@awsless/awsless 0.0.383 → 0.0.385

package/dist/bin.js

@@ -7563,7 +7563,7 @@ var debug = (...parts) => {
 };
 
 // src/config/app.ts
-import { z as z21 } from "zod";
+import { z as z22 } from "zod";
 
 // src/feature/auth/schema.ts
 import { z as z7 } from "zod";
@@ -7996,37 +7996,51 @@ var InstancesSchema = z12.record(
   })
 ).optional().describe("Define the instances in your stack.");
 
-// src/feature/log-subscription/schema.ts
-var LogSubscriptionSchema2 = FunctionSchema.optional().describe(
-  "Log Subscription allow you to subscribe to a real-time stream of log events and have them delivered to a specific destination."
+// src/feature/on-failure/schema.ts
+var OnFailureDefaultSchema = FunctionSchema.optional().describe(
+  "Defining a onFailure handler will add a global onFailure handler for the following resources:\n- Async lambda functions\n- SQS queues\n- DynamoDB streams"
 );
 
-// src/feature/pubsub/schema.ts
+// src/feature/on-log/schema.ts
 import { z as z13 } from "zod";
+var FilterSchema = z13.enum(["trace", "debug", "info", "warn", "error", "fatal"]).array().describe("The log level that will gets delivered to the consumer.");
+var OnLogDefaultSchema = z13.union([
+  FunctionSchema.transform((consumer) => ({
+    consumer,
+    filter: ["error", "fatal"]
+  })),
+  z13.object({
+    consumer: FunctionSchema,
+    filter: FilterSchema
+  })
+]).optional().describe("Define a subscription on all Lambda functions logs.");
+
+// src/feature/pubsub/schema.ts
+import { z as z14 } from "zod";
 var DomainSchema = ResourceIdSchema.describe("The domain id to link your Pubsub API with.");
-var PubSubDefaultSchema = z13.record(
+var PubSubDefaultSchema = z14.record(
   ResourceIdSchema,
-  z13.object({
+  z14.object({
     domain: DomainSchema.optional(),
-    subDomain: z13.string().optional(),
-    auth: z13.union([
+    subDomain: z14.string().optional(),
+    auth: z14.union([
       ResourceIdSchema,
-      z13.object({
+      z14.object({
         authorizer: FunctionSchema
         // ttl: AuthorizerTtl.default('1 hour'),
       })
     ]),
-    policy: z13.object({
-      publish: z13.array(z13.string()).optional(),
-      subscribe: z13.array(z13.string()).optional()
+    policy: z14.object({
+      publish: z14.array(z14.string()).optional(),
+      subscribe: z14.array(z14.string()).optional()
     }).optional()
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
-var PubSubSchema = z13.record(
+var PubSubSchema = z14.record(
   ResourceIdSchema,
-  z13.object({
-    sql: z13.string().describe("The SQL statement used to query the IOT topic."),
-    sqlVersion: z13.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
+  z14.object({
+    sql: z14.string().describe("The SQL statement used to query the IOT topic."),
+    sqlVersion: z14.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
     consumer: FunctionSchema.describe("The consuming lambda function properties.")
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
@@ -8034,7 +8048,7 @@ var PubSubSchema = z13.record(
 // src/feature/queue/schema.ts
 import { days as days2, hours, minutes as minutes3, seconds as seconds2 } from "@awsless/duration";
 import { kibibytes } from "@awsless/size";
-import { z as z14 } from "zod";
+import { z as z15 } from "zod";
 var RetentionPeriodSchema = DurationSchema.refine(
   durationMin(minutes3(1)),
   "Minimum retention period is 1 minute"
@@ -8062,10 +8076,10 @@ var ReceiveMessageWaitTimeSchema = DurationSchema.refine(
 var MaxMessageSizeSchema = SizeSchema.refine(sizeMin(kibibytes(1)), "Minimum max message size is 1 KB").refine(sizeMax(kibibytes(256)), "Maximum max message size is 256 KB").describe(
   "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an size from 1 KB to 256 KB."
 );
-var BatchSizeSchema = z14.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
+var BatchSizeSchema = z15.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
   "The maximum number of records in each batch that Lambda pulls from your queue and sends to your function. Lambda passes all of the records in the batch to the function in a single call, up to the payload limit for synchronous invocation (6 MB). You can specify an integer from 1 to 10000."
 );
-var MaxConcurrencySchema = z14.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
+var MaxConcurrencySchema = z15.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
   "Limits the number of concurrent instances that the queue worker can invoke. You can specify an integer from 2 to 1000."
 );
 var MaxBatchingWindow = DurationSchema.refine(
@@ -8074,7 +8088,7 @@ var MaxBatchingWindow = DurationSchema.refine(
 ).describe(
   "The maximum amount of time, that Lambda spends gathering records before invoking the function. You can specify an duration from 0 seconds to 5 minutes."
 );
-var QueueDefaultSchema = z14.object({
+var QueueDefaultSchema = z15.object({
   retentionPeriod: RetentionPeriodSchema.default("7 days"),
   visibilityTimeout: VisibilityTimeoutSchema.default("30 seconds"),
   deliveryDelay: DeliveryDelaySchema.default("0 seconds"),
@@ -8084,15 +8098,15 @@ var QueueDefaultSchema = z14.object({
   maxConcurrency: MaxConcurrencySchema.optional(),
   maxBatchingWindow: MaxBatchingWindow.optional()
 }).default({});
-var QueuesSchema = z14.record(
+var QueuesSchema = z15.record(
   ResourceIdSchema,
-  z14.union([
+  z15.union([
     LocalFileSchema.transform((file) => ({
       consumer: {
         file
       }
     })),
-    z14.object({
+    z15.object({
       consumer: FunctionSchema.describe("The consuming lambda function properties."),
       retentionPeriod: RetentionPeriodSchema.optional(),
       visibilityTimeout: VisibilityTimeoutSchema.optional(),
@@ -8107,58 +8121,58 @@ var QueuesSchema = z14.record(
 ).optional().describe("Define the queues in your stack.");
 
 // src/feature/rest/schema.ts
-import { z as z16 } from "zod";
+import { z as z17 } from "zod";
 
 // src/config/schema/route.ts
-import { z as z15 } from "zod";
-var RouteSchema2 = z15.union([
-  z15.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
-  z15.literal("$default")
+import { z as z16 } from "zod";
+var RouteSchema2 = z16.union([
+  z16.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
+  z16.literal("$default")
 ]);
 
 // src/feature/rest/schema.ts
-var RestDefaultSchema = z16.record(
+var RestDefaultSchema = z17.record(
   ResourceIdSchema,
-  z16.object({
+  z17.object({
     domain: ResourceIdSchema.describe("The domain id to link your API with.").optional(),
-    subDomain: z16.string().optional()
+    subDomain: z17.string().optional()
   })
 ).optional().describe("Define your global REST API's.");
-var RestSchema = z16.record(ResourceIdSchema, z16.record(RouteSchema2, FunctionSchema)).optional().describe("Define routes in your stack for your global REST API.");
+var RestSchema = z17.record(ResourceIdSchema, z17.record(RouteSchema2, FunctionSchema)).optional().describe("Define routes in your stack for your global REST API.");
 
 // src/feature/rpc/schema.ts
-import { z as z17 } from "zod";
-var RpcDefaultSchema = z17.record(
+import { z as z18 } from "zod";
+var RpcDefaultSchema = z18.record(
   ResourceIdSchema,
-  z17.object({
+  z18.object({
     domain: ResourceIdSchema.describe("The domain id to link your RPC API with.").optional(),
-    subDomain: z17.string().optional(),
+    subDomain: z18.string().optional(),
     auth: FunctionSchema.optional()
   })
 ).describe(`Define the global RPC API's.`).optional();
-var RpcSchema = z17.record(ResourceIdSchema, z17.record(z17.string(), FunctionSchema).describe("The queries for your global RPC API.")).describe("Define the schema in your stack for your global RPC API.").optional();
+var RpcSchema = z18.record(ResourceIdSchema, z18.record(z18.string(), FunctionSchema).describe("The queries for your global RPC API.")).describe("Define the schema in your stack for your global RPC API.").optional();
 
 // src/feature/store/schema.ts
-import { z as z18 } from "zod";
-var DeletionProtectionSchema = z18.boolean().describe("Specifies if you want to protect the store from being deleted by awsless.");
-var StoreDefaultSchema = z18.object({
+import { z as z19 } from "zod";
+var DeletionProtectionSchema = z19.boolean().describe("Specifies if you want to protect the store from being deleted by awsless.");
+var StoreDefaultSchema = z19.object({
   deletionProtection: DeletionProtectionSchema.optional()
 }).optional();
-var StoresSchema = z18.union([
-  z18.array(ResourceIdSchema).transform((list4) => {
+var StoresSchema = z19.union([
+  z19.array(ResourceIdSchema).transform((list4) => {
     const stores = {};
     for (const key of list4) {
       stores[key] = {};
     }
     return stores;
   }),
-  z18.record(
+  z19.record(
     ResourceIdSchema,
-    z18.object({
+    z19.object({
       // cors: CorsSchema,
       deletionProtection: DeletionProtectionSchema.optional(),
-      versioning: z18.boolean().default(false).describe("Enable versioning of your store."),
-      events: z18.object({
+      versioning: z19.boolean().default(false).describe("Enable versioning of your store."),
+      events: z19.object({
         // create
         "created:*": FunctionSchema.optional().describe(
           "Subscribe to notifications regardless of the API that was used to create an object."
@@ -8191,41 +8205,41 @@ var StoresSchema = z18.union([
 ]).optional().describe("Define the stores in your stack.");
 
 // src/feature/table/schema.ts
-import { z as z19 } from "zod";
-var KeySchema = z19.string().min(1).max(255);
-var DeletionProtectionSchema2 = z19.boolean().describe("Specifies if you want to protect the table from being deleted by awsless.");
-var TableDefaultSchema = z19.object({
+import { z as z20 } from "zod";
+var KeySchema = z20.string().min(1).max(255);
+var DeletionProtectionSchema2 = z20.boolean().describe("Specifies if you want to protect the table from being deleted by awsless.");
+var TableDefaultSchema = z20.object({
   deletionProtection: DeletionProtectionSchema2.optional()
 }).optional();
-var TablesSchema = z19.record(
+var TablesSchema = z20.record(
   ResourceIdSchema,
-  z19.object({
+  z20.object({
     hash: KeySchema.describe(
       "Specifies the name of the partition / hash key that makes up the primary key for the table."
     ),
     sort: KeySchema.optional().describe(
       "Specifies the name of the range / sort key that makes up the primary key for the table."
     ),
-    fields: z19.record(z19.string(), z19.enum(["string", "number", "binary"])).optional().describe(
+    fields: z20.record(z20.string(), z20.enum(["string", "number", "binary"])).optional().describe(
       'A list of attributes that describe the key schema for the table and indexes. If no attribute field is defined we default to "string".'
     ),
-    class: z19.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
-    pointInTimeRecovery: z19.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
+    class: z20.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
+    pointInTimeRecovery: z20.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
     timeToLiveAttribute: KeySchema.optional().describe(
       "The name of the TTL attribute used to store the expiration time for items in the table. To update this property, you must first disable TTL and then enable TTL with the new attribute name."
     ),
     deletionProtection: DeletionProtectionSchema2.optional(),
-    stream: z19.object({
-      type: z19.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
+    stream: z20.object({
+      type: z20.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
         "When an item in the table is modified, stream.type determines what information is written to the stream for this table. Valid values are:\n- keys-only - Only the key attributes of the modified item are written to the stream.\n- new-image - The entire item, as it appears after it was modified, is written to the stream.\n- old-image - The entire item, as it appeared before it was modified, is written to the stream.\n- new-and-old-images - Both the new and the old item images of the item are written to the stream."
       ),
       consumer: FunctionSchema.describe("The consuming lambda function for the stream")
     }).optional().describe(
       "The settings for the DynamoDB table stream, which capture changes to items stored in the table."
     ),
-    indexes: z19.record(
-      z19.string(),
-      z19.object({
+    indexes: z20.record(
+      z20.string(),
+      z20.object({
         /** Specifies the name of the partition / hash key that makes up the primary key for the global secondary index. */
         hash: KeySchema,
         /** Specifies the name of the range / sort key that makes up the primary key for the global secondary index. */
@@ -8235,14 +8249,14 @@ var TablesSchema = z19.record(
          * - keys-only - Only the index and primary keys are projected into the index.
          * @default 'all'
          */
-        projection: z19.enum(["all", "keys-only"]).default("all")
+        projection: z20.enum(["all", "keys-only"]).default("all")
       })
     ).optional().describe("Specifies the global secondary indexes to be created on the table.")
   })
 ).optional().describe("Define the tables in your stack.");
 
 // src/config/schema/region.ts
-import { z as z20 } from "zod";
+import { z as z21 } from "zod";
 var US = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"];
 var AF = ["af-south-1"];
 var AP = [
@@ -8271,22 +8285,23 @@ var EU = [
 var ME = ["me-south-1", "me-central-1"];
 var SA = ["sa-east-1"];
 var regions = [...US, ...AF, ...AP, ...CA, ...EU, ...ME, ...SA];
-var RegionSchema = z20.enum(regions);
+var RegionSchema = z21.enum(regions);
 
 // src/config/app.ts
-var AppSchema = z21.object({
-  $schema: z21.string().optional(),
+var AppSchema = z22.object({
+  $schema: z22.string().optional(),
   name: ResourceIdSchema.describe("App name."),
   region: RegionSchema.describe("The AWS region to deploy to."),
-  profile: z21.string().describe("The AWS profile to deploy to."),
+  profile: z22.string().describe("The AWS profile to deploy to."),
   // stage: z
   // 	.string()
   // 	.regex(/^[a-z]+$/)
   // 	.default('prod')
   // 	.describe('The deployment stage.'),
   // onFailure: OnFailureSchema,
-  logSubscription: LogSubscriptionSchema2,
-  defaults: z21.object({
+  defaults: z22.object({
+    onFailure: OnFailureDefaultSchema,
+    onLog: OnLogDefaultSchema,
     auth: AuthDefaultSchema,
     domains: DomainsDefaultSchema,
     function: FunctionDefaultSchema,
@@ -8304,11 +8319,11 @@ var AppSchema = z21.object({
 });
 
 // src/config/stack.ts
-import { z as z33 } from "zod";
+import { z as z34 } from "zod";
 
 // src/feature/cache/schema.ts
-import { z as z22 } from "zod";
-var TypeSchema2 = z22.enum([
+import { z as z23 } from "zod";
+var TypeSchema2 = z23.enum([
   "t4g.small",
   "t4g.medium",
   "r6g.large",
@@ -8323,29 +8338,29 @@ var TypeSchema2 = z22.enum([
   "r6gd.4xlarge",
   "r6gd.8xlarge"
 ]);
-var PortSchema = z22.number().int().min(1).max(5e4);
-var ShardsSchema = z22.number().int().min(0).max(100);
-var ReplicasPerShardSchema = z22.number().int().min(0).max(5);
-var EngineSchema = z22.enum(["7.0", "6.2"]);
-var CachesSchema = z22.record(
+var PortSchema = z23.number().int().min(1).max(5e4);
+var ShardsSchema = z23.number().int().min(0).max(100);
+var ReplicasPerShardSchema = z23.number().int().min(0).max(5);
+var EngineSchema = z23.enum(["7.0", "6.2"]);
+var CachesSchema = z23.record(
   ResourceIdSchema,
-  z22.object({
+  z23.object({
     type: TypeSchema2.default("t4g.small"),
     port: PortSchema.default(6379),
     shards: ShardsSchema.default(1),
     replicasPerShard: ReplicasPerShardSchema.default(1),
     engine: EngineSchema.default("7.0"),
-    dataTiering: z22.boolean().default(false)
+    dataTiering: z23.boolean().default(false)
   })
 ).optional().describe("Define the caches in your stack. For access to the cache put your functions inside the global VPC.");
 
 // src/feature/command/schema.ts
-import { z as z23 } from "zod";
-var CommandSchema2 = z23.union([
-  z23.object({
+import { z as z24 } from "zod";
+var CommandSchema2 = z24.union([
+  z24.object({
     file: LocalFileSchema,
-    handler: z23.string().default("default").describe("The name of the handler that needs to run"),
-    description: z23.string().optional().describe("A description of the command")
+    handler: z24.string().default("default").describe("The name of the handler that needs to run"),
+    description: z24.string().optional().describe("A description of the command")
     // options: z.record(ResourceIdSchema, OptionSchema).optional(),
     // arguments: z.record(ResourceIdSchema, ArgumentSchema).optional(),
   }),
@@ -8355,22 +8370,22 @@ var CommandSchema2 = z23.union([
     description: void 0
   }))
 ]);
-var CommandsSchema = z23.record(ResourceIdSchema, CommandSchema2).optional().describe("Define the custom commands for your stack.");
+var CommandsSchema = z24.record(ResourceIdSchema, CommandSchema2).optional().describe("Define the custom commands for your stack.");
 
 // src/feature/config/schema.ts
-import { z as z24 } from "zod";
-var ConfigNameSchema = z24.string().regex(/[a-z0-9\-]/g, "Invalid config name");
-var ConfigsSchema = z24.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
+import { z as z25 } from "zod";
+var ConfigNameSchema = z25.string().regex(/[a-z0-9\-]/g, "Invalid config name");
+var ConfigsSchema = z25.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
 
 // src/feature/cron/schema/index.ts
-import { z as z26 } from "zod";
+import { z as z27 } from "zod";
 
 // src/feature/cron/schema/schedule.ts
-import { z as z25 } from "zod";
+import { z as z26 } from "zod";
 import { awsCronExpressionValidator } from "aws-cron-expression-validator";
-var RateExpressionSchema = z25.custom(
+var RateExpressionSchema = z26.custom(
   (value) => {
-    return z25.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
+    return z26.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
       const [str] = rate.split(" ");
       const number = parseInt(str);
       return number > 0;
@@ -8386,9 +8401,9 @@ var RateExpressionSchema = z25.custom(
   }
   return `rate(${rate})`;
 });
-var CronExpressionSchema = z25.custom(
+var CronExpressionSchema = z26.custom(
   (value) => {
-    return z25.string().safeParse(value).success;
+    return z26.string().safeParse(value).success;
   },
   { message: "Invalid cron expression" }
 ).superRefine((value, ctx) => {
@@ -8397,12 +8412,12 @@ var CronExpressionSchema = z25.custom(
   } catch (error) {
     if (error instanceof Error) {
       ctx.addIssue({
-        code: z25.ZodIssueCode.custom,
+        code: z26.ZodIssueCode.custom,
         message: `Invalid cron expression: ${error.message}`
       });
     } else {
       ctx.addIssue({
-        code: z25.ZodIssueCode.custom,
+        code: z26.ZodIssueCode.custom,
         message: "Invalid cron expression"
       });
     }
@@ -8413,28 +8428,23 @@ var CronExpressionSchema = z25.custom(
 var ScheduleExpressionSchema = RateExpressionSchema.or(CronExpressionSchema);
 
 // src/feature/cron/schema/index.ts
-var CronsSchema = z26.record(
+var CronsSchema = z27.record(
   ResourceIdSchema,
-  z26.object({
-    enabled: z26.boolean().default(true).describe("If the cron is enabled."),
+  z27.object({
+    enabled: z27.boolean().default(true).describe("If the cron is enabled."),
     consumer: FunctionSchema.describe("The consuming lambda function properties."),
     schedule: ScheduleExpressionSchema.describe(
       'The scheduling expression.\n\nexample: "0 20 * * ? *"\nexample: "5 minutes"'
     ),
-    payload: z26.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
+    payload: z27.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
   })
 ).optional().describe(`Define the cron jobs in your stack.`);
 
-// src/feature/on-failure/schema.ts
-var OnFailureSchema = FunctionSchema.optional().describe(
-  "Defining a onFailure handler will add a global onFailure handler for the following resources:\n- Async lambda functions\n- SQS queues\n- DynamoDB streams"
-);
-
 // src/feature/search/schema.ts
 import { gibibytes as gibibytes2 } from "@awsless/size";
-import { z as z27 } from "zod";
-var VersionSchema = z27.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]);
-var TypeSchema3 = z27.enum([
+import { z as z28 } from "zod";
+var VersionSchema = z28.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]);
+var TypeSchema3 = z28.enum([
   "t3.small",
   "t3.medium",
   "m3.medium",
@@ -8509,41 +8519,41 @@ var TypeSchema3 = z27.enum([
   "r6gd.16xlarge"
 ]);
 var StorageSizeSchema = SizeSchema.refine(sizeMin(gibibytes2(10)), "Minimum storage size is 10 GB").refine(sizeMax(gibibytes2(100)), "Maximum storage size is 100 GB").describe("The size of the function's /tmp directory. You can specify a size value from 512 MB to 10 GiB.");
-var SearchsSchema = z27.record(
+var SearchsSchema = z28.record(
   ResourceIdSchema,
-  z27.object({
+  z28.object({
     type: TypeSchema3.default("t3.small"),
-    count: z27.number().int().min(1).default(1),
+    count: z28.number().int().min(1).default(1),
     version: VersionSchema.default("2.13"),
     storage: StorageSizeSchema.default("10 GB"),
-    vpc: z27.boolean().default(false)
+    vpc: z28.boolean().default(false)
   })
 ).optional().describe("Define the search instances in your stack. Backed by OpenSearch.");
 
 // src/feature/site/schema.ts
-import { z as z28 } from "zod";
-var ErrorResponsePathSchema = z28.string().describe(
+import { z as z29 } from "zod";
+var ErrorResponsePathSchema = z29.string().describe(
   "The path to the custom error page that you want to return to the viewer when your origin returns the HTTP status code specified.\n - We recommend that you store custom error pages in an Amazon S3 bucket. If you store custom error pages on an HTTP server and the server starts to return 5xx errors, CloudFront can't get the files that you want to return to viewers because the origin server is unavailable."
 );
-var StatusCodeSchema = z28.number().int().positive().optional().describe(
+var StatusCodeSchema = z29.number().int().positive().optional().describe(
   "The HTTP status code that you want CloudFront to return to the viewer along with the custom error page. There are a variety of reasons that you might want CloudFront to return a status code different from the status code that your origin returned to CloudFront, for example:\n- Some Internet devices (some firewalls and corporate proxies, for example) intercept HTTP 4xx and 5xx and prevent the response from being returned to the viewer. If you substitute 200, the response typically won't be intercepted.\n- If you don't care about distinguishing among different client errors or server errors, you can specify 400 or 500 as the ResponseCode for all 4xx or 5xx errors.\n- You might want to return a 200 status code (OK) and static website so your customers don't know that your website is down."
 );
 var MinTTLSchema = DurationSchema.describe(
   "The minimum amount of time, that you want to cache the error response. When this time period has elapsed, CloudFront queries your origin to see whether the problem that caused the error has been resolved and the requested object is now available."
 );
-var ErrorResponseSchema = z28.union([
+var ErrorResponseSchema = z29.union([
   ErrorResponsePathSchema,
-  z28.object({
+  z29.object({
     path: ErrorResponsePathSchema,
     statusCode: StatusCodeSchema.optional(),
     minTTL: MinTTLSchema.optional()
   })
 ]).optional();
-var SitesSchema = z28.record(
+var SitesSchema = z29.record(
   ResourceIdSchema,
-  z28.object({
+  z29.object({
     domain: ResourceIdSchema.describe("The domain id to link your site with.").optional(),
-    subDomain: z28.string().optional(),
+    subDomain: z29.string().optional(),
     // bind: z
     // 	.object({
     // 		auth: z.array(ResourceIdSchema),
@@ -8566,7 +8576,7 @@ var SitesSchema = z28.record(
     // 		build: z.string().optional(),
     // 	}),
     // ]),
-    errors: z28.object({
+    errors: z29.object({
       400: ErrorResponseSchema.describe("Customize a `400 Bad Request` response."),
       403: ErrorResponseSchema.describe("Customize a `403 Forbidden` response."),
       404: ErrorResponseSchema.describe("Customize a `404 Not Found` response."),
@@ -8579,16 +8589,16 @@ var SitesSchema = z28.record(
       503: ErrorResponseSchema.describe("Customize a `503 Service Unavailable` response."),
       504: ErrorResponseSchema.describe("Customize a `504 Gateway Timeout` response.")
     }).optional().describe("Customize the error responses for specific HTTP status codes."),
-    cors: z28.object({
-      override: z28.boolean().default(false),
+    cors: z29.object({
+      override: z29.boolean().default(false),
       maxAge: DurationSchema.default("365 days"),
-      exposeHeaders: z28.string().array().optional(),
-      credentials: z28.boolean().default(false),
-      headers: z28.string().array().default(["*"]),
-      origins: z28.string().array().default(["*"]),
-      methods: z28.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
+      exposeHeaders: z29.string().array().optional(),
+      credentials: z29.boolean().default(false),
+      headers: z29.string().array().default(["*"]),
+      origins: z29.string().array().default(["*"]),
+      methods: z29.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
     }).optional().describe("Define the cors headers."),
-    security: z28.object({
+    security: z29.object({
       // contentSecurityPolicy: z.object({
       // 	override: z.boolean().default(false),
       // 	policy: z.string(),
@@ -8630,10 +8640,10 @@ var SitesSchema = z28.record(
       // 	reportUri?: string
       // }
     }).optional().describe("Define the security policy."),
-    cache: z28.object({
-      cookies: z28.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
-      headers: z28.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
-      queries: z28.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
+    cache: z29.object({
+      cookies: z29.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
+      headers: z29.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
+      queries: z29.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
     }).optional().describe(
       "Specifies the cookies, headers, and query values that CloudFront includes in the cache key."
     )
@@ -8641,22 +8651,22 @@ var SitesSchema = z28.record(
 ).optional().describe("Define the sites in your stack.");
 
 // src/feature/stream/schema.ts
-import { z as z29 } from "zod";
-var LatencyModeSchema = z29.enum(["low", "normal"]).describe(
+import { z as z30 } from "zod";
+var LatencyModeSchema = z30.enum(["low", "normal"]).describe(
   `Channel latency mode. Valid values:
 - normal: Use "normal" to broadcast and deliver live video up to Full HD.
 - low: Use "low" for near real-time interactions with viewers.`
 );
-var TypeSchema4 = z29.enum(["standard", "basic", "advanced-sd", "advanced-hd"]).describe(`The channel type, which determines the allowable resolution and bitrate.
+var TypeSchema4 = z30.enum(["standard", "basic", "advanced-sd", "advanced-hd"]).describe(`The channel type, which determines the allowable resolution and bitrate.
 If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately. Valid values:
 - standard: Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.
 - basic: Video is transmuxed: Amazon IVS delivers the original input to viewers. The viewer's video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.
 - advanced-sd: Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.
 - advanced-hd: Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.
 `);
-var StreamsSchema = z29.record(
+var StreamsSchema = z30.record(
   ResourceIdSchema,
-  z29.object({
+  z30.object({
     type: TypeSchema4.default("standard"),
     // preset: PresetSchema.optional(),
     latencyMode: LatencyModeSchema.default("low")
@@ -8664,46 +8674,46 @@ var StreamsSchema = z29.record(
 ).optional().describe("Define the streams in your stack.");
 
 // src/feature/task/schema.ts
-import { z as z30 } from "zod";
-var RetryAttemptsSchema2 = z30.number().int().min(0).max(2).describe(
+import { z as z31 } from "zod";
+var RetryAttemptsSchema2 = z31.number().int().min(0).max(2).describe(
   "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 2."
 );
-var TaskSchema = z30.union([
+var TaskSchema = z31.union([
   LocalFileSchema.transform((file) => ({
     consumer: { file },
     retryAttempts: void 0
   })),
-  z30.object({
+  z31.object({
     consumer: FunctionSchema,
     retryAttempts: RetryAttemptsSchema2.optional()
   })
 ]);
-var TasksSchema = z30.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
+var TasksSchema = z31.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
 
 // src/feature/test/schema.ts
-import { z as z31 } from "zod";
-var TestsSchema = z31.union([LocalDirectorySchema.transform((v) => [v]), LocalDirectorySchema.array()]).describe("Define the location of your tests for your stack.").optional();
+import { z as z32 } from "zod";
+var TestsSchema = z32.union([LocalDirectorySchema.transform((v) => [v]), LocalDirectorySchema.array()]).describe("Define the location of your tests for your stack.").optional();
 
 // src/feature/topic/schema.ts
 import { paramCase as paramCase2 } from "change-case";
-import { z as z32 } from "zod";
-var TopicNameSchema = z32.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => paramCase2(value)).describe("Define event topic name.");
-var TopicsSchema = z32.array(TopicNameSchema).refine((topics) => {
+import { z as z33 } from "zod";
+var TopicNameSchema = z33.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => paramCase2(value)).describe("Define event topic name.");
+var TopicsSchema = z33.array(TopicNameSchema).refine((topics) => {
   return topics.length === new Set(topics).size;
 }, "Must be a list of unique topic names").optional().describe("Define the event topics to publish too in your stack.");
-var SubscribersSchema = z32.record(TopicNameSchema, z32.union([EmailSchema, FunctionSchema])).optional().describe("Define the event topics to subscribe too in your stack.");
+var SubscribersSchema = z33.record(TopicNameSchema, z33.union([EmailSchema, FunctionSchema])).optional().describe("Define the event topics to subscribe too in your stack.");
 
 // src/config/stack.ts
 var DependsSchema = ResourceIdSchema.array().optional().describe("Define the stacks that this stack is depended on.");
 var NameSchema = ResourceIdSchema.refine((name) => !["base"].includes(name), {
   message: `Stack name can't be a reserved name.`
 }).describe("Stack name.");
-var StackSchema = z33.object({
-  $schema: z33.string().optional(),
+var StackSchema = z34.object({
+  $schema: z34.string().optional(),
   name: NameSchema,
   depends: DependsSchema,
   commands: CommandsSchema,
-  onFailure: OnFailureSchema,
+  // onFailure: OnFailureSchema,
   auth: AuthSchema,
   graphql: GraphQLSchema,
   http: HttpSchema,
@@ -8766,13 +8776,13 @@ var readConfigWithStage = async (file, stage) => {
 };
 
 // src/config/load/validate.ts
-import { z as z34 } from "zod";
+import { z as z35 } from "zod";
 var validateConfig = async (schema, file, data) => {
   try {
     const result = await schema.parseAsync(data);
     return result;
   } catch (error) {
-    if (error instanceof z34.ZodError) {
+    if (error instanceof z35.ZodError) {
       throw new ConfigError(file, error, data);
     }
     throw error;
@@ -10425,13 +10435,7 @@ var formatByteSize = (size) => {
 
 // src/feature/on-failure/util.ts
 var getGlobalOnFailure = (ctx) => {
-  return hasOnFailure(ctx.stackConfigs) ? ctx.shared.get("on-failure-queue-arn") : void 0;
-};
-var hasOnFailure = (stacks) => {
-  const onFailure = stacks.find((stack) => {
-    return typeof stack.onFailure !== "undefined";
-  });
-  return !!onFailure;
+  return ctx.appConfig.defaults.onFailure ? ctx.shared.get("on-failure-queue-arn") : void 0;
 };
 
 // src/feature/function/build/typescript/bundle.ts
@@ -10562,6 +10566,14 @@ var createTempFolder = async (name) => {
   };
 };
 
+// src/feature/on-log/util.ts
+var getGlobalOnLog = (ctx) => {
+  return ctx.appConfig.defaults.onLog ? ctx.shared.get("on-log-consumer-arn") : void 0;
+};
+var formatFilterPattern = (filters) => {
+  return `{${filters.map((filter) => `$.level = "${filter.toUpperCase()}"`).join(" || ")}}`;
+};
+
 // src/feature/function/build/container/build.ts
 import { exec } from "promisify-child-process";
 var buildDockerImage = async (opts) => {
@@ -10728,12 +10740,13 @@ var createLambdaFunction = (group, ctx, ns, id, local2) => {
         resources: [logGroup.arn.apply((arn) => `${arn}:*`)]
       }
     );
-    const logSubscriptionArn = ctx.shared.get("log-subscription-destination-arn");
-    if (logSubscriptionArn) {
-      new aws2.cloudWatch.SubscriptionFilter(group, `log-subscription`, {
-        destinationArn: logSubscriptionArn,
+    const onLogArn = getGlobalOnLog(ctx);
+    if (onLogArn && ctx.appConfig.defaults.onLog) {
+      const logFilter = ctx.appConfig.defaults.onLog.filter;
+      new aws2.cloudWatch.SubscriptionFilter(group, `on-log`, {
+        destinationArn: onLogArn,
         logGroupName: logGroup.name,
-        filterPattern: "{$.level = ERROR}"
+        filterPattern: formatFilterPattern(logFilter)
       });
     }
   }
@@ -10810,10 +10823,11 @@ var createAsyncLambdaFunction = (group, ctx, ns, id, local2) => {
     onFailure: getGlobalOnFailure(ctx)
   });
   invokeConfig.dependsOn(result.policy);
-  if (hasOnFailure(ctx.stackConfigs)) {
+  const onFailure = getGlobalOnFailure(ctx);
+  if (onFailure) {
     result.policy.addStatement({
       actions: ["sqs:SendMessage", "sqs:GetQueueUrl"],
-      resources: [getGlobalOnFailure(ctx)]
+      resources: [onFailure]
     });
   }
   return result;
@@ -11145,7 +11159,7 @@ var configFeature = defineFeature({
     }
     if (configs.length) {
       ctx.addEnv("CONFIG", configs.join(","));
-      ctx.onPolicy((policy) => {
+      ctx.onStackPolicy((policy) => {
         policy.addStatement({
           actions: [
             "ssm:GetParameter",
@@ -11297,7 +11311,7 @@ var domainFeature = defineFeature({
         });
       }
     }
-    ctx.onPolicy(
+    ctx.onGlobalPolicy(
       (policy) => policy.addStatement({
         actions: ["ses:*"],
         resources: [`arn:aws:ses:${ctx.appConfig.region}:${ctx.accountId}:identity/*`]
@@ -11381,7 +11395,10 @@ var functionFeature = defineFeature({
     types2.addInterface("FunctionMockResponse", mockResponses);
     await ctx.write("function.d.ts", types2, true);
   },
-  onApp(ctx) {
+  // We are putting the resources for this feature in a onBefore hook
+  // because we will need it for functions defined in the onApp hook
+  // in different features
+  onBefore(ctx) {
     const group = new Node6(ctx.base, "function", "asset");
     const bucket = new aws7.s3.Bucket(group, "bucket", {
       name: formatGlobalResourceName({
@@ -11410,7 +11427,9 @@ var functionFeature = defineFeature({
     });
     ctx.shared.set("function-repository-name", repository.name);
     ctx.shared.set("function-repository-uri", repository.uri);
-    ctx.onPolicy((policy) => {
+  },
+  onApp(ctx) {
+    ctx.onGlobalPolicy((policy) => {
       policy.addStatement({
         actions: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
         resources: [`arn:aws:lambda:*:*:function:${ctx.appConfig.name}--*`]
@@ -12115,70 +12134,30 @@ var instanceFeature = defineFeature({
   }
 });
 
-// src/feature/log-subscription/index.ts
+// src/feature/on-log/index.ts
 import { Node as Node10, aws as aws11 } from "@awsless/formation";
-var logSubscriptionFeature = defineFeature({
-  name: "log-subscription",
+var onLogFeature = defineFeature({
+  name: "on-log",
   onApp(ctx) {
-    if (!ctx.appConfig.logSubscription) {
+    if (!ctx.appConfig.defaults.onLog) {
       return;
     }
-    const group = new Node10(ctx.base, "log-subscription", "main");
-    const { lambda, policy } = createLambdaFunction(
+    const group = new Node10(ctx.base, "on-log", "main");
+    const { lambda } = createLambdaFunction(
+      //
       group,
       ctx,
-      "log-subscription",
-      "main",
-      ctx.appConfig.logSubscription
+      "on-log",
+      "consumer",
+      ctx.appConfig.defaults.onLog.consumer
     );
-    new aws11.lambda.Permission(group, "log-subscription-permission", {
+    new aws11.lambda.Permission(group, "permission", {
       action: "lambda:InvokeFunction",
       principal: "logs.amazonaws.com",
       functionArn: lambda.arn,
-      sourceArn: `arn:aws:logs:${ctx.appConfig.region}:${ctx.accountId}:log-group:/aws/lambda/app-kennedy--*`
+      sourceArn: `arn:aws:logs:${ctx.appConfig.region}:${ctx.accountId}:log-group:/aws/lambda/${ctx.app.name}--*`
     });
-    ctx.shared.set("log-subscription-destination-arn", lambda.arn);
-    for (const stack of ctx.stackConfigs) {
-      for (const id of stack.topics ?? []) {
-        policy.addStatement({
-          actions: ["sns:Publish"],
-          resources: [ctx.shared.get(`topic-${id}-arn`)]
-        });
-      }
-      for (const [id, props] of Object.entries(stack.tables ?? {})) {
-        const tableName = formatLocalResourceName({
-          appName: ctx.app.name,
-          stackName: stack.name,
-          resourceType: "table",
-          resourceName: id
-        });
-        policy.addStatement({
-          actions: [
-            "dynamodb:DescribeTable",
-            "dynamodb:PutItem",
-            "dynamodb:GetItem",
-            "dynamodb:UpdateItem",
-            "dynamodb:DeleteItem",
-            "dynamodb:TransactWrite",
-            "dynamodb:BatchWriteItem",
-            "dynamodb:BatchGetItem",
-            "dynamodb:ConditionCheckItem",
-            "dynamodb:Query",
-            "dynamodb:Scan"
-          ],
-          resources: [`arn:aws:dynamodb:${ctx.appConfig.region}:${ctx.accountId}:table/${tableName}`]
-        });
-        const indexes = Object.keys(props.indexes ?? {});
-        if (indexes.length) {
-          policy.addStatement({
-            actions: ["dynamodb:Query"],
-            resources: indexes.map(
-              (indexName) => `arn:aws:dynamodb:${ctx.appConfig.region}:${ctx.accountId}:table/${tableName}/index/${indexName}`
-            )
-          });
-        }
-      }
-    }
+    ctx.shared.set("on-log-consumer-arn", lambda.arn);
   }
 });
 
@@ -12186,15 +12165,20 @@ var logSubscriptionFeature = defineFeature({
 import { Node as Node11, aws as aws12 } from "@awsless/formation";
 var onFailureFeature = defineFeature({
   name: "on-failure",
+  // onValidate(ctx) {
+  // 	// ----------------------------------------------------------------
+  // 	// Only allow a on-failure single listener
+  // 	const count = ctx.stackConfigs.filter(s => s.onFailure).length
+  // 	if (count > 1) {
+  // 		throw new TypeError('Only 1 onFailure configuration is allowed in your app.')
+  // 	}
+  // },
   onApp(ctx) {
-    if (!hasOnFailure(ctx.stackConfigs)) {
+    if (!ctx.appConfig.defaults.onFailure) {
       return;
     }
-    const count = ctx.stackConfigs.filter((s) => s.onFailure).length;
-    if (count > 1) {
-      throw new TypeError("Only 1 onFailure configuration is allowed in your app.");
-    }
-    const queue2 = new aws12.sqs.Queue(ctx.base, "on-failure", {
+    const group = new Node11(ctx.base, "on-failure", "main");
+    const queue2 = new aws12.sqs.Queue(group, "on-failure", {
       name: formatGlobalResourceName({
         appName: ctx.app.name,
         resourceType: "on-failure",
@@ -12202,18 +12186,16 @@ var onFailureFeature = defineFeature({
       })
     });
     ctx.shared.set("on-failure-queue-arn", queue2.arn);
-  },
-  onStack(ctx) {
-    const onFailure = ctx.stackConfig.onFailure;
-    if (!onFailure) {
-      return;
-    }
-    const queueArn = ctx.shared.get("on-failure-queue-arn");
-    const group = new Node11(ctx.stack, "on-failure", "failure");
-    const { lambda, policy } = createLambdaFunction(group, ctx, "on-failure", "failure", onFailure);
+    const { lambda, policy } = createLambdaFunction(
+      group,
+      ctx,
+      "on-failure",
+      "consumer",
+      ctx.appConfig.defaults.onFailure
+    );
     const source = new aws12.lambda.EventSourceMapping(group, "on-failure", {
       functionArn: lambda.arn,
-      sourceArn: queueArn,
+      sourceArn: queue2.arn,
       batchSize: 10
     });
     source.dependsOn(policy);
@@ -12225,9 +12207,34 @@ var onFailureFeature = defineFeature({
         "sqs:GetQueueUrl",
         "sqs:GetQueueAttributes"
       ],
-      resources: [queueArn]
+      resources: [queue2.arn]
     });
   }
+  // onStack(ctx) {
+  // 	const onFailure = ctx.stackConfig.onFailure
+  // 	if (!onFailure) {
+  // 		return
+  // 	}
+  // 	const queueArn = ctx.shared.get<aws.ARN>('on-failure-queue-arn')
+  // 	const group = new Node(ctx.stack, 'on-failure', 'failure')
+  // 	const { lambda, policy } = createLambdaFunction(group, ctx, 'on-failure', 'failure', onFailure)
+  // 	const source = new aws.lambda.EventSourceMapping(group, 'on-failure', {
+  // 		functionArn: lambda.arn,
+  // 		sourceArn: queueArn,
+  // 		batchSize: 10,
+  // 	})
+  // 	source.dependsOn(policy)
+  // 	policy.addStatement({
+  // 		actions: [
+  // 			'sqs:SendMessage',
+  // 			'sqs:DeleteMessage',
+  // 			'sqs:ReceiveMessage',
+  // 			'sqs:GetQueueUrl',
+  // 			'sqs:GetQueueAttributes',
+  // 		],
+  // 		resources: [queueArn],
+  // 	})
+  // },
 });
 
 // src/feature/pubsub/index.ts
@@ -12283,7 +12290,7 @@ var pubsubFeature = defineFeature({
         ctx.bind(`PUBSUB_${constantCase6(id)}_ENDPOINT`, endpoint.address);
       }
     }
-    ctx.onPolicy((policy) => {
+    ctx.onGlobalPolicy((policy) => {
       policy.addStatement({
         actions: [`iot:Publish`],
         resources: [`arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/*`]
@@ -12404,7 +12411,7 @@ var queueFeature = defineFeature({
         resources: [queue2.arn]
       });
       ctx.addEnv(`QUEUE_${constantCase7(ctx.stack.name)}_${constantCase7(id)}_URL`, queue2.url);
-      ctx.onPolicy((policy2) => {
+      ctx.onStackPolicy((policy2) => {
         policy2.addStatement(queue2.permissions);
       });
     }
@@ -12868,7 +12875,7 @@ var searchFeature = defineFeature({
         });
       }
       ctx.addEnv(`SEARCH_${constantCase10(ctx.stack.name)}_${constantCase10(id)}_DOMAIN`, openSearch.domainEndpoint);
-      ctx.onPolicy((policy) => {
+      ctx.onStackPolicy((policy) => {
         policy.addStatement({
           actions: ["es:ESHttp*"],
           resources: [openSearch.arn]
@@ -12972,7 +12979,7 @@ var siteFeature = defineFeature({
             }
           ]
         });
-        ctx.onPolicy((policy) => {
+        ctx.onStackPolicy((policy) => {
           policy.addStatement(bucket.permissions);
         });
         bucket.deletionPolicy = "after-deployment";
@@ -13147,6 +13154,33 @@ var storeFeature = defineFeature({
     gen.addInterface("StoreResources", resources);
     await ctx.write("store.d.ts", gen, true);
   },
+  onApp(ctx) {
+    ctx.onAppPolicy((policy) => {
+      const name = formatLocalResourceName({
+        appName: ctx.app.name,
+        stackName: "*",
+        resourceType: "store",
+        resourceName: "*"
+      });
+      policy.addStatement({
+        actions: [
+          "s3:ListBucket",
+          "s3:ListBucketV2",
+          "s3:HeadObject",
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:CopyObject",
+          "s3:GetObjectAttributes"
+        ],
+        resources: [
+          //
+          `arn:aws:s3:::${name}`,
+          `arn:aws:s3:::${name}/*`
+        ]
+      });
+    });
+  },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.stores ?? {})) {
       const group = new Node19(ctx.stack, "store", id);
@@ -13206,7 +13240,7 @@ var storeFeature = defineFeature({
       if (deletionProtection) {
         bucket.deletionPolicy = "retain";
       }
-      ctx.onPolicy((policy) => {
+      ctx.onStackPolicy((policy) => {
         policy.addStatement(bucket.permissions);
       });
     }
@@ -13265,6 +13299,33 @@ var tableFeature = defineFeature({
     gen.addInterface("TableResources", resources);
     await ctx.write("table.d.ts", gen, true);
   },
+  onApp(ctx) {
+    ctx.onAppPolicy((policy) => {
+      const name = formatLocalResourceName({
+        appName: ctx.app.name,
+        stackName: "*",
+        resourceType: "table",
+        resourceName: "*"
+      });
+      policy.addStatement({
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:DeleteItem",
+          "dynamodb:BatchWriteItem",
+          "dynamodb:GetItem",
+          "dynamodb:BatchGetItem",
+          "dynamodb:Scan",
+          "dynamodb:Query",
+          "dynamodb:ConditionCheckItem"
+        ],
+        resources: [
+          `arn:aws:dynamodb:${ctx.appConfig.region}:*:table/${name}`,
+          `arn:aws:dynamodb:${ctx.appConfig.region}:*:table/${name}/index/*`
+        ]
+      });
+    });
+  },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.tables ?? {})) {
       const group = new Node21(ctx.stack, "table", id);
@@ -13307,7 +13368,7 @@ var tableFeature = defineFeature({
           });
         }
       }
-      ctx.onPolicy((policy) => {
+      ctx.onStackPolicy((policy) => {
         policy.addStatement(...table2.permissions);
       });
     }
@@ -13466,10 +13527,22 @@ var topicFeature = defineFeature({
         ctx.shared.set(`topic-${id}-arn`, topic.arn);
       }
     }
+    ctx.onAppPolicy((policy) => {
+      policy.addStatement({
+        actions: ["sns:Publish"],
+        resources: [
+          `arn:aws:sns:${ctx.appConfig.region}:*:${formatGlobalResourceName({
+            appName: ctx.app.name,
+            resourceType: "topic",
+            resourceName: "*"
+          })}`
+        ]
+      });
+    });
   },
   onStack(ctx) {
     for (const id of ctx.stackConfig.topics ?? []) {
-      ctx.onPolicy((policy) => {
+      ctx.onStackPolicy((policy) => {
         policy.addStatement({
           actions: ["sns:Publish"],
           resources: [ctx.shared.get(`topic-${id}-arn`)]
@@ -13579,6 +13652,7 @@ var features = [
   domainFeature,
   commandFeature,
   onFailureFeature,
+  onLogFeature,
   // 2
   authFeature,
   // 3
@@ -13601,8 +13675,6 @@ var features = [
   restFeature,
   siteFeature,
   // 4
-  logSubscriptionFeature,
-  // I think needs to be after s3 feature
   rpcFeature
 ];
 
@@ -13928,30 +14000,38 @@ var createApp = (props) => {
   const allLocalEnvListeners = {};
   const globalPolicies = [];
   const globalPoliciesListeners = [];
-  const allLocalPolicies = {};
-  const allLocalPolicyListeners = {};
+  const appPolicies = [];
+  const appPoliciesListeners = [];
+  const allStackPolicies = {};
+  const allStackPolicyListeners = {};
   for (const stackConfig of props.stackConfigs) {
     assertDepsExists(stackConfig, props.stackConfigs);
   }
+  for (const feature of features) {
+    feature.onBefore?.({
+      ...props,
+      app,
+      appId,
+      base: base2,
+      shared
+    });
+  }
   for (const feature of features) {
     feature.onApp?.({
       ...props,
       app,
       appId,
-      // env,
       base: base2,
       shared,
-      onPolicy(callback) {
+      onGlobalPolicy(callback) {
         globalPoliciesListeners.push(callback);
       },
-      // onFunction(callback) {
-      // 	allFunctionListeners.push(callback)
-      // },
-      // registerFunction(lambda) {
-      // 	allFunctions.push(lambda)
-      // },
+      onAppPolicy(callback) {
+        appPoliciesListeners.push(callback);
+      },
       registerPolicy(policy) {
         globalPolicies.push(policy);
+        appPolicies.push(policy);
       },
       registerBuild(type, name, builder) {
         builders.push({
@@ -13964,9 +14044,6 @@ var createApp = (props) => {
       registerCommand(command) {
         commands7.push(command);
       },
-      // registerSiteFunction(lambda) {
-      // 	siteFunctions.push(lambda)
-      // },
       bind(name, value) {
         binds.push({ name, value });
       },
@@ -13986,12 +14063,12 @@ var createApp = (props) => {
   }
   for (const stackConfig of props.stackConfigs) {
     const stack = new Stack(app, stackConfig.name);
-    const localPolicyListeners = [];
-    const localPolicies = [];
+    const stackPolicyListeners = [];
+    const stackPolicies = [];
     const localEnvListeners = [];
     const localEnv = [];
-    allLocalPolicyListeners[stack.name] = localPolicyListeners;
-    allLocalPolicies[stack.name] = localPolicies;
+    allStackPolicyListeners[stack.name] = stackPolicyListeners;
+    allStackPolicies[stack.name] = stackPolicies;
     allLocalEnvListeners[stack.name] = localEnvListeners;
     allLocalEnv[stack.name] = localEnv;
     for (const feature of features) {
@@ -14000,24 +14077,26 @@ var createApp = (props) => {
         stackConfig,
         app,
         appId,
-        // env,
         base: base2,
         stack,
         shared,
-        // onFunction(callback) {
-        // 	localFunctionListeners.push(callback)
-        // },
-        // registerFunction(lambda) {
-        // 	allFunctions.push(lambda)
-        // 	localFunctions.push(lambda)
-        // },
-        onPolicy(callback) {
-          localPolicyListeners.push(callback);
+        onGlobalPolicy(callback) {
+          globalPoliciesListeners.push(callback);
+        },
+        onAppPolicy(callback) {
+          appPoliciesListeners.push(callback);
+        },
+        onStackPolicy(callback) {
+          stackPolicyListeners.push(callback);
         },
         registerPolicy(policy) {
           globalPolicies.push(policy);
-          localPolicies.push(policy);
+          stackPolicies.push(policy);
         },
+        // registerPolicy(policy) {
+        // 	globalPolicies.push(policy)
+        // 	localPolicies.push(policy)
+        // },
         registerTest(name, paths) {
           tests.push({
             stackName: stack.name,
@@ -14062,8 +14141,8 @@ var createApp = (props) => {
         }
       });
     }
-    for (const listener of localPolicyListeners) {
-      for (const policy of localPolicies) {
+    for (const listener of stackPolicyListeners) {
+      for (const policy of stackPolicies) {
         listener(policy);
       }
     }
@@ -14073,6 +14152,11 @@ var createApp = (props) => {
       }
     }
   }
+  for (const listener of appPoliciesListeners) {
+    for (const fn of appPolicies) {
+      listener(fn);
+    }
+  }
   for (const listener of globalPoliciesListeners) {
     for (const fn of globalPolicies) {
       listener(fn);
@@ -14084,10 +14168,10 @@ var createApp = (props) => {
     }
   }
   for (const stackConfig of props.stackConfigs) {
-    const policies = allLocalPolicies[stackConfig.name];
+    const policies = allStackPolicies[stackConfig.name];
     const envListeners = allLocalEnvListeners[stackConfig.name];
     for (const dependency of stackConfig.depends ?? []) {
-      const policyListeners = allLocalPolicyListeners[dependency];
+      const policyListeners = allStackPolicyListeners[dependency];
       const env = allLocalEnv[dependency];
       for (const policy of policies) {
         for (const listener of policyListeners) {