@awsless/awsless 0.0.267 → 0.0.270

package/dist/bin.js

@@ -69,52 +69,23 @@ var debug = (...parts) => {
 };
 
 // src/config/app.ts
-import { z as z15 } from "zod";
+import { z as z17 } from "zod";
+
+// src/feature/auth/schema.ts
+import { z as z7 } from "zod";
 
 // src/config/schema/resource-id.ts
 import { paramCase } from "change-case";
 import { z } from "zod";
 var ResourceIdSchema = z.string().min(3).max(24).regex(/^[a-z0-9\-]+$/i, "Invalid resource ID").transform((value) => paramCase(value));
 
-// src/config/schema/region.ts
-import { z as z2 } from "zod";
-var US = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"];
-var AF = ["af-south-1"];
-var AP = [
-  "ap-east-1",
-  "ap-south-2",
-  "ap-southeast-3",
-  "ap-southeast-4",
-  "ap-south-1",
-  "ap-northeast-3",
-  "ap-northeast-2",
-  "ap-southeast-1",
-  "ap-southeast-2",
-  "ap-northeast-1"
-];
-var CA = ["ca-central-1"];
-var EU = [
-  "eu-central-1",
-  "eu-west-1",
-  "eu-west-2",
-  "eu-south-1",
-  "eu-west-3",
-  "eu-south-2",
-  "eu-north-1",
-  "eu-central-2"
-];
-var ME = ["me-south-1", "me-central-1"];
-var SA = ["sa-east-1"];
-var regions = [...US, ...AF, ...AP, ...CA, ...EU, ...ME, ...SA];
-var RegionSchema = z2.enum(regions);
-
-// src/feature/domain/schema.ts
-import { z as z4 } from "zod";
+// src/feature/function/schema.ts
+import { z as z5 } from "zod";
 
 // src/config/schema/duration.ts
-import { z as z3 } from "zod";
+import { z as z2 } from "zod";
 import { parse } from "@awsless/duration";
-var DurationSchema = z3.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/, "Invalid duration").transform((v) => parse(v));
+var DurationSchema = z2.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/, "Invalid duration").transform((v) => parse(v));
 var durationMin = (min) => {
   return (duration) => {
     return duration.value >= min.value;
@@ -126,32 +97,9 @@ var durationMax = (max) => {
   };
 };
 
-// src/feature/domain/schema.ts
-var DomainNameSchema = z4.string().regex(/[a-z\-\_\.]/g, "Invalid domain name").describe(
-  "Enter a fully qualified domain name, for example, www.example.com. You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical."
-);
-var DNSTypeSchema = z4.enum(["A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"]).describe("The DNS record type.");
-var TTLSchema = DurationSchema.describe("The resource record cache time to live (TTL).");
-var RecordsSchema = z4.string().array().describe("One or more values that correspond with the value that you specified for the Type property.");
-var DomainsDefaultSchema = z4.record(
-  ResourceIdSchema,
-  z4.object({
-    domain: DomainNameSchema.describe("Define the domain name"),
-    dns: z4.object({
-      name: DomainNameSchema.optional(),
-      type: DNSTypeSchema,
-      ttl: TTLSchema,
-      records: RecordsSchema
-    }).array().optional().describe("Define the domain dns records")
-  })
-).optional().describe("Define the domains for your application.");
-
-// src/feature/function/schema.ts
-import { z as z7 } from "zod";
-
 // src/config/schema/local-file.ts
 import { stat } from "fs/promises";
-import { z as z5 } from "zod";
+import { z as z3 } from "zod";
 
 // src/util/path.ts
 import { lstat } from "fs/promises";
@@ -220,7 +168,7 @@ var resolvePath = (path) => {
   }
   return join2(directories.root, path);
 };
-var LocalFileSchema = z5.string().transform((path) => resolvePath(path)).refine(async (path) => {
+var LocalFileSchema = z3.string().transform((path) => resolvePath(path)).refine(async (path) => {
   try {
     const s = await stat(path);
     return s.isFile();
@@ -230,9 +178,9 @@ var LocalFileSchema = z5.string().transform((path) => resolvePath(path)).refine(
 }, `File doesn't exist`);
 
 // src/config/schema/size.ts
-import { z as z6 } from "zod";
+import { z as z4 } from "zod";
 import { parse as parse2 } from "@awsless/size";
-var SizeSchema = z6.string().regex(/^[0-9]+ (B|KB|MB|GB|TB|PB)$/, "Invalid size").transform((v) => parse2(v));
+var SizeSchema = z4.string().regex(/^[0-9]+ (B|KB|MB|GB|TB|PB)$/, "Invalid size").transform((v) => parse2(v));
 var sizeMin = (min) => {
   return (size) => {
     return size.value >= min.value;
@@ -257,62 +205,62 @@ var EphemeralStorageSizeSchema = SizeSchema.refine(
   sizeMin(mebibytes(512)),
   "Minimum ephemeral storage size is 512 MB"
 ).refine(sizeMax(gibibytes(10)), "Minimum ephemeral storage size is 10 GB").describe("The size of the function's /tmp directory. You can specify a size value from 512 MB to 10 GB.");
-var ReservedConcurrentExecutionsSchema = z7.number().int().min(0).describe(
+var ReservedConcurrentExecutionsSchema = z5.number().int().min(0).describe(
   "The number of simultaneous executions to reserve for the function. You can specify a number from 0."
 );
-var EnvironmentSchema = z7.record(z7.string(), z7.string()).optional().describe("Environment variable key-value pairs.");
-var ArchitectureSchema = z7.enum(["x86_64", "arm64"]).describe("The instruction set architecture that the function supports.");
-var RetryAttemptsSchema = z7.number().int().min(0).max(2).describe(
+var EnvironmentSchema = z5.record(z5.string(), z5.string()).optional().describe("Environment variable key-value pairs.");
+var ArchitectureSchema = z5.enum(["x86_64", "arm64"]).describe("The instruction set architecture that the function supports.");
+var RetryAttemptsSchema = z5.number().int().min(0).max(2).describe(
   "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 2."
 );
-var RuntimeSchema = z7.enum(["nodejs18.x", "nodejs20.x"]).describe("The identifier of the function's runtime.");
-var ActionSchema = z7.string();
-var ActionsSchema = z7.union([ActionSchema.transform((v) => [v]), ActionSchema.array()]);
-var ArnSchema = z7.string().startsWith("arn:");
-var WildcardSchema = z7.literal("*");
-var ResourceSchema = z7.union([ArnSchema, WildcardSchema]).transform((v) => v);
-var ResourcesSchema = z7.union([ResourceSchema.transform((v) => [v]), ResourceSchema.array()]);
-var PermissionSchema = z7.object({
-  effect: z7.enum(["allow", "deny"]).default("allow"),
+var RuntimeSchema = z5.enum(["nodejs18.x", "nodejs20.x"]).describe("The identifier of the function's runtime.");
+var ActionSchema = z5.string();
+var ActionsSchema = z5.union([ActionSchema.transform((v) => [v]), ActionSchema.array()]);
+var ArnSchema = z5.string().startsWith("arn:");
+var WildcardSchema = z5.literal("*");
+var ResourceSchema = z5.union([ArnSchema, WildcardSchema]).transform((v) => v);
+var ResourcesSchema = z5.union([ResourceSchema.transform((v) => [v]), ResourceSchema.array()]);
+var PermissionSchema = z5.object({
+  effect: z5.enum(["allow", "deny"]).default("allow"),
   actions: ActionsSchema,
   resources: ResourcesSchema
 });
-var PermissionsSchema = z7.union([PermissionSchema.transform((v) => [v]), PermissionSchema.array()]).describe("Add IAM permissions to your function.");
-var WarmSchema = z7.number().int().min(0).max(10).describe(
+var PermissionsSchema = z5.union([PermissionSchema.transform((v) => [v]), PermissionSchema.array()]).describe("Add IAM permissions to your function.");
+var WarmSchema = z5.number().int().min(0).max(10).describe(
   "Specify how many functions you want to warm up each 5 minutes. You can specify a number from 0 to 10."
 );
-var VPCSchema = z7.boolean().describe("Put the function inside your global VPC.");
-var MinifySchema = z7.boolean().describe("Minify the function code.");
-var HandlerSchema = z7.string().describe("The name of the exported method within your code that Lambda calls to run your function.");
+var VPCSchema = z5.boolean().describe("Put the function inside your global VPC.");
+var MinifySchema = z5.boolean().describe("Minify the function code.");
+var HandlerSchema = z5.string().describe("The name of the exported method within your code that Lambda calls to run your function.");
 var FileSchema = LocalFileSchema.describe("The file path of the function code.");
-var DescriptionSchema = z7.string().describe("A description of the function.");
+var DescriptionSchema = z5.string().describe("A description of the function.");
 var LogRetentionSchema = DurationSchema.refine(
   durationMin(days(0)),
   "Minimum log retention is 0 day, which will disable logging."
 );
-var LogSchema = z7.union([
-  z7.boolean().transform((enabled) => ({ retention: enabled ? days(7) : days(0) })),
+var LogSchema = z5.union([
+  z5.boolean().transform((enabled) => ({ retention: enabled ? days(7) : days(0) })),
   LogRetentionSchema.transform((retention) => ({ retention })),
-  z7.object({
+  z5.object({
     retention: LogRetentionSchema.describe("The log retention duration."),
-    format: z7.enum(["text", "json"]).describe(
+    format: z5.enum(["text", "json"]).describe(
       `The format in which Lambda sends your function's application and system logs to CloudWatch. Select between plain text and structured JSON.`
     ).optional(),
-    system: z7.enum(["debug", "info", "warn"]).describe(
+    system: z5.enum(["debug", "info", "warn"]).describe(
       "Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level of detail and lower, where DEBUG is the highest level and WARN is the lowest."
     ).optional(),
-    level: z7.enum(["trace", "debug", "info", "warn", "error", "fatal"]).describe(
+    level: z5.enum(["trace", "debug", "info", "warn", "error", "fatal"]).describe(
       "Set this property to filter the application logs for your function that Lambda sends to CloudWatch. Lambda only sends application logs at the selected level of detail and lower, where TRACE is the highest level and FATAL is the lowest."
     ).optional()
   })
 ]).describe(
   "Enable logging to a CloudWatch log group. Providing a duration value will set the log retention time."
 );
-var FunctionSchema = z7.union([
+var FunctionSchema = z5.union([
   LocalFileSchema.transform((file) => ({
     file
   })),
-  z7.object({
+  z5.object({
     file: FileSchema,
     description: DescriptionSchema.optional(),
     handler: HandlerSchema.optional(),
@@ -331,8 +279,8 @@ var FunctionSchema = z7.union([
     permissions: PermissionsSchema.optional()
   })
 ]);
-var FunctionsSchema = z7.record(ResourceIdSchema, FunctionSchema).optional().describe("Define the functions in your stack.");
-var FunctionDefaultSchema = z7.object({
+var FunctionsSchema = z5.record(ResourceIdSchema, FunctionSchema).optional().describe("Define the functions in your stack.");
+var FunctionDefaultSchema = z5.object({
   handler: HandlerSchema.default("index.default"),
   minify: MinifySchema.default(true),
   warm: WarmSchema.default(0),
@@ -354,19 +302,111 @@ var FunctionDefaultSchema = z7.object({
   permissions: PermissionsSchema.optional()
 }).default({});
 
-// src/feature/graphql/schema.ts
+// src/config/schema/email.ts
+import { z as z6 } from "zod";
+var EmailSchema = z6.string().email();
+var isEmail = (value) => {
+  return EmailSchema.safeParse(value).success;
+};
+
+// src/feature/auth/schema.ts
+var TriggersSchema = z7.object({
+  beforeToken: FunctionSchema.optional().describe("A pre jwt token generation AWS Lambda trigger."),
+  beforeLogin: FunctionSchema.optional().describe("A pre user login AWS Lambda trigger."),
+  afterLogin: FunctionSchema.optional().describe("A post user login AWS Lambda trigger."),
+  beforeRegister: FunctionSchema.optional().describe("A pre user register AWS Lambda trigger."),
+  afterRegister: FunctionSchema.optional().describe("A post user register AWS Lambda trigger."),
+  customMessage: FunctionSchema.optional().describe("A custom message AWS Lambda trigger."),
+  // /** A custom email sender AWS Lambda trigger */
+  // emailSender: FunctionSchema.optional(),
+  defineChallenge: FunctionSchema.optional().describe("Defines the authentication challenge."),
+  createChallenge: FunctionSchema.optional().describe("Creates an authentication challenge."),
+  verifyChallenge: FunctionSchema.optional().describe("Verifies the authentication challenge response.")
+}).describe("Specifies the configuration for AWS Lambda triggers.");
+var AuthSchema = z7.record(
+  ResourceIdSchema,
+  z7.object({
+    access: z7.boolean().default(false).describe("Give access to every function in this stack to your cognito instance."),
+    triggers: TriggersSchema.optional()
+  })
+).optional().describe("Define the auth triggers in your stack.");
+var AuthDefaultSchema = z7.record(
+  ResourceIdSchema,
+  z7.object({
+    allowUserRegistration: z7.boolean().default(true).describe("Specifies whether users can create an user account or if only the administrator can."),
+    messaging: z7.object({
+      fromEmail: EmailSchema.describe("Specifies the sender's email address."),
+      fromName: z7.string().optional().describe("Specifies the sender's name."),
+      replyTo: EmailSchema.optional().describe(
+        "The destination to which the receiver of the email should reply."
+      )
+    }).optional().describe("The email configuration for sending messages."),
+    // secret: z.boolean().default(false).describe('Specifies whether you want to generate a client secret.'),
+    username: z7.object({
+      emailAlias: z7.boolean().default(true).describe("Allow the user email to be used as username."),
+      caseSensitive: z7.boolean().default(false).describe(
+        "Specifies whether username case sensitivity will be enabled. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name."
+      )
+    }).default({}).describe("The username policy."),
+    password: z7.object({
+      minLength: z7.number().int().min(6).max(99).default(12).describe("Required users to have at least the minimum password length."),
+      uppercase: z7.boolean().default(true).describe("Required users to use at least one uppercase letter in their password."),
+      lowercase: z7.boolean().default(true).describe("Required users to use at least one lowercase letter in their password."),
+      numbers: z7.boolean().default(true).describe("Required users to use at least one number in their password."),
+      symbols: z7.boolean().default(true).describe("Required users to use at least one symbol in their password."),
+      temporaryPasswordValidity: DurationSchema.default("7 days").describe(
+        "The duration a temporary password is valid. If the user doesn't sign in during this time, an administrator must reset their password."
+      )
+    }).default({}).describe("The password policy."),
+    validity: z7.object({
+      idToken: DurationSchema.default("1 hour").describe(
+        "The ID token time limit. After this limit expires, your user can't use their ID token."
+      ),
+      accessToken: DurationSchema.default("1 hour").describe(
+        "The access token time limit. After this limit expires, your user can't use their access token."
+      ),
+      refreshToken: DurationSchema.default("365 days").describe(
+        "The refresh token time limit. After this limit expires, your user can't use their refresh token."
+      )
+    }).default({}).describe("Specifies the validity duration for every JWT token."),
+    triggers: TriggersSchema.optional()
+  })
+).default({}).describe("Define the authenticatable users in your app.");
+
+// src/feature/domain/schema.ts
 import { z as z8 } from "zod";
+var DomainNameSchema = z8.string().regex(/[a-z\-\_\.]/g, "Invalid domain name").describe(
+  "Enter a fully qualified domain name, for example, www.example.com. You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical."
+);
+var DNSTypeSchema = z8.enum(["A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"]).describe("The DNS record type.");
+var TTLSchema = DurationSchema.describe("The resource record cache time to live (TTL).");
+var RecordsSchema = z8.string().array().describe("One or more values that correspond with the value that you specified for the Type property.");
+var DomainsDefaultSchema = z8.record(
+  ResourceIdSchema,
+  z8.object({
+    domain: DomainNameSchema.describe("Define the domain name"),
+    dns: z8.object({
+      name: DomainNameSchema.optional(),
+      type: DNSTypeSchema,
+      ttl: TTLSchema,
+      records: RecordsSchema
+    }).array().optional().describe("Define the domain dns records")
+  })
+).optional().describe("Define the domains for your application.");
+
+// src/feature/graphql/schema.ts
+import { z as z9 } from "zod";
 var AuthorizerTtl = DurationSchema.describe(
   `The number of seconds a response should be cached for. The maximum value is one hour (3600 seconds). The Lambda function can override this by returning a ttlOverride key in its response.`
 );
-var GraphQLDefaultSchema = z8.record(
+var GraphQLDefaultSchema = z9.record(
   ResourceIdSchema,
-  z8.object({
+  z9.object({
     domain: ResourceIdSchema.describe("The domain id to link your API with.").optional(),
-    subDomain: z8.string().optional(),
-    auth: z8.union([
+    subDomain: z9.string().optional(),
+    auth: z9.union([
       ResourceIdSchema,
-      z8.object({
+      z9.object({
         authorizer: FunctionSchema,
         ttl: AuthorizerTtl.default("1 hour")
       })
@@ -378,22 +418,22 @@ var GraphQLDefaultSchema = z8.record(
     resolver: LocalFileSchema.optional()
   })
 ).describe(`Define the global GraphQL API's.`).optional();
-var GraphQLSchema = z8.record(
+var GraphQLSchema = z9.record(
   ResourceIdSchema,
-  z8.object({
+  z9.object({
     // schema: z.union([LocalFileSchema.transform(v => [v]), z.array(LocalFileSchema).min(1)]).optional(),
     schema: LocalFileSchema.describe("The graphql schema file."),
-    resolvers: z8.record(
+    resolvers: z9.record(
       // TypeName
-      z8.string(),
-      z8.record(
+      z9.string(),
+      z9.record(
         // FieldName
-        z8.string(),
-        z8.union([
+        z9.string(),
+        z9.union([
           FunctionSchema.transform((consumer) => ({
             consumer
           })),
-          z8.object({
+          z9.object({
             consumer: FunctionSchema,
             resolver: LocalFileSchema.optional()
           })
@@ -403,8 +443,73 @@ var GraphQLSchema = z8.record(
   })
 ).describe("Define the schema & resolvers in your stack for your global GraphQL API.").optional();
 
+// src/feature/http/schema.ts
+import { z as z10 } from "zod";
+var RouteSchema = z10.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route").transform((v) => v);
+var HttpDefaultSchema = z10.record(
+  ResourceIdSchema,
+  z10.object({
+    domain: ResourceIdSchema.describe("The domain id to link your API with."),
+    subDomain: z10.string().optional()
+    // auth: ResourceIdSchema.optional(),
+  })
+).optional().describe("Define your global HTTP API's.");
+var HttpSchema = z10.record(ResourceIdSchema, z10.record(RouteSchema, FunctionSchema)).optional().describe("Define routes in your stack for your global HTTP API.");
+
+// src/feature/instance/schema.ts
+import { z as z12 } from "zod";
+
+// src/config/schema/local-directory.ts
+import { stat as stat2 } from "fs/promises";
+import { z as z11 } from "zod";
+var LocalDirectorySchema = z11.string().transform((path) => resolvePath(path)).refine(async (path) => {
+  try {
+    const s = await stat2(path);
+    return s.isDirectory();
+  } catch (error) {
+    return false;
+  }
+}, `Directory doesn't exist`);
+
+// src/feature/instance/schema.ts
+var ImageSchema = z12.string().regex(/^ami\-[0-9a-f]+/).describe("The ID of the AMI.");
+var TypeSchema = z12.enum([
+  "t3.nano",
+  "t3.micro",
+  "t3.small",
+  "t3.medium",
+  "t3.large",
+  "t3.xlarge",
+  "t3.2xlarge",
+  "t4g.nano",
+  "t4g.micro",
+  "t4g.small",
+  "t4g.medium",
+  "t4g.large",
+  "t4g.xlarge",
+  "t4g.2xlarge",
+  "g4ad.xlarge"
+]).describe(`The instance type.`);
+var CommandSchema = z12.string().describe(`The script you want to execute when the instance starts up.`);
+var CodeSchema = LocalDirectorySchema.describe(`The code directory that will be deployed to your instance.`);
+var ConnectSchema = z12.boolean().describe("Allows you to connect to all instances with an Instance Connect Endpoint.");
+var EnvironmentSchema2 = z12.record(z12.string(), z12.string()).optional().describe("Environment variable key-value pairs.");
+var InstanceDefaultSchema = z12.object({
+  connect: ConnectSchema.default(false)
+}).default({}).describe("Define the default settings for all instances in your stacks.");
+var InstancesSchema = z12.record(
+  ResourceIdSchema,
+  z12.object({
+    image: ImageSchema,
+    type: TypeSchema,
+    code: CodeSchema,
+    command: CommandSchema.optional(),
+    environment: EnvironmentSchema2.optional()
+  })
+).optional().describe("Define the instances in your stack.");
+
 // src/feature/queue/schema.ts
-import { z as z9 } from "zod";
+import { z as z13 } from "zod";
 import { days as days2, hours, minutes as minutes2, seconds as seconds2 } from "@awsless/duration";
 import { kibibytes } from "@awsless/size";
 var RetentionPeriodSchema = DurationSchema.refine(
@@ -434,10 +539,10 @@ var ReceiveMessageWaitTimeSchema = DurationSchema.refine(
 var MaxMessageSizeSchema = SizeSchema.refine(sizeMin(kibibytes(1)), "Minimum max message size is 1 KB").refine(sizeMax(kibibytes(256)), "Maximum max message size is 256 KB").describe(
   "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an size from 1 KB to 256 KB."
 );
-var BatchSizeSchema = z9.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
+var BatchSizeSchema = z13.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
   "The maximum number of records in each batch that Lambda pulls from your queue and sends to your function. Lambda passes all of the records in the batch to the function in a single call, up to the payload limit for synchronous invocation (6 MB). You can specify an integer from 1 to 10000."
 );
-var MaxConcurrencySchema = z9.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
+var MaxConcurrencySchema = z13.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
   "Limits the number of concurrent instances that the queue worker can invoke. You can specify an integer from 2 to 1000."
 );
 var MaxBatchingWindow = DurationSchema.refine(
@@ -446,7 +551,7 @@ var MaxBatchingWindow = DurationSchema.refine(
 ).describe(
   "The maximum amount of time, that Lambda spends gathering records before invoking the function. You can specify an duration from 0 seconds to 5 minutes."
 );
-var QueueDefaultSchema = z9.object({
+var QueueDefaultSchema = z13.object({
   retentionPeriod: RetentionPeriodSchema.default("7 days"),
   visibilityTimeout: VisibilityTimeoutSchema.default("30 seconds"),
   deliveryDelay: DeliveryDelaySchema.default("0 seconds"),
@@ -456,15 +561,15 @@ var QueueDefaultSchema = z9.object({
   maxConcurrency: MaxConcurrencySchema.optional(),
   maxBatchingWindow: MaxBatchingWindow.optional()
 }).default({});
-var QueuesSchema = z9.record(
+var QueuesSchema = z13.record(
   ResourceIdSchema,
-  z9.union([
+  z13.union([
     LocalFileSchema.transform((file) => ({
       consumer: {
         file
       }
     })),
-    z9.object({
+    z13.object({
       consumer: FunctionSchema.describe("he consuming lambda function properties."),
       retentionPeriod: RetentionPeriodSchema.optional(),
       visibilityTimeout: VisibilityTimeoutSchema.optional(),
@@ -478,291 +583,134 @@ var QueuesSchema = z9.record(
   ])
 ).optional().describe("Define the queues in your stack.");
 
-// src/feature/auth/schema.ts
-import { z as z11 } from "zod";
-
-// src/config/schema/email.ts
-import { z as z10 } from "zod";
-var EmailSchema = z10.string().email();
-var isEmail = (value) => {
-  return EmailSchema.safeParse(value).success;
-};
-
-// src/feature/auth/schema.ts
-var TriggersSchema = z11.object({
-  beforeToken: FunctionSchema.optional().describe("A pre jwt token generation AWS Lambda trigger."),
-  beforeLogin: FunctionSchema.optional().describe("A pre user login AWS Lambda trigger."),
-  afterLogin: FunctionSchema.optional().describe("A post user login AWS Lambda trigger."),
-  beforeRegister: FunctionSchema.optional().describe("A pre user register AWS Lambda trigger."),
-  afterRegister: FunctionSchema.optional().describe("A post user register AWS Lambda trigger."),
-  customMessage: FunctionSchema.optional().describe("A custom message AWS Lambda trigger."),
-  // /** A custom email sender AWS Lambda trigger */
-  // emailSender: FunctionSchema.optional(),
-  defineChallenge: FunctionSchema.optional().describe("Defines the authentication challenge."),
-  createChallenge: FunctionSchema.optional().describe("Creates an authentication challenge."),
-  verifyChallenge: FunctionSchema.optional().describe("Verifies the authentication challenge response.")
-}).describe("Specifies the configuration for AWS Lambda triggers.");
-var AuthSchema = z11.record(
-  ResourceIdSchema,
-  z11.object({
-    access: z11.boolean().default(false).describe("Give access to every function in this stack to your cognito instance."),
-    triggers: TriggersSchema.optional()
-  })
-).optional().describe("Define the auth triggers in your stack.");
-var AuthDefaultSchema = z11.record(
-  ResourceIdSchema,
-  z11.object({
-    allowUserRegistration: z11.boolean().default(true).describe("Specifies whether users can create an user account or if only the administrator can."),
-    messaging: z11.object({
-      fromEmail: EmailSchema.describe("Specifies the sender's email address."),
-      fromName: z11.string().optional().describe("Specifies the sender's name."),
-      replyTo: EmailSchema.optional().describe(
-        "The destination to which the receiver of the email should reply."
-      )
-    }).optional().describe("The email configuration for sending messages."),
-    // secret: z.boolean().default(false).describe('Specifies whether you want to generate a client secret.'),
-    username: z11.object({
-      emailAlias: z11.boolean().default(true).describe("Allow the user email to be used as username."),
-      caseSensitive: z11.boolean().default(false).describe(
-        "Specifies whether username case sensitivity will be enabled. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name."
-      )
-    }).default({}).describe("The username policy."),
-    password: z11.object({
-      minLength: z11.number().int().min(6).max(99).default(12).describe("Required users to have at least the minimum password length."),
-      uppercase: z11.boolean().default(true).describe("Required users to use at least one uppercase letter in their password."),
-      lowercase: z11.boolean().default(true).describe("Required users to use at least one lowercase letter in their password."),
-      numbers: z11.boolean().default(true).describe("Required users to use at least one number in their password."),
-      symbols: z11.boolean().default(true).describe("Required users to use at least one symbol in their password."),
-      temporaryPasswordValidity: DurationSchema.default("7 days").describe(
-        "The duration a temporary password is valid. If the user doesn't sign in during this time, an administrator must reset their password."
-      )
-    }).default({}).describe("The password policy."),
-    validity: z11.object({
-      idToken: DurationSchema.default("1 hour").describe(
-        "The ID token time limit. After this limit expires, your user can't use their ID token."
-      ),
-      accessToken: DurationSchema.default("1 hour").describe(
-        "The access token time limit. After this limit expires, your user can't use their access token."
-      ),
-      refreshToken: DurationSchema.default("365 days").describe(
-        "The refresh token time limit. After this limit expires, your user can't use their refresh token."
-      )
-    }).default({}).describe("Specifies the validity duration for every JWT token."),
-    triggers: TriggersSchema.optional()
-  })
-).default({}).describe("Define the authenticatable users in your app.");
-
-// src/feature/http/schema.ts
-import { z as z12 } from "zod";
-var RouteSchema = z12.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route").transform((v) => v);
-var HttpDefaultSchema = z12.record(
-  ResourceIdSchema,
-  z12.object({
-    domain: ResourceIdSchema.describe("The domain id to link your API with."),
-    subDomain: z12.string().optional()
-    // auth: ResourceIdSchema.optional(),
-  })
-).optional().describe("Define your global HTTP API's.");
-var HttpSchema = z12.record(ResourceIdSchema, z12.record(RouteSchema, FunctionSchema)).optional().describe("Define routes in your stack for your global HTTP API.");
-
 // src/feature/rest/schema.ts
-import { z as z14 } from "zod";
+import { z as z15 } from "zod";
 
 // src/config/schema/route.ts
-import { z as z13 } from "zod";
-var RouteSchema2 = z13.union([
-  z13.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
-  z13.literal("$default")
+import { z as z14 } from "zod";
+var RouteSchema2 = z14.union([
+  z14.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
+  z14.literal("$default")
 ]);
 
 // src/feature/rest/schema.ts
-var RestDefaultSchema = z14.record(
+var RestDefaultSchema = z15.record(
   ResourceIdSchema,
-  z14.object({
+  z15.object({
     domain: ResourceIdSchema.describe("The domain id to link your API with.").optional(),
-    subDomain: z14.string().optional()
+    subDomain: z15.string().optional()
   })
 ).optional().describe("Define your global REST API's.");
-var RestSchema = z14.record(ResourceIdSchema, z14.record(RouteSchema2, FunctionSchema)).optional().describe("Define routes in your stack for your global REST API.");
+var RestSchema = z15.record(ResourceIdSchema, z15.record(RouteSchema2, FunctionSchema)).optional().describe("Define routes in your stack for your global REST API.");
 
-// src/config/app.ts
-var AppSchema = z15.object({
-  $schema: z15.string().optional(),
-  name: ResourceIdSchema.describe("App name."),
-  region: RegionSchema.describe("The AWS region to deploy to."),
-  profile: z15.string().describe("The AWS profile to deploy to."),
-  // stage: z
-  // 	.string()
-  // 	.regex(/^[a-z]+$/)
-  // 	.default('prod')
-  // 	.describe('The deployment stage.'),
-  defaults: z15.object({
-    auth: AuthDefaultSchema,
-    domains: DomainsDefaultSchema,
-    function: FunctionDefaultSchema,
-    queue: QueueDefaultSchema,
-    graphql: GraphQLDefaultSchema,
-    http: HttpDefaultSchema,
-    rest: RestDefaultSchema
-  }).default({}).describe("Default properties")
-});
+// src/config/schema/region.ts
+import { z as z16 } from "zod";
+var US = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"];
+var AF = ["af-south-1"];
+var AP = [
+  "ap-east-1",
+  "ap-south-2",
+  "ap-southeast-3",
+  "ap-southeast-4",
+  "ap-south-1",
+  "ap-northeast-3",
+  "ap-northeast-2",
+  "ap-southeast-1",
+  "ap-southeast-2",
+  "ap-northeast-1"
+];
+var CA = ["ca-central-1"];
+var EU = [
+  "eu-central-1",
+  "eu-west-1",
+  "eu-west-2",
+  "eu-south-1",
+  "eu-west-3",
+  "eu-south-2",
+  "eu-north-1",
+  "eu-central-2"
+];
+var ME = ["me-south-1", "me-central-1"];
+var SA = ["sa-east-1"];
+var regions = [...US, ...AF, ...AP, ...CA, ...EU, ...ME, ...SA];
+var RegionSchema = z16.enum(regions);
+
+// src/config/app.ts
+var AppSchema = z17.object({
+  $schema: z17.string().optional(),
+  name: ResourceIdSchema.describe("App name."),
+  region: RegionSchema.describe("The AWS region to deploy to."),
+  profile: z17.string().describe("The AWS profile to deploy to."),
+  // stage: z
+  // 	.string()
+  // 	.regex(/^[a-z]+$/)
+  // 	.default('prod')
+  // 	.describe('The deployment stage.'),
+  defaults: z17.object({
+    auth: AuthDefaultSchema,
+    domains: DomainsDefaultSchema,
+    function: FunctionDefaultSchema,
+    instance: InstanceDefaultSchema,
+    queue: QueueDefaultSchema,
+    graphql: GraphQLDefaultSchema,
+    http: HttpDefaultSchema,
+    rest: RestDefaultSchema
+  }).default({}).describe("Default properties")
+});
 
 // src/config/load/load.ts
 import { glob } from "glob";
 
 // src/config/stack.ts
-import { z as z29 } from "zod";
-
-// src/feature/on-failure/schema.ts
-var OnFailureSchema = FunctionSchema.optional().describe(
-  "Defining a onFailure handler will add a global onFailure handler for the following resources:\n- Async lambda functions\n- SQS queues\n- DynamoDB streams"
-);
-
-// src/feature/config/schema.ts
-import { z as z16 } from "zod";
-var ConfigNameSchema = z16.string().regex(/[a-z0-9\-]/g, "Invalid config name");
-var ConfigsSchema = z16.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
-
-// src/feature/table/schema.ts
-import { z as z17 } from "zod";
-var KeySchema = z17.string().min(1).max(255);
-var TablesSchema = z17.record(
-  ResourceIdSchema,
-  z17.object({
-    hash: KeySchema.describe(
-      "Specifies the name of the partition / hash key that makes up the primary key for the table."
-    ),
-    sort: KeySchema.optional().describe(
-      "Specifies the name of the range / sort key that makes up the primary key for the table."
-    ),
-    fields: z17.record(z17.string(), z17.enum(["string", "number", "binary"])).optional().describe(
-      'A list of attributes that describe the key schema for the table and indexes. If no attribute field is defined we default to "string".'
-    ),
-    class: z17.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
-    pointInTimeRecovery: z17.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
-    timeToLiveAttribute: KeySchema.optional().describe(
-      "The name of the TTL attribute used to store the expiration time for items in the table. To update this property, you must first disable TTL and then enable TTL with the new attribute name."
-    ),
-    stream: z17.object({
-      type: z17.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
-        "When an item in the table is modified, stream.type determines what information is written to the stream for this table. Valid values are:\n- keys-only - Only the key attributes of the modified item are written to the stream.\n- new-image - The entire item, as it appears after it was modified, is written to the stream.\n- old-image - The entire item, as it appeared before it was modified, is written to the stream.\n- new-and-old-images - Both the new and the old item images of the item are written to the stream."
-      ),
-      consumer: FunctionSchema.describe("The consuming lambda function for the stream")
-    }).optional().describe(
-      "The settings for the DynamoDB table stream, which capture changes to items stored in the table."
-    ),
-    indexes: z17.record(
-      z17.string(),
-      z17.object({
-        /** Specifies the name of the partition / hash key that makes up the primary key for the global secondary index. */
-        hash: KeySchema,
-        /** Specifies the name of the range / sort key that makes up the primary key for the global secondary index. */
-        sort: KeySchema.optional(),
-        /** The set of attributes that are projected into the index:
-         * - all - All of the table attributes are projected into the index.
-         * - keys-only - Only the index and primary keys are projected into the index.
-         * @default 'all'
-         */
-        projection: z17.enum(["all", "keys-only"]).default("all")
-      })
-    ).optional().describe("Specifies the global secondary indexes to be created on the table.")
-  })
-).optional().describe("Define the tables in your stack.");
+import { z as z31 } from "zod";
 
-// src/feature/store/schema.ts
+// src/feature/cache/schema.ts
 import { z as z18 } from "zod";
-var StoresSchema = z18.union([
-  z18.array(ResourceIdSchema).transform((list4) => {
-    const stores = {};
-    for (const key of list4) {
-      stores[key] = {};
-    }
-    return stores;
-  }),
-  z18.record(
-    ResourceIdSchema,
-    z18.object({
-      // cors: CorsSchema,
-      versioning: z18.boolean().default(false).describe("Enable versioning of your store."),
-      events: z18.object({
-        // create
-        "created:*": FunctionSchema.optional().describe(
-          "Subscribe to notifications regardless of the API that was used to create an object."
-        ),
-        "created:put": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object is created using the PUT API operation."
-        ),
-        "created:post": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object is created using the POST API operation."
-        ),
-        "created:copy": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object is created using the COPY API operation."
-        ),
-        "created:upload": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object multipart upload has been completed."
-        ),
-        // remove
-        "removed:*": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object is deleted or a delete marker for a versioned object is created."
-        ),
-        "removed:delete": FunctionSchema.optional().describe(
-          "Subscribe to notifications when an object is deleted"
-        ),
-        "removed:marker": FunctionSchema.optional().describe(
-          "Subscribe to notifications when a delete marker for a versioned object is created."
-        )
-      }).optional().describe("Describes the store events you want to subscribe too.")
-    })
-  )
-]).optional().describe("Define the stores in your stack.");
-
-// src/feature/pubsub/schema.ts
-import { z as z19 } from "zod";
-var PubSubSchema = z19.record(
+var TypeSchema2 = z18.enum([
+  "t4g.small",
+  "t4g.medium",
+  "r6g.large",
+  "r6g.xlarge",
+  "r6g.2xlarge",
+  "r6g.4xlarge",
+  "r6g.8xlarge",
+  "r6g.12xlarge",
+  "r6g.16xlarge",
+  "r6gd.xlarge",
+  "r6gd.2xlarge",
+  "r6gd.4xlarge",
+  "r6gd.8xlarge"
+]);
+var PortSchema = z18.number().int().min(1).max(5e4);
+var ShardsSchema = z18.number().int().min(0).max(100);
+var ReplicasPerShardSchema = z18.number().int().min(0).max(5);
+var EngineSchema = z18.enum(["7.0", "6.2"]);
+var CachesSchema = z18.record(
   ResourceIdSchema,
-  z19.object({
-    sql: z19.string().describe("The SQL statement used to query the IOT topic."),
-    sqlVersion: z19.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
-    consumer: FunctionSchema.describe("The consuming lambda function properties.")
+  z18.object({
+    type: TypeSchema2.default("t4g.small"),
+    port: PortSchema.default(6379),
+    shards: ShardsSchema.default(1),
+    replicasPerShard: ReplicasPerShardSchema.default(1),
+    engine: EngineSchema.default("7.0"),
+    dataTiering: z18.boolean().default(false)
   })
-).optional().describe("Define the pubsub subscriber in your stack.");
-
-// src/feature/test/schema.ts
-import { z as z21 } from "zod";
-
-// src/config/schema/local-directory.ts
-import { stat as stat2 } from "fs/promises";
-import { z as z20 } from "zod";
-var LocalDirectorySchema = z20.string().transform((path) => resolvePath(path)).refine(async (path) => {
-  try {
-    const s = await stat2(path);
-    return s.isDirectory();
-  } catch (error) {
-    return false;
-  }
-}, `Directory doesn't exist`);
-
-// src/feature/test/schema.ts
-var TestsSchema = z21.union([LocalDirectorySchema.transform((v) => [v]), LocalDirectorySchema.array()]).describe("Define the location of your tests for your stack.").optional();
+).optional().describe("Define the caches in your stack. For access to the cache put your functions inside the global VPC.");
 
-// src/feature/topic/schema.ts
-import { paramCase as paramCase2 } from "change-case";
-import { z as z22 } from "zod";
-var TopicNameSchema = z22.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => paramCase2(value)).describe("Define event topic name.");
-var TopicsSchema = z22.array(TopicNameSchema).refine((topics) => {
-  return topics.length === new Set(topics).size;
-}, "Must be a list of unique topic names").optional().describe("Define the event topics to publish too in your stack.");
-var SubscribersSchema = z22.record(TopicNameSchema, z22.union([EmailSchema, FunctionSchema])).optional().describe("Define the event topics to subscribe too in your stack.");
+// src/feature/config/schema.ts
+import { z as z19 } from "zod";
+var ConfigNameSchema = z19.string().regex(/[a-z0-9\-]/g, "Invalid config name");
+var ConfigsSchema = z19.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
 
 // src/feature/cron/schema/index.ts
-import { z as z24 } from "zod";
+import { z as z21 } from "zod";
 
 // src/feature/cron/schema/schedule.ts
-import { z as z23 } from "zod";
+import { z as z20 } from "zod";
 import { awsCronExpressionValidator } from "aws-cron-expression-validator";
-var RateExpressionSchema = z23.custom(
+var RateExpressionSchema = z20.custom(
   (value) => {
-    return z23.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
+    return z20.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
       const [str] = rate.split(" ");
       const number = parseInt(str);
       return number > 0;
@@ -778,9 +726,9 @@ var RateExpressionSchema = z23.custom(
   }
   return `rate(${rate})`;
 });
-var CronExpressionSchema = z23.custom(
+var CronExpressionSchema = z20.custom(
   (value) => {
-    return z23.string().safeParse(value).success;
+    return z20.string().safeParse(value).success;
   },
   { message: "Invalid cron expression" }
 ).superRefine((value, ctx) => {
@@ -789,12 +737,12 @@ var CronExpressionSchema = z23.custom(
   } catch (error) {
     if (error instanceof Error) {
       ctx.addIssue({
-        code: z23.ZodIssueCode.custom,
+        code: z20.ZodIssueCode.custom,
         message: `Invalid cron expression: ${error.message}`
       });
     } else {
       ctx.addIssue({
-        code: z23.ZodIssueCode.custom,
+        code: z20.ZodIssueCode.custom,
         message: "Invalid cron expression"
       });
     }
@@ -805,56 +753,39 @@ var CronExpressionSchema = z23.custom(
 var ScheduleExpressionSchema = RateExpressionSchema.or(CronExpressionSchema);
 
 // src/feature/cron/schema/index.ts
-var CronsSchema = z24.record(
+var CronsSchema = z21.record(
   ResourceIdSchema,
-  z24.object({
-    enabled: z24.boolean().default(true).describe("If the cron is enabled."),
+  z21.object({
+    enabled: z21.boolean().default(true).describe("If the cron is enabled."),
     consumer: FunctionSchema.describe("The consuming lambda function properties."),
     schedule: ScheduleExpressionSchema.describe(
       'The scheduling expression.\n\nexample: "0 20 * * ? *"\nexample: "5 minutes"'
     ),
-    payload: z24.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
+    payload: z21.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
   })
 ).optional();
 
-// src/feature/cache/schema.ts
-import { z as z25 } from "zod";
-var TypeSchema = z25.enum([
-  "t4g.small",
-  "t4g.medium",
-  "r6g.large",
-  "r6g.xlarge",
-  "r6g.2xlarge",
-  "r6g.4xlarge",
-  "r6g.8xlarge",
-  "r6g.12xlarge",
-  "r6g.16xlarge",
-  "r6gd.xlarge",
-  "r6gd.2xlarge",
-  "r6gd.4xlarge",
-  "r6gd.8xlarge"
-]);
-var PortSchema = z25.number().int().min(1).max(5e4);
-var ShardsSchema = z25.number().int().min(0).max(100);
-var ReplicasPerShardSchema = z25.number().int().min(0).max(5);
-var EngineSchema = z25.enum(["7.0", "6.2"]);
-var CachesSchema = z25.record(
+// src/feature/on-failure/schema.ts
+var OnFailureSchema = FunctionSchema.optional().describe(
+  "Defining a onFailure handler will add a global onFailure handler for the following resources:\n- Async lambda functions\n- SQS queues\n- DynamoDB streams"
+);
+
+// src/feature/pubsub/schema.ts
+import { z as z22 } from "zod";
+var PubSubSchema = z22.record(
   ResourceIdSchema,
-  z25.object({
-    type: TypeSchema.default("t4g.small"),
-    port: PortSchema.default(6379),
-    shards: ShardsSchema.default(1),
-    replicasPerShard: ReplicasPerShardSchema.default(1),
-    engine: EngineSchema.default("7.0"),
-    dataTiering: z25.boolean().default(false)
+  z22.object({
+    sql: z22.string().describe("The SQL statement used to query the IOT topic."),
+    sqlVersion: z22.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
+    consumer: FunctionSchema.describe("The consuming lambda function properties.")
   })
-).optional().describe("Define the caches in your stack. For access to the cache put your functions inside the global VPC.");
+).optional().describe("Define the pubsub subscriber in your stack.");
 
 // src/feature/search/schema.ts
-import { z as z26 } from "zod";
+import { z as z23 } from "zod";
 import { gibibytes as gibibytes2 } from "@awsless/size";
-var VersionSchema = z26.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]);
-var TypeSchema2 = z26.enum([
+var VersionSchema = z23.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]);
+var TypeSchema3 = z23.enum([
   "t3.small",
   "t3.medium",
   "t3.large",
@@ -955,41 +886,41 @@ var TypeSchema2 = z26.enum([
   "r6gd.16xlarge"
 ]);
 var StorageSizeSchema = SizeSchema.refine(sizeMin(gibibytes2(10)), "Minimum storage size is 10 GB").refine(sizeMax(gibibytes2(100)), "Maximum storage size is 100 GB").describe("The size of the function's /tmp directory. You can specify a size value from 512 MB to 10 GiB.");
-var SearchsSchema = z26.record(
+var SearchsSchema = z23.record(
   ResourceIdSchema,
-  z26.object({
-    type: TypeSchema2.default("t3.small"),
-    count: z26.number().int().min(1).default(1),
+  z23.object({
+    type: TypeSchema3.default("t3.small"),
+    count: z23.number().int().min(1).default(1),
     version: VersionSchema.default("2.13"),
     storage: StorageSizeSchema.default("10 GB"),
-    vpc: z26.boolean().default(false)
+    vpc: z23.boolean().default(false)
   })
 ).optional().describe("Define the search instances in your stack. Backed by OpenSearch.");
 
 // src/feature/site/schema.ts
-import { z as z27 } from "zod";
-var ErrorResponsePathSchema = z27.string().describe(
+import { z as z24 } from "zod";
+var ErrorResponsePathSchema = z24.string().describe(
   "The path to the custom error page that you want to return to the viewer when your origin returns the HTTP status code specified.\n - We recommend that you store custom error pages in an Amazon S3 bucket. If you store custom error pages on an HTTP server and the server starts to return 5xx errors, CloudFront can't get the files that you want to return to viewers because the origin server is unavailable."
 );
-var StatusCodeSchema = z27.number().int().positive().optional().describe(
+var StatusCodeSchema = z24.number().int().positive().optional().describe(
   "The HTTP status code that you want CloudFront to return to the viewer along with the custom error page. There are a variety of reasons that you might want CloudFront to return a status code different from the status code that your origin returned to CloudFront, for example:\n- Some Internet devices (some firewalls and corporate proxies, for example) intercept HTTP 4xx and 5xx and prevent the response from being returned to the viewer. If you substitute 200, the response typically won't be intercepted.\n- If you don't care about distinguishing among different client errors or server errors, you can specify 400 or 500 as the ResponseCode for all 4xx or 5xx errors.\n- You might want to return a 200 status code (OK) and static website so your customers don't know that your website is down."
 );
 var MinTTLSchema = DurationSchema.describe(
   "The minimum amount of time, that you want to cache the error response. When this time period has elapsed, CloudFront queries your origin to see whether the problem that caused the error has been resolved and the requested object is now available."
 );
-var ErrorResponseSchema = z27.union([
+var ErrorResponseSchema = z24.union([
   ErrorResponsePathSchema,
-  z27.object({
+  z24.object({
     path: ErrorResponsePathSchema,
     statusCode: StatusCodeSchema.optional(),
     minTTL: MinTTLSchema.optional()
   })
 ]).optional();
-var SitesSchema = z27.record(
+var SitesSchema = z24.record(
   ResourceIdSchema,
-  z27.object({
+  z24.object({
     domain: ResourceIdSchema.describe("The domain id to link your site with."),
-    subDomain: z27.string().optional(),
+    subDomain: z24.string().optional(),
     // bind: z
     // 	.object({
     // 		auth: z.array(ResourceIdSchema),
@@ -1012,7 +943,7 @@ var SitesSchema = z27.record(
     // 		build: z.string().optional(),
     // 	}),
     // ]),
-    errors: z27.object({
+    errors: z24.object({
       400: ErrorResponseSchema.describe("Customize a `400 Bad Request` response."),
       403: ErrorResponseSchema.describe("Customize a `403 Forbidden` response."),
       404: ErrorResponseSchema.describe("Customize a `404 Not Found` response."),
@@ -1025,16 +956,16 @@ var SitesSchema = z27.record(
       503: ErrorResponseSchema.describe("Customize a `503 Service Unavailable` response."),
       504: ErrorResponseSchema.describe("Customize a `504 Gateway Timeout` response.")
     }).optional().describe("Customize the error responses for specific HTTP status codes."),
-    cors: z27.object({
-      override: z27.boolean().default(false),
+    cors: z24.object({
+      override: z24.boolean().default(false),
       maxAge: DurationSchema.default("365 days"),
-      exposeHeaders: z27.string().array().optional(),
-      credentials: z27.boolean().default(false),
-      headers: z27.string().array().default(["*"]),
-      origins: z27.string().array().default(["*"]),
-      methods: z27.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
+      exposeHeaders: z24.string().array().optional(),
+      credentials: z24.boolean().default(false),
+      headers: z24.string().array().default(["*"]),
+      origins: z24.string().array().default(["*"]),
+      methods: z24.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
     }).optional().describe("Define the cors headers."),
-    security: z27.object({
+    security: z24.object({
       // contentSecurityPolicy: z.object({
       // 	override: z.boolean().default(false),
       // 	policy: z.string(),
@@ -1076,56 +1007,187 @@ var SitesSchema = z27.record(
       // 	reportUri?: string
       // }
     }).optional().describe("Define the security policy."),
-    cache: z27.object({
-      cookies: z27.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
-      headers: z27.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
-      queries: z27.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
+    cache: z24.object({
+      cookies: z24.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
+      headers: z24.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
+      queries: z24.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
     }).optional().describe(
       "Specifies the cookies, headers, and query values that CloudFront includes in the cache key."
     )
   })
 ).optional().describe("Define the sites in your stack.");
 
-// src/feature/task/schema.ts
-import { z as z28 } from "zod";
-var RetryAttemptsSchema2 = z28.number().int().min(0).max(2).describe(
-  "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 2."
-);
-var TaskSchema = z28.union([
-  LocalFileSchema.transform((file) => ({
-    consumer: { file },
-    retryAttempts: void 0
-  })),
-  z28.object({
-    consumer: FunctionSchema,
-    retryAttempts: RetryAttemptsSchema2.optional()
-  })
-]);
-var TasksSchema = z28.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
-
-// src/config/stack.ts
-var DependsSchema = ResourceIdSchema.array().optional().describe("Define the stacks that this stack is depended on.");
-var NameSchema = ResourceIdSchema.refine((name) => !["base"].includes(name), {
-  message: `Stack name can't be a reserved name.`
-}).describe("Stack name.");
-var StackSchema = z29.object({
-  $schema: z29.string().optional(),
-  name: NameSchema,
-  depends: DependsSchema,
-  onFailure: OnFailureSchema,
-  auth: AuthSchema,
-  graphql: GraphQLSchema,
-  http: HttpSchema,
-  rest: RestSchema,
-  configs: ConfigsSchema,
-  crons: CronsSchema,
-  caches: CachesSchema,
-  topics: TopicsSchema,
-  subscribers: SubscribersSchema,
+// src/feature/store/schema.ts
+import { z as z25 } from "zod";
+var StoresSchema = z25.union([
+  z25.array(ResourceIdSchema).transform((list4) => {
+    const stores = {};
+    for (const key of list4) {
+      stores[key] = {};
+    }
+    return stores;
+  }),
+  z25.record(
+    ResourceIdSchema,
+    z25.object({
+      // cors: CorsSchema,
+      versioning: z25.boolean().default(false).describe("Enable versioning of your store."),
+      events: z25.object({
+        // create
+        "created:*": FunctionSchema.optional().describe(
+          "Subscribe to notifications regardless of the API that was used to create an object."
+        ),
+        "created:put": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object is created using the PUT API operation."
+        ),
+        "created:post": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object is created using the POST API operation."
+        ),
+        "created:copy": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object is created using the COPY API operation."
+        ),
+        "created:upload": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object multipart upload has been completed."
+        ),
+        // remove
+        "removed:*": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object is deleted or a delete marker for a versioned object is created."
+        ),
+        "removed:delete": FunctionSchema.optional().describe(
+          "Subscribe to notifications when an object is deleted"
+        ),
+        "removed:marker": FunctionSchema.optional().describe(
+          "Subscribe to notifications when a delete marker for a versioned object is created."
+        )
+      }).optional().describe("Describes the store events you want to subscribe too.")
+    })
+  )
+]).optional().describe("Define the stores in your stack.");
+
+// src/feature/stream/schema.ts
+import { z as z26 } from "zod";
+var LatencyModeSchema = z26.enum(["low", "normal"]).describe(
+  `Channel latency mode. Valid values:
+- normal: Use "normal" to broadcast and deliver live video up to Full HD.
+- low: Use "low" for near real-time interactions with viewers.`
+);
+var TypeSchema4 = z26.enum(["standard", "basic", "advanced-sd", "advanced-hd"]).describe(`The channel type, which determines the allowable resolution and bitrate.
+If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately. Valid values:
+- standard: Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.
+- basic: Video is transmuxed: Amazon IVS delivers the original input to viewers. The viewer's video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.
+- advanced-sd: Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.
+- advanced-hd: Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.
+`);
+var StreamsSchema = z26.record(
+  ResourceIdSchema,
+  z26.object({
+    type: TypeSchema4.default("standard"),
+    // preset: PresetSchema.optional(),
+    latencyMode: LatencyModeSchema.default("low")
+  })
+).optional().describe("Define the streams in your stack.");
+
+// src/feature/table/schema.ts
+import { z as z27 } from "zod";
+var KeySchema = z27.string().min(1).max(255);
+var TablesSchema = z27.record(
+  ResourceIdSchema,
+  z27.object({
+    hash: KeySchema.describe(
+      "Specifies the name of the partition / hash key that makes up the primary key for the table."
+    ),
+    sort: KeySchema.optional().describe(
+      "Specifies the name of the range / sort key that makes up the primary key for the table."
+    ),
+    fields: z27.record(z27.string(), z27.enum(["string", "number", "binary"])).optional().describe(
+      'A list of attributes that describe the key schema for the table and indexes. If no attribute field is defined we default to "string".'
+    ),
+    class: z27.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
+    pointInTimeRecovery: z27.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
+    timeToLiveAttribute: KeySchema.optional().describe(
+      "The name of the TTL attribute used to store the expiration time for items in the table. To update this property, you must first disable TTL and then enable TTL with the new attribute name."
+    ),
+    stream: z27.object({
+      type: z27.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
+        "When an item in the table is modified, stream.type determines what information is written to the stream for this table. Valid values are:\n- keys-only - Only the key attributes of the modified item are written to the stream.\n- new-image - The entire item, as it appears after it was modified, is written to the stream.\n- old-image - The entire item, as it appeared before it was modified, is written to the stream.\n- new-and-old-images - Both the new and the old item images of the item are written to the stream."
+      ),
+      consumer: FunctionSchema.describe("The consuming lambda function for the stream")
+    }).optional().describe(
+      "The settings for the DynamoDB table stream, which capture changes to items stored in the table."
+    ),
+    indexes: z27.record(
+      z27.string(),
+      z27.object({
+        /** Specifies the name of the partition / hash key that makes up the primary key for the global secondary index. */
+        hash: KeySchema,
+        /** Specifies the name of the range / sort key that makes up the primary key for the global secondary index. */
+        sort: KeySchema.optional(),
+        /** The set of attributes that are projected into the index:
+         * - all - All of the table attributes are projected into the index.
+         * - keys-only - Only the index and primary keys are projected into the index.
+         * @default 'all'
+         */
+        projection: z27.enum(["all", "keys-only"]).default("all")
+      })
+    ).optional().describe("Specifies the global secondary indexes to be created on the table.")
+  })
+).optional().describe("Define the tables in your stack.");
+
+// src/feature/task/schema.ts
+import { z as z28 } from "zod";
+var RetryAttemptsSchema2 = z28.number().int().min(0).max(2).describe(
+  "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 2."
+);
+var TaskSchema = z28.union([
+  LocalFileSchema.transform((file) => ({
+    consumer: { file },
+    retryAttempts: void 0
+  })),
+  z28.object({
+    consumer: FunctionSchema,
+    retryAttempts: RetryAttemptsSchema2.optional()
+  })
+]);
+var TasksSchema = z28.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
+
+// src/feature/test/schema.ts
+import { z as z29 } from "zod";
+var TestsSchema = z29.union([LocalDirectorySchema.transform((v) => [v]), LocalDirectorySchema.array()]).describe("Define the location of your tests for your stack.").optional();
+
+// src/feature/topic/schema.ts
+import { paramCase as paramCase2 } from "change-case";
+import { z as z30 } from "zod";
+var TopicNameSchema = z30.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => paramCase2(value)).describe("Define event topic name.");
+var TopicsSchema = z30.array(TopicNameSchema).refine((topics) => {
+  return topics.length === new Set(topics).size;
+}, "Must be a list of unique topic names").optional().describe("Define the event topics to publish too in your stack.");
+var SubscribersSchema = z30.record(TopicNameSchema, z30.union([EmailSchema, FunctionSchema])).optional().describe("Define the event topics to subscribe too in your stack.");
+
+// src/config/stack.ts
+var DependsSchema = ResourceIdSchema.array().optional().describe("Define the stacks that this stack is depended on.");
+var NameSchema = ResourceIdSchema.refine((name) => !["base"].includes(name), {
+  message: `Stack name can't be a reserved name.`
+}).describe("Stack name.");
+var StackSchema = z31.object({
+  $schema: z31.string().optional(),
+  name: NameSchema,
+  depends: DependsSchema,
+  onFailure: OnFailureSchema,
+  auth: AuthSchema,
+  graphql: GraphQLSchema,
+  http: HttpSchema,
+  rest: RestSchema,
+  configs: ConfigsSchema,
+  crons: CronsSchema,
+  caches: CachesSchema,
+  topics: TopicsSchema,
+  subscribers: SubscribersSchema,
   functions: FunctionsSchema,
+  instances: InstancesSchema,
   tasks: TasksSchema,
   tables: TablesSchema,
   stores: StoresSchema,
+  streams: StreamsSchema,
   queues: QueuesSchema,
   pubsub: PubSubSchema,
   searchs: SearchsSchema,
@@ -1188,13 +1250,13 @@ var readConfigWithStage = async (file, stage) => {
 };
 
 // src/config/load/validate.ts
-import { z as z30 } from "zod";
+import { z as z32 } from "zod";
 var validateConfig = async (schema, file, data) => {
   try {
     const result = await schema.parseAsync(data);
     return result;
   } catch (error) {
-    if (error instanceof z30.ZodError) {
+    if (error instanceof z32.ZodError) {
       throw new ConfigError(file, error, data);
     }
     throw error;
@@ -1658,8 +1720,8 @@ var bootstrapAwsless = async (props) => {
 };
 
 // src/util/aws.ts
+import { GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { fromIni } from "@aws-sdk/credential-providers";
-import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 var getCredentials = (profile) => {
   return fromIni({ profile });
 };
@@ -2056,11 +2118,11 @@ var findDependencies = async (file, code) => {
 // src/feature/function/build/zip.ts
 import JSZip from "jszip";
 var zipFiles = (files) => {
-  const zip = new JSZip();
+  const zip2 = new JSZip();
   for (const file of files) {
-    zip.file(file.name, file.code);
+    zip2.file(file.name, file.code);
   }
-  return zip.generateAsync({
+  return zip2.generateAsync({
     type: "nodebuffer",
     compression: "DEFLATE",
     compressionOptions: {
@@ -2147,14 +2209,14 @@ var createLambdaFunction = (group, ctx, ns, id, local2) => {
   const policy = new aws.iam.RolePolicy(group, "policy", {
     role: role.name,
     name: "lambda-policy",
-    version: "2012-10-17",
-    statements: [
-      {
-        // Give lambda access to all lambda's inside your app.
-        actions: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
-        resources: [`arn:aws:lambda:*:*:function:${ctx.appConfig.name}--*`]
-      }
-    ]
+    version: "2012-10-17"
+    // statements: [
+    // 	{
+    // 		// Give lambda access to all lambda's inside your app.
+    // 		actions: ['lambda:InvokeFunction', 'lambda:InvokeAsync'],
+    // 		resources: [`arn:aws:lambda:*:*:function:${ctx.appConfig.name}--*`],
+    // 	},
+    // ],
   });
   const lambda = new aws.lambda.Function(group, `function`, {
     ...props,
@@ -2166,7 +2228,10 @@ var createLambdaFunction = (group, ctx, ns, id, local2) => {
     vpc: void 0,
     log: props.log
   });
-  ctx.registerFunction(lambda, policy);
+  ctx.onEnv((name2, value) => {
+    lambda.addEnvironment(name2, value);
+  });
+  ctx.registerPolicy(policy);
   lambda.addEnvironment("APP", ctx.appConfig.name);
   if ("stackConfig" in ctx) {
     lambda.addEnvironment("STACK", ctx.stackConfig.name);
@@ -2275,7 +2340,6 @@ var authFeature = defineFeature({
     const gen = new TypeFile("@awsless/awsless/client");
     const resources = new TypeObject(1);
     for (const name of Object.keys(ctx.appConfig.defaults.auth)) {
-      const authName = formatGlobalResourceName(ctx.appConfig.name, "auth", name);
       resources.addType(name, `{ readonly userPoolId: string, readonly clientId: string }`);
     }
     gen.addInterface("AuthResources", resources);
@@ -2367,8 +2431,8 @@ var authFeature = defineFeature({
           userSrp: true
         }
       });
-      ctx.bindEnv(`AUTH_${constantCase2(id)}_USER_POOL_ID`, userPool.id);
-      ctx.bindEnv(`AUTH_${constantCase2(id)}_CLIENT_ID`, client.id);
+      ctx.bind(`AUTH_${constantCase2(id)}_USER_POOL_ID`, userPool.id);
+      ctx.bind(`AUTH_${constantCase2(id)}_CLIENT_ID`, client.id);
       ctx.shared.set(`auth-${id}-user-pool-arn`, userPool.arn);
       ctx.shared.set(`auth-${id}-user-pool-id`, userPool.id);
       ctx.shared.set(`auth-${id}-client-id`, client.id);
@@ -2377,8 +2441,8 @@ var authFeature = defineFeature({
 });
 
 // src/feature/cache/index.ts
+import { aws as aws3, Node as Node3 } from "@awsless/formation";
 import { constantCase as constantCase3 } from "change-case";
-import { Node as Node3, aws as aws3 } from "@awsless/formation";
 var typeGenCode = `
 import { Cluster, CommandOptions } from '@awsless/redis'
 
@@ -2433,11 +2497,9 @@ var cacheFeature = defineFeature({
         subnetGroupName: subnetGroup.name,
         ...props
       });
-      ctx.onFunction(({ lambda }) => {
-        const prefix = `CACHE_${constantCase3(ctx.stack.name)}_${constantCase3(id)}`;
-        lambda.addEnvironment(`${prefix}_HOST`, cluster.address);
-        lambda.addEnvironment(`${prefix}_PORT`, props.port.toString());
-      });
+      const prefix = `CACHE_${constantCase3(ctx.stack.name)}_${constantCase3(id)}`;
+      ctx.addEnv(`${prefix}_HOST`, cluster.address);
+      ctx.addEnv(`${prefix}_PORT`, props.port.toString());
     }
   }
 });
@@ -2563,9 +2625,9 @@ var configFeature = defineFeature({
     for (const name of configs) {
       ctx.registerConfig(name);
     }
-    ctx.onFunction(({ lambda, policy }) => {
-      if (configs.length) {
-        lambda.addEnvironment("CONFIG", configs.join(","));
+    if (configs.length) {
+      ctx.addEnv("CONFIG", configs.join(","));
+      ctx.onPolicy((policy) => {
         policy.addStatement({
           actions: [
             "ssm:GetParameter",
@@ -2579,8 +2641,8 @@ var configFeature = defineFeature({
             )}/${paramCase4(name)}`
           )
         });
-      }
-    });
+      });
+    }
   }
 });
 
@@ -2615,8 +2677,8 @@ var cronFeature = defineFeature({
 });
 
 // src/feature/domain/index.ts
-import { Node as Node5, aws as aws5 } from "@awsless/formation";
 import { minutes as minutes3 } from "@awsless/duration";
+import { aws as aws5, Node as Node5 } from "@awsless/formation";
 var domainFeature = defineFeature({
   name: "domain",
   onApp(ctx) {
@@ -2712,8 +2774,8 @@ var domainFeature = defineFeature({
         });
       }
     }
-    ctx.onFunction(
-      ({ policy }) => policy.addStatement({
+    ctx.onPolicy(
+      (policy) => policy.addStatement({
         actions: ["ses:*"],
         resources: [`arn:aws:ses:${ctx.appConfig.region}:${ctx.accountId}:identity/*`]
       })
@@ -2788,6 +2850,12 @@ var functionFeature = defineFeature({
     });
     ctx.shared.set("function-repository-name", repository.name);
     ctx.shared.set("function-repository-uri", repository.uri);
+    ctx.onPolicy((policy) => {
+      policy.addStatement({
+        actions: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
+        resources: [`arn:aws:lambda:*:*:function:${ctx.appConfig.name}--*`]
+      });
+    });
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.functions || {})) {
@@ -3137,9 +3205,9 @@ var graphqlFeature = defineFeature({
             evaluateTargetHealth: false
           }
         });
-        ctx.bindEnv(`GRAPHQL_${constantCase4(id)}_ENDPOINT`, domainName);
+        ctx.bind(`GRAPHQL_${constantCase4(id)}_ENDPOINT`, domainName);
       } else {
-        ctx.bindEnv(`GRAPHQL_${constantCase4(id)}_ENDPOINT`, api.graphql.uri);
+        ctx.bind(`GRAPHQL_${constantCase4(id)}_ENDPOINT`, api.graphql.uri);
       }
     }
   },
@@ -3330,7 +3398,7 @@ var httpFeature = defineFeature({
           dnsName: loadBalancer.dnsName
         }
       });
-      ctx.bindEnv(`HTTP_${constantCase5(id)}_ENDPOINT`, domainName);
+      ctx.bind(`HTTP_${constantCase5(id)}_ENDPOINT`, domainName);
     }
   },
   onStack(ctx) {
@@ -3374,8 +3442,140 @@ var httpFeature = defineFeature({
   }
 });
 
+// src/feature/instance/index.ts
+import { days as days3 } from "@awsless/duration";
+import { Asset as Asset3, aws as aws9, combine, Node as Node9, Output as Output2, unwrap } from "@awsless/formation";
+import { hashElement as hashElement2 } from "folder-hash";
+import { mkdir as mkdir2 } from "fs/promises";
+import { dirname as dirname9 } from "path";
+import { zip } from "zip-a-folder";
+var instanceFeature = defineFeature({
+  name: "instance",
+  onApp(ctx) {
+    const group = new Node9(ctx.base, "instance", "asset");
+    const bucket = new aws9.s3.Bucket(group, "bucket", {
+      name: formatGlobalResourceName(ctx.appConfig.name, "instance", "assets"),
+      forceDelete: true
+    });
+    ctx.shared.set("instance-bucket-name", bucket.name);
+    if (ctx.appConfig.defaults.instance.connect) {
+      new aws9.ec2.InstanceConnectEndpoint(group, "connect", {
+        name: ctx.appConfig.name,
+        subnetId: ctx.shared.get(`vpc-public-subnet-id-1`),
+        securityGroupIds: [ctx.shared.get("vpc-security-group-id")]
+      });
+    }
+  },
+  onStack(ctx) {
+    for (const [id, props] of Object.entries(ctx.stackConfig.instances ?? {})) {
+      const group = new Node9(ctx.stack, "instance", id);
+      const name = formatLocalResourceName(ctx.appConfig.name, ctx.stack.name, "instance", id);
+      const env = {
+        APP: ctx.appConfig.name,
+        STACK: ctx.stackConfig.name
+      };
+      ctx.onEnv((name2, value) => {
+        env[name2] = value;
+        if (value instanceof Output2) {
+          template.dependsOn(...value.resources);
+        }
+      });
+      const bucketName = ctx.shared.get("instance-bucket-name");
+      const userData = new Output2([], (resolve) => {
+        ctx.onReady(() => {
+          combine([bucketName, ...Object.values(env)]).apply(([bucketName2]) => {
+            const u = "ec2-user";
+            const code2 = [
+              `#!/bin/bash`,
+              `cd /home/${u}`,
+              `sudo -u ${u} aws configure set default.s3.use_dualstack_endpoint true`,
+              `sudo -u ${u} aws s3 cp s3://${bucketName2}/${name} .`,
+              `sudo -u ${u} unzip -o ${name} -d ./code`,
+              `sudo -u ${u} rm ./${name}`,
+              `cd ./code`,
+              // system environment vars
+              ...Object.entries(env).map(([key, value]) => {
+                return `echo export ${key}="${unwrap(value)}" >> /etc/profile`;
+              }),
+              // user environment vars
+              ...Object.entries(props.environment ?? {}).map(([key, value]) => {
+                return `echo export ${key}="${value}" >> /etc/profile`;
+              }),
+              props.command ? `sudo -u ${u} ${props.command}` : ""
+            ].join("\n");
+            resolve(Asset3.fromString(Buffer.from(code2, "utf8").toString("base64")));
+          });
+        });
+      });
+      const bundleFile = getBuildPath("instance", name, "bundle.zip");
+      ctx.registerBuild("instance", name, async (build3) => {
+        const version = await hashElement2(props.code, {
+          files: {
+            exclude: ["stack.json"]
+          }
+        });
+        await build3(version.hash, async () => {
+          await mkdir2(dirname9(bundleFile), { recursive: true });
+          await zip(props.code, bundleFile);
+        });
+      });
+      const code = new aws9.s3.BucketObject(group, "code", {
+        key: name,
+        bucket: bucketName,
+        body: Asset3.fromFile(bundleFile)
+      });
+      const template = new aws9.ec2.LaunchTemplate(group, "template", {
+        name,
+        imageId: props.image,
+        instanceType: props.type,
+        securityGroupIds: [ctx.shared.get("vpc-security-group-id")],
+        monitoring: true,
+        userData
+      });
+      const role = new aws9.iam.Role(group, "role", {
+        name,
+        assumedBy: "ec2.amazonaws.com"
+      });
+      const policy = new aws9.iam.RolePolicy(group, "policy", {
+        name,
+        role: role.name
+      });
+      policy.addStatement({
+        actions: ["s3:GetObject"],
+        resources: [bucketName.apply((bucket) => `arn:aws:s3:::${bucket}/${name}`)]
+      });
+      ctx.registerPolicy(policy);
+      const profile = new aws9.iam.InstanceProfile(group, "profile", {
+        name,
+        roles: [role.name]
+      });
+      const instance = new aws9.ec2.Instance(group, "instance", {
+        name,
+        iamInstanceProfile: profile.arn,
+        launchTemplate: template,
+        subnetId: ctx.shared.get(`vpc-public-subnet-id-1`)
+      });
+      instance.dependsOn(code);
+      const logGroup = new aws9.cloudWatch.LogGroup(group, "log", {
+        name: `/awsless/instance/${name}`,
+        retention: days3(3)
+      });
+      policy.addStatement(
+        {
+          actions: ["logs:CreateLogStream"],
+          resources: [logGroup.arn]
+        },
+        {
+          actions: ["logs:PutLogEvents"],
+          resources: [logGroup.arn.apply((arn) => `${arn}:*`)]
+        }
+      );
+    }
+  }
+});
+
 // src/feature/on-failure/index.ts
-import { Node as Node9, aws as aws9 } from "@awsless/formation";
+import { Node as Node10, aws as aws10 } from "@awsless/formation";
 var onFailureFeature = defineFeature({
   name: "on-failure",
   onApp(ctx) {
@@ -3386,7 +3586,7 @@ var onFailureFeature = defineFeature({
     if (count > 1) {
       throw new TypeError("Only 1 onFailure configuration is allowed in your app.");
     }
-    const queue2 = new aws9.sqs.Queue(ctx.base, "on-failure", {
+    const queue2 = new aws10.sqs.Queue(ctx.base, "on-failure", {
       name: formatGlobalResourceName(ctx.appConfig.name, "on-failure", "failure")
     });
     ctx.shared.set("on-failure-queue-arn", queue2.arn);
@@ -3397,9 +3597,9 @@ var onFailureFeature = defineFeature({
       return;
     }
     const queueArn = ctx.shared.get("on-failure-queue-arn");
-    const group = new Node9(ctx.stack, "on-failure", "failure");
+    const group = new Node10(ctx.stack, "on-failure", "failure");
     const { lambda, policy } = createLambdaFunction(group, ctx, "on-failure", "failure", onFailure);
-    const source = new aws9.lambda.EventSourceMapping(group, "on-failure", {
+    const source = new aws10.lambda.EventSourceMapping(group, "on-failure", {
       functionArn: lambda.arn,
       sourceArn: queueArn,
       batchSize: 10
@@ -3419,29 +3619,29 @@ var onFailureFeature = defineFeature({
 });
 
 // src/feature/pubsub/index.ts
-import { Node as Node10, aws as aws10 } from "@awsless/formation";
+import { aws as aws11, Node as Node11 } from "@awsless/formation";
 var pubsubFeature = defineFeature({
   name: "pubsub",
   onApp(ctx) {
-    ctx.onFunction(({ policy }) => {
+    ctx.onPolicy((policy) => {
       policy.addStatement({
-        actions: ["iot-data:publish"],
+        actions: [`iot:Publish`],
         resources: [`arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:rule/*`]
       });
     });
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.pubsub ?? {})) {
-      const group = new Node10(ctx.stack, "pubsub", id);
+      const group = new Node11(ctx.stack, "pubsub", id);
       const { lambda } = createAsyncLambdaFunction(group, ctx, `pubsub`, id, props.consumer);
       const name = formatLocalResourceName(ctx.app.name, ctx.stack.name, "pubsub", id);
-      const topic = new aws10.iot.TopicRule(group, "rule", {
+      const topic = new aws11.iot.TopicRule(group, "rule", {
         name: name.replaceAll("-", "_"),
         sql: props.sql,
         sqlVersion: props.sqlVersion,
         actions: [{ lambda: { functionArn: lambda.arn } }]
       });
-      new aws10.lambda.Permission(group, "permission", {
+      new aws11.lambda.Permission(group, "permission", {
         action: "lambda:InvokeFunction",
         principal: "iot.amazonaws.com",
         functionArn: lambda.arn,
@@ -3452,10 +3652,10 @@ var pubsubFeature = defineFeature({
 });
 
 // src/feature/queue/index.ts
+import { aws as aws12, Node as Node12 } from "@awsless/formation";
 import { camelCase as camelCase5, constantCase as constantCase6 } from "change-case";
-import { relative as relative3 } from "path";
 import deepmerge2 from "deepmerge";
-import { Node as Node11, aws as aws11 } from "@awsless/formation";
+import { relative as relative3 } from "path";
 var typeGenCode3 = `
 import { SendMessageOptions, SendMessageBatchOptions, BatchItem } from '@awsless/sqs'
 import type { Mock } from 'vitest'
@@ -3507,15 +3707,15 @@ var queueFeature = defineFeature({
   onStack(ctx) {
     for (const [id, local2] of Object.entries(ctx.stackConfig.queues || {})) {
       const props = deepmerge2(ctx.appConfig.defaults.queue, local2);
-      const group = new Node11(ctx.stack, "queue", id);
-      const queue2 = new aws11.sqs.Queue(group, "queue", {
+      const group = new Node12(ctx.stack, "queue", id);
+      const queue2 = new aws12.sqs.Queue(group, "queue", {
         name: formatLocalResourceName(ctx.appConfig.name, ctx.stack.name, "queue", id),
         deadLetterArn: getGlobalOnFailure(ctx),
         ...props
       });
       const { lambda, policy } = createLambdaFunction(group, ctx, `queue`, id, props.consumer);
       lambda.addEnvironment("LOG_VIEWABLE_ERROR", "1");
-      new aws11.lambda.EventSourceMapping(group, "event", {
+      new aws12.lambda.EventSourceMapping(group, "event", {
         functionArn: lambda.arn,
         sourceArn: queue2.arn,
         batchSize: props.batchSize,
@@ -3526,27 +3726,27 @@ var queueFeature = defineFeature({
         actions: ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         resources: [queue2.arn]
       });
-      ctx.onFunction(({ lambda: lambda2, policy: policy2 }) => {
+      ctx.addEnv(`QUEUE_${constantCase6(ctx.stack.name)}_${constantCase6(id)}_URL`, queue2.url);
+      ctx.onPolicy((policy2) => {
         policy2.addStatement(queue2.permissions);
-        lambda2.addEnvironment(`QUEUE_${constantCase6(ctx.stack.name)}_${constantCase6(id)}_URL`, queue2.url);
       });
     }
   }
 });
 
 // src/feature/rest/index.ts
-import { aws as aws12, Node as Node12 } from "@awsless/formation";
+import { aws as aws13, Node as Node13 } from "@awsless/formation";
 import { constantCase as constantCase7 } from "change-case";
 var restFeature = defineFeature({
   name: "rest",
   onApp(ctx) {
     for (const [id, props] of Object.entries(ctx.appConfig.defaults?.rest ?? {})) {
-      const group = new Node12(ctx.base, "rest", id);
-      const api = new aws12.apiGatewayV2.Api(group, "api", {
+      const group = new Node13(ctx.base, "rest", id);
+      const api = new aws13.apiGatewayV2.Api(group, "api", {
         name: formatGlobalResourceName(ctx.app.name, "rest", id),
         protocolType: "HTTP"
       });
-      const stage = new aws12.apiGatewayV2.Stage(group, "stage", {
+      const stage = new aws13.apiGatewayV2.Stage(group, "stage", {
         name: "v1",
         apiId: api.id
       });
@@ -3555,7 +3755,7 @@ var restFeature = defineFeature({
         const domainName = formatFullDomainName(ctx.appConfig, props.domain, props.subDomain);
         const hostedZoneId = ctx.shared.get(`hosted-zone-${props.domain}-id`);
         const certificateArn = ctx.shared.get(`certificate-${props.domain}-arn`);
-        const domain = new aws12.apiGatewayV2.DomainName(group, "domain", {
+        const domain = new aws13.apiGatewayV2.DomainName(group, "domain", {
           name: domainName,
           certificates: [
             {
@@ -3563,12 +3763,12 @@ var restFeature = defineFeature({
             }
           ]
         });
-        const mapping = new aws12.apiGatewayV2.ApiMapping(group, "mapping", {
+        const mapping = new aws13.apiGatewayV2.ApiMapping(group, "mapping", {
           apiId: api.id,
           domainName: domain.name,
           stage: stage.name
         });
-        const record = new aws12.route53.RecordSet(group, "record", {
+        const record = new aws13.route53.RecordSet(group, "record", {
           hostedZoneId,
           type: "A",
           name: domainName,
@@ -3579,28 +3779,28 @@ var restFeature = defineFeature({
           }
         });
         record.dependsOn(domain, mapping);
-        ctx.bindEnv(`REST_${constantCase7(id)}_ENDPOINT`, domainName);
+        ctx.bind(`REST_${constantCase7(id)}_ENDPOINT`, domainName);
       } else {
       }
     }
   },
   onStack(ctx) {
     for (const [id, routes] of Object.entries(ctx.stackConfig.rest ?? {})) {
-      const restGroup = new Node12(ctx.stack, "rest", id);
+      const restGroup = new Node13(ctx.stack, "rest", id);
       for (const [routeKey, props] of Object.entries(routes)) {
-        const group = new Node12(restGroup, "route", routeKey);
+        const group = new Node13(restGroup, "route", routeKey);
         const apiId = ctx.shared.get(`rest-${id}-id`);
         const routeId = shortId(routeKey);
         const { lambda } = createLambdaFunction(group, ctx, "rest", `${id}-${routeId}`, {
           ...props,
           description: `${id} ${routeKey}`
         });
-        const permission = new aws12.lambda.Permission(group, "permission", {
+        const permission = new aws13.lambda.Permission(group, "permission", {
           action: "lambda:InvokeFunction",
           principal: "apigateway.amazonaws.com",
           functionArn: lambda.arn
         });
-        const integration = new aws12.apiGatewayV2.Integration(group, "integration", {
+        const integration = new aws13.apiGatewayV2.Integration(group, "integration", {
           apiId,
           description: `${id} ${routeKey}`,
           method: "POST",
@@ -3610,7 +3810,7 @@ var restFeature = defineFeature({
             return `arn:aws:apigateway:${ctx.appConfig.region}:lambda:path/2015-03-31/functions/${arn}/invocations`;
           })
         });
-        const route = new aws12.apiGatewayV2.Route(group, "route", {
+        const route = new aws13.apiGatewayV2.Route(group, "route", {
           apiId,
           routeKey,
           target: integration.id.apply((id2) => `integrations/${id2}`)
@@ -3622,7 +3822,7 @@ var restFeature = defineFeature({
 });
 
 // src/feature/search/index.ts
-import { Node as Node13, aws as aws13 } from "@awsless/formation";
+import { aws as aws14, Node as Node14 } from "@awsless/formation";
 import { constantCase as constantCase8 } from "change-case";
 var typeGenCode4 = `
 import { AnyStruct, Table } from '@awsless/open-search'
@@ -3650,8 +3850,8 @@ var searchFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.searchs ?? {})) {
-      const group = new Node13(ctx.stack, "search", id);
-      const openSearch = new aws13.openSearch.Domain(group, "domain", {
+      const group = new Node14(ctx.stack, "search", id);
+      const openSearch = new aws14.openSearch.Domain(group, "domain", {
         // name: formatLocalResourceName(ctx.app.name, ctx.stack.name, this.name, id),
         version: props.version,
         storageSize: props.storage,
@@ -3677,11 +3877,8 @@ var searchFeature = defineFeature({
           ]
         });
       }
-      ctx.onFunction(({ lambda, policy }) => {
-        lambda.addEnvironment(
-          `SEARCH_${constantCase8(ctx.stack.name)}_${constantCase8(id)}_DOMAIN`,
-          openSearch.domainEndpoint
-        );
+      ctx.addEnv(`SEARCH_${constantCase8(ctx.stack.name)}_${constantCase8(id)}_DOMAIN`, openSearch.domainEndpoint);
+      ctx.onPolicy((policy) => {
         policy.addStatement({
           actions: ["es:*"],
           resources: [openSearch.arn]
@@ -3692,8 +3889,8 @@ var searchFeature = defineFeature({
 });
 
 // src/feature/site/index.ts
-import { Asset as Asset3, Node as Node14, aws as aws14 } from "@awsless/formation";
-import { days as days3, seconds as seconds3 } from "@awsless/duration";
+import { days as days4, seconds as seconds3 } from "@awsless/duration";
+import { Asset as Asset4, aws as aws15, Node as Node15 } from "@awsless/formation";
 import { glob as glob2 } from "glob";
 import { join as join8 } from "path";
 
@@ -3722,7 +3919,7 @@ var siteFeature = defineFeature({
   name: "site",
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.sites ?? {})) {
-      const group = new Node14(ctx.stack, "site", id);
+      const group = new Node15(ctx.stack, "site", id);
       const name = formatLocalResourceName(ctx.app.name, ctx.stack.name, "site", id);
       const origins = [];
       const originGroups = [];
@@ -3731,8 +3928,10 @@ var siteFeature = defineFeature({
       if (props.ssr) {
         const { lambda, code } = createLambdaFunction(group, ctx, `site`, id, props.ssr);
         versions.push(code.version);
-        ctx.registerSiteFunction(lambda);
-        new aws14.lambda.Permission(group, "permission", {
+        ctx.onBind((name2, value) => {
+          lambda.addEnvironment(name2, value);
+        });
+        new aws15.lambda.Permission(group, "permission", {
           principal: "*",
           // principal: 'cloudfront.amazonaws.com',
           action: "lambda:InvokeFunctionUrl",
@@ -3741,7 +3940,7 @@ var siteFeature = defineFeature({
           // urlAuthType: 'aws-iam',
           // sourceArn: distribution.arn,
         });
-        const url = new aws14.lambda.Url(group, "url", {
+        const url = new aws15.lambda.Url(group, "url", {
           targetArn: lambda.arn,
           authType: "none"
           // authType: 'aws-iam',
@@ -3753,7 +3952,7 @@ var siteFeature = defineFeature({
         });
       }
       if (props.static) {
-        bucket = new aws14.s3.Bucket(group, "bucket", {
+        bucket = new aws15.s3.Bucket(group, "bucket", {
           name,
           forceDelete: true,
           website: {
@@ -3770,7 +3969,7 @@ var siteFeature = defineFeature({
           ]
         });
         bucket.deletionPolicy = "after-deployment";
-        const accessControl = new aws14.cloudFront.OriginAccessControl(group, `access`, {
+        const accessControl = new aws15.cloudFront.OriginAccessControl(group, `access`, {
           name,
           type: "s3",
           behavior: "always",
@@ -3782,10 +3981,10 @@ var siteFeature = defineFeature({
           nodir: true
         });
         for (const file of files) {
-          const object = new aws14.s3.BucketObject(group, file, {
+          const object = new aws15.s3.BucketObject(group, file, {
             bucket: bucket.name,
             key: file,
-            body: Asset3.fromFile(join8(props.static, file)),
+            body: Asset4.fromFile(join8(props.static, file)),
             cacheControl: getCacheControl(file),
             contentType: getContentType(file)
           });
@@ -3805,14 +4004,14 @@ var siteFeature = defineFeature({
           statusCodes: [403, 404]
         });
       }
-      const cache = new aws14.cloudFront.CachePolicy(group, "cache", {
+      const cache = new aws15.cloudFront.CachePolicy(group, "cache", {
         name,
         minTtl: seconds3(1),
-        maxTtl: days3(365),
-        defaultTtl: days3(1),
+        maxTtl: days4(365),
+        defaultTtl: days4(1),
         ...props.cache
       });
-      const originRequest = new aws14.cloudFront.OriginRequestPolicy(group, "request", {
+      const originRequest = new aws15.cloudFront.OriginRequestPolicy(group, "request", {
         name,
         header: {
           behavior: "all-except",
@@ -3820,7 +4019,7 @@ var siteFeature = defineFeature({
         }
       });
       const domainName = formatFullDomainName(ctx.appConfig, props.domain, props.subDomain);
-      const responseHeaders = new aws14.cloudFront.ResponseHeadersPolicy(group, "response", {
+      const responseHeaders = new aws15.cloudFront.ResponseHeadersPolicy(group, "response", {
         name,
         cors: props.cors,
         remove: ["server"]
@@ -3828,7 +4027,7 @@ var siteFeature = defineFeature({
         // 	override: true,
         // },
       });
-      const distribution = new aws14.cloudFront.Distribution(group, "distribution", {
+      const distribution = new aws15.cloudFront.Distribution(group, "distribution", {
         name,
         certificateArn: ctx.shared.get(`global-certificate-${props.domain}-arn`),
         compress: true,
@@ -3856,13 +4055,13 @@ var siteFeature = defineFeature({
           };
         })
       });
-      new aws14.cloudFront.InvalidateCache(group, "invalidate", {
+      new aws15.cloudFront.InvalidateCache(group, "invalidate", {
         distributionId: distribution.id,
         paths: ["/*"],
         versions
       });
       if (props.static) {
-        new aws14.s3.BucketPolicy(group, `policy`, {
+        new aws15.s3.BucketPolicy(group, `policy`, {
           bucketName: bucket.name,
           statements: [
             {
@@ -3888,7 +4087,7 @@ var siteFeature = defineFeature({
           ]
         });
       }
-      new aws14.route53.RecordSet(group, `record`, {
+      new aws15.route53.RecordSet(group, `record`, {
         hostedZoneId: ctx.shared.get(`hosted-zone-${props.domain}-id`),
         type: "A",
         name: domainName,
@@ -3903,7 +4102,7 @@ var siteFeature = defineFeature({
 });
 
 // src/feature/store/index.ts
-import { aws as aws15, Node as Node15 } from "@awsless/formation";
+import { aws as aws16, Node as Node16 } from "@awsless/formation";
 import { paramCase as paramCase6 } from "change-case";
 var typeGenCode5 = `
 import { Body, PutObjectProps, BodyStream, createPresignedPost } from '@awsless/s3'
@@ -3940,7 +4139,7 @@ var storeFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.stores ?? {})) {
-      const group = new Node15(ctx.stack, "store", id);
+      const group = new Node16(ctx.stack, "store", id);
       const bucketName = formatLocalResourceName(ctx.appConfig.name, ctx.stack.name, "store", id);
       const lambdaConfigs = [];
       const eventMap = {
@@ -3954,10 +4153,10 @@ var storeFeature = defineFeature({
         "removed:marker": "s3:ObjectRemoved:DeleteMarkerCreated"
       };
       for (const [event, funcProps] of Object.entries(props.events ?? {})) {
-        const eventGroup = new Node15(group, "event", event);
+        const eventGroup = new Node16(group, "event", event);
         const eventId = paramCase6(`${id}-${shortId(event)}`);
         const { lambda } = createAsyncLambdaFunction(eventGroup, ctx, `store`, eventId, funcProps);
-        new aws15.lambda.Permission(eventGroup, "permission", {
+        new aws16.lambda.Permission(eventGroup, "permission", {
           action: "lambda:InvokeFunction",
           principal: "s3.amazonaws.com",
           functionArn: lambda.arn,
@@ -3968,7 +4167,7 @@ var storeFeature = defineFeature({
           function: lambda.arn
         });
       }
-      const bucket = new aws15.s3.Bucket(group, "store", {
+      const bucket = new aws16.s3.Bucket(group, "store", {
         name: bucketName,
         versioning: props.versioning,
         lambdaConfigs,
@@ -3983,15 +4182,39 @@ var storeFeature = defineFeature({
           // ---------------------------------------------
         ]
       });
-      ctx.onFunction(({ policy }) => {
+      ctx.onPolicy((policy) => {
         policy.addStatement(bucket.permissions);
       });
     }
   }
 });
 
+// src/feature/stream/index.ts
+import { aws as aws17, Node as Node17 } from "@awsless/formation";
+import { constantCase as constantCase9 } from "change-case";
+var streamFeature = defineFeature({
+  name: "stream",
+  onStack(ctx) {
+    for (const [id, props] of Object.entries(ctx.stackConfig.streams ?? {})) {
+      const group = new Node17(ctx.stack, "stream", id);
+      const name = formatLocalResourceName(ctx.appConfig.name, ctx.stack.name, "stream", id);
+      const channel = new aws17.ivs.Channel(group, "channel", {
+        name,
+        ...props
+      });
+      const streamKey = new aws17.ivs.StreamKey(group, "key", {
+        channel: channel.arn
+      });
+      const prefix = `STREAM_${constantCase9(ctx.stack.name)}_${constantCase9(id)}`;
+      ctx.bind(`${prefix}_ENDPOINT`, channel.playbackUrl);
+      ctx.addEnv(`${prefix}_INGEST_ENDPOINT`, channel.ingestEndpoint);
+      ctx.addEnv(`${prefix}_STREAM_KEY`, streamKey.value);
+    }
+  }
+});
+
 // src/feature/table/index.ts
-import { Node as Node16, aws as aws16 } from "@awsless/formation";
+import { aws as aws18, Node as Node18 } from "@awsless/formation";
 var tableFeature = defineFeature({
   name: "table",
   async onTypeGen(ctx) {
@@ -4010,8 +4233,8 @@ var tableFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.tables ?? {})) {
-      const group = new Node16(ctx.stack, "table", id);
-      const table2 = new aws16.dynamodb.Table(group, "table", {
+      const group = new Node18(ctx.stack, "table", id);
+      const table2 = new aws18.dynamodb.Table(group, "table", {
         ...props,
         name: formatLocalResourceName(ctx.appConfig.name, ctx.stackConfig.name, "table", id),
         stream: props.stream?.type
@@ -4020,7 +4243,7 @@ var tableFeature = defineFeature({
         const { lambda, policy } = createLambdaFunction(group, ctx, "table", id, props.stream.consumer);
         lambda.addEnvironment("LOG_VIEWABLE_ERROR", "1");
         const onFailure = getGlobalOnFailure(ctx);
-        const source = new aws16.lambda.EventSourceMapping(group, id, {
+        const source = new aws18.lambda.EventSourceMapping(group, id, {
           functionArn: lambda.arn,
           sourceArn: table2.streamArn,
           batchSize: 100,
@@ -4039,7 +4262,7 @@ var tableFeature = defineFeature({
           });
         }
       }
-      ctx.onFunction(({ policy }) => {
+      ctx.onPolicy((policy) => {
         policy.addStatement(...table2.permissions);
       });
     }
@@ -4047,9 +4270,9 @@ var tableFeature = defineFeature({
 });
 
 // src/feature/task/index.ts
+import { Node as Node19 } from "@awsless/formation";
 import { camelCase as camelCase6 } from "change-case";
 import { relative as relative4 } from "path";
-import { Node as Node17 } from "@awsless/formation";
 var typeGenCode6 = `
 import { InvokeOptions } from '@awsless/lambda'
 import type { Mock } from 'vitest'
@@ -4097,7 +4320,7 @@ var taskFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.tasks ?? {})) {
-      const group = new Node17(ctx.stack, "task", id);
+      const group = new Node19(ctx.stack, "task", id);
       createAsyncLambdaFunction(group, ctx, "task", id, props.consumer);
     }
   }
@@ -4114,7 +4337,7 @@ var testFeature = defineFeature({
 });
 
 // src/feature/topic/index.ts
-import { Node as Node18, aws as aws17 } from "@awsless/formation";
+import { aws as aws19, Node as Node20 } from "@awsless/formation";
 var typeGenCode7 = `
 import type { PublishOptions } from '@awsless/sns'
 import type { Mock } from 'vitest'
@@ -4151,8 +4374,8 @@ var topicFeature = defineFeature({
   onApp(ctx) {
     for (const stack of ctx.stackConfigs) {
       for (const id of stack.topics ?? []) {
-        const group = new Node18(ctx.base, "topic", id);
-        const topic = new aws17.sns.Topic(group, "topic", {
+        const group = new Node20(ctx.base, "topic", id);
+        const topic = new aws19.sns.Topic(group, "topic", {
           name: formatGlobalResourceName(ctx.appConfig.name, "topic", id)
         });
         ctx.shared.set(`topic-${id}-arn`, topic.arn);
@@ -4161,7 +4384,7 @@ var topicFeature = defineFeature({
   },
   onStack(ctx) {
     for (const id of ctx.stackConfig.topics ?? []) {
-      ctx.onFunction(({ policy }) => {
+      ctx.onPolicy((policy) => {
         policy.addStatement({
           actions: ["sns:Publish"],
           resources: [ctx.shared.get(`topic-${id}-arn`)]
@@ -4169,22 +4392,22 @@ var topicFeature = defineFeature({
       });
     }
     for (const [id, props] of Object.entries(ctx.stackConfig.subscribers ?? {})) {
-      const group = new Node18(ctx.stack, "topic", id);
+      const group = new Node20(ctx.stack, "topic", id);
       const topicArn = ctx.shared.get(`topic-${id}-arn`);
       if (typeof props === "string" && isEmail(props)) {
-        new aws17.sns.Subscription(group, id, {
+        new aws19.sns.Subscription(group, id, {
           topicArn,
           protocol: "email",
           endpoint: props
         });
       } else if (typeof props === "object") {
         const { lambda } = createAsyncLambdaFunction(group, ctx, `topic`, id, props);
-        new aws17.sns.Subscription(group, id, {
+        new aws19.sns.Subscription(group, id, {
           topicArn,
           protocol: "lambda",
           endpoint: lambda.arn
         });
-        new aws17.lambda.Permission(group, id, {
+        new aws19.lambda.Permission(group, id, {
           action: "lambda:InvokeFunction",
           principal: "sns.amazonaws.com",
           functionArn: lambda.arn,
@@ -4196,52 +4419,72 @@ var topicFeature = defineFeature({
 });
 
 // src/feature/vpc/index.ts
-import { Node as Node19, all, aws as aws18 } from "@awsless/formation";
+import { ipv6CidrBlockFromString } from "@arcanyx/cidr-slicer";
+import { aws as aws20, combine as combine2, Node as Node21 } from "@awsless/formation";
 var vpcFeature = defineFeature({
   name: "vpc",
   onApp(ctx) {
-    const group = new Node19(ctx.base, "vpc", "main");
-    const vpc = new aws18.ec2.Vpc(group, "vpc", {
+    const group = new Node21(ctx.base, "vpc", "main");
+    const vpc = new aws20.ec2.Vpc(group, "vpc", {
       name: ctx.app.name,
-      cidrBlock: aws18.ec2.Peer.ipv4("10.0.0.0/16")
+      cidrBlock: aws20.ec2.Peer.ipv4("10.0.0.0/16")
+      // cidrBlock: aws.ec2.Peer.ipv6('fd00:10:20::/48'),
+      // cidrBlock: aws.ec2.Peer.ipv6('2a05:d018:c69:6600::/56'),
+      // enableDnsSupport: true,
+      // enableDnsHostnames: true,
+    });
+    const ipv6CidrBlock = new aws20.ec2.VPCCidrBlock(group, "ipv6", {
+      vpcId: vpc.id,
+      amazonProvidedIpv6CidrBlock: true
+    });
+    const slices = ipv6CidrBlock.ipv6CidrBlock.apply((ip) => {
+      return ipv6CidrBlockFromString(ip).slice(64);
     });
-    const privateRouteTable = new aws18.ec2.RouteTable(group, "private", {
+    const privateRouteTable = new aws20.ec2.RouteTable(group, "private", {
       vpcId: vpc.id,
       name: "private"
     });
-    const publicRouteTable = new aws18.ec2.RouteTable(group, "public", {
+    const publicRouteTable = new aws20.ec2.RouteTable(group, "public", {
       vpcId: vpc.id,
       name: "public"
     });
-    const gateway = new aws18.ec2.InternetGateway(group, "gateway");
-    const attachment = new aws18.ec2.VPCGatewayAttachment(group, "attachment", {
+    const gateway = new aws20.ec2.InternetGateway(group, "gateway");
+    const attachment = new aws20.ec2.VPCGatewayAttachment(group, "attachment", {
       vpcId: vpc.id,
       internetGatewayId: gateway.id
     });
-    new aws18.ec2.Route(group, "route", {
+    new aws20.ec2.Route(group, "route", {
       gatewayId: gateway.id,
       routeTableId: publicRouteTable.id,
-      destination: aws18.ec2.Peer.anyIpv4()
+      // destination: aws.ec2.Peer.anyIpv4(),
+      destination: aws20.ec2.Peer.anyIpv6()
     });
     ctx.shared.set(
       "vpc-id",
       // Some resources require the internet gateway to be attached.
-      all([vpc.id, attachment.internetGatewayId]).apply(([id]) => id)
+      combine2([vpc.id, attachment.internetGatewayId]).apply(([id]) => id)
     );
     ctx.shared.set("vpc-security-group-id", vpc.defaultSecurityGroup);
     const zones = ["a", "b"];
     const tables = [privateRouteTable, publicRouteTable];
-    let block = 0;
+    let block = 0n;
     for (const table2 of tables) {
       for (const i in zones) {
         const index = Number(i) + 1;
         const id = `${table2.identifier}-${index}`;
-        const subnet = new aws18.ec2.Subnet(group, id, {
+        const subnet = new aws20.ec2.Subnet(group, id, {
+          name: `${ctx.app.name}--${table2.identifier}-${index}`,
           vpcId: vpc.id,
-          cidrBlock: aws18.ec2.Peer.ipv4(`10.0.${block++}.0/24`),
+          cidrBlock: aws20.ec2.Peer.ipv4(`10.0.${block++}.0/24`),
+          // ipv6CidrBlock: aws.ec2.Peer.ipv6(`fd00:10:20:${++block}::/64`),
+          // ipv6CidrBlock: aws.ec2.Peer.ipv6(`2a05:d018:c69:660${++block}::/64`),
+          // ipv6CidrBlock: ipv6CidrBlock.ipv6CidrBlock.apply(ip => ),
+          ipv6CidrBlock: slices.apply((list4) => aws20.ec2.Peer.ipv6(list4.get(block++).toString())),
+          assignIpv6AddressOnCreation: true,
+          // ipv6Native: true,
           availabilityZone: ctx.appConfig.region + zones[i]
         });
-        new aws18.ec2.SubnetRouteTableAssociation(group, id, {
+        new aws20.ec2.SubnetRouteTableAssociation(group, id, {
           routeTableId: table2.id,
           subnetId: subnet.id
         });
@@ -4261,10 +4504,12 @@ var features = [
   authFeature,
   // 3
   functionFeature,
+  instanceFeature,
   graphqlFeature,
   configFeature,
   searchFeature,
   pubsubFeature,
+  streamFeature,
   tableFeature,
   topicFeature,
   queueFeature,
@@ -4313,26 +4558,39 @@ var createApp = (props, filters = []) => {
   const app = new App(props.appConfig.name);
   const base = new Stack(app, "base");
   const shared = new SharedData();
-  const binds = [];
   const siteFunctions = [];
   const configs = /* @__PURE__ */ new Set();
   const tests = [];
   const builders = [];
-  const allFunctions = [];
-  const globalListeners = [];
-  const allLocalListeners = {};
-  const allLocalFunctions = {};
+  const readyListeners = [];
+  const binds = [];
+  const bindListeners = [];
+  const allEnv = [];
+  const allEnvListeners = [];
+  const allLocalEnv = {};
+  const allLocalEnvListeners = {};
+  const allPolicies = [];
+  const allPoliciesListeners = [];
+  const allLocalPolicies = {};
+  const allLocalPolicyListeners = {};
   for (const feature of features) {
     feature.onApp?.({
       ...props,
       app,
+      // env,
       base,
       shared,
-      onFunction(callback) {
-        globalListeners.push(callback);
+      onPolicy(callback) {
+        allPoliciesListeners.push(callback);
       },
-      registerFunction(lambda, policy) {
-        allFunctions.push({ lambda, policy });
+      // onFunction(callback) {
+      // 	allFunctionListeners.push(callback)
+      // },
+      // registerFunction(lambda) {
+      // 	allFunctions.push(lambda)
+      // },
+      registerPolicy(policy) {
+        allPolicies.push(policy);
       },
       registerTest(name, paths) {
         tests.push({ name, paths });
@@ -4340,11 +4598,23 @@ var createApp = (props, filters = []) => {
       registerBuild(type, name, builder) {
         builders.push({ type, name, builder });
       },
-      registerSiteFunction(lambda) {
-        siteFunctions.push(lambda);
-      },
-      bindEnv(name, value) {
+      // registerSiteFunction(lambda) {
+      // 	siteFunctions.push(lambda)
+      // },
+      bind(name, value) {
         binds.push({ name, value });
+      },
+      onBind(cb) {
+        bindListeners.push(cb);
+      },
+      addEnv(name, value) {
+        allEnv.push({ name, value });
+      },
+      onEnv(cb) {
+        allEnvListeners.push(cb);
+      },
+      onReady(cb) {
+        readyListeners.push(cb);
       }
     });
   }
@@ -4354,25 +4624,37 @@ var createApp = (props, filters = []) => {
     filterdStacks = filterdStacks.filter((stack) => filtersWithDeps.includes(stack.name));
   }
   for (const stackConfig of filterdStacks) {
-    const localListeners = [];
-    const localFunctions = [];
+    const localPolicyListeners = [];
+    const localPolicies = [];
+    const localEnvListeners = [];
+    const localEnv = [];
     const stack = new Stack(app, stackConfig.name);
-    allLocalListeners[stack.name] = localListeners;
-    allLocalFunctions[stack.name] = localFunctions;
+    allLocalPolicyListeners[stack.name] = localPolicyListeners;
+    allLocalPolicies[stack.name] = localPolicies;
+    allLocalEnvListeners[stack.name] = localEnvListeners;
+    allLocalEnv[stack.name] = localEnv;
     for (const feature of features) {
       feature.onStack?.({
         ...props,
         stackConfig,
         app,
+        // env,
         base,
         stack,
         shared,
-        onFunction(callback) {
-          localListeners.push(callback);
+        // onFunction(callback) {
+        // 	localFunctionListeners.push(callback)
+        // },
+        // registerFunction(lambda) {
+        // 	allFunctions.push(lambda)
+        // 	localFunctions.push(lambda)
+        // },
+        onPolicy(callback) {
+          localPolicyListeners.push(callback);
         },
-        registerFunction(lambda, policy) {
-          allFunctions.push({ lambda, policy });
-          localFunctions.push({ lambda, policy });
+        registerPolicy(policy) {
+          allPolicies.push(policy);
+          localPolicies.push(policy);
         },
         registerTest(name, paths) {
           tests.push({ name, paths });
@@ -4383,41 +4665,71 @@ var createApp = (props, filters = []) => {
         registerConfig(name) {
           configs.add(name);
         },
-        registerSiteFunction(lambda) {
-          siteFunctions.push(lambda);
-        },
-        bindEnv(name, value) {
+        // registerSiteFunction(lambda) {
+        // 	siteFunctions.push(lambda)
+        // },
+        // bindEnv(name, value) {
+        // 	binds.push({ name, value })
+        // },
+        bind(name, value) {
           binds.push({ name, value });
+        },
+        onBind(cb) {
+          bindListeners.push(cb);
+        },
+        addEnv(name, value) {
+          localEnv.push({ name, value });
+        },
+        onEnv(cb) {
+          localEnvListeners.push(cb);
+        },
+        onReady(cb) {
+          readyListeners.push(cb);
         }
       });
     }
-    for (const listener of localListeners) {
-      for (const fn of localFunctions) {
-        listener(fn);
+    for (const listener of localPolicyListeners) {
+      for (const policy of localPolicies) {
+        listener(policy);
+      }
+    }
+    for (const listener of localEnvListeners) {
+      for (const env of localEnv) {
+        listener(env.name, env.value);
       }
     }
   }
-  for (const listener of globalListeners) {
-    for (const fn of allFunctions) {
+  for (const listener of allPoliciesListeners) {
+    for (const fn of allPolicies) {
       listener(fn);
     }
   }
-  for (const lambda of siteFunctions) {
-    for (const { name, value } of binds) {
-      lambda.addEnvironment(name, value);
+  for (const listener of allEnvListeners) {
+    for (const env of allEnv) {
+      listener(env.name, env.value);
     }
   }
   for (const stackConfig of filterdStacks) {
-    const functions = allLocalFunctions[stackConfig.name];
+    const policies = allLocalPolicies[stackConfig.name];
+    const env = allLocalEnv[stackConfig.name];
     for (const dependency of stackConfig.depends ?? []) {
-      const listeners = allLocalListeners[dependency];
-      for (const fn of functions) {
-        for (const listener of listeners) {
-          listener(fn);
+      const policyListeners = allLocalPolicyListeners[dependency];
+      const envListeners = allLocalEnvListeners[dependency];
+      for (const policy of policies) {
+        for (const listener of policyListeners) {
+          listener(policy);
+        }
+      }
+      for (const entry of env) {
+        for (const listener of envListeners) {
+          listener(entry.name, entry.value);
         }
       }
     }
   }
+  for (const listener of readyListeners) {
+    listener();
+  }
   return {
     app,
     base,
@@ -4611,19 +4923,19 @@ import { confirm as confirm3 } from "@clack/prompts";
 
 // src/util/workspace.ts
 import { minutes as minutes4 } from "@awsless/duration";
-import { aws as aws20, local, WorkSpace } from "@awsless/formation";
-import { mkdir as mkdir2, readFile as readFile6, rm, writeFile as writeFile2 } from "fs/promises";
-import { dirname as dirname9, join as join9 } from "path";
+import { aws as aws22, local, WorkSpace } from "@awsless/formation";
+import { mkdir as mkdir3, readFile as readFile6, rm, writeFile as writeFile2 } from "fs/promises";
+import { dirname as dirname10, join as join9 } from "path";
 var createWorkSpace = (props) => {
-  const lockProvider = new aws20.dynamodb.LockProvider({
+  const lockProvider = new aws22.dynamodb.LockProvider({
     ...props,
     tableName: "awsless-locks"
   });
-  const stateProvider = new aws20.s3.StateProvider({
+  const stateProvider = new aws22.s3.StateProvider({
     ...props,
     bucket: "awsless-state"
   });
-  const cloudProviders = aws20.createCloudProviders({
+  const cloudProviders = aws22.createCloudProviders({
     ...props,
     timeout: minutes4(60)
   });
@@ -4642,7 +4954,7 @@ var createWorkSpace = (props) => {
 var pullRemoteState = async (app, stateProvider) => {
   const file = join9(directories.state, `${app.urn}.json`);
   const state2 = await stateProvider.get(app.urn);
-  await mkdir2(dirname9(file), { recursive: true });
+  await mkdir3(dirname10(file), { recursive: true });
   if (typeof state2 === "undefined") {
     await rm(file);
   } else {
@@ -4699,7 +5011,7 @@ import { confirm as confirm4 } from "@clack/prompts";
 
 // src/cli/ui/complex/run-tests.ts
 import { join as join11 } from "path";
-import { mkdir as mkdir3, readFile as readFile7, writeFile as writeFile3 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile7, writeFile as writeFile3 } from "fs/promises";
 
 // src/test/reporter.ts
 import { getSuites, getTests } from "@vitest/runner/utils";
@@ -4781,10 +5093,10 @@ import { startVitest } from "vitest/node";
 import commonjs3 from "@rollup/plugin-commonjs";
 import nodeResolve3 from "@rollup/plugin-node-resolve";
 import json3 from "@rollup/plugin-json";
-import { dirname as dirname10, join as join10 } from "path";
+import { dirname as dirname11, join as join10 } from "path";
 import { fileURLToPath } from "url";
 var startTest = async (props) => {
-  const __dirname = dirname10(fileURLToPath(import.meta.url));
+  const __dirname = dirname11(fileURLToPath(import.meta.url));
   const result = await startVitest(
     "test",
     props.filters,
@@ -4892,7 +5204,7 @@ var logTestErrors = (event) => {
   });
 };
 var runTest = async (stack, dir, filters) => {
-  await mkdir3(directories.test, { recursive: true });
+  await mkdir4(directories.test, { recursive: true });
   const fingerprint = await fingerprintFromDirectory(dir);
   const file = join11(directories.test, `${stack}.json`);
   const exists = await fileExist(file);
@@ -5001,81 +5313,152 @@ var deploy = (program2) => {
   });
 };
 
-// src/cli/command/diff.ts
-import { aws as aws21, WorkSpace as WorkSpace2 } from "@awsless/formation";
-import chalk7 from "chalk";
-var diff = (program2) => {
-  program2.command("diff").description("Diff your app with AWS").action(async (filters) => {
-    await layout("diff", async ({ appConfig, stackConfigs }) => {
+// src/cli/command/auth/user/create.ts
+import {
+  AdminCreateUserCommand,
+  AdminSetUserPasswordCommand,
+  CognitoIdentityProviderClient
+} from "@aws-sdk/client-cognito-identity-provider";
+import { unwrap as unwrap2 } from "@awsless/formation";
+import { password, select, text as text2 } from "@clack/prompts";
+var create = (program2) => {
+  program2.command("create").argument("[name]", "The name of the auth instance").description("Create an user for your userpool").action(async (name) => {
+    await layout("auth user create", async ({ appConfig, stackConfigs }) => {
       const region = appConfig.region;
       const credentials = getCredentials(appConfig.profile);
       const accountId = await getAccountId(credentials, region);
-      await bootstrapAwsless({ credentials, region });
-      const { app, builders } = createApp({ appConfig, stackConfigs, accountId }, filters);
-      await buildAssets(builders);
-      const workspace = new WorkSpace2({
-        stateProvider: new aws21.dynamodb.DynamoDBStateProvider({
-          credentials,
-          region,
-          tableName: "awsless-state"
-        }),
-        cloudProviders: aws21.createCloudProviders({
-          credentials,
-          region: appConfig.region
-        })
-      });
-      let total = 0;
-      const changes = [];
-      const formatResource = (stack, urn) => {
-        return urn.replace(stack.urn + ":", "").replace(/\{([a-z0-9\-]+)\}/gi, (_, v) => {
-          return `${color.dim("{")}${color.warning(v)}${color.dim("}")}`;
-        }).replaceAll(":", color.dim(":"));
-      };
-      await task("Find app differences", async () => {
-        for (const stack of app.stacks) {
-          const diff2 = await workspace.diffStack(stack);
-          total += diff2.creates.length;
-          total += diff2.updates.length;
-          total += diff2.deletes.length;
-          changes.push(
-            ...diff2.creates.map((v) => [
-              chalk7.magenta(stack.name),
-              color.success`create`,
-              formatResource(stack, v)
-            ]),
-            ...diff2.updates.map((v) => [
-              chalk7.magenta(stack.name),
-              color.warning`update`,
-              formatResource(stack, v)
-            ]),
-            ...diff2.deletes.map((v) => [
-              chalk7.magenta(stack.name),
-              color.error`delete`,
-              formatResource(stack, v)
-            ])
-          );
-        }
-        return "Done finding app differences.";
-      });
-      if (total > 0) {
-        console.log(
-          table({
-            head: ["stack", "operation", "resource"],
-            body: changes
-          })
-        );
-      }
-      return `${color.warning(total)} resources have changed.`;
-    });
-  });
+      if (!name) {
+        name = await select({
+          message: "Select the auth userpool:",
+          options: Object.keys(appConfig.defaults.auth).map((name2) => ({
+            label: name2,
+            value: name2
+          }))
+        });
+      }
+      if (!(name in appConfig.defaults.auth)) {
+        throw new Error(`Provided auth name doesn't exist inside your app config.`);
+      }
+      const { shared, app } = createApp({ appConfig, stackConfigs, accountId });
+      const { workspace } = createWorkSpace({
+        credentials,
+        accountId,
+        region
+      });
+      await workspace.hydrate(app);
+      let userPoolId;
+      try {
+        userPoolId = unwrap2(shared.get(`auth-${name}-user-pool-id`));
+      } catch (_) {
+        throw new Error(`The auth userpool hasn't been deployed yet.`);
+      }
+      const user2 = await text2({
+        message: "Username:",
+        validate(value) {
+          if (!value) {
+            return "Required";
+          }
+          return;
+        }
+      });
+      const pass = await password({
+        message: "Password:",
+        mask: "*",
+        validate(value) {
+          if (!value) {
+            return "Required";
+          }
+          return;
+        }
+      });
+      const client = new CognitoIdentityProviderClient({
+        region,
+        credentials
+      });
+      await client.send(
+        new AdminCreateUserCommand({
+          UserPoolId: userPoolId,
+          Username: user2.toString(),
+          TemporaryPassword: pass.toString()
+        })
+      );
+      await client.send(
+        new AdminSetUserPasswordCommand({
+          UserPoolId: userPoolId,
+          Username: user2.toString(),
+          Password: pass.toString(),
+          Permanent: true
+        })
+      );
+      return "User created.";
+    });
+  });
+};
+
+// src/cli/command/auth/user/index.ts
+var commands2 = [create];
+var user = (program2) => {
+  const command = program2.command("user").description(`Manage auth users`);
+  commands2.forEach((cb) => cb(command));
+};
+
+// src/cli/command/auth/index.ts
+var commands3 = [user];
+var auth = (program2) => {
+  const command = program2.command("auth").description(`Manage auth`);
+  commands3.forEach((cb) => cb(command));
+};
+
+// src/cli/command/bind.ts
+import { unwrap as unwrap3 } from "@awsless/formation";
+import { note as note3 } from "@clack/prompts";
+import { spawn } from "child_process";
+var bind = (program2) => {
+  program2.command("bind").argument("<command...>", "The command to execute").description(`Bind your site environment variables to a command`).action(async (commands7) => {
+    await layout("bind", async ({ appConfig, stackConfigs }) => {
+      const region = appConfig.region;
+      const credentials = getCredentials(appConfig.profile);
+      const accountId = await getAccountId(credentials, region);
+      const { app, binds } = createApp({ appConfig, stackConfigs, accountId });
+      const { workspace } = createWorkSpace({
+        credentials,
+        accountId,
+        region
+      });
+      await workspace.hydrate(app);
+      const env = {};
+      for (const { name, value } of binds) {
+        env[name] = unwrap3(value);
+      }
+      note3(wrap(list(env)), "Bind Env");
+      const command = commands7.join(" ");
+      spawn(command, {
+        env: {
+          // Pass the process env vars
+          ...process.env,
+          // Pass the site bind env vars
+          ...env,
+          // Basic info
+          AWS_REGION: appConfig.region,
+          AWS_ACCOUNT_ID: accountId
+          // Give AWS access
+          // AWS_ACCESS_KEY_ID: credentials.accessKeyId,
+          // AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
+          // AWS_SESSION_TOKEN: credentials.sessionToken,
+        },
+        stdio: "inherit",
+        shell: true
+      });
+    });
+  });
 };
 
 // src/cli/ui/complex/build-types.ts
 import { log as log9 } from "@clack/prompts";
 
 // src/type-gen/generate.ts
-import { mkdir as mkdir4, writeFile as writeFile4 } from "fs/promises";
-import { dirname as dirname11, join as join12, relative as relative5 } from "path";
+import { mkdir as mkdir5, writeFile as writeFile4 } from "fs/promises";
+import { dirname as dirname12, join as join12, relative as relative5 } from "path";
 var generateTypes = async (props) => {
   const files = [];
   await Promise.all(
@@ -5089,7 +5472,7 @@ var generateTypes = async (props) => {
             if (include) {
               files.push(relative5(directories.root, path));
             }
-            await mkdir4(dirname11(path), { recursive: true });
+            await mkdir5(dirname12(path), { recursive: true });
             await writeFile4(path, code);
           }
         }
@@ -5108,75 +5491,6 @@ var buildTypes = async (props) => {
   log9.step("Done generating type definition files.");
 };
 
-// src/cli/command/types.ts
-var types = (program2) => {
-  program2.command("types").description("Generate type definition files").action(async () => {
-    await layout("types", async (props) => {
-      await buildTypes(props);
-      return `Ready to use the ${color.info("@awsless/awsless")} libary!`;
-    });
-  });
-};
-
-// src/cli/command/test.ts
-var test = (program2) => {
-  program2.command("test").argument("[stacks...]", "Optionally filter stacks to test").option("-f --filters <string...>", "Optionally filter test files").description("Test your app").action(async (stacks, options) => {
-    await layout("test", async (props) => {
-      const region = props.appConfig.region;
-      const credentials = getCredentials(props.appConfig.profile);
-      const accountId = await getAccountId(credentials, region);
-      const { tests } = createApp({ ...props, accountId }, stacks);
-      if (tests.length === 0) {
-        return "No tests found.";
-      }
-      await runTests(tests, options?.filters);
-      return "All tests finished.";
-    });
-  });
-};
-
-// src/cli/command/resource/list.ts
-import chalk8 from "chalk";
-var list3 = (program2) => {
-  program2.command("list").description(`List all defined resources`).action(async () => {
-    await layout("resource list", async ({ appConfig, stackConfigs }) => {
-      const region = appConfig.region;
-      const credentials = getCredentials(appConfig.profile);
-      const accountId = await getAccountId(credentials, region);
-      const { app } = createApp({ appConfig, stackConfigs, accountId });
-      const resources = [];
-      const formatResource = (stack, urn) => {
-        return urn.replace(stack.urn + ":", "").replace(/\{([a-z0-9\-\s\/\._]+)\}/gi, (_, v) => {
-          return `${color.dim("{")}${color.warning(v)}${color.dim("}")}`;
-        }).replaceAll(":", color.dim(":"));
-      };
-      for (const stack of app.stacks) {
-        for (const resource2 of stack.resources) {
-          resources.push([
-            chalk8.magenta(stack.name),
-            // resource.type,
-            formatResource(stack, resource2.urn)
-          ]);
-        }
-      }
-      console.log(
-        table({
-          // colWidths,
-          head: ["stack", "urn"],
-          body: resources
-        })
-      );
-    });
-  });
-};
-
-// src/cli/command/resource/index.ts
-var commands2 = [list3];
-var resource = (program2) => {
-  const command = program2.command("resource").description(`Manage app resources`);
-  commands2.forEach((cb) => cb(command));
-};
-
 // src/config/load/watch.ts
 import { watch } from "chokidar";
 var watchConfig = async (options, resolve, reject) => {
@@ -5224,6 +5538,48 @@ var dev = (program2) => {
   });
 };
 
+// src/cli/command/resource/list.ts
+import chalk7 from "chalk";
+var list3 = (program2) => {
+  program2.command("list").description(`List all defined resources`).action(async () => {
+    await layout("resource list", async ({ appConfig, stackConfigs }) => {
+      const region = appConfig.region;
+      const credentials = getCredentials(appConfig.profile);
+      const accountId = await getAccountId(credentials, region);
+      const { app } = createApp({ appConfig, stackConfigs, accountId });
+      const resources = [];
+      const formatResource = (stack, urn) => {
+        return urn.replace(stack.urn + ":", "").replace(/\{([a-z0-9\-\s\/\._]+)\}/gi, (_, v) => {
+          return `${color.dim("{")}${color.warning(v)}${color.dim("}")}`;
+        }).replaceAll(":", color.dim(":"));
+      };
+      for (const stack of app.stacks) {
+        for (const resource2 of stack.resources) {
+          resources.push([
+            chalk7.magenta(stack.name),
+            // resource.type,
+            formatResource(stack, resource2.urn)
+          ]);
+        }
+      }
+      console.log(
+        table({
+          // colWidths,
+          head: ["stack", "urn"],
+          body: resources
+        })
+      );
+    });
+  });
+};
+
+// src/cli/command/resource/index.ts
+var commands4 = [list3];
+var resource = (program2) => {
+  const command = program2.command("resource").description(`Manage app resources`);
+  commands4.forEach((cb) => cb(command));
+};
+
 // src/cli/command/state/pull.ts
 var pull = (program2) => {
   program2.command("pull").description("Pull the remote state and store it locally").action(async () => {
@@ -5262,149 +5618,63 @@ var push = (program2) => {
   });
 };
 
-// src/cli/command/state/index.ts
-var commands3 = [pull, push];
-var state = (program2) => {
-  const command = program2.command("state").description(`Manage app state`);
-  commands3.forEach((cb) => cb(command));
-};
-
-// src/cli/command/auth/user/create.ts
-import {
-  AdminCreateUserCommand,
-  AdminSetUserPasswordCommand,
-  CognitoIdentityProviderClient
-} from "@aws-sdk/client-cognito-identity-provider";
-import { unwrap } from "@awsless/formation";
-import { password, select, text as text2 } from "@clack/prompts";
-var create = (program2) => {
-  program2.command("create").argument("[name]", "The name of the auth instance").description("Create an user for your userpool").action(async (name) => {
-    await layout("auth user create", async ({ appConfig, stackConfigs }) => {
+// src/cli/command/state/unlock.ts
+import { confirm as confirm6 } from "@clack/prompts";
+var unlock = (program2) => {
+  program2.command("unlock").description("Release the lock that ensures sequential deployments").action(async () => {
+    await layout("state unlock", async ({ appConfig, stackConfigs }) => {
       const region = appConfig.region;
       const credentials = getCredentials(appConfig.profile);
       const accountId = await getAccountId(credentials, region);
-      if (!name) {
-        name = await select({
-          message: "Select the auth userpool:",
-          options: Object.keys(appConfig.defaults.auth).map((name2) => ({
-            label: name2,
-            value: name2
-          }))
-        });
-      }
-      if (!(name in appConfig.defaults.auth)) {
-        throw new Error(`Provided auth name doesn't exist inside your app config.`);
+      const { app } = createApp({ appConfig, stackConfigs, accountId });
+      const { lockProvider } = createWorkSpace({ credentials, region, accountId });
+      const isLocked = await lockProvider.locked(app.urn);
+      if (!isLocked) {
+        return "No lock is exists.";
       }
-      const { shared, app } = createApp({ appConfig, stackConfigs, accountId });
-      const { workspace } = createWorkSpace({
-        credentials,
-        accountId,
-        region
+      const ok = await confirm6({
+        message: "Releasing the lock that ensures sequential deployments might result in corrupt state if a deployment is still running. Are you sure?",
+        initialValue: false
       });
-      await workspace.hydrate(app);
-      let userPoolId;
-      try {
-        userPoolId = unwrap(shared.get(`auth-${name}-user-pool-id`));
-      } catch (_) {
-        throw new Error(`The auth userpool hasn't been deployed yet.`);
+      if (!ok) {
+        throw new Cancelled();
       }
-      const user2 = await text2({
-        message: "Username:",
-        validate(value) {
-          if (!value) {
-            return "Required";
-          }
-          return;
-        }
-      });
-      const pass = await password({
-        message: "Password:",
-        mask: "*",
-        validate(value) {
-          if (!value) {
-            return "Required";
-          }
-          return;
-        }
-      });
-      const client = new CognitoIdentityProviderClient({
-        region,
-        credentials
-      });
-      await client.send(
-        new AdminCreateUserCommand({
-          UserPoolId: userPoolId,
-          Username: user2.toString(),
-          TemporaryPassword: pass.toString()
-        })
-      );
-      await client.send(
-        new AdminSetUserPasswordCommand({
-          UserPoolId: userPoolId,
-          Username: user2.toString(),
-          Password: pass.toString(),
-          Permanent: true
-        })
-      );
-      return "User created.";
+      await lockProvider.insecureReleaseLock(app.urn);
+      return "The state lock was been successfully released.";
     });
   });
 };
 
-// src/cli/command/auth/user/index.ts
-var commands4 = [create];
-var user = (program2) => {
-  const command = program2.command("user").description(`Manage auth users`);
-  commands4.forEach((cb) => cb(command));
-};
-
-// src/cli/command/auth/index.ts
-var commands5 = [user];
-var auth = (program2) => {
-  const command = program2.command("auth").description(`Manage auth`);
+// src/cli/command/state/index.ts
+var commands5 = [pull, push, unlock];
+var state = (program2) => {
+  const command = program2.command("state").description(`Manage app state`);
   commands5.forEach((cb) => cb(command));
 };
 
-// src/cli/command/bind.ts
-import { unwrap as unwrap2 } from "@awsless/formation";
-import { note as note3 } from "@clack/prompts";
-import { spawn } from "child_process";
-var bind = (program2) => {
-  program2.command("bind").argument("<command...>", "The command to execute").description(`Bind your site environment variables to a command`).action(async (commands7) => {
-    await layout("bind", async ({ appConfig, stackConfigs }) => {
-      const region = appConfig.region;
-      const credentials = getCredentials(appConfig.profile);
+// src/cli/command/test.ts
+var test = (program2) => {
+  program2.command("test").argument("[stacks...]", "Optionally filter stacks to test").option("-f --filters <string...>", "Optionally filter test files").description("Test your app").action(async (stacks, options) => {
+    await layout("test", async (props) => {
+      const region = props.appConfig.region;
+      const credentials = getCredentials(props.appConfig.profile);
       const accountId = await getAccountId(credentials, region);
-      const { app, binds } = createApp({ appConfig, stackConfigs, accountId });
-      const { workspace } = createWorkSpace({
-        credentials,
-        accountId,
-        region
-      });
-      await workspace.hydrate(app);
-      const env = {};
-      for (const { name, value } of binds) {
-        env[name] = unwrap2(value);
+      const { tests } = createApp({ ...props, accountId }, stacks);
+      if (tests.length === 0) {
+        return "No tests found.";
       }
-      note3(wrap(list(env)), "Bind Env");
-      const command = commands7.join(" ");
-      spawn(command, {
-        env: {
-          // Pass the process env vars
-          ...process.env,
-          // Pass the site bind env vars
-          ...env,
-          // Basic info
-          AWS_REGION: appConfig.region,
-          AWS_ACCOUNT_ID: accountId
-          // Give AWS access
-          // AWS_ACCESS_KEY_ID: credentials.accessKeyId,
-          // AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
-          // AWS_SESSION_TOKEN: credentials.sessionToken,
-        },
-        stdio: "inherit",
-        shell: true
-      });
+      await runTests(tests, options?.filters);
+      return "All tests finished.";
+    });
+  });
+};
+
+// src/cli/command/types.ts
+var types = (program2) => {
+  program2.command("types").description("Generate type definition files").action(async () => {
+    await layout("types", async (props) => {
+      await buildTypes(props);
+      return `Ready to use the ${color.info("@awsless/awsless")} libary!`;
     });
   });
 };
@@ -5415,7 +5685,7 @@ var commands6 = [
   types,
   build2,
   deploy,
-  diff,
+  // diff,
   del2,
   dev,
   bind,