@awsless/awsless 0.0.653 → 0.0.655

package/dist/bin.js

@@ -939,7 +939,7 @@ var debug = (...parts) => {
 };
 
 // src/config/app.ts
-import { z as z28 } from "zod";
+import { z as z29 } from "zod";
 
 // src/feature/alert/schema.ts
 import { kebabCase } from "change-case";
@@ -1304,39 +1304,50 @@ var LayerSchema = z17.record(
 ).optional().describe("Define the lambda layers in your stack.");
 
 // src/feature/on-failure/schema.ts
-var OnFailureDefaultSchema = FunctionSchema.optional().describe(
+import { z as z18 } from "zod";
+var NotifySchema = z18.union([
+  //
+  EmailSchema.transform((v) => [v]),
+  EmailSchema.array()
+]).describe("Receive an email notification when consuming failure entries goes wrong.");
+var OnFailureDefaultSchema = z18.object({
+  consumer: FunctionSchema,
+  notify: NotifySchema.optional()
+}).optional().describe(
   [
     "Defining a onFailure handler will add a global onFailure handler for the following resources:",
-    "- CloudWatch Scheduler",
-    "- Async lambda functions",
-    "- SQS queues",
-    "- DynamoDB streams"
+    "- Tasks",
+    "- Crons",
+    "- Queues",
+    "- Topics",
+    "- Pubsub",
+    "- Table streams"
   ].join("\n")
 );
 
 // src/feature/on-log/schema.ts
-import { z as z18 } from "zod";
-var FilterSchema = z18.enum(["trace", "debug", "info", "warn", "error", "fatal"]).array().describe("The log level that will gets delivered to the consumer.");
-var OnLogDefaultSchema = z18.union([
+import { z as z19 } from "zod";
+var FilterSchema = z19.enum(["trace", "debug", "info", "warn", "error", "fatal"]).array().describe("The log level that will gets delivered to the consumer.");
+var OnLogDefaultSchema = z19.union([
   FunctionSchema.transform((consumer) => ({
     consumer,
     filter: ["error", "fatal"]
   })),
-  z18.object({
+  z19.object({
     consumer: FunctionSchema,
     filter: FilterSchema
   })
 ]).optional().describe("Define a subscription on all Lambda functions logs.");
 
 // src/feature/pubsub/schema.ts
-import { z as z19 } from "zod";
+import { z as z20 } from "zod";
 var DomainSchema = ResourceIdSchema.describe("The domain id to link your Pubsub API with.");
-var PubSubDefaultSchema = z19.record(
+var PubSubDefaultSchema = z20.record(
   ResourceIdSchema,
-  z19.object({
+  z20.object({
     auth: FunctionSchema,
     domain: DomainSchema.optional(),
-    subDomain: z19.string().optional()
+    subDomain: z20.string().optional()
     // auth: z.union([
     // 	ResourceIdSchema,
     // 	z.object({
@@ -1352,11 +1363,11 @@ var PubSubDefaultSchema = z19.record(
     // 	.optional(),
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
-var PubSubSchema = z19.record(
+var PubSubSchema = z20.record(
   ResourceIdSchema,
-  z19.object({
-    sql: z19.string().describe("The SQL statement used to query the IOT topic."),
-    sqlVersion: z19.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
+  z20.object({
+    sql: z20.string().describe("The SQL statement used to query the IOT topic."),
+    sqlVersion: z20.enum(["2015-10-08", "2016-03-23", "beta"]).default("2016-03-23").describe("The version of the SQL rules engine to use when evaluating the rule."),
     consumer: FunctionSchema.describe("The consuming lambda function properties.")
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
@@ -1364,7 +1375,7 @@ var PubSubSchema = z19.record(
 // src/feature/queue/schema.ts
 import { days as days2, hours, minutes as minutes2, seconds as seconds2 } from "@awsless/duration";
 import { kibibytes } from "@awsless/size";
-import { z as z20 } from "zod";
+import { z as z21 } from "zod";
 var RetentionPeriodSchema = DurationSchema.refine(
   durationMin(minutes2(1)),
   "Minimum retention period is 1 minute"
@@ -1392,10 +1403,10 @@ var ReceiveMessageWaitTimeSchema = DurationSchema.refine(
 var MaxMessageSizeSchema = SizeSchema.refine(sizeMin(kibibytes(1)), "Minimum max message size is 1 KB").refine(sizeMax(kibibytes(256)), "Maximum max message size is 256 KB").describe(
   "The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can specify an size from 1 KB to 256 KB."
 );
-var BatchSizeSchema = z20.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
+var BatchSizeSchema = z21.number().int().min(1, "Minimum batch size is 1").max(1e4, "Maximum batch size is 10000").describe(
   "The maximum number of records in each batch that Lambda pulls from your queue and sends to your function. Lambda passes all of the records in the batch to the function in a single call, up to the payload limit for synchronous invocation (6 MB). You can specify an integer from 1 to 10000."
 );
-var MaxConcurrencySchema = z20.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
+var MaxConcurrencySchema = z21.number().int().min(2, "Minimum max concurrency is 2").max(1e3, "Maximum max concurrency is 1000").describe(
   "Limits the number of concurrent instances that the queue worker can invoke. You can specify an integer from 2 to 1000."
 );
 var MaxBatchingWindow = DurationSchema.refine(
@@ -1404,7 +1415,10 @@ var MaxBatchingWindow = DurationSchema.refine(
 ).describe(
   "The maximum amount of time, that Lambda spends gathering records before invoking the function. You can specify an duration from 0 seconds to 5 minutes."
 );
-var QueueDefaultSchema = z20.object({
+var RetryAttemptsSchema2 = z21.number().int().min(0).max(999).describe(
+  "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 999."
+);
+var QueueDefaultSchema = z21.object({
   retentionPeriod: RetentionPeriodSchema.default("7 days"),
   visibilityTimeout: VisibilityTimeoutSchema.default("30 seconds"),
   deliveryDelay: DeliveryDelaySchema.default("0 seconds"),
@@ -1412,9 +1426,10 @@ var QueueDefaultSchema = z20.object({
   maxMessageSize: MaxMessageSizeSchema.default("256 KB"),
   batchSize: BatchSizeSchema.default(10),
   maxConcurrency: MaxConcurrencySchema.optional(),
-  maxBatchingWindow: MaxBatchingWindow.optional()
+  maxBatchingWindow: MaxBatchingWindow.optional(),
+  retryAttempts: RetryAttemptsSchema2.default(2)
 }).default({});
-var QueueSchema = z20.object({
+var QueueSchema = z21.object({
   consumer: FunctionSchema.optional().describe("The consuming lambda function properties."),
   retentionPeriod: RetentionPeriodSchema.optional(),
   visibilityTimeout: VisibilityTimeoutSchema.optional(),
@@ -1423,11 +1438,12 @@ var QueueSchema = z20.object({
   maxMessageSize: MaxMessageSizeSchema.optional(),
   batchSize: BatchSizeSchema.optional(),
   maxConcurrency: MaxConcurrencySchema.optional(),
-  maxBatchingWindow: MaxBatchingWindow.optional()
+  maxBatchingWindow: MaxBatchingWindow.optional(),
+  retryAttempts: RetryAttemptsSchema2.optional()
 });
-var QueuesSchema = z20.record(
+var QueuesSchema = z21.record(
   ResourceIdSchema,
-  z20.union([
+  z21.union([
     LocalFileSchema.transform((consumer) => ({
       consumer
     })).pipe(QueueSchema),
@@ -1436,26 +1452,26 @@ var QueuesSchema = z20.record(
 ).optional().describe("Define the queues in your stack.");
 
 // src/feature/rest/schema.ts
-import { z as z22 } from "zod";
+import { z as z23 } from "zod";
 
 // src/config/schema/route.ts
-import { z as z21 } from "zod";
-var RouteSchema = z21.union([
-  z21.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS|ANY)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
-  z21.literal("$default")
+import { z as z22 } from "zod";
+var RouteSchema = z22.union([
+  z22.string().regex(/^(POST|GET|PUT|DELETE|HEAD|OPTIONS|ANY)(\s\/[a-z0-9\+\_\-\/\{\}]*)$/gi, "Invalid route"),
+  z22.literal("$default")
 ]);
 
 // src/feature/rest/schema.ts
-var RestDefaultSchema = z22.record(
+var RestDefaultSchema = z23.record(
   ResourceIdSchema,
-  z22.object({
+  z23.object({
     domain: ResourceIdSchema.describe("The domain id to link your API with.").optional(),
-    subDomain: z22.string().optional()
+    subDomain: z23.string().optional()
   })
 ).optional().describe("Define your global REST API's.");
-var RestSchema = z22.record(
+var RestSchema = z23.record(
   ResourceIdSchema,
-  z22.record(
+  z23.record(
     RouteSchema.describe(
       [
         "The REST API route that is comprised by the http method and http path.",
@@ -1469,19 +1485,19 @@ var RestSchema = z22.record(
 
 // src/feature/rpc/schema.ts
 import { minutes as minutes4, seconds as seconds3 } from "@awsless/duration";
-import { z as z24 } from "zod";
+import { z as z25 } from "zod";
 
 // src/feature/router/schema.ts
 import { days as days3, minutes as minutes3, parse as parse3 } from "@awsless/duration";
-import { z as z23 } from "zod";
-var ErrorResponsePathSchema = z23.string().describe(
+import { z as z24 } from "zod";
+var ErrorResponsePathSchema = z24.string().describe(
   [
     "The path to the custom error page that you want to return to the viewer when your origin returns the HTTP status code specified.",
     "- We recommend that you store custom error pages in an Amazon S3 bucket.",
     "If you store custom error pages on an HTTP server and the server starts to return 5xx errors, CloudFront can't get the files that you want to return to viewers because the origin server is unavailable."
   ].join("\n")
 );
-var StatusCodeSchema = z23.number().int().positive().optional().describe(
+var StatusCodeSchema = z24.number().int().positive().optional().describe(
   [
     "The HTTP status code that you want CloudFront to return to the viewer along with the custom error page.",
     "There are a variety of reasons that you might want CloudFront to return a status code different from the status code that your origin returned to CloudFront, for example:",
@@ -1494,26 +1510,26 @@ var StatusCodeSchema = z23.number().int().positive().optional().describe(
 var MinTTLSchema = DurationSchema.describe(
   "The minimum amount of time, that you want to cache the error response. When this time period has elapsed, CloudFront queries your origin to see whether the problem that caused the error has been resolved and the requested object is now available."
 );
-var ErrorResponseSchema = z23.union([
+var ErrorResponseSchema = z24.union([
   ErrorResponsePathSchema,
-  z23.object({
+  z24.object({
     path: ErrorResponsePathSchema,
     statusCode: StatusCodeSchema.optional(),
     minTTL: MinTTLSchema.optional()
   })
 ]).optional();
-var RouteSchema2 = z23.string().regex(/^\//, "Route must start with a slash (/)");
-var VisibilitySchema = z23.boolean().default(false).describe("Whether to enable CloudWatch metrics for the WAF rule.");
-var WafSettingsSchema = z23.object({
-  rateLimiter: z23.object({
-    limit: z23.number().min(10).max(2e9).default(10).describe(
+var RouteSchema2 = z24.string().regex(/^\//, "Route must start with a slash (/)");
+var VisibilitySchema = z24.boolean().default(false).describe("Whether to enable CloudWatch metrics for the WAF rule.");
+var WafSettingsSchema = z24.object({
+  rateLimiter: z24.object({
+    limit: z24.number().min(10).max(2e9).default(10).describe(
       "The limit on requests during the specified evaluation window for a single aggregation instance for the rate-based rule."
     ),
-    window: z23.union([
-      z23.literal("1 minute"),
-      z23.literal("2 minutes"),
-      z23.literal("5 minutes"),
-      z23.literal("10 minutes")
+    window: z24.union([
+      z24.literal("1 minute"),
+      z24.literal("2 minutes"),
+      z24.literal("5 minutes"),
+      z24.literal("10 minutes")
     ]).default("5 minutes").transform((v) => parse3(v)).describe(
       "The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time."
     ),
@@ -1521,18 +1537,18 @@ var WafSettingsSchema = z23.object({
   }).optional().describe(
     "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate."
   ),
-  ddosProtection: z23.object({
-    sensitivity: z23.object({
-      challenge: z23.enum(["low", "medium", "high"]).default("low").transform((v) => v.toUpperCase()).describe("The sensitivity level for challenge requests."),
-      block: z23.enum(["low", "medium", "high"]).default("low").transform((v) => v.toUpperCase()).describe("The sensitivity level for block requests.")
+  ddosProtection: z24.object({
+    sensitivity: z24.object({
+      challenge: z24.enum(["low", "medium", "high"]).default("low").transform((v) => v.toUpperCase()).describe("The sensitivity level for challenge requests."),
+      block: z24.enum(["low", "medium", "high"]).default("low").transform((v) => v.toUpperCase()).describe("The sensitivity level for block requests.")
     }),
-    exemptUriRegex: z23.string().default("^$"),
+    exemptUriRegex: z24.string().default("^$"),
     visibility: VisibilitySchema
   }).optional().describe(
     "Provides protection against DDoS attacks targeting the application layer, also known as Layer 7 attacks. Uses 50 WCU."
   ),
-  botProtection: z23.object({
-    inspectionLevel: z23.enum(["common", "targeted"]).default("common").transform((v) => v.toUpperCase()),
+  botProtection: z24.object({
+    inspectionLevel: z24.enum(["common", "targeted"]).default("common").transform((v) => v.toUpperCase()),
     visibility: VisibilitySchema
   }).optional().describe(
     "Provides protection against automated bots that can consume excess resources, skew business metrics, cause downtime, or perform malicious activities. Bot Control provides additional visibility through Amazon CloudWatch and generates labels that you can use to control bot traffic to your applications. Uses 50 WCU."
@@ -1546,14 +1562,14 @@ var WafSettingsSchema = z23.object({
 }).describe(
   "WAF settings for the router. Each rule consumes Web ACL capacity units (WCUs). The total WCUs for a web ACL can't exceed 5000. Using over 1500 WCUs affects your costs."
 );
-var RouterDefaultSchema = z23.record(
+var RouterDefaultSchema = z24.record(
   ResourceIdSchema,
-  z23.object({
+  z24.object({
     domain: ResourceIdSchema.describe("The domain id to link your Router.").optional(),
-    subDomain: z23.string().optional(),
+    subDomain: z24.string().optional(),
     waf: WafSettingsSchema.optional(),
-    geoRestrictions: z23.array(z23.string().length(2).toUpperCase()).default([]).describe("Specifies a blacklist of countries that should be blocked."),
-    errors: z23.object({
+    geoRestrictions: z24.array(z24.string().length(2).toUpperCase()).default([]).describe("Specifies a blacklist of countries that should be blocked."),
+    errors: z24.object({
       400: ErrorResponseSchema.describe("Customize a `400 Bad Request` response."),
       403: ErrorResponseSchema.describe("Customize a `403 Forbidden` response."),
       404: ErrorResponseSchema.describe("Customize a `404 Not Found` response."),
@@ -1566,19 +1582,22 @@ var RouterDefaultSchema = z23.record(
       503: ErrorResponseSchema.describe("Customize a `503 Service Unavailable` response."),
       504: ErrorResponseSchema.describe("Customize a `504 Gateway Timeout` response.")
     }).optional().describe("Customize the error responses for specific HTTP status codes."),
-    cors: z23.object({
-      override: z23.boolean().default(false),
+    cors: z24.object({
+      override: z24.boolean().default(false),
       maxAge: DurationSchema.default("365 days"),
-      exposeHeaders: z23.string().array().optional(),
-      credentials: z23.boolean().default(false),
-      headers: z23.string().array().default(["*"]),
-      origins: z23.string().array().default(["*"]),
-      methods: z23.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
+      exposeHeaders: z24.string().array().optional(),
+      credentials: z24.boolean().default(false),
+      headers: z24.string().array().default(["*"]),
+      origins: z24.string().array().default(["*"]),
+      methods: z24.enum(["GET", "DELETE", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "ALL"]).array().default(["ALL"])
     }).optional().describe("Specify the cors headers."),
-    basicAuth: z23.object({
-      username: z23.string().describe("Basic auth username."),
-      password: z23.string().describe("Basic auth password.")
-    }).optional().describe("Enable basic authentication for the site."),
+    passwordAuth: z24.object({
+      password: z24.string().describe("Password.")
+    }).optional().describe("Enable password authentication for the router."),
+    basicAuth: z24.object({
+      username: z24.string().describe("Basic auth username."),
+      password: z24.string().describe("Basic auth password.")
+    }).optional().describe("Enable basic authentication for the router."),
     // security: z
     // 	.object({
     // 		contentSecurityPolicy: z.object({
@@ -1624,10 +1643,10 @@ var RouterDefaultSchema = z23.record(
     // 	})
     // 	.optional()
     // 	.describe('Specify the security policy.'),
-    cache: z23.object({
-      cookies: z23.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
-      headers: z23.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
-      queries: z23.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
+    cache: z24.object({
+      cookies: z24.string().array().optional().describe("Specifies the cookies that CloudFront includes in the cache key."),
+      headers: z24.string().array().optional().describe("Specifies the headers that CloudFront includes in the cache key."),
+      queries: z24.string().array().optional().describe("Specifies the query values that CloudFront includes in the cache key.")
     }).optional().describe(
       "Specifies the cookies, headers, and query values that CloudFront includes in the cache key."
     )
@@ -1642,9 +1661,9 @@ var TimeoutSchema2 = DurationSchema.refine(durationMin(seconds3(10)), "Minimum t
     "The timeouts of all inner RPC functions will be capped at 80% of this timeout."
   ].join(" ")
 );
-var RpcDefaultSchema = z24.record(
+var RpcDefaultSchema = z25.record(
   ResourceIdSchema,
-  z24.object({
+  z25.object({
     // domain: ResourceIdSchema.describe('The domain id to link your RPC API with.').optional(),
     // subDomain: z.string().optional(),
     //
@@ -1655,18 +1674,18 @@ var RpcDefaultSchema = z24.record(
     timeout: TimeoutSchema2.default("1 minutes")
   })
 ).describe(`Define the global RPC API's.`).optional();
-var RpcSchema = z24.record(
+var RpcSchema = z25.record(
   ResourceIdSchema,
-  z24.record(
-    z24.string(),
-    z24.union([
+  z25.record(
+    z25.string(),
+    z25.union([
       FunctionSchema.transform((f) => ({
         function: f,
         lock: false
       })),
-      z24.object({
+      z25.object({
         function: FunctionSchema.describe("The RPC function to execute."),
-        lock: z24.boolean().describe(
+        lock: z25.boolean().describe(
           [
             "Specify if the function should be locked on the `lockKey` returned from the auth function.",
             "An example would be returning the user ID as `lockKey`."
@@ -1680,8 +1699,8 @@ var RpcSchema = z24.record(
 // src/feature/instance/schema.ts
 import { days as days4, toDays as toDays2 } from "@awsless/duration";
 import { toMebibytes } from "@awsless/size";
-import { z as z25 } from "zod";
-var CpuSchema = z25.union([z25.literal(0.25), z25.literal(0.5), z25.literal(1), z25.literal(2), z25.literal(4), z25.literal(8), z25.literal(16)]).transform((v) => `${v} vCPU`).describe(
+import { z as z26 } from "zod";
+var CpuSchema = z26.union([z26.literal(0.25), z26.literal(0.5), z26.literal(1), z26.literal(2), z26.literal(4), z26.literal(8), z26.literal(16)]).transform((v) => `${v} vCPU`).describe(
   "The number of virtual CPU units (vCPU) used by the instance. Valid values: 0.25, 0.5, 1, 2, 4, 8, 16 vCPU."
 );
 var validMemorySize = [
@@ -1721,10 +1740,10 @@ var MemorySizeSchema2 = SizeSchema.refine(
   (s) => validMemorySize.includes(toMebibytes(s)),
   `Invalid memory size. Allowed sizes: ${validMemorySize.join(", ")} MiB`
 ).describe("The amount of memory (in MiB) used by the instance. Valid memory values depend on the CPU configuration.");
-var HealthCheckSchema = z25.object({
-  path: z25.string().describe("The path that the container runs to determine if it is healthy."),
+var HealthCheckSchema = z26.object({
+  path: z26.string().describe("The path that the container runs to determine if it is healthy."),
   interval: DurationSchema.describe("The time period in seconds between each health check execution."),
-  retries: z25.number().int().min(1).max(10).describe(
+  retries: z26.number().int().min(1).max(10).describe(
     "The number of times to retry a failed health check before the container is considered unhealthy."
   ),
   startPeriod: DurationSchema.describe(
@@ -1734,22 +1753,22 @@ var HealthCheckSchema = z25.object({
     "The time period in seconds to wait for a health check to succeed before it is considered a failure."
   )
 }).describe("The health check command and associated configuration parameters for the container.");
-var EnvironmentSchema2 = z25.record(z25.string(), z25.string()).optional().describe("Environment variable key-value pairs.");
-var ArchitectureSchema3 = z25.enum(["x86_64", "arm64"]).describe("The instruction set architecture that the instance supports.");
-var ActionSchema2 = z25.string();
-var ActionsSchema2 = z25.union([ActionSchema2.transform((v) => [v]), ActionSchema2.array()]);
-var ArnSchema2 = z25.string().startsWith("arn:");
-var WildcardSchema2 = z25.literal("*");
-var ResourceSchema2 = z25.union([ArnSchema2, WildcardSchema2]);
-var ResourcesSchema2 = z25.union([ResourceSchema2.transform((v) => [v]), ResourceSchema2.array()]);
-var PermissionSchema2 = z25.object({
-  effect: z25.enum(["allow", "deny"]).default("allow"),
+var EnvironmentSchema2 = z26.record(z26.string(), z26.string()).optional().describe("Environment variable key-value pairs.");
+var ArchitectureSchema3 = z26.enum(["x86_64", "arm64"]).describe("The instruction set architecture that the instance supports.");
+var ActionSchema2 = z26.string();
+var ActionsSchema2 = z26.union([ActionSchema2.transform((v) => [v]), ActionSchema2.array()]);
+var ArnSchema2 = z26.string().startsWith("arn:");
+var WildcardSchema2 = z26.literal("*");
+var ResourceSchema2 = z26.union([ArnSchema2, WildcardSchema2]);
+var ResourcesSchema2 = z26.union([ResourceSchema2.transform((v) => [v]), ResourceSchema2.array()]);
+var PermissionSchema2 = z26.object({
+  effect: z26.enum(["allow", "deny"]).default("allow"),
   actions: ActionsSchema2,
   resources: ResourcesSchema2
 });
-var PermissionsSchema2 = z25.union([PermissionSchema2.transform((v) => [v]), PermissionSchema2.array()]).describe("Add IAM permissions to your instance.");
-var DescriptionSchema2 = z25.string().describe("A description of the instance.");
-var ImageSchema = z25.string().optional().describe("The URL of the container image to use.");
+var PermissionsSchema2 = z26.union([PermissionSchema2.transform((v) => [v]), PermissionSchema2.array()]).describe("Add IAM permissions to your instance.");
+var DescriptionSchema2 = z26.string().describe("A description of the instance.");
+var ImageSchema = z26.string().optional().describe("The URL of the container image to use.");
 var validLogRetentionDays2 = [
   ...[1, 3, 5, 7, 14, 30, 60, 90, 120, 150],
   ...[180, 365, 400, 545, 731, 1096, 1827, 2192],
@@ -1764,23 +1783,23 @@ var LogRetentionSchema2 = DurationSchema.refine(
   },
   `Invalid log retention. Valid days are: ${validLogRetentionDays2.map((days8) => `${days8}`).join(", ")}`
 ).describe("The log retention duration.");
-var LogSchema2 = z25.union([
-  z25.boolean().transform((enabled) => ({ retention: enabled ? days4(7) : days4(0) })),
+var LogSchema2 = z26.union([
+  z26.boolean().transform((enabled) => ({ retention: enabled ? days4(7) : days4(0) })),
   LogRetentionSchema2.transform((retention) => ({ retention })),
-  z25.object({
+  z26.object({
     retention: LogRetentionSchema2.optional()
   })
 ]).describe("Enable logging to a CloudWatch log group. Providing a duration value will set the log retention time.");
-var FileCodeSchema2 = z25.object({
+var FileCodeSchema2 = z26.object({
   file: LocalFileSchema.describe("The file path of the instance code.")
 });
-var CodeSchema2 = z25.union([
+var CodeSchema2 = z26.union([
   LocalFileSchema.transform((file) => ({
     file
   })).pipe(FileCodeSchema2),
   FileCodeSchema2
 ]).describe("Specify the code of your instance.");
-var ISchema = z25.object({
+var ISchema = z26.object({
   code: CodeSchema2,
   description: DescriptionSchema2.optional(),
   image: ImageSchema.optional(),
@@ -1793,14 +1812,14 @@ var ISchema = z25.object({
   healthCheck: HealthCheckSchema.optional()
   // restartPolicy: RestartPolicySchema.optional(),
 });
-var InstanceSchema = z25.union([
+var InstanceSchema = z26.union([
   LocalFileSchema.transform((code) => ({
     code
   })).pipe(ISchema),
   ISchema
 ]);
-var InstancesSchema = z25.record(ResourceIdSchema, InstanceSchema).optional().describe("Define the instances in your stack.");
-var InstanceDefaultSchema = z25.object({
+var InstancesSchema = z26.record(ResourceIdSchema, InstanceSchema).optional().describe("Define the instances in your stack.");
+var InstanceDefaultSchema = z26.object({
   image: ImageSchema.optional(),
   cpu: CpuSchema.default(0.25),
   memorySize: MemorySizeSchema2.default("512 MB"),
@@ -1816,15 +1835,15 @@ var InstanceDefaultSchema = z25.object({
 
 // src/feature/topic/schema.ts
 import { kebabCase as kebabCase3 } from "change-case";
-import { z as z26 } from "zod";
-var TopicNameSchema = z26.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => kebabCase3(value)).describe("Define event topic name.");
-var TopicsDefaultSchema = z26.array(TopicNameSchema).refine((topics) => {
+import { z as z27 } from "zod";
+var TopicNameSchema = z27.string().min(3).max(256).regex(/^[a-z0-9\-]+$/i, "Invalid topic name").transform((value) => kebabCase3(value)).describe("Define event topic name.");
+var TopicsDefaultSchema = z27.array(TopicNameSchema).refine((topics) => {
   return topics.length === new Set(topics).size;
 }, "Must be a list of unique topic names").optional().describe("Define the event topics for your app.");
-var SubscribersSchema = z26.record(TopicNameSchema, FunctionSchema).optional().describe("Define the event topics to subscribe too in your stack.");
+var SubscribersSchema = z27.record(TopicNameSchema, FunctionSchema).optional().describe("Define the event topics to subscribe too in your stack.");
 
 // src/config/schema/region.ts
-import { z as z27 } from "zod";
+import { z as z28 } from "zod";
 var US = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"];
 var AF = ["af-south-1"];
 var AP = [
@@ -1853,16 +1872,16 @@ var EU = [
 var ME = ["me-south-1", "me-central-1"];
 var SA = ["sa-east-1"];
 var regions = [...US, ...AF, ...AP, ...CA, ...EU, ...ME, ...SA];
-var RegionSchema = z27.enum(regions);
+var RegionSchema = z28.enum(regions);
 
 // src/config/app.ts
-var AppSchema = z28.object({
-  $schema: z28.string().optional(),
+var AppSchema = z29.object({
+  $schema: z29.string().optional(),
   name: ResourceIdSchema.describe("App name."),
   region: RegionSchema.describe("The AWS region to deploy to."),
-  profile: z28.string().describe("The AWS profile to deploy to."),
-  protect: z28.boolean().default(false).describe("Protect your app & stacks from being deleted."),
-  removal: z28.enum(["remove", "retain"]).default("remove").describe(
+  profile: z29.string().describe("The AWS profile to deploy to."),
+  protect: z29.boolean().default(false).describe("Protect your app & stacks from being deleted."),
+  removal: z29.enum(["remove", "retain"]).default("remove").describe(
     [
       "Configure how your resources are handled when they have to be removed.",
       "",
@@ -1876,7 +1895,7 @@ var AppSchema = z28.object({
   // 	.default('prod')
   // 	.describe('The deployment stage.'),
   // onFailure: OnFailureSchema,
-  defaults: z28.object({
+  defaults: z29.object({
     onFailure: OnFailureDefaultSchema,
     onLog: OnLogDefaultSchema,
     auth: AuthDefaultSchema,
@@ -1900,11 +1919,11 @@ var AppSchema = z28.object({
 });
 
 // src/config/stack.ts
-import { z as z44 } from "zod";
+import { z as z45 } from "zod";
 
 // src/feature/cache/schema.ts
 import { gibibytes as gibibytes2 } from "@awsless/size";
-import { z as z29 } from "zod";
+import { z as z30 } from "zod";
 var StorageSchema = SizeSchema.refine(sizeMin(gibibytes2(1)), "Minimum storage size is 1 GB").refine(
   sizeMax(gibibytes2(5e3)),
   "Maximum storage size is 5000 GB"
@@ -1915,31 +1934,31 @@ var MinimumStorageSchema = StorageSchema.describe(
 var MaximumStorageSchema = StorageSchema.describe(
   "The upper limit for data storage the cache is set to use. You can specify a size value from 1 GB to 5000 GB."
 );
-var EcpuSchema = z29.number().int().min(1e3).max(15e6);
+var EcpuSchema = z30.number().int().min(1e3).max(15e6);
 var MinimumEcpuSchema = EcpuSchema.describe(
   "The minimum number of ECPUs the cache can consume per second. You can specify a integer from 1,000 to 15,000,000."
 );
 var MaximumEcpuSchema = EcpuSchema.describe(
   "The maximum number of ECPUs the cache can consume per second. You can specify a integer from 1,000 to 15,000,000."
 );
-var CachesSchema = z29.record(
+var CachesSchema = z30.record(
   ResourceIdSchema,
-  z29.object({
+  z30.object({
     minStorage: MinimumStorageSchema.optional(),
     maxStorage: MaximumStorageSchema.optional(),
     minECPU: MinimumEcpuSchema.optional(),
     maxECPU: MaximumEcpuSchema.optional(),
-    snapshotRetentionLimit: z29.number().int().positive().default(1)
+    snapshotRetentionLimit: z30.number().int().positive().default(1)
   })
 ).optional().describe("Define the caches in your stack. For access to the cache put your functions inside the global VPC.");
 
 // src/feature/command/schema.ts
-import { z as z30 } from "zod";
-var CommandSchema = z30.union([
-  z30.object({
+import { z as z31 } from "zod";
+var CommandSchema = z31.union([
+  z31.object({
     file: LocalFileSchema,
-    handler: z30.string().default("default").describe("The name of the handler that needs to run"),
-    description: z30.string().optional().describe("A description of the command")
+    handler: z31.string().default("default").describe("The name of the handler that needs to run"),
+    description: z31.string().optional().describe("A description of the command")
     // options: z.record(ResourceIdSchema, OptionSchema).optional(),
     // arguments: z.record(ResourceIdSchema, ArgumentSchema).optional(),
   }),
@@ -1949,22 +1968,22 @@ var CommandSchema = z30.union([
     description: void 0
   }))
 ]);
-var CommandsSchema = z30.record(ResourceIdSchema, CommandSchema).optional().describe("Define the custom commands for your stack.");
+var CommandsSchema = z31.record(ResourceIdSchema, CommandSchema).optional().describe("Define the custom commands for your stack.");
 
 // src/feature/config/schema.ts
-import { z as z31 } from "zod";
-var ConfigNameSchema = z31.string().regex(/[a-z0-9\-]/g, "Invalid config name");
-var ConfigsSchema = z31.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
+import { z as z32 } from "zod";
+var ConfigNameSchema = z32.string().regex(/[a-z0-9\-]/g, "Invalid config name");
+var ConfigsSchema = z32.array(ConfigNameSchema).optional().describe("Define the config values for your stack.");
 
 // src/feature/cron/schema/index.ts
-import { z as z33 } from "zod";
+import { z as z34 } from "zod";
 
 // src/feature/cron/schema/schedule.ts
-import { z as z32 } from "zod";
+import { z as z33 } from "zod";
 import { awsCronExpressionValidator } from "aws-cron-expression-validator";
-var RateExpressionSchema = z32.custom(
+var RateExpressionSchema = z33.custom(
   (value) => {
-    return z32.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
+    return z33.string().regex(/^[0-9]+ (seconds?|minutes?|hours?|days?)$/).refine((rate) => {
       const [str] = rate.split(" ");
       const number = parseInt(str);
       return number > 0;
@@ -1980,9 +1999,9 @@ var RateExpressionSchema = z32.custom(
   }
   return `rate(${rate})`;
 });
-var CronExpressionSchema = z32.custom(
+var CronExpressionSchema = z33.custom(
   (value) => {
-    return z32.string().safeParse(value).success;
+    return z33.string().safeParse(value).success;
   },
   { message: "Invalid cron expression" }
 ).superRefine((value, ctx) => {
@@ -1991,12 +2010,12 @@ var CronExpressionSchema = z32.custom(
   } catch (error) {
     if (error instanceof Error) {
       ctx.addIssue({
-        code: z32.ZodIssueCode.custom,
+        code: z33.ZodIssueCode.custom,
         message: `Invalid cron expression: ${error.message}`
       });
     } else {
       ctx.addIssue({
-        code: z32.ZodIssueCode.custom,
+        code: z33.ZodIssueCode.custom,
         message: "Invalid cron expression"
       });
     }
@@ -2007,28 +2026,28 @@ var CronExpressionSchema = z32.custom(
 var ScheduleExpressionSchema = RateExpressionSchema.or(CronExpressionSchema);
 
 // src/feature/cron/schema/index.ts
-var CronsSchema = z33.record(
+var CronsSchema = z34.record(
   ResourceIdSchema,
-  z33.object({
-    enabled: z33.boolean().default(true).describe("If the cron is enabled."),
+  z34.object({
+    enabled: z34.boolean().default(true).describe("If the cron is enabled."),
     consumer: FunctionSchema.describe("The consuming lambda function properties."),
     schedule: ScheduleExpressionSchema.describe(
       'The scheduling expression.\n\nexample: "0 20 * * ? *"\nexample: "5 minutes"'
     ),
-    payload: z33.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
+    payload: z34.unknown().optional().describe("The JSON payload that will be passed to the consumer.")
   })
 ).optional().describe(`Define the cron jobs in your stack.`);
 
 // src/feature/search/schema.ts
 import { gibibytes as gibibytes3 } from "@awsless/size";
-import { z as z34 } from "zod";
-var VersionSchema = z34.union([
+import { z as z35 } from "zod";
+var VersionSchema = z35.union([
   //
-  z34.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]),
-  z34.string()
+  z35.enum(["2.13", "2.11", "2.9", "2.7", "2.5", "2.3", "1.3"]),
+  z35.string()
 ]).describe("Specify the OpenSearch engine version.");
-var TypeSchema = z34.union([
-  z34.enum([
+var TypeSchema = z35.union([
+  z35.enum([
     "t3.small",
     "t3.medium",
     "m3.medium",
@@ -2102,13 +2121,13 @@ var TypeSchema = z34.union([
     "r6gd.12xlarge",
     "r6gd.16xlarge"
   ]),
-  z34.string()
+  z35.string()
 ]).describe("Instance type of data nodes in the cluster.");
-var CountSchema = z34.number().int().min(1).describe("Number of instances in the cluster.");
+var CountSchema = z35.number().int().min(1).describe("Number of instances in the cluster.");
 var StorageSizeSchema = SizeSchema.refine(sizeMin(gibibytes3(10)), "Minimum storage size is 10 GB").refine(sizeMax(gibibytes3(100)), "Maximum storage size is 100 GB").describe("The size of the function's /tmp directory. You can specify a size value from 512 MB to 10 GiB.");
-var SearchsSchema = z34.record(
+var SearchsSchema = z35.record(
   ResourceIdSchema,
-  z34.object({
+  z35.object({
     type: TypeSchema.default("t3.small"),
     count: CountSchema.default(1),
     version: VersionSchema.default("2.13"),
@@ -2119,12 +2138,12 @@ var SearchsSchema = z34.record(
 ).optional().describe("Define the search instances in your stack. Backed by OpenSearch.");
 
 // src/feature/site/schema.ts
-import { z as z36 } from "zod";
+import { z as z37 } from "zod";
 
 // src/config/schema/local-entry.ts
 import { stat as stat3 } from "fs/promises";
-import { z as z35 } from "zod";
-var LocalEntrySchema = z35.union([
+import { z as z36 } from "zod";
+var LocalEntrySchema = z36.union([
   RelativePathSchema.refine(async (path) => {
     try {
       const s = await stat3(path);
@@ -2133,7 +2152,7 @@ var LocalEntrySchema = z35.union([
       return false;
     }
   }, `File or directory doesn't exist`),
-  z35.object({
+  z36.object({
     nocheck: RelativePathSchema.describe(
       "Specifies a local file or directory without checking if the file or directory exists."
     )
@@ -2141,21 +2160,21 @@ var LocalEntrySchema = z35.union([
 ]);
 
 // src/feature/site/schema.ts
-var SitesSchema = z36.record(
+var SitesSchema = z37.record(
   ResourceIdSchema,
-  z36.object({
+  z37.object({
     router: ResourceIdSchema.describe("The router id to link your site with."),
     path: RouteSchema2.describe("The path inside the router to link your site to."),
-    build: z36.object({
-      command: z36.string().describe(
+    build: z37.object({
+      command: z37.string().describe(
         `Specifies the files and directories to generate the cache key for your custom build command.`
       ),
-      cacheKey: z36.union([LocalEntrySchema.transform((v) => [v]), LocalEntrySchema.array()]).describe(
+      cacheKey: z37.union([LocalEntrySchema.transform((v) => [v]), LocalEntrySchema.array()]).describe(
         `Specifies the files and directories to generate the cache key for your custom build command.`
       ),
-      configs: z36.string().array().optional().describe("Define the config values for your build command.")
+      configs: z37.string().array().optional().describe("Define the config values for your build command.")
     }).optional().describe(`Specifies the build process for sites that need a build step.`),
-    static: z36.union([LocalDirectorySchema, z36.boolean()]).optional().describe(
+    static: z37.union([LocalDirectorySchema, z37.boolean()]).optional().describe(
       "Specifies the path to the static files directory. Additionally you can also pass `true` when you don't have local static files, but still want to make an S3 bucket."
     ),
     ssr: FunctionSchema.optional().describe("Specifies the file that will render the site on the server.")
@@ -2163,21 +2182,21 @@ var SitesSchema = z36.record(
 ).optional().describe("Define the sites in your stack.");
 
 // src/feature/store/schema.ts
-import { z as z37 } from "zod";
-var StoresSchema = z37.union([
-  z37.array(ResourceIdSchema).transform((list3) => {
+import { z as z38 } from "zod";
+var StoresSchema = z38.union([
+  z38.array(ResourceIdSchema).transform((list3) => {
     const stores = {};
     for (const key of list3) {
       stores[key] = {};
     }
     return stores;
   }),
-  z37.record(
+  z38.record(
     ResourceIdSchema,
-    z37.object({
+    z38.object({
       static: LocalDirectorySchema.optional().describe("Specifies the path to the static files directory."),
-      versioning: z37.boolean().default(false).describe("Enable versioning of your store."),
-      events: z37.object({
+      versioning: z38.boolean().default(false).describe("Enable versioning of your store."),
+      events: z38.object({
         // create
         "created:*": FunctionSchema.optional().describe(
           "Subscribe to notifications regardless of the API that was used to create an object."
@@ -2210,30 +2229,30 @@ var StoresSchema = z37.union([
 ]).optional().describe("Define the stores in your stack.");
 
 // src/feature/icon/schema.ts
-import { z as z38 } from "zod";
+import { z as z39 } from "zod";
 var staticOriginSchema = LocalDirectorySchema.describe(
   "Specifies the path to a local image directory that will be uploaded in S3."
 );
 var functionOriginSchema = FunctionSchema.describe(
   "Specifies the file that will be called when an image isn't found in the (cache) bucket."
 );
-var IconsSchema = z38.record(
+var IconsSchema = z39.record(
   ResourceIdSchema,
-  z38.object({
+  z39.object({
     // domain: ResourceIdSchema.describe('The domain id to link your site with.').optional(),
     // subDomain: z.string().optional(),
     router: ResourceIdSchema.describe("The router id to link your icon proxy."),
     path: RouteSchema2.describe("The path inside the router to link your icon proxy to."),
     log: LogSchema.optional(),
     cacheDuration: DurationSchema.optional().describe("The cache duration of the cached icons."),
-    preserveIds: z38.boolean().optional().default(false).describe("Preserve the IDs of the icons."),
-    symbols: z38.boolean().optional().default(false).describe(`Convert the SVG's to SVG symbols.`),
-    origin: z38.union([
-      z38.object({
+    preserveIds: z39.boolean().optional().default(false).describe("Preserve the IDs of the icons."),
+    symbols: z39.boolean().optional().default(false).describe(`Convert the SVG's to SVG symbols.`),
+    origin: z39.union([
+      z39.object({
         static: staticOriginSchema,
         function: functionOriginSchema.optional()
       }),
-      z38.object({
+      z39.object({
         static: staticOriginSchema.optional(),
         function: functionOriginSchema
       })
@@ -2260,13 +2279,13 @@ var IconsSchema = z38.record(
 ).optional().describe("Define an svg icon proxy in your stack. Store, optimize, and deliver svg icons at scale.");
 
 // src/feature/image/schema.ts
-import { z as z39 } from "zod";
-var transformationOptionsSchema = z39.object({
-  width: z39.number().int().positive().optional(),
-  height: z39.number().int().positive().optional(),
-  fit: z39.enum(["cover", "contain", "fill", "inside", "outside"]).optional(),
-  position: z39.enum(["top", "right top", "right", "right bottom", "bottom", "left bottom", "left", "left top", "center"]).optional(),
-  quality: z39.number().int().min(1).max(100).optional()
+import { z as z40 } from "zod";
+var transformationOptionsSchema = z40.object({
+  width: z40.number().int().positive().optional(),
+  height: z40.number().int().positive().optional(),
+  fit: z40.enum(["cover", "contain", "fill", "inside", "outside"]).optional(),
+  position: z40.enum(["top", "right top", "right", "right bottom", "bottom", "left bottom", "left", "left top", "center"]).optional(),
+  quality: z40.number().int().min(1).max(100).optional()
 });
 var staticOriginSchema2 = LocalDirectorySchema.describe(
   "Specifies the path to a local image directory that will be uploaded in S3."
@@ -2274,38 +2293,38 @@ var staticOriginSchema2 = LocalDirectorySchema.describe(
 var functionOriginSchema2 = FunctionSchema.describe(
   "Specifies the file that will be called when an image isn't found in the (cache) bucket."
 );
-var ImagesSchema = z39.record(
+var ImagesSchema = z40.record(
   ResourceIdSchema,
-  z39.object({
+  z40.object({
     // domain: ResourceIdSchema.describe('The domain id to link your site with.').optional(),
     // subDomain: z.string().optional(),
     router: ResourceIdSchema.describe("The router id to link your image proxy."),
     path: RouteSchema2.describe("The path inside the router to link your image proxy to."),
     log: LogSchema.optional(),
     cacheDuration: DurationSchema.optional().describe("Cache duration of the cached images."),
-    presets: z39.record(z39.string(), transformationOptionsSchema).describe("Named presets for image transformations"),
-    extensions: z39.object({
-      jpg: z39.object({
-        mozjpeg: z39.boolean().optional(),
-        progressive: z39.boolean().optional()
+    presets: z40.record(z40.string(), transformationOptionsSchema).describe("Named presets for image transformations"),
+    extensions: z40.object({
+      jpg: z40.object({
+        mozjpeg: z40.boolean().optional(),
+        progressive: z40.boolean().optional()
       }).optional(),
-      webp: z39.object({
-        effort: z39.number().int().min(1).max(10).default(7).optional(),
-        lossless: z39.boolean().optional(),
-        nearLossless: z39.boolean().optional()
+      webp: z40.object({
+        effort: z40.number().int().min(1).max(10).default(7).optional(),
+        lossless: z40.boolean().optional(),
+        nearLossless: z40.boolean().optional()
       }).optional(),
-      png: z39.object({
-        compressionLevel: z39.number().int().min(0).max(9).default(6).optional()
+      png: z40.object({
+        compressionLevel: z40.number().int().min(0).max(9).default(6).optional()
       }).optional()
     }).refine((data) => {
       return Object.keys(data).length > 0;
     }, "At least one extension must be defined.").describe("Specify the allowed extensions."),
-    origin: z39.union([
-      z39.object({
+    origin: z40.union([
+      z40.object({
         static: staticOriginSchema2,
         function: functionOriginSchema2.optional()
       }),
-      z39.object({
+      z40.object({
         static: staticOriginSchema2.optional(),
         function: functionOriginSchema2
       })
@@ -2320,7 +2339,7 @@ var ImagesSchema = z39.record(
 ).optional().describe("Define an image proxy in your stack. Store, transform, optimize, and deliver images at scale.");
 
 // src/feature/metric/schema.ts
-import { z as z40 } from "zod";
+import { z as z41 } from "zod";
 var ops = {
   ">": "GreaterThanThreshold",
   ">=": "GreaterThanOrEqualToThreshold",
@@ -2334,15 +2353,15 @@ var stats = {
   min: "Minimum",
   max: "Maximum"
 };
-var WhereSchema = z40.union([
-  z40.string().regex(/(count|avg|sum|min|max) (>|>=|<|<=) (\d)/, "Invalid where query").transform((where) => {
+var WhereSchema = z41.union([
+  z41.string().regex(/(count|avg|sum|min|max) (>|>=|<|<=) (\d)/, "Invalid where query").transform((where) => {
     const [stat4, op, value] = where.split(" ");
     return { stat: stat4, op, value: parseFloat(value) };
   }),
-  z40.object({
-    stat: z40.enum(["count", "avg", "sum", "min", "max"]),
-    op: z40.enum([">", ">=", "<", "<="]),
-    value: z40.number()
+  z41.object({
+    stat: z41.enum(["count", "avg", "sum", "min", "max"]),
+    op: z41.enum([">", ">=", "<", "<="]),
+    value: z41.number()
   })
 ]).transform((where) => {
   return {
@@ -2351,39 +2370,39 @@ var WhereSchema = z40.union([
     value: where.value
   };
 });
-var AlarmSchema = z40.object({
-  description: z40.string().optional(),
+var AlarmSchema = z41.object({
+  description: z41.string().optional(),
   where: WhereSchema,
   period: DurationSchema,
-  minDataPoints: z40.number().int().default(1),
-  trigger: z40.union([EmailSchema.transform((v) => [v]), EmailSchema.array(), FunctionSchema])
+  minDataPoints: z41.number().int().default(1),
+  trigger: z41.union([EmailSchema.transform((v) => [v]), EmailSchema.array(), FunctionSchema])
 });
-var MetricsSchema = z40.record(
+var MetricsSchema = z41.record(
   ResourceIdSchema,
-  z40.object({
-    type: z40.enum(["number", "size", "duration"]),
+  z41.object({
+    type: z41.enum(["number", "size", "duration"]),
     alarms: AlarmSchema.array().optional()
   })
 ).optional().describe("Define the metrics in your stack.");
 
 // src/feature/table/schema.ts
 import { minutes as minutes5, seconds as seconds4 } from "@awsless/duration";
-import { z as z41 } from "zod";
-var KeySchema = z41.string().min(1).max(255);
-var TablesSchema = z41.record(
+import { z as z42 } from "zod";
+var KeySchema = z42.string().min(1).max(255);
+var TablesSchema = z42.record(
   ResourceIdSchema,
-  z41.object({
+  z42.object({
     hash: KeySchema.describe(
       "Specifies the name of the partition / hash key that makes up the primary key for the table."
     ),
     sort: KeySchema.optional().describe(
       "Specifies the name of the range / sort key that makes up the primary key for the table."
     ),
-    fields: z41.record(z41.string(), z41.enum(["string", "number", "binary"])).optional().describe(
+    fields: z42.record(z42.string(), z42.enum(["string", "number", "binary"])).optional().describe(
       'A list of attributes that describe the key schema for the table and indexes. If no attribute field is defined we default to "string".'
     ),
-    class: z41.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
-    pointInTimeRecovery: z41.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
+    class: z42.enum(["standard", "standard-infrequent-access"]).default("standard").describe("The table class of the table."),
+    pointInTimeRecovery: z42.boolean().default(false).describe("Indicates whether point in time recovery is enabled on the table."),
     ttl: KeySchema.optional().describe(
       [
         "The name of the TTL attribute used to store the expiration time for items in the table.",
@@ -2391,8 +2410,8 @@ var TablesSchema = z41.record(
       ].join("\n")
     ),
     // deletionProtection: DeletionProtectionSchema.optional(),
-    stream: z41.object({
-      type: z41.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
+    stream: z42.object({
+      type: z42.enum(["keys-only", "new-image", "old-image", "new-and-old-images"]).describe(
         [
           "When an item in the table is modified, you can determines what information is written to the stream for this table.",
           "Valid values are:",
@@ -2402,7 +2421,7 @@ var TablesSchema = z41.record(
           "- new-and-old-images - Both the new and the old item images of the item are written to the stream."
         ].join("\n")
       ),
-      batchSize: z41.number().min(1).max(1e4).default(1).describe(
+      batchSize: z42.number().min(1).max(1e4).default(1).describe(
         [
           "The maximum number of records in each batch that Lambda pulls from your stream and sends to your function.",
           "Lambda passes all of the records in the batch to the function in a single call, up to the payload limit for synchronous invocation (6 MB).",
@@ -2418,29 +2437,26 @@ var TablesSchema = z41.record(
           "You can specify a duration from 1 seconds to 5 minutes."
         ].join("\n")
       ),
-      // maxRecordAge: DurationSchema.refine(
-      // 	durationMin(seconds(1)),
-      // 	'Minimum record age duration is 1 second'
-      // )
-      // 	.refine(durationMax(minutes(5)), 'Maximum batch window duration is 5 minutes')
-      // 	.optional()
-      // 	.describe(
-      // 		[
-      // 			'Discard records after the specified number of retries.',
-      // 			'The default value is -1, which sets the maximum number of retries to infinite.',
-      // 			'When maxRetryAttempts is infinite, Lambda retries failed records until the record expires in the event source.',
-      // 			'You can specify a number from -1 to 10000.',
-      // 		].join('\n')
-      // 	),
-      retryAttempts: z41.number().min(-1).max(1e4).default(-1).describe(
+      maxRecordAge: DurationSchema.refine(
+        durationMin(seconds4(1)),
+        "Minimum record age duration is 1 second"
+      ).refine(durationMax(minutes5(1)), "Maximum record age duration is 1 minute").default("60 seconds").describe(
+        [
+          "Discard records older than the specified age.",
+          "The maximum valid value for maximum record age is 60s.",
+          "The default value is 60s"
+        ].join("\n")
+      ),
+      retryAttempts: z42.number().min(-1).max(1e4).default(2).describe(
         [
           "Discard records after the specified number of retries.",
-          "The default value is -1, which sets the maximum number of retries to infinite.",
+          "-1 will sets the maximum number of retries to infinite.",
           "When maxRetryAttempts is infinite, Lambda retries failed records until the record expires in the event source.",
-          "You can specify a number from -1 to 10000."
+          "You can specify a number from -1 to 10000.",
+          "The default value is 2"
         ].join("\n")
       ),
-      concurrencyPerShard: z41.number().min(1).max(10).default(1).describe(
+      concurrencyPerShard: z42.number().min(1).max(10).default(1).describe(
         [
           "The number of batches to process concurrently from each shard.",
           "You can specify a number from 1 to 10."
@@ -2450,16 +2466,16 @@ var TablesSchema = z41.record(
     }).optional().describe(
       "The settings for the DynamoDB table stream, which capture changes to items stored in the table."
     ),
-    indexes: z41.record(
-      z41.string(),
-      z41.object({
-        hash: z41.union([KeySchema.transform((v) => [v]), KeySchema.array()]).describe(
+    indexes: z42.record(
+      z42.string(),
+      z42.object({
+        hash: z42.union([KeySchema.transform((v) => [v]), KeySchema.array()]).describe(
           "Specifies the name of the partition / hash key that makes up the primary key for the global secondary index."
         ),
-        sort: z41.union([KeySchema.transform((v) => [v]), KeySchema.array()]).optional().describe(
+        sort: z42.union([KeySchema.transform((v) => [v]), KeySchema.array()]).optional().describe(
           "Specifies the name of the range / sort key that makes up the primary key for the global secondary index."
         ),
-        projection: z41.enum(["all", "keys-only"]).default("all").describe(
+        projection: z42.enum(["all", "keys-only"]).default("all").describe(
           [
             "The set of attributes that are projected into the index:",
             "- all - All of the table attributes are projected into the index.",
@@ -2473,11 +2489,11 @@ var TablesSchema = z41.record(
 ).optional().describe("Define the tables in your stack.");
 
 // src/feature/task/schema.ts
-import { z as z42 } from "zod";
-var RetryAttemptsSchema2 = z42.number().int().min(0).max(2).describe(
+import { z as z43 } from "zod";
+var RetryAttemptsSchema3 = z43.number().int().min(0).max(2).describe(
   "The maximum number of times to retry when the function returns an error. You can specify a number from 0 to 2."
 );
-var TaskSchema = z42.union([
+var TaskSchema = z43.union([
   LocalFileSchema.transform((file) => ({
     consumer: {
       code: {
@@ -2488,20 +2504,20 @@ var TaskSchema = z42.union([
     },
     retryAttempts: void 0
   })),
-  z42.object({
+  z43.object({
     consumer: FunctionSchema,
-    retryAttempts: RetryAttemptsSchema2.optional()
+    retryAttempts: RetryAttemptsSchema3.optional()
   })
 ]);
-var TasksSchema = z42.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
+var TasksSchema = z43.record(ResourceIdSchema, TaskSchema).optional().describe("Define the tasks in your stack.");
 
 // src/feature/test/schema.ts
-import { z as z43 } from "zod";
-var TestsSchema = z43.union([
+import { z as z44 } from "zod";
+var TestsSchema = z44.union([
   //
   LocalDirectorySchema.transform((v) => [v]),
   LocalDirectorySchema.array(),
-  z43.literal(false)
+  z44.literal(false)
 ]).describe("Define the location of your tests for your stack.").optional();
 
 // src/config/stack.ts
@@ -2509,8 +2525,8 @@ var DependsSchema = ResourceIdSchema.array().optional().describe("Define the sta
 var NameSchema = ResourceIdSchema.refine((name) => !["base", "hostedzones"].includes(name), {
   message: `Stack name can't be a reserved name.`
 }).describe("Stack name.");
-var StackSchema = z44.object({
-  $schema: z44.string().optional(),
+var StackSchema = z45.object({
+  $schema: z45.string().optional(),
   name: NameSchema,
   depends: DependsSchema,
   commands: CommandsSchema,
@@ -2547,37 +2563,37 @@ import { basename, dirname as dirname2, extname, join as join4 } from "path";
 
 // src/config/stage-patch.ts
 import jsonPatch from "fast-json-patch";
-import { z as z45 } from "zod";
-var AddOperationSchema = z45.object({
-  op: z45.literal("add"),
-  path: z45.string(),
-  value: z45.unknown()
+import { z as z46 } from "zod";
+var AddOperationSchema = z46.object({
+  op: z46.literal("add"),
+  path: z46.string(),
+  value: z46.unknown()
 }).strict();
-var RemoveOperationSchema = z45.object({
-  op: z45.literal("remove"),
-  path: z45.string()
+var RemoveOperationSchema = z46.object({
+  op: z46.literal("remove"),
+  path: z46.string()
 }).strict();
-var ReplaceOperationSchema = z45.object({
-  op: z45.literal("replace"),
-  path: z45.string(),
-  value: z45.unknown()
+var ReplaceOperationSchema = z46.object({
+  op: z46.literal("replace"),
+  path: z46.string(),
+  value: z46.unknown()
 }).strict();
-var MoveOperationSchema = z45.object({
-  op: z45.literal("move"),
-  from: z45.string(),
-  path: z45.string()
+var MoveOperationSchema = z46.object({
+  op: z46.literal("move"),
+  from: z46.string(),
+  path: z46.string()
 }).strict();
-var CopyOperationSchema = z45.object({
-  op: z45.literal("copy"),
-  from: z45.string(),
-  path: z45.string()
+var CopyOperationSchema = z46.object({
+  op: z46.literal("copy"),
+  from: z46.string(),
+  path: z46.string()
 }).strict();
-var TestOperationSchema = z45.object({
-  op: z45.literal("test"),
-  path: z45.string(),
-  value: z45.unknown()
+var TestOperationSchema = z46.object({
+  op: z46.literal("test"),
+  path: z46.string(),
+  value: z46.unknown()
 }).strict();
-var JsonPatchOperationSchema = z45.discriminatedUnion("op", [
+var JsonPatchOperationSchema = z46.discriminatedUnion("op", [
   AddOperationSchema,
   RemoveOperationSchema,
   ReplaceOperationSchema,
@@ -2585,8 +2601,8 @@ var JsonPatchOperationSchema = z45.discriminatedUnion("op", [
   CopyOperationSchema,
   TestOperationSchema
 ]);
-var StagePatchSchema = z45.object({
-  $schema: z45.string().optional(),
+var StagePatchSchema = z46.object({
+  $schema: z46.string().optional(),
   operations: JsonPatchOperationSchema.array()
 }).strict();
 var applyStagePatch = (source, patch, file) => {
@@ -2602,13 +2618,13 @@ var applyStagePatch = (source, patch, file) => {
 };
 
 // src/config/load/validate.ts
-import { z as z46 } from "zod";
+import { z as z47 } from "zod";
 var validateConfig = async (schema, file, data) => {
   try {
     const result = await schema.parseAsync(data);
     return result;
   } catch (error) {
-    if (error instanceof z46.ZodError) {
+    if (error instanceof z47.ZodError) {
       throw new ConfigError(file, error, data);
     }
     throw error;
@@ -3419,7 +3435,7 @@ var formatByteSize = (size) => {
 
 // src/feature/on-failure/util.ts
 var getGlobalOnFailure = (ctx) => {
-  return ctx.shared.get("on-failure", "queue-arn");
+  return ctx.shared.get("on-failure", "bucket-arn");
 };
 
 // src/feature/function/build/zip.ts
@@ -3967,8 +3983,15 @@ var createAsyncLambdaFunction = (group, ctx, ns, id, local) => {
     }
   );
   result.addPermission({
-    actions: ["sqs:SendMessage", "sqs:GetQueueUrl"],
-    resources: [onFailure]
+    actions: ["s3:PutObject", "s3:ListBucket"],
+    resources: [onFailure, $interpolate`${onFailure}/*`],
+    conditions: {
+      StringEquals: {
+        // This will protect anyone from taking our bucket name,
+        // and us sending our failed items to the wrong s3 bucket
+        "s3:ResourceAccount": ctx.accountId
+      }
+    }
   });
   return result;
 };
@@ -4448,146 +4471,509 @@ var onLogFeature = defineFeature({
 });
 
 // src/feature/on-failure/index.ts
-import { Group as Group8 } from "@terraforge/core";
+import { Group as Group9 } from "@terraforge/core";
+import { aws as aws10 } from "@terraforge/aws";
+
+// src/feature/function/prebuild.ts
+import { days as days5, seconds as seconds5, toDays as toDays5, toSeconds as toSeconds3 } from "@awsless/duration";
+import { mebibytes as mebibytes2, toMebibytes as toMebibytes3 } from "@awsless/size";
 import { aws as aws9 } from "@terraforge/aws";
-import { days as days5, toSeconds as toSeconds3 } from "@awsless/duration";
-var onFailureFeature = defineFeature({
-  name: "on-failure",
-  onApp(ctx) {
-    const group = new Group8(ctx.base, "on-failure", "main");
-    const deadletter = new aws9.sqs.Queue(group, "deadletter", {
-      name: formatGlobalResourceName({
-        appName: ctx.app.name,
-        resourceType: "on-failure",
-        resourceName: "deadletter"
-      }),
-      messageRetentionSeconds: toSeconds3(days5(14))
+import { Output as Output4, findInputDeps as findInputDeps2, resolveInputs as resolveInputs2 } from "@terraforge/core";
+import { pascalCase as pascalCase2 } from "change-case";
+var createPrebuildLambdaFunction = (group, ctx, ns, id, props) => {
+  let name;
+  let roleName;
+  if ("stack" in ctx) {
+    name = formatLocalResourceName({
+      appName: ctx.app.name,
+      stackName: ctx.stack.name,
+      resourceType: ns,
+      resourceName: id
     });
-    const queue2 = new aws9.sqs.Queue(group, "on-failure", {
-      name: formatGlobalResourceName({
-        appName: ctx.app.name,
-        resourceType: "on-failure",
-        resourceName: "failure"
-      }),
-      redrivePolicy: deadletter.arn.pipe((deadLetterTargetArn) => {
-        return JSON.stringify({
-          deadLetterTargetArn,
-          maxReceiveCount: 100
-        });
-      })
+    roleName = formatLocalResourceName({
+      appName: ctx.app.name,
+      stackName: ctx.stack.name,
+      resourceType: ns,
+      resourceName: id,
+      postfix: ctx.appId
     });
-    ctx.shared.set("on-failure", "queue-arn", queue2.arn);
-    if (!ctx.appConfig.defaults.onFailure) {
-      return;
-    }
-    const result = createLambdaFunction(group, ctx, "on-failure", "consumer", ctx.appConfig.defaults.onFailure);
-    new aws9.lambda.EventSourceMapping(
-      group,
-      "on-failure",
-      {
-        functionName: result.lambda.functionName,
-        eventSourceArn: queue2.arn,
-        batchSize: 10
-      },
-      {
-        dependsOn: [result.policy]
-      }
-    );
-    result.addPermission({
-      actions: [
-        "sqs:SendMessage",
-        "sqs:DeleteMessage",
-        "sqs:ReceiveMessage",
-        "sqs:GetQueueUrl",
-        "sqs:GetQueueAttributes"
-      ],
-      resources: [queue2.arn]
+  } else {
+    name = formatGlobalResourceName({
+      appName: ctx.appConfig.name,
+      resourceType: ns,
+      resourceName: id
     });
-    result.addPermission({
-      effect: "deny",
-      actions: ["lambda:InvokeFunction", "lambda:InvokeAsync", "sqs:SendMessage", "sns:Publish"],
-      resources: ["*"]
+    roleName = formatGlobalResourceName({
+      appName: ctx.appConfig.name,
+      resourceType: ns,
+      resourceName: id,
+      postfix: ctx.appId
     });
   }
-});
-
-// src/feature/pubsub/index.ts
-import { Group as Group9 } from "@terraforge/core";
-import { aws as aws10 } from "@terraforge/aws";
-import { constantCase as constantCase5 } from "change-case";
-
-// src/feature/domain/util.ts
-var getDomainNameById = (config2, id) => {
-  const domains = config2.defaults.domains ?? {};
-  if (id in domains) {
-    if (domains[id]) {
-      return domains[id].domain;
-    }
-  }
-  throw new TypeError(`No domain registered with id: ${id}`);
-};
-var formatFullDomainName = (config2, id, subDomain) => {
-  const domain2 = getDomainNameById(config2, id);
-  if (subDomain) {
-    return `${subDomain.replace(/\.$/, "")}.${domain2}`;
-  }
-  return domain2;
-};
-
-// src/feature/pubsub/index.ts
-import { minutes as minutes7, toSeconds as toSeconds4 } from "@awsless/duration";
-var pubsubFeature = defineFeature({
-  name: "pubsub",
-  onApp(ctx) {
-    ctx.addGlobalPermission({
-      actions: ["iot:Publish"],
-      resources: [
-        // `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/*`,
-        `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/${ctx.app.name}/pubsub/*`
-      ]
-    });
-    for (const [id, props] of Object.entries(ctx.appConfig.defaults.pubsub ?? {})) {
-      const group = new Group9(ctx.base, "pubsub", id);
-      const { lambda } = createLambdaFunction(group, ctx, "pubsub-authorizer", id, props.auth);
-      const name = formatGlobalResourceName({
-        appName: ctx.app.name,
-        resourceType: "pubsub",
-        resourceName: id
-      });
-      const authorizer = new aws10.iot.Authorizer(group, "authorizer", {
-        name,
-        authorizerFunctionArn: lambda.arn,
-        status: "ACTIVE",
-        signingDisabled: true,
-        enableCachingForHttp: false
-      });
-      new aws10.lambda.Permission(group, "permission", {
-        functionName: lambda.functionName,
-        action: "lambda:InvokeFunction",
-        principal: "iot.amazonaws.com",
-        sourceArn: authorizer.arn
-      });
-      ctx.bind(`PUBSUB_${constantCase5(id)}_AUTHORIZER`, name);
-      const endpoint = aws10.iot.getEndpoint(group, "endpoint", {
-        endpointType: "iot:Data-ATS"
-      });
-      if (props.domain) {
-        const domainName = formatFullDomainName(ctx.appConfig, props.domain, props.subDomain);
-        new aws10.iot.DomainConfiguration(group, "domain", {
-          name,
-          domainName,
-          serverCertificateArns: [ctx.shared.entry("domain", `certificate-arn`, props.domain)],
-          authorizerConfig: {
-            defaultAuthorizerName: authorizer.name
+  const code = new aws9.s3.BucketObject(group, "code", {
+    bucket: ctx.shared.get("function", "bucket-name"),
+    key: `/lambda/${name}.zip`,
+    source: props.bundleFile,
+    sourceHash: $hash(props.bundleFile)
+    // body: Asset.fromFile(props.bundleFile),
+  });
+  const role = new aws9.iam.Role(group, "role", {
+    name: roleName,
+    assumeRolePolicy: JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Action: "sts:AssumeRole",
+          Principal: {
+            Service: ["lambda.amazonaws.com"]
           }
-          // validationCertificate: ctx.shared.get(`global-certificate-${props.domain}-arn`),
-        });
-        new aws10.route53.Record(group, "record", {
-          zoneId: ctx.shared.entry("domain", `zone-id`, props.domain),
-          name: domainName,
-          type: "CNAME",
-          ttl: toSeconds4(minutes7(5)),
-          records: [endpoint.endpointAddress]
+        }
+      ]
+    })
+  });
+  const statements = [];
+  const statementDeps = /* @__PURE__ */ new Set();
+  const addPermission = (...permissions) => {
+    statements.push(...permissions);
+    for (const dep of findInputDeps2(permissions)) {
+      statementDeps.add(dep);
+    }
+  };
+  ctx.onPermission((statement) => {
+    addPermission(statement);
+  });
+  const policy = new aws9.iam.RolePolicy(group, "policy", {
+    role: role.name,
+    name: "lambda-policy",
+    policy: new Output4(statementDeps, async (resolve) => {
+      const list3 = await resolveInputs2(statements);
+      resolve(
+        JSON.stringify({
+          Version: "2012-10-17",
+          Statement: list3.map((statement) => ({
+            Effect: pascalCase2(statement.effect ?? "allow"),
+            Action: statement.actions,
+            Resource: statement.resources
+          }))
+        })
+      );
+    })
+  });
+  const variables = {};
+  const logFormats = {
+    text: "Text",
+    json: "JSON"
+  };
+  const lambda = new aws9.lambda.Function(group, `function`, {
+    functionName: name,
+    role: role.arn,
+    // code,
+    // runtime: props.runtime === 'container' ? undefined : props.runtime,
+    runtime: props.runtime,
+    handler: props.handler,
+    timeout: toSeconds3(props.timeout ?? seconds5(10)),
+    memorySize: toMebibytes3(props.memorySize ?? mebibytes2(128)),
+    architectures: [props.architecture ?? "arm64"],
+    layers: props.layers?.map((id2) => ctx.shared.entry("layer", "arn", id2)),
+    s3Bucket: code.bucket,
+    s3ObjectVersion: code.versionId,
+    s3Key: code.key.pipe((name2) => {
+      if (name2.startsWith("/")) {
+        return name2.substring(1);
+      }
+      return name2;
+    }),
+    sourceCodeHash: $hash(props.bundleFile),
+    environment: {
+      variables
+    },
+    loggingConfig: {
+      logGroup: `/aws/lambda/${name}`,
+      logFormat: logFormats[props.log && "format" in props.log && props.log.format || "json"],
+      applicationLogLevel: props.log && "format" in props.log && props.log.format === "json" ? props.log.level?.toUpperCase() : void 0,
+      systemLogLevel: props.log && "format" in props.log && props.log.format === "json" ? props.log.system?.toUpperCase() : void 0
+    }
+  });
+  ctx.onEnv((name2, value) => {
+    variables[name2] = value;
+  });
+  variables.APP = ctx.appConfig.name;
+  variables.APP_ID = ctx.appId;
+  variables.AWS_ACCOUNT_ID = ctx.accountId;
+  if ("stackConfig" in ctx) {
+    variables.STACK = ctx.stackConfig.name;
+  }
+  if (props.log?.retention && props.log?.retention?.value > 0n) {
+    const logGroup = new aws9.cloudwatch.LogGroup(group, "log", {
+      name: `/aws/lambda/${name}`,
+      retentionInDays: toDays5(props.log.retention ?? days5(7))
+    });
+    addPermission({
+      actions: ["logs:PutLogEvents", "logs:CreateLogStream"],
+      resources: [logGroup.arn.pipe((arn) => `${arn}:*`)]
+    });
+    const onLogArn = getGlobalOnLog(ctx);
+    if (onLogArn && ctx.appConfig.defaults.onLog) {
+      const logFilter = ctx.appConfig.defaults.onLog.filter;
+      new aws9.cloudwatch.LogSubscriptionFilter(group, `on-log`, {
+        name: "log-subscription",
+        destinationArn: onLogArn,
+        logGroupName: logGroup.name,
+        filterPattern: formatFilterPattern(logFilter)
+      });
+    }
+  }
+  if (props.warm) {
+    const rule = new aws9.cloudwatch.EventRule(group, "warm", {
+      name: `${name}--warm`,
+      description: "Lambda Warmer",
+      scheduleExpression: "rate(5 minutes)",
+      isEnabled: true
+    });
+    new aws9.cloudwatch.EventTarget(group, "warm", {
+      rule: rule.name,
+      targetId: "warmer",
+      arn: lambda.arn,
+      input: JSON.stringify({
+        warmer: true,
+        concurrency: props.warm
+      })
+    });
+    new aws9.lambda.Permission(group, `warm`, {
+      action: "lambda:InvokeFunction",
+      principal: "events.amazonaws.com",
+      functionName: lambda.functionName,
+      sourceArn: rule.arn
+    });
+  }
+  return {
+    name,
+    lambda,
+    policy,
+    code,
+    setEnvironment(name2, value) {
+      variables[name2] = value;
+    },
+    addPermission(statement) {
+      addPermission(statement);
+    }
+  };
+};
+
+// src/feature/on-failure/index.ts
+import { join as join10 } from "node:path";
+import { mebibytes as mebibytes3 } from "@awsless/size";
+import { days as days6, toSeconds as toSeconds4 } from "@awsless/duration";
+var onFailureFeature = defineFeature({
+  name: "on-failure",
+  onApp(ctx) {
+    const group = new Group9(ctx.base, "on-failure", "main");
+    const deadletter = new aws10.sqs.Queue(group, "deadletter", {
+      name: formatGlobalResourceName({
+        appName: ctx.app.name,
+        resourceType: "on-failure",
+        resourceName: "deadletter"
+      }),
+      messageRetentionSeconds: toSeconds4(days6(14))
+    });
+    const queue2 = new aws10.sqs.Queue(group, "on-failure", {
+      name: formatGlobalResourceName({
+        appName: ctx.app.name,
+        resourceType: "on-failure",
+        resourceName: "failure"
+      }),
+      redrivePolicy: deadletter.arn.pipe((deadLetterTargetArn) => {
+        return JSON.stringify({
+          deadLetterTargetArn,
+          maxReceiveCount: 3
+        });
+      })
+    });
+    ctx.shared.set("on-failure", "queue-arn", queue2.arn);
+    const bucket = new aws10.s3.Bucket(group, "bucket", {
+      bucket: formatGlobalResourceName({
+        appName: ctx.app.name,
+        resourceType: "on-failure",
+        resourceName: "failure",
+        postfix: ctx.appId
+      }),
+      lifecycleRule: [
+        {
+          id: "ttl",
+          enabled: true,
+          expiration: {
+            days: 14
+          }
+        }
+      ]
+    });
+    ctx.shared.set("on-failure", "bucket-arn", bucket.arn);
+    const props = ctx.appConfig.defaults.onFailure;
+    if (props) {
+      if (props.notify) {
+        const topic = new aws10.sns.Topic(group, "deadletter-topic", {
+          name: formatGlobalResourceName({
+            appName: ctx.app.name,
+            resourceType: "on-failure",
+            resourceName: "deadletter"
+          })
+        });
+        for (const email of props.notify) {
+          new aws10.sns.TopicSubscription(group, email, {
+            topicArn: topic.arn,
+            protocol: "email",
+            endpoint: email
+          });
+        }
+        const role = new aws10.iam.Role(group, "deadletter-topic-role", {
+          name: formatGlobalResourceName({
+            appName: ctx.app.name,
+            resourceType: "on-failure",
+            resourceName: "pipe"
+          }),
+          description: `${ctx.app.name} on-failure deadletter notification pipe`,
+          assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Action: "sts:AssumeRole",
+                Principal: {
+                  Service: ["pipes.amazonaws.com"]
+                }
+              }
+            ]
+          }),
+          inlinePolicy: [
+            {
+              name: "deadletter-topic",
+              policy: topic.arn.pipe(
+                (topicArn) => deadletter.arn.pipe(
+                  (queueArn) => JSON.stringify({
+                    Version: "2012-10-17",
+                    Statement: [
+                      {
+                        Effect: "Allow",
+                        Action: [
+                          "sqs:ReceiveMessage",
+                          "sqs:DeleteMessage",
+                          "sqs:GetQueueAttributes",
+                          "sqs:ChangeMessageVisibility"
+                        ],
+                        Resource: queueArn
+                      },
+                      {
+                        Effect: "Allow",
+                        Action: ["sns:Publish"],
+                        Resource: topicArn
+                      }
+                    ]
+                  })
+                )
+              )
+            }
+          ]
+        });
+        new aws10.pipes.Pipe(group, "deadletter-topic-pipe", {
+          name: formatGlobalResourceName({
+            appName: ctx.app.name,
+            resourceType: "on-failure",
+            resourceName: "notify"
+          }),
+          roleArn: role.arn,
+          source: deadletter.arn,
+          target: topic.arn,
+          sourceParameters: {
+            sqsQueueParameters: {
+              batchSize: 1
+            }
+          },
+          targetParameters: {
+            inputTemplate: [
+              `Awsless on-failure DLQ message`,
+              `App: ${ctx.app.name}`,
+              `Sent: <$.attributes.SentTimestamp>`,
+              "",
+              `Body:
+<$.body>`
+            ].join("\n")
+          }
+        });
+      }
+      const consumer = createLambdaFunction(group, ctx, "on-failure", "consumer", props.consumer);
+      consumer.addPermission({
+        effect: "deny",
+        actions: [
+          //
+          "lambda:InvokeFunction",
+          "lambda:InvokeAsync",
+          "sqs:SendMessage",
+          "sns:Publish"
+        ],
+        resources: ["*"]
+      });
+      const prebuild = createPrebuildLambdaFunction(group, ctx, "on-failure", "normalizer", {
+        bundleFile: join10(__dirname, "/prebuild/on-failure/bundle.zip"),
+        bundleHash: join10(__dirname, "/prebuild/on-failure/HASH"),
+        memorySize: mebibytes3(256),
+        timeout: props.consumer.timeout,
+        handler: "index.default",
+        runtime: "nodejs24.x",
+        log: {
+          format: "json",
+          level: "warn",
+          retention: days6(3),
+          system: "warn"
+        }
+      });
+      prebuild.setEnvironment("CONSUMER", consumer.name);
+      prebuild.addPermission({
+        actions: ["lambda:InvokeFunction"],
+        resources: [consumer.lambda.arn]
+      });
+      prebuild.addPermission({
+        actions: ["s3:GetObject", "s3:DeleteObject"],
+        resources: [bucket.arn, $interpolate`${bucket.arn}/*`]
+      });
+      prebuild.addPermission({
+        actions: ["sqs:SendMessage"],
+        resources: [deadletter.arn]
+      });
+      new aws10.lambda.FunctionEventInvokeConfig(
+        group,
+        "async",
+        {
+          functionName: prebuild.lambda.arn,
+          maximumRetryAttempts: 2,
+          destinationConfig: {
+            onFailure: {
+              destination: deadletter.arn
+            }
+          }
+        },
+        {
+          dependsOn: [prebuild.policy]
+        }
+      );
+      prebuild.addPermission({
+        actions: [
+          "sqs:SendMessage",
+          "sqs:DeleteMessage",
+          "sqs:ReceiveMessage",
+          "sqs:GetQueueUrl",
+          "sqs:GetQueueAttributes"
+        ],
+        resources: [queue2.arn]
+      });
+      new aws10.lambda.EventSourceMapping(
+        group,
+        "on-failure",
+        {
+          functionName: prebuild.lambda.functionName,
+          eventSourceArn: queue2.arn,
+          batchSize: 10
+        },
+        {
+          dependsOn: [prebuild.policy]
+        }
+      );
+      new aws10.lambda.Permission(group, "permission", {
+        action: "lambda:InvokeFunction",
+        principal: "s3.amazonaws.com",
+        functionName: prebuild.lambda.functionName,
+        sourceArn: bucket.arn
+      });
+      new aws10.s3.BucketNotification(group, "notification", {
+        bucket: bucket.bucket,
+        lambdaFunction: [
+          {
+            lambdaFunctionArn: prebuild.lambda.arn,
+            events: ["s3:ObjectCreated:*"]
+          }
+        ]
+      });
+    }
+  }
+});
+
+// src/feature/pubsub/index.ts
+import { Group as Group10 } from "@terraforge/core";
+import { aws as aws11 } from "@terraforge/aws";
+import { constantCase as constantCase5 } from "change-case";
+
+// src/feature/domain/util.ts
+var getDomainNameById = (config2, id) => {
+  const domains = config2.defaults.domains ?? {};
+  if (id in domains) {
+    if (domains[id]) {
+      return domains[id].domain;
+    }
+  }
+  throw new TypeError(`No domain registered with id: ${id}`);
+};
+var formatFullDomainName = (config2, id, subDomain) => {
+  const domain2 = getDomainNameById(config2, id);
+  if (subDomain) {
+    return `${subDomain.replace(/\.$/, "")}.${domain2}`;
+  }
+  return domain2;
+};
+
+// src/feature/pubsub/index.ts
+import { minutes as minutes7, toSeconds as toSeconds5 } from "@awsless/duration";
+var pubsubFeature = defineFeature({
+  name: "pubsub",
+  onApp(ctx) {
+    ctx.addGlobalPermission({
+      actions: ["iot:Publish"],
+      resources: [
+        // `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/*`,
+        `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/${ctx.app.name}/pubsub/*`
+      ]
+    });
+    for (const [id, props] of Object.entries(ctx.appConfig.defaults.pubsub ?? {})) {
+      const group = new Group10(ctx.base, "pubsub", id);
+      const { lambda } = createLambdaFunction(group, ctx, "pubsub-authorizer", id, props.auth);
+      const name = formatGlobalResourceName({
+        appName: ctx.app.name,
+        resourceType: "pubsub",
+        resourceName: id
+      });
+      const authorizer = new aws11.iot.Authorizer(group, "authorizer", {
+        name,
+        authorizerFunctionArn: lambda.arn,
+        status: "ACTIVE",
+        signingDisabled: true,
+        enableCachingForHttp: false
+      });
+      new aws11.lambda.Permission(group, "permission", {
+        functionName: lambda.functionName,
+        action: "lambda:InvokeFunction",
+        principal: "iot.amazonaws.com",
+        sourceArn: authorizer.arn
+      });
+      ctx.bind(`PUBSUB_${constantCase5(id)}_AUTHORIZER`, name);
+      const endpoint = aws11.iot.getEndpoint(group, "endpoint", {
+        endpointType: "iot:Data-ATS"
+      });
+      if (props.domain) {
+        const domainName = formatFullDomainName(ctx.appConfig, props.domain, props.subDomain);
+        new aws11.iot.DomainConfiguration(group, "domain", {
+          name,
+          domainName,
+          serverCertificateArns: [ctx.shared.entry("domain", `certificate-arn`, props.domain)],
+          authorizerConfig: {
+            defaultAuthorizerName: authorizer.name
+          }
+          // validationCertificate: ctx.shared.get(`global-certificate-${props.domain}-arn`),
+        });
+        new aws11.route53.Record(group, "record", {
+          zoneId: ctx.shared.entry("domain", `zone-id`, props.domain),
+          name: domainName,
+          type: "CNAME",
+          ttl: toSeconds5(minutes7(5)),
+          records: [endpoint.endpointAddress]
         });
         ctx.bind(`PUBSUB_${constantCase5(id)}_ENDPOINT`, domainName);
       } else {
@@ -4597,7 +4983,7 @@ var pubsubFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, props] of Object.entries(ctx.stackConfig.pubsub ?? {})) {
-      const group = new Group9(ctx.stack, "pubsub", id);
+      const group = new Group10(ctx.stack, "pubsub", id);
       const { lambda } = createAsyncLambdaFunction(group, ctx, `pubsub`, id, props.consumer);
       const name = formatLocalResourceName({
         appName: ctx.app.name,
@@ -4605,14 +4991,14 @@ var pubsubFeature = defineFeature({
         resourceType: "pubsub",
         resourceName: id
       });
-      const topic = new aws10.iot.TopicRule(group, "rule", {
+      const topic = new aws11.iot.TopicRule(group, "rule", {
         name: name.replaceAll("-", "_"),
         enabled: true,
         sql: props.sql,
         sqlVersion: props.sqlVersion,
         lambda: [{ functionArn: lambda.arn }]
       });
-      new aws10.lambda.Permission(group, "permission", {
+      new aws11.lambda.Permission(group, "permission", {
         action: "lambda:InvokeFunction",
         principal: "iot.amazonaws.com",
         functionName: lambda.functionName,
@@ -4623,12 +5009,12 @@ var pubsubFeature = defineFeature({
 });
 
 // src/feature/queue/index.ts
-import { Group as Group10 } from "@terraforge/core";
-import { aws as aws11 } from "@terraforge/aws";
+import { Group as Group11 } from "@terraforge/core";
+import { aws as aws12 } from "@terraforge/aws";
 import { camelCase as camelCase5, constantCase as constantCase6 } from "change-case";
 import deepmerge3 from "deepmerge";
 import { relative as relative5 } from "path";
-import { seconds as seconds5, toSeconds as toSeconds5 } from "@awsless/duration";
+import { seconds as seconds6, toSeconds as toSeconds6 } from "@awsless/duration";
 import { toBytes } from "@awsless/size";
 var typeGenCode4 = `
 import { SendMessageOptions, SendMessageBatchOptions, BatchItem } from '@awsless/sqs'
@@ -4688,42 +5074,44 @@ var queueFeature = defineFeature({
     gen.addInterface("QueueMockResponse", mockResponses);
     await ctx.write("queue.d.ts", gen, true);
   },
+  onApp(ctx) {
+  },
   onStack(ctx) {
     for (const [id, local] of Object.entries(ctx.stackConfig.queues || {})) {
       const props = deepmerge3(ctx.appConfig.defaults.queue, typeof local === "object" ? local : {});
-      const group = new Group10(ctx.stack, "queue", id);
+      const group = new Group11(ctx.stack, "queue", id);
       const name = formatLocalResourceName({
         appName: ctx.app.name,
         stackName: ctx.stack.name,
         resourceType: "queue",
         resourceName: id
       });
-      const onFailure = getGlobalOnFailure(ctx);
-      const queue2 = new aws11.sqs.Queue(group, "queue", {
+      const onFailure = ctx.shared.get("on-failure", "queue-arn");
+      const queue2 = new aws12.sqs.Queue(group, "queue", {
         name,
-        delaySeconds: toSeconds5(props.deliveryDelay),
-        visibilityTimeoutSeconds: toSeconds5(props.visibilityTimeout),
-        receiveWaitTimeSeconds: toSeconds5(props.receiveMessageWaitTime ?? seconds5(0)),
-        messageRetentionSeconds: toSeconds5(props.retentionPeriod),
+        delaySeconds: toSeconds6(props.deliveryDelay),
+        visibilityTimeoutSeconds: toSeconds6(props.visibilityTimeout),
+        receiveWaitTimeSeconds: toSeconds6(props.receiveMessageWaitTime ?? seconds6(0)),
+        messageRetentionSeconds: toSeconds6(props.retentionPeriod),
         maxMessageSize: toBytes(props.maxMessageSize),
         redrivePolicy: onFailure.pipe(
           (arn) => JSON.stringify({
             deadLetterTargetArn: arn,
-            maxReceiveCount: 100
+            maxReceiveCount: props.retryAttempts + 1
           })
         )
       });
       if (local.consumer) {
         const lambdaConsumer = createLambdaFunction(group, ctx, `queue`, id, local.consumer);
         lambdaConsumer.setEnvironment("THROW_EXPECTED_ERRORS", "1");
-        new aws11.lambda.EventSourceMapping(
+        new aws12.lambda.EventSourceMapping(
           group,
           "event",
           {
             functionName: lambdaConsumer.lambda.functionName,
             eventSourceArn: queue2.arn,
             batchSize: props.batchSize,
-            maximumBatchingWindowInSeconds: props.maxBatchingWindow && toSeconds5(props.maxBatchingWindow),
+            maximumBatchingWindowInSeconds: props.maxBatchingWindow && toSeconds6(props.maxBatchingWindow),
             scalingConfig: {
               maximumConcurrency: props.maxConcurrency
             }
@@ -4759,24 +5147,24 @@ var queueFeature = defineFeature({
 });
 
 // src/feature/rest/index.ts
-import { Group as Group11 } from "@terraforge/core";
-import { aws as aws12 } from "@terraforge/aws";
+import { Group as Group12 } from "@terraforge/core";
+import { aws as aws13 } from "@terraforge/aws";
 import { constantCase as constantCase7 } from "change-case";
 var restFeature = defineFeature({
   name: "rest",
   onApp(ctx) {
     for (const [id, props] of Object.entries(ctx.appConfig.defaults?.rest ?? {})) {
-      const group = new Group11(ctx.base, "rest", id);
+      const group = new Group12(ctx.base, "rest", id);
       const name = formatGlobalResourceName({
         appName: ctx.app.name,
         resourceType: "rest",
         resourceName: id
       });
-      const api = new aws12.apigatewayv2.Api(group, "api", {
+      const api = new aws13.apigatewayv2.Api(group, "api", {
         name,
         protocolType: "HTTP"
       });
-      const stage = new aws12.apigatewayv2.Stage(group, "stage", {
+      const stage = new aws13.apigatewayv2.Stage(group, "stage", {
         name: "v1",
         apiId: api.id,
         autoDeploy: true
@@ -4786,7 +5174,7 @@ var restFeature = defineFeature({
         const domainName = formatFullDomainName(ctx.appConfig, props.domain, props.subDomain);
         const zoneId = ctx.shared.entry("domain", `zone-id`, props.domain);
         const certificateArn = ctx.shared.entry("domain", `certificate-arn`, props.domain);
-        const domain2 = new aws12.apigatewayv2.DomainName(group, "domain", {
+        const domain2 = new aws13.apigatewayv2.DomainName(group, "domain", {
           domainName,
           domainNameConfiguration: {
             certificateArn,
@@ -4794,12 +5182,12 @@ var restFeature = defineFeature({
             securityPolicy: "TLS_1_2"
           }
         });
-        const mapping = new aws12.apigatewayv2.ApiMapping(group, "mapping", {
+        const mapping = new aws13.apigatewayv2.ApiMapping(group, "mapping", {
           apiId: api.id,
           domainName: domain2.domainName,
           stage: stage.name
         });
-        new aws12.route53.Record(
+        new aws13.route53.Record(
           group,
           "record",
           {
@@ -4827,21 +5215,21 @@ var restFeature = defineFeature({
   },
   onStack(ctx) {
     for (const [id, routes] of Object.entries(ctx.stackConfig.rest ?? {})) {
-      const restGroup = new Group11(ctx.stack, "rest", id);
+      const restGroup = new Group12(ctx.stack, "rest", id);
       for (const [routeKey, props] of Object.entries(routes)) {
-        const group = new Group11(restGroup, "route", routeKey);
+        const group = new Group12(restGroup, "route", routeKey);
         const apiId = ctx.shared.entry("rest", "id", id);
         const routeId = shortId(routeKey);
         const { lambda } = createLambdaFunction(group, ctx, "rest", `${id}-${routeId}`, {
           ...props,
           description: `${id} ${routeKey}`
         });
-        const permission = new aws12.lambda.Permission(group, "permission", {
+        const permission = new aws13.lambda.Permission(group, "permission", {
           action: "lambda:InvokeFunction",
           principal: "apigateway.amazonaws.com",
           functionName: lambda.functionName
         });
-        const integration = new aws12.apigatewayv2.Integration(group, "integration", {
+        const integration = new aws13.apigatewayv2.Integration(group, "integration", {
           apiId,
           description: `${id} ${routeKey}`,
           integrationType: "AWS_PROXY",
@@ -4851,7 +5239,7 @@ var restFeature = defineFeature({
             return `arn:aws:apigateway:${ctx.appConfig.region}:lambda:path/2015-03-31/functions/${arn}/invocations`;
           })
         });
-        new aws12.apigatewayv2.Route(
+        new aws13.apigatewayv2.Route(
           group,
           "route",
           {
@@ -4872,200 +5260,11 @@ var restFeature = defineFeature({
 import { camelCase as camelCase6, constantCase as constantCase8, kebabCase as kebabCase6 } from "change-case";
 import { Group as Group13 } from "@terraforge/core";
 import { aws as aws14 } from "@terraforge/aws";
-import { mebibytes as mebibytes3 } from "@awsless/size";
-import { dirname as dirname5, join as join10, relative as relative6 } from "path";
+import { mebibytes as mebibytes4 } from "@awsless/size";
+import { dirname as dirname5, join as join11, relative as relative6 } from "path";
 import { fileURLToPath } from "node:url";
-
-// src/feature/function/prebuild.ts
-import { days as days6, seconds as seconds6, toDays as toDays5, toSeconds as toSeconds6 } from "@awsless/duration";
-import { mebibytes as mebibytes2, toMebibytes as toMebibytes3 } from "@awsless/size";
-import { aws as aws13 } from "@terraforge/aws";
-import { Output as Output4, findInputDeps as findInputDeps2, resolveInputs as resolveInputs2 } from "@terraforge/core";
-import { pascalCase as pascalCase2 } from "change-case";
-var createPrebuildLambdaFunction = (group, ctx, ns, id, props) => {
-  let name;
-  let roleName;
-  if ("stack" in ctx) {
-    name = formatLocalResourceName({
-      appName: ctx.app.name,
-      stackName: ctx.stack.name,
-      resourceType: ns,
-      resourceName: id
-    });
-    roleName = formatLocalResourceName({
-      appName: ctx.app.name,
-      stackName: ctx.stack.name,
-      resourceType: ns,
-      resourceName: id,
-      postfix: ctx.appId
-    });
-  } else {
-    name = formatGlobalResourceName({
-      appName: ctx.appConfig.name,
-      resourceType: ns,
-      resourceName: id
-    });
-    roleName = formatGlobalResourceName({
-      appName: ctx.appConfig.name,
-      resourceType: ns,
-      resourceName: id,
-      postfix: ctx.appId
-    });
-  }
-  const code = new aws13.s3.BucketObject(group, "code", {
-    bucket: ctx.shared.get("function", "bucket-name"),
-    key: `/lambda/${name}.zip`,
-    source: props.bundleFile,
-    sourceHash: $hash(props.bundleFile)
-    // body: Asset.fromFile(props.bundleFile),
-  });
-  const role = new aws13.iam.Role(group, "role", {
-    name: roleName,
-    assumeRolePolicy: JSON.stringify({
-      Version: "2012-10-17",
-      Statement: [
-        {
-          Effect: "Allow",
-          Action: "sts:AssumeRole",
-          Principal: {
-            Service: ["lambda.amazonaws.com"]
-          }
-        }
-      ]
-    })
-  });
-  const statements = [];
-  const statementDeps = /* @__PURE__ */ new Set();
-  const addPermission = (...permissions) => {
-    statements.push(...permissions);
-    for (const dep of findInputDeps2(permissions)) {
-      statementDeps.add(dep);
-    }
-  };
-  ctx.onPermission((statement) => {
-    addPermission(statement);
-  });
-  const policy = new aws13.iam.RolePolicy(group, "policy", {
-    role: role.name,
-    name: "lambda-policy",
-    policy: new Output4(statementDeps, async (resolve) => {
-      const list3 = await resolveInputs2(statements);
-      resolve(
-        JSON.stringify({
-          Version: "2012-10-17",
-          Statement: list3.map((statement) => ({
-            Effect: pascalCase2(statement.effect ?? "allow"),
-            Action: statement.actions,
-            Resource: statement.resources
-          }))
-        })
-      );
-    })
-  });
-  const variables = {};
-  const logFormats = {
-    text: "Text",
-    json: "JSON"
-  };
-  const lambda = new aws13.lambda.Function(group, `function`, {
-    functionName: name,
-    role: role.arn,
-    // code,
-    // runtime: props.runtime === 'container' ? undefined : props.runtime,
-    runtime: props.runtime,
-    handler: props.handler,
-    timeout: toSeconds6(props.timeout ?? seconds6(10)),
-    memorySize: toMebibytes3(props.memorySize ?? mebibytes2(128)),
-    architectures: [props.architecture ?? "arm64"],
-    layers: props.layers?.map((id2) => ctx.shared.entry("layer", "arn", id2)),
-    s3Bucket: code.bucket,
-    s3ObjectVersion: code.versionId,
-    s3Key: code.key.pipe((name2) => {
-      if (name2.startsWith("/")) {
-        return name2.substring(1);
-      }
-      return name2;
-    }),
-    sourceCodeHash: $hash(props.bundleFile),
-    environment: {
-      variables
-    },
-    loggingConfig: {
-      logGroup: `/aws/lambda/${name}`,
-      logFormat: logFormats[props.log && "format" in props.log && props.log.format || "json"],
-      applicationLogLevel: props.log && "format" in props.log && props.log.format === "json" ? props.log.level?.toUpperCase() : void 0,
-      systemLogLevel: props.log && "format" in props.log && props.log.format === "json" ? props.log.system?.toUpperCase() : void 0
-    }
-  });
-  ctx.onEnv((name2, value) => {
-    variables[name2] = value;
-  });
-  variables.APP = ctx.appConfig.name;
-  variables.APP_ID = ctx.appId;
-  variables.AWS_ACCOUNT_ID = ctx.accountId;
-  if ("stackConfig" in ctx) {
-    variables.STACK = ctx.stackConfig.name;
-  }
-  if (props.log?.retention && props.log?.retention?.value > 0n) {
-    const logGroup = new aws13.cloudwatch.LogGroup(group, "log", {
-      name: `/aws/lambda/${name}`,
-      retentionInDays: toDays5(props.log.retention ?? days6(7))
-    });
-    addPermission({
-      actions: ["logs:PutLogEvents", "logs:CreateLogStream"],
-      resources: [logGroup.arn.pipe((arn) => `${arn}:*`)]
-    });
-    const onLogArn = getGlobalOnLog(ctx);
-    if (onLogArn && ctx.appConfig.defaults.onLog) {
-      const logFilter = ctx.appConfig.defaults.onLog.filter;
-      new aws13.cloudwatch.LogSubscriptionFilter(group, `on-log`, {
-        name: "log-subscription",
-        destinationArn: onLogArn,
-        logGroupName: logGroup.name,
-        filterPattern: formatFilterPattern(logFilter)
-      });
-    }
-  }
-  if (props.warm) {
-    const rule = new aws13.cloudwatch.EventRule(group, "warm", {
-      name: `${name}--warm`,
-      description: "Lambda Warmer",
-      scheduleExpression: "rate(5 minutes)",
-      isEnabled: true
-    });
-    new aws13.cloudwatch.EventTarget(group, "warm", {
-      rule: rule.name,
-      targetId: "warmer",
-      arn: lambda.arn,
-      input: JSON.stringify({
-        warmer: true,
-        concurrency: props.warm
-      })
-    });
-    new aws13.lambda.Permission(group, `warm`, {
-      action: "lambda:InvokeFunction",
-      principal: "events.amazonaws.com",
-      functionName: lambda.functionName,
-      sourceArn: rule.arn
-    });
-  }
-  return {
-    name,
-    lambda,
-    policy,
-    code,
-    setEnvironment(name2, value) {
-      variables[name2] = value;
-    },
-    addPermission(statement) {
-      addPermission(statement);
-    }
-  };
-};
-
-// src/feature/rpc/index.ts
 import { toSeconds as toSeconds7 } from "@awsless/duration";
-var __dirname = dirname5(fileURLToPath(import.meta.url));
+var __dirname2 = dirname5(fileURLToPath(import.meta.url));
 var rpcFeature = defineFeature({
   name: "rpc",
   async onTypeGen(ctx) {
@@ -5125,9 +5324,9 @@ var rpcFeature = defineFeature({
     for (const [id, props] of Object.entries(ctx.appConfig.defaults.rpc ?? {})) {
       const group = new Group13(ctx.base, "rpc", id);
       const result = createPrebuildLambdaFunction(group, ctx, "rpc", id, {
-        bundleFile: join10(__dirname, "/prebuild/rpc/bundle.zip"),
-        bundleHash: join10(__dirname, "/prebuild/rpc/HASH"),
-        memorySize: mebibytes3(256),
+        bundleFile: join11(__dirname2, "/prebuild/rpc/bundle.zip"),
+        bundleHash: join11(__dirname2, "/prebuild/rpc/HASH"),
+        memorySize: mebibytes4(256),
         timeout: props.timeout,
         handler: "index.default",
         runtime: "nodejs22.x",
@@ -5394,7 +5593,7 @@ var searchFeature = defineFeature({
 import { Group as Group15 } from "@terraforge/core";
 import { aws as aws16 } from "@terraforge/aws";
 import { glob as glob2 } from "glob";
-import { dirname as dirname6, join as join11 } from "path";
+import { dirname as dirname6, join as join12 } from "path";
 
 // src/feature/site/util.ts
 import { contentType, lookup } from "mime-types";
@@ -5440,7 +5639,7 @@ var siteFeature = defineFeature({
           return build3(fingerprint, async (write) => {
             const credentialProvider = await getCredentials(ctx.appConfig.profile);
             const credentials = await credentialProvider();
-            const cwd = join11(directories.root, dirname6(ctx.stackConfig.file));
+            const cwd = join12(directories.root, dirname6(ctx.stackConfig.file));
             const env = {
               ...process.env,
               // Pass the app config name
@@ -5585,20 +5784,20 @@ var siteFeature = defineFeature({
             });
             const staticRoutes = {};
             for (const file of files) {
-              const prefixedFile = join11("/", file);
+              const prefixedFile = join12("/", file);
               const object = new aws16.s3.BucketObject(group, prefixedFile, {
                 bucket: bucket.bucket,
                 key: prefixedFile,
                 cacheControl: getCacheControl(file),
                 contentType: getContentType(file),
-                source: join11(props.static, file),
-                sourceHash: $hash(join11(props.static, file))
+                source: join12(props.static, file),
+                sourceHash: $hash(join12(props.static, file))
               });
               versions.push(object.key);
               versions.push(object.sourceHash);
               const strippedHtmlFile = file.endsWith("index.html") ? file.slice(0, -11) : file.endsWith(".html") ? file.slice(0, -5) : file;
               const urlFriendlyFile = strippedHtmlFile.endsWith("/") ? strippedHtmlFile.slice(0, -1) : strippedHtmlFile;
-              const routeFileKey = join11(props.path, urlFriendlyFile);
+              const routeFileKey = join12(props.path, urlFriendlyFile);
               staticRoutes[routeFileKey] = {
                 type: "s3",
                 domainName: bucket.bucketRegionalDomainName,
@@ -5641,7 +5840,7 @@ var getContentType2 = (file) => {
 };
 
 // src/feature/store/index.ts
-import { join as join12 } from "path";
+import { join as join13 } from "path";
 var typeGenCode6 = `
 import { Body, PutObjectProps, BodyStream } from '@awsless/s3'
 
@@ -5697,7 +5896,14 @@ var storeFeature = defineFeature({
         //
         `arn:aws:s3:::${name}`,
         `arn:aws:s3:::${name}/*`
-      ]
+      ],
+      conditions: {
+        StringEquals: {
+          // This will protect anyone from taking our bucket name,
+          // and us sending our items to the wrong s3 bucket
+          "s3:ResourceAccount": ctx.accountId
+        }
+      }
     });
   },
   onStack(ctx) {
@@ -5746,8 +5952,8 @@ var storeFeature = defineFeature({
               key: file,
               cacheControl: getCacheControl2(file),
               contentType: getContentType2(file),
-              source: join12(props.static, file),
-              sourceHash: $hash(join12(props.static, file))
+              source: join13(props.static, file),
+              sourceHash: $hash(join13(props.static, file))
             });
           }
         }
@@ -5800,7 +6006,14 @@ var storeFeature = defineFeature({
           //
           bucket.arn,
           bucket.arn.pipe((arn) => `${arn}/*`)
-        ]
+        ],
+        conditions: {
+          StringEquals: {
+            // This will protect anyone from taking our bucket name,
+            // and us sending our items to the wrong s3 bucket
+            "s3:ResourceAccount": ctx.accountId
+          }
+        }
       });
     }
   }
@@ -5939,7 +6152,7 @@ var tableFeature = defineFeature({
             functionName: result.lambda.functionName,
             eventSourceArn: table.streamArn,
             // tumblingWindowInSeconds
-            // maximumRecordAgeInSeconds: props.stream.
+            maximumRecordAgeInSeconds: toSeconds8(props.stream.maxRecordAge),
             // bisectBatchOnFunctionError: true,
             batchSize: props.stream.batchSize,
             maximumBatchingWindowInSeconds: props.stream.batchWindow ? toSeconds8(props.stream.batchWindow) : void 0,
@@ -5955,6 +6168,17 @@ var tableFeature = defineFeature({
           },
           { dependsOn: [result.policy] }
         );
+        result.addPermission({
+          actions: ["s3:PutObject", "s3:ListBucket"],
+          resources: [onFailure, $interpolate`${onFailure}/*`],
+          conditions: {
+            StringEquals: {
+              // This will protect anyone from taking our bucket name,
+              // and us sending our failed items to the wrong s3 bucket
+              "s3:ResourceAccount": ctx.accountId
+            }
+          }
+        });
         result.addPermission({
           actions: [
             "dynamodb:ListStreams",
@@ -5964,10 +6188,6 @@ var tableFeature = defineFeature({
           ],
           resources: [table.streamArn]
         });
-        result.addPermission({
-          actions: ["sqs:SendMessage", "sqs:GetQueueUrl"],
-          resources: [onFailure]
-        });
       }
       ctx.addStackPermission({
         actions: [
@@ -6497,12 +6717,12 @@ var layerFeature = defineFeature({
 // src/feature/image/index.ts
 import { Group as Group23 } from "@terraforge/core";
 import { aws as aws24 } from "@terraforge/aws";
-import { join as join13, dirname as dirname7 } from "path";
-import { mebibytes as mebibytes4 } from "@awsless/size";
+import { join as join14, dirname as dirname7 } from "path";
+import { mebibytes as mebibytes5 } from "@awsless/size";
 import { seconds as seconds7, toDays as toDays6 } from "@awsless/duration";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { glob as glob4 } from "glob";
-var __dirname2 = dirname7(fileURLToPath2(import.meta.url));
+var __dirname3 = dirname7(fileURLToPath2(import.meta.url));
 var imageFeature = defineFeature({
   name: "image",
   onApp(ctx) {
@@ -6513,7 +6733,7 @@ var imageFeature = defineFeature({
       return;
     }
     const group = new Group23(ctx.base, "image", "layer");
-    const path = join13(__dirname2, "/layers/sharp-arm.zip");
+    const path = join14(__dirname3, "/layers/sharp-arm.zip");
     const layerId = formatGlobalResourceName({
       appName: ctx.appConfig.name,
       resourceType: "layer",
@@ -6602,9 +6822,9 @@ var imageFeature = defineFeature({
         resourceName: "sharp"
       });
       const serverLambda = createPrebuildLambdaFunction(group, ctx, "image", id, {
-        bundleFile: join13(__dirname2, "/prebuild/image/bundle.zip"),
-        bundleHash: join13(__dirname2, "/prebuild/image/HASH"),
-        memorySize: mebibytes4(512),
+        bundleFile: join14(__dirname3, "/prebuild/image/bundle.zip"),
+        bundleHash: join14(__dirname3, "/prebuild/image/HASH"),
+        memorySize: mebibytes5(512),
         timeout: seconds7(10),
         handler: "index.default",
         runtime: "nodejs22.x",
@@ -6678,8 +6898,8 @@ var imageFeature = defineFeature({
             new aws24.s3.BucketObject(group, `static-${file}`, {
               bucket: s3Origin.bucket,
               key: file,
-              source: join13(props.origin.static, file),
-              sourceHash: $hash(join13(props.origin.static, file))
+              source: join14(props.origin.static, file),
+              sourceHash: $hash(join14(props.origin.static, file))
             });
           }
         }
@@ -6694,12 +6914,12 @@ var imageFeature = defineFeature({
 // src/feature/icon/index.ts
 import { Group as Group24 } from "@terraforge/core";
 import { aws as aws25 } from "@terraforge/aws";
-import { join as join14, dirname as dirname8 } from "path";
-import { mebibytes as mebibytes5 } from "@awsless/size";
+import { join as join15, dirname as dirname8 } from "path";
+import { mebibytes as mebibytes6 } from "@awsless/size";
 import { seconds as seconds8, toDays as toDays7 } from "@awsless/duration";
 import { fileURLToPath as fileURLToPath3 } from "url";
 import { glob as glob5 } from "glob";
-var __dirname3 = dirname8(fileURLToPath3(import.meta.url));
+var __dirname4 = dirname8(fileURLToPath3(import.meta.url));
 var iconFeature = defineFeature({
   name: "icon",
   onStack(ctx) {
@@ -6748,9 +6968,9 @@ var iconFeature = defineFeature({
         } : {}
       });
       const serverLambda = createPrebuildLambdaFunction(group, ctx, "icon", id, {
-        bundleFile: join14(__dirname3, "/prebuild/icon/bundle.zip"),
-        bundleHash: join14(__dirname3, "/prebuild/icon/HASH"),
-        memorySize: mebibytes5(512),
+        bundleFile: join15(__dirname4, "/prebuild/icon/bundle.zip"),
+        bundleHash: join15(__dirname4, "/prebuild/icon/HASH"),
+        memorySize: mebibytes6(512),
         timeout: seconds8(10),
         handler: "index.default",
         runtime: "nodejs22.x",
@@ -6826,8 +7046,8 @@ var iconFeature = defineFeature({
             new aws25.s3.BucketObject(group, `static-${file}`, {
               bucket: s3Origin.bucket,
               key: file,
-              source: join14(props.origin.static, file),
-              sourceHash: $hash(join14(props.origin.static, file))
+              source: join15(props.origin.static, file),
+              sourceHash: $hash(join15(props.origin.static, file))
             });
           }
         }
@@ -6851,14 +7071,14 @@ import { aws as aws26 } from "@terraforge/aws";
 import { Group as Group25, Output as Output6, findInputDeps as findInputDeps3, resolveInputs as resolveInputs3 } from "@terraforge/core";
 import { constantCase as constantCase12, pascalCase as pascalCase3 } from "change-case";
 import deepmerge4 from "deepmerge";
-import { join as join16 } from "path";
+import { join as join17 } from "path";
 
 // src/feature/instance/build/executable.ts
 import { createHash as createHash3 } from "crypto";
 import { readFile as readFile4 } from "fs/promises";
-import { join as join15 } from "path";
+import { join as join16 } from "path";
 var buildExecutable = async (input, outputPath, architecture) => {
-  const filePath = join15(outputPath, "program");
+  const filePath = join16(outputPath, "program");
   const target = architecture === "x86_64" ? "bun-linux-x64" : "bun-linux-arm64";
   let result;
   try {
@@ -7102,7 +7322,7 @@ var createFargateTask = (parentGroup, ctx, ns, id, local) => {
               healthCheck: props.healthCheck ? {
                 command: [
                   "CMD-SHELL",
-                  `curl -f http://${join16("localhost", props.healthCheck.path)} || exit 1`
+                  `curl -f http://${join17("localhost", props.healthCheck.path)} || exit 1`
                 ],
                 interval: toSeconds9(props.healthCheck.interval),
                 retries: props.healthCheck.retries,
@@ -7387,7 +7607,13 @@ import { camelCase as camelCase8, constantCase as constantCase14 } from "change-
 var getViewerRequestFunctionCode = (props) => {
   return CODE([
     props.blockDirectAccess ? BLOCK_DIRECT_ACCESS_TO_CLOUDFRONT : "",
-    props.basicAuth ? BASIC_AUTH_CHECK(props.basicAuth.username, props.basicAuth.password) : ""
+    props.passwordAuth ?? props.basicAuth ? AUTH_WRAPPER(
+      [
+        //
+        props.basicAuth ? BASIC_AUTH_CHECK(props.basicAuth.username, props.basicAuth.password) : "",
+        props.passwordAuth ? PASSWORD_AUTH_CHECK(props.passwordAuth.password) : ""
+      ].join("\n")
+    ) : ""
   ]);
 };
 var BLOCK_DIRECT_ACCESS_TO_CLOUDFRONT = `
@@ -7398,13 +7624,36 @@ if (headers.host && headers.host.value.includes('cloudfront.net')) {
 	};
 }`;
 var BASIC_AUTH_CHECK = (username, password) => `
-const auth = headers.authorization && headers.authorization.value;
-if (!auth || !auth.startsWith('Basic ') || auth.slice(6) !== '${Buffer.from(`${username}:${password}`).toString("base64")}') {
+authMethods.push('Basic realm="Protected"');
+
+if(!isAuthorized) {
+	if(authHeader && authHeader.startsWith('Basic ') && authHeader.slice(6) === '${Buffer.from(`${username}:${password}`).toString("base64")}') {
+		isAuthorized = true;
+	}
+}
+`;
+var PASSWORD_AUTH_CHECK = (password) => `
+authMethods.push('Password realm="Protected"');
+
+if(!isAuthorized) {
+	if(authHeader && authHeader.startsWith('Password ') && authHeader.slice(9) === '${password}') {
+		isAuthorized = true;
+	}
+}
+`;
+var AUTH_WRAPPER = (code) => `
+const authHeader = headers.authorization && headers.authorization.value;
+const authMethods = [];
+let isAuthorized = false;
+
+${code}
+
+if (!isAuthorized) {
 	return {
 		statusCode: 401,
 		headers: {
 			'www-authenticate': {
-				value: 'Basic realm="Protected"'
+				value: authMethods.join(', ')
 			}
 		}
 	};
@@ -7723,7 +7972,8 @@ var routerFeature = defineFeature({
         keyValueStoreAssociations: [routeStore.arn],
         code: getViewerRequestFunctionCode({
           blockDirectAccess: !!props.domain,
-          basicAuth: props.basicAuth
+          basicAuth: props.basicAuth,
+          passwordAuth: props.passwordAuth
         })
       });
       const wafSettingsConfig = props.waf;
@@ -9085,20 +9335,20 @@ import wildstring4 from "wildstring";
 // src/cli/ui/complex/run-tests.ts
 import { log as log18 } from "@awsless/clui";
 import { mkdir as mkdir4, readFile as readFile5, writeFile as writeFile3 } from "fs/promises";
-import { join as join18 } from "path";
+import { join as join19 } from "path";
 import wildstring3 from "wildstring";
 import { parse as parse4, stringify } from "@awsless/json";
 import { generateFolderHash, loadWorkspace as loadWorkspace2 } from "@awsless/ts-file-cache";
 
 // src/test/start.ts
-import { dirname as dirname9, join as join17 } from "path";
+import { dirname as dirname9, join as join18 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 import { configDefaults } from "vitest/config";
 import { startVitest } from "vitest/node";
 var NullReporter = class {
 };
 var startTest = async (props) => {
-  const __dirname4 = dirname9(fileURLToPath4(import.meta.url));
+  const __dirname5 = dirname9(fileURLToPath4(import.meta.url));
   const startTime = process.hrtime.bigint();
   process.noDeprecation = true;
   const vitest = await startVitest(
@@ -9129,7 +9379,7 @@ var startTest = async (props) => {
       // },
       setupFiles: [
         //
-        join17(__dirname4, "test-global-setup.js")
+        join18(__dirname5, "test-global-setup.js")
       ]
       // globalSetup: [
       // 	//
@@ -9323,7 +9573,7 @@ var logTestErrors = (event) => {
 };
 var runTest = async (stack, dir, filters, workspace, opts) => {
   await mkdir4(directories.test, { recursive: true });
-  const file = join18(directories.test, `${stack}.json`);
+  const file = join19(directories.test, `${stack}.json`);
   const fingerprint = await generateFolderHash(workspace, dir);
   if (!process.env.NO_CACHE) {
     const exists = await fileExist(file);
@@ -10008,7 +10258,7 @@ import { log as log25 } from "@awsless/clui";
 
 // src/type-gen/generate.ts
 import { mkdir as mkdir5, writeFile as writeFile4 } from "fs/promises";
-import { dirname as dirname10, join as join19, relative as relative8 } from "path";
+import { dirname as dirname10, join as join20, relative as relative8 } from "path";
 var generateTypes = async (props) => {
   const files = [];
   await Promise.all(
@@ -10017,7 +10267,7 @@ var generateTypes = async (props) => {
         ...props,
         async write(file, data, include = false) {
           const code = data?.toString("utf8");
-          const path = join19(directories.types, file);
+          const path = join20(directories.types, file);
           if (code) {
             if (include) {
               files.push(relative8(directories.root, path));
@@ -10031,7 +10281,7 @@ var generateTypes = async (props) => {
   );
   if (files.length) {
     const code = files.map((file) => `/// <reference path='${file}' />`).join("\n");
-    await writeFile4(join19(directories.root, `awsless.d.ts`), code);
+    await writeFile4(join20(directories.root, `awsless.d.ts`), code);
   }
 };