@stacksjs/ts-cloud 0.2.15 → 0.2.16

package/dist/index.js

@@ -1188,6 +1188,7 @@ var init_dist2 = __esm(() => {
 // src/aws/client.ts
 var exports_client = {};
 __export(exports_client, {
+  resolveS3Endpoint: () => resolveS3Endpoint,
   detectCredentialSource: () => detectCredentialSource,
   buildQueryParams: () => buildQueryParams,
   AWSClient: () => AWSClient
@@ -1196,6 +1197,17 @@ import * as crypto2 from "node:crypto";
 import { existsSync as existsSync14, readFileSync as readFileSync4 } from "node:fs";
 import { homedir as homedir6 } from "node:os";
 import { join as join9 } from "node:path";
+function resolveS3Endpoint(options) {
+  const base = options.endpoint || `s3.${options.region}.amazonaws.com`;
+  if (!options.bucket) {
+    return { host: base, path: options.path };
+  }
+  if (options.forcePathStyle) {
+    const path = options.path === "/" ? `/${options.bucket}` : `/${options.bucket}${options.path}`;
+    return { host: base, path };
+  }
+  return { host: `${options.bucket}.${base}`, path: options.path };
+}
 
 class AWSClient {
   credentials;
@@ -1419,14 +1431,19 @@ class AWSClient {
     return result;
   }
   buildUrl(options) {
-    const { service, region, path, queryParams } = options;
+    const { service, region, queryParams } = options;
+    let { path } = options;
     let host;
     if (service === "s3") {
-      if (options.bucket) {
-        host = `${options.bucket}.s3.${region}.amazonaws.com`;
-      } else {
-        host = `s3.${region}.amazonaws.com`;
-      }
+      const resolved = resolveS3Endpoint({
+        region,
+        path,
+        bucket: options.bucket,
+        endpoint: this.config.endpoint,
+        forcePathStyle: this.config.forcePathStyle
+      });
+      host = resolved.host;
+      path = resolved.path;
     } else if (service === "cloudfront") {
       host = "cloudfront.amazonaws.com";
     } else if (service === "iam") {
@@ -1450,17 +1467,22 @@ class AWSClient {
     return url;
   }
   signRequest(options, credentials) {
-    const { service, region, method, path, queryParams, body } = options;
+    const { service, region, method, queryParams, body } = options;
+    let { path } = options;
     const now = new Date;
     const amzDate = this.getAmzDate(now);
     const dateStamp = this.getDateStamp(now);
     let host;
     if (service === "s3") {
-      if (options.bucket) {
-        host = `${options.bucket}.s3.${region}.amazonaws.com`;
-      } else {
-        host = `s3.${region}.amazonaws.com`;
-      }
+      const resolved = resolveS3Endpoint({
+        region,
+        path,
+        bucket: options.bucket,
+        endpoint: this.config.endpoint,
+        forcePathStyle: this.config.forcePathStyle
+      });
+      host = resolved.host;
+      path = resolved.path;
     } else if (service === "cloudfront") {
       host = "cloudfront.amazonaws.com";
     } else if (service === "iam") {
@@ -1752,999 +1774,415 @@ var init_client = __esm(() => {
   init_dist2();
 });
 
-// src/aws/cloudformation.ts
-class CloudFormationClient {
+// src/aws/credentials.ts
+function resolveCredentials2(profile) {
+  if (profile) {
+    const creds = loadProfileFromFile(profile);
+    if (!creds) {
+      throw new Error(`AWS profile '${profile}' not found in ~/.aws/credentials`);
+    }
+    return creds;
+  }
+  const envAccessKey = process.env.AWS_ACCESS_KEY_ID;
+  const envSecretKey = process.env.AWS_SECRET_ACCESS_KEY;
+  if (envAccessKey && envSecretKey) {
+    return {
+      accessKeyId: envAccessKey,
+      secretAccessKey: envSecretKey,
+      sessionToken: process.env.AWS_SESSION_TOKEN
+    };
+  }
+  return loadProfileFromFile(process.env.AWS_PROFILE || "default") ?? { accessKeyId: "", secretAccessKey: "" };
+}
+function loadProfileFromFile(profile) {
+  const { existsSync: existsSync15, readFileSync: readFileSync5 } = __require("node:fs");
+  const { homedir: homedir5 } = __require("node:os");
+  const { join: join8 } = __require("node:path");
+  const credentialsPath = process.env.AWS_SHARED_CREDENTIALS_FILE || join8(homedir5(), ".aws", "credentials");
+  if (!existsSync15(credentialsPath))
+    return null;
+  const content = readFileSync5(credentialsPath, "utf-8");
+  let currentProfile = null;
+  let accessKeyId;
+  let secretAccessKey;
+  let sessionToken;
+  for (const line of content.split(`
+`)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith(";"))
+      continue;
+    const profileMatch = trimmed.match(/^\[([^\]]+)\]$/);
+    if (profileMatch) {
+      if (currentProfile === profile && accessKeyId && secretAccessKey) {
+        return { accessKeyId, secretAccessKey, sessionToken };
+      }
+      currentProfile = profileMatch[1];
+      accessKeyId = undefined;
+      secretAccessKey = undefined;
+      sessionToken = undefined;
+      continue;
+    }
+    if (currentProfile === profile) {
+      const [key, ...valueParts] = trimmed.split("=");
+      const value = valueParts.join("=").trim();
+      switch (key.trim().toLowerCase()) {
+        case "aws_access_key_id":
+          accessKeyId = value;
+          break;
+        case "aws_secret_access_key":
+          secretAccessKey = value;
+          break;
+        case "aws_session_token":
+          sessionToken = value;
+          break;
+      }
+    }
+  }
+  if (currentProfile === profile && accessKeyId && secretAccessKey) {
+    return { accessKeyId, secretAccessKey, sessionToken };
+  }
+  return null;
+}
+
+// src/aws/s3.ts
+import * as crypto3 from "node:crypto";
+import { readdir as readdir4 } from "node:fs/promises";
+import { join as join10 } from "node:path";
+import { readFileSync as readFileSync6 } from "node:fs";
+function toFetchBody(data) {
+  const { buffer, byteOffset, byteLength } = data;
+  if (buffer instanceof ArrayBuffer) {
+    return buffer.slice(byteOffset, byteOffset + byteLength);
+  }
+  const copy = new ArrayBuffer(byteLength);
+  new Uint8Array(copy).set(new Uint8Array(data));
+  return copy;
+}
+
+class S3Client2 {
   client;
   region;
-  constructor(region = "us-east-1", profile) {
+  explicitProfile;
+  endpoint;
+  forcePathStyle;
+  explicitCredentials;
+  constructor(region = "us-east-1", profile, options) {
     this.region = region;
-    this.client = new AWSClient;
+    this.explicitProfile = profile;
+    this.endpoint = options?.endpoint;
+    this.forcePathStyle = options?.forcePathStyle;
+    this.explicitCredentials = options?.credentials;
+    this.client = new AWSClient(options?.credentials ?? resolveCredentials2(profile), { endpoint: options?.endpoint, forcePathStyle: options?.forcePathStyle });
   }
-  async createStack(options) {
-    const params = {
-      Action: "CreateStack",
-      StackName: options.stackName,
-      Version: "2010-05-15"
-    };
-    if (options.templateBody) {
-      params.TemplateBody = options.templateBody;
-    } else if (options.templateUrl) {
-      params.TemplateURL = options.templateUrl;
-    } else {
-      throw new Error("Either templateBody or templateUrl must be provided");
-    }
-    if (options.parameters) {
-      options.parameters.forEach((param, index) => {
-        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
-        params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
-      });
+  getCredentials() {
+    if (this.explicitCredentials?.accessKeyId && this.explicitCredentials.secretAccessKey) {
+      return this.explicitCredentials;
     }
-    if (options.capabilities) {
-      options.capabilities.forEach((cap, index) => {
-        params[`Capabilities.member.${index + 1}`] = cap;
-      });
+    const creds = resolveCredentials2(this.explicitProfile);
+    if (creds.accessKeyId && creds.secretAccessKey) {
+      return creds;
     }
-    if (options.roleArn) {
-      params.RoleARN = options.roleArn;
+    throw new Error("S3 credentials not found. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (or pass explicit credentials/profile), or configure ~/.aws/credentials.");
+  }
+  s3BaseHost() {
+    return this.endpoint || `s3.${this.region}.amazonaws.com`;
+  }
+  s3VirtualHost(bucket) {
+    return this.forcePathStyle ? this.s3BaseHost() : `${bucket}.${this.s3BaseHost()}`;
+  }
+  async listBuckets() {
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "GET",
+      path: "/"
+    });
+    const buckets = [];
+    const root = result?.ListAllMyBucketsResult ?? result;
+    const bucketList = root?.Buckets?.Bucket;
+    if (bucketList) {
+      const list = Array.isArray(bucketList) ? bucketList : [bucketList];
+      for (const b of list) {
+        buckets.push({
+          Name: b.Name,
+          CreationDate: b.CreationDate
+        });
+      }
     }
-    if (options.tags) {
-      options.tags.forEach((tag, index) => {
-        params[`Tags.member.${index + 1}.Key`] = tag.Key;
-        params[`Tags.member.${index + 1}.Value`] = tag.Value;
-      });
+    return { Buckets: buckets };
+  }
+  async createBucket(bucket, options) {
+    const headers = {};
+    if (options?.acl) {
+      headers["x-amz-acl"] = options.acl;
     }
-    if (options.timeoutInMinutes) {
-      params.TimeoutInMinutes = options.timeoutInMinutes;
+    let body;
+    if (this.region !== "us-east-1" && !this.endpoint) {
+      body = `<?xml version="1.0" encoding="UTF-8"?>
+<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+  <LocationConstraint>${this.region}</LocationConstraint>
+</CreateBucketConfiguration>`;
+      headers["Content-Type"] = "application/xml";
     }
-    if (options.onFailure) {
-      params.OnFailure = options.onFailure;
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "PUT",
+      path: `/${bucket}`,
+      headers,
+      body
+    });
+  }
+  async deleteBucket(bucket) {
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "DELETE",
+      path: `/${bucket}`
+    });
+  }
+  async emptyAndDeleteBucket(bucket) {
+    let hasMore = true;
+    while (hasMore) {
+      const objects = await this.listAllObjects({ bucket });
+      if (objects.length === 0) {
+        hasMore = false;
+        break;
+      }
+      const keys = objects.map((obj) => obj.Key);
+      for (let i = 0;i < keys.length; i += 1000) {
+        const batch2 = keys.slice(i, i + 1000);
+        await this.deleteObjects(bucket, batch2);
+      }
     }
+    await this.deleteBucket(bucket);
+  }
+  async listAllObjects(options) {
+    const allObjects = [];
+    let continuationToken;
+    do {
+      const params = {
+        "list-type": "2",
+        "max-keys": "1000"
+      };
+      if (options.prefix) {
+        params.prefix = options.prefix;
+      }
+      if (continuationToken) {
+        params["continuation-token"] = continuationToken;
+      }
+      const result = await this.client.request({
+        service: "s3",
+        region: this.region,
+        method: "GET",
+        path: `/${options.bucket}`,
+        queryParams: params
+      });
+      const root = result?.ListBucketResult ?? result;
+      const contents = root?.Contents;
+      if (contents) {
+        const list = Array.isArray(contents) ? contents : [contents];
+        for (const obj of list) {
+          allObjects.push({
+            Key: obj.Key,
+            LastModified: obj.LastModified || "",
+            Size: Number.parseInt(obj.Size || "0"),
+            ETag: obj.ETag
+          });
+        }
+      }
+      const isTruncated = root?.IsTruncated;
+      continuationToken = isTruncated === "true" || isTruncated === true ? root?.NextContinuationToken : undefined;
+    } while (continuationToken);
+    return allObjects;
+  }
+  async list(options) {
     const result = await this.client.request({
-      service: "cloudformation",
+      service: "s3",
       region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
+      method: "GET",
+      path: `/${options.bucket}`
     });
-    return { StackId: result.StackId || result.CreateStackResult?.StackId };
+    const objects = [];
+    const root = result?.ListBucketResult ?? result;
+    const contents = root?.Contents;
+    if (contents) {
+      const items = Array.isArray(contents) ? contents : [contents];
+      for (const item of items) {
+        if (options.prefix && !item.Key?.startsWith(options.prefix)) {
+          continue;
+        }
+        objects.push({
+          Key: item.Key || "",
+          LastModified: item.LastModified || "",
+          Size: Number.parseInt(item.Size || "0"),
+          ETag: item.ETag
+        });
+        if (options.maxKeys && objects.length >= options.maxKeys) {
+          break;
+        }
+      }
+    }
+    return objects;
   }
-  async updateStack(options) {
-    const params = {
-      Action: "UpdateStack",
-      StackName: options.stackName,
-      Version: "2010-05-15"
-    };
-    if (options.templateBody) {
-      params.TemplateBody = options.templateBody;
-    } else if (options.templateUrl) {
-      params.TemplateURL = options.templateUrl;
+  async putObject(options) {
+    const headers = {};
+    if (options.acl) {
+      headers["x-amz-acl"] = options.acl;
     }
-    if (options.parameters) {
-      options.parameters.forEach((param, index) => {
-        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
-        if (param.UsePreviousValue) {
-          params[`Parameters.member.${index + 1}.UsePreviousValue`] = "true";
-        } else {
-          params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
-        }
-      });
+    if (options.cacheControl) {
+      headers["Cache-Control"] = options.cacheControl;
     }
-    if (options.capabilities) {
-      options.capabilities.forEach((cap, index) => {
-        params[`Capabilities.member.${index + 1}`] = cap;
-      });
+    if (options.contentType) {
+      headers["Content-Type"] = options.contentType;
     }
-    if (options.roleArn) {
-      params.RoleARN = options.roleArn;
+    if (options.metadata) {
+      for (const [key, value] of Object.entries(options.metadata)) {
+        headers[`x-amz-meta-${key}`] = value;
+      }
     }
-    if (options.tags) {
-      options.tags.forEach((tag, index) => {
-        params[`Tags.member.${index + 1}.Key`] = tag.Key;
-        params[`Tags.member.${index + 1}.Value`] = tag.Value;
+    const normalizedBody = options.body instanceof Uint8Array && !Buffer.isBuffer(options.body) ? Buffer.from(options.body) : options.body;
+    if (Buffer.isBuffer(normalizedBody) || normalizedBody instanceof Uint8Array) {
+      const binaryBody = Buffer.isBuffer(normalizedBody) ? normalizedBody : Buffer.from(normalizedBody);
+      const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
+      const host = this.s3VirtualHost(options.bucket);
+      const url = `https://${host}/${options.key}`;
+      const now = new Date;
+      const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+      const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
+      const payloadHash = crypto3.createHash("sha256").update(binaryBody).digest("hex");
+      const requestHeaders = {
+        host,
+        "x-amz-date": amzDate,
+        "x-amz-content-sha256": payloadHash,
+        ...headers
+      };
+      if (sessionToken) {
+        requestHeaders["x-amz-security-token"] = sessionToken;
+      }
+      const canonicalHeaders = Object.keys(requestHeaders).sort().map((key) => `${key.toLowerCase()}:${requestHeaders[key].trim()}
+`).join("");
+      const signedHeaders = Object.keys(requestHeaders).sort().map((key) => key.toLowerCase()).join(";");
+      const canonicalRequest = [
+        "PUT",
+        `/${options.key}`,
+        "",
+        canonicalHeaders,
+        signedHeaders,
+        payloadHash
+      ].join(`
+`);
+      const algorithm = "AWS4-HMAC-SHA256";
+      const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
+      const stringToSign = [
+        algorithm,
+        amzDate,
+        credentialScope,
+        crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
+      ].join(`
+`);
+      const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
+      const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
+      const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
+      const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
+      const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
+      const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+      const response = await fetch(url, {
+        method: "PUT",
+        headers: {
+          ...requestHeaders,
+          Authorization: authorizationHeader
+        },
+        body: toFetchBody(binaryBody)
       });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`S3 PUT failed: ${response.status} ${errorText}`);
+      }
+      return;
     }
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "PUT",
+      path: `/${options.key}`,
+      bucket: options.bucket,
+      headers,
+      body: options.body
+    });
+  }
+  async getObject(bucket, key) {
     const result = await this.client.request({
-      service: "cloudformation",
+      service: "s3",
       region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
+      method: "GET",
+      path: `/${bucket}/${key}`,
+      rawResponse: true
     });
-    return { StackId: result.StackId || result.UpdateStackResult?.StackId };
+    return result;
   }
-  async deleteStack(stackName, roleArn, retainResources) {
-    const params = {
-      Action: "DeleteStack",
-      StackName: stackName,
-      Version: "2010-05-15"
+  async copyObject(options) {
+    const headers = {
+      "x-amz-copy-source": `/${options.sourceBucket}/${options.sourceKey}`
     };
-    if (roleArn) {
-      params.RoleARN = roleArn;
+    if (options.metadataDirective) {
+      headers["x-amz-metadata-directive"] = options.metadataDirective;
     }
-    if (retainResources && retainResources.length > 0) {
-      retainResources.forEach((resource, index) => {
-        params[`RetainResources.member.${index + 1}`] = resource;
-      });
+    if (options.contentType) {
+      headers["Content-Type"] = options.contentType;
+    }
+    if (options.metadata) {
+      for (const [key, value] of Object.entries(options.metadata)) {
+        headers[`x-amz-meta-${key}`] = value;
+      }
     }
     await this.client.request({
-      service: "cloudformation",
+      service: "s3",
       region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
+      method: "PUT",
+      path: `/${options.destinationBucket}/${options.destinationKey}`,
+      headers
     });
   }
-  async describeStacks(options = {}) {
-    const params = {
-      Action: "DescribeStacks",
-      Version: "2010-05-15"
-    };
-    if (options.stackName) {
-      params.StackName = options.stackName;
-    }
-    const result = await this.client.request({
-      service: "cloudformation",
+  async deleteObject(bucket, key) {
+    await this.client.request({
+      service: "s3",
       region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
+      method: "DELETE",
+      path: `/${bucket}/${key}`
     });
-    const stacks = this.parseStacksResponse(result);
-    return { Stacks: stacks };
   }
-  async describeStackEvents(stackName) {
-    const params = {
-      Action: "DescribeStackEvents",
-      StackName: stackName,
-      Version: "2010-05-15"
-    };
-    const result = await this.client.request({
-      service: "cloudformation",
+  async deleteObjects(bucket, keys) {
+    const deleteXml = `<?xml version="1.0" encoding="UTF-8"?>
+<Delete>
+  ${keys.map((key) => `<Object><Key>${key}</Key></Object>`).join(`
+  `)}
+</Delete>`;
+    const contentMd5 = crypto3.createHash("md5").update(deleteXml).digest("base64");
+    await this.client.request({
+      service: "s3",
       region: this.region,
       method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
+      path: `/${bucket}`,
+      queryParams: { delete: "" },
+      body: deleteXml,
+      headers: {
+        "Content-Type": "application/xml",
+        "Content-MD5": contentMd5
+      }
     });
-    return { StackEvents: this.parseStackEvents(result) };
   }
-  async listStackResources(stackName) {
-    const params = {
-      Action: "ListStackResources",
-      StackName: stackName,
-      Version: "2010-05-15"
-    };
-    const result = await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-    const member = result?.ListStackResourcesResult?.StackResourceSummaries?.member;
-    let resources = [];
-    if (member) {
-      resources = Array.isArray(member) ? member : [member];
-    }
-    return { StackResourceSummaries: resources };
-  }
-  async waitForStack(stackName, waitType) {
-    const targetStatuses = {
-      "stack-create-complete": ["CREATE_COMPLETE"],
-      "stack-update-complete": ["UPDATE_COMPLETE"],
-      "stack-delete-complete": ["DELETE_COMPLETE"]
-    };
-    const failureStatuses = [
-      "CREATE_FAILED",
-      "ROLLBACK_FAILED",
-      "ROLLBACK_COMPLETE",
-      "UPDATE_ROLLBACK_FAILED",
-      "UPDATE_ROLLBACK_COMPLETE"
-    ];
-    const targets = targetStatuses[waitType];
-    const maxAttempts = 360;
-    let attempts = 0;
-    while (attempts < maxAttempts) {
-      try {
-        const result = await this.describeStacks({ stackName });
-        if (result.Stacks.length === 0) {
-          if (waitType === "stack-delete-complete") {
-            return;
-          }
-          if (attempts % 10 === 0) {
-            console.log(`[waitForStack] Attempt ${attempts}: Stack not visible yet`);
-          }
-          await new Promise((resolve13) => setTimeout(resolve13, 2000));
-          attempts++;
-          continue;
-        }
-        const stack = result.Stacks[0];
-        if (attempts % 10 === 0) {
-          console.log(`[waitForStack] Attempt ${attempts}: Status = ${stack.StackStatus}${stack.StackStatusReason ? ` (${stack.StackStatusReason})` : ""}`);
-        }
-        if (targets.includes(stack.StackStatus)) {
-          return;
-        }
-        if ((waitType === "stack-create-complete" || waitType === "stack-update-complete") && (stack.StackStatus === "DELETE_IN_PROGRESS" || stack.StackStatus === "DELETE_COMPLETE")) {
-          console.log(`[waitForStack] Stack is being deleted (creation/update failed)`);
-          let failedEventReason = "";
-          try {
-            const eventsResult = await this.describeStackEvents(stackName);
-            console.log("[waitForStack] Stack events (most recent first):");
-            for (const event of eventsResult.StackEvents.slice(0, 15)) {
-              if (event.ResourceStatus.includes("FAILED") || event.ResourceStatusReason) {
-                console.log(`  ${event.LogicalResourceId}: ${event.ResourceStatus} - ${event.ResourceStatusReason || "No reason provided"}`);
-                if (event.ResourceStatus.includes("FAILED") && event.ResourceStatusReason && !failedEventReason) {
-                  failedEventReason = event.ResourceStatusReason;
-                }
-              }
-            }
-          } catch {}
-          const errorReason = failedEventReason || stack.StackStatusReason || "Check CloudFormation console for details.";
-          throw new Error(`Stack creation/update failed - stack is being deleted. Reason: ${errorReason}`);
-        }
-        if (stack.StackStatus === "DELETE_FAILED" && waitType === "stack-delete-complete") {
-          const error = new Error(`Stack deletion failed - may have resources that need to be retained`);
-          error.code = "DELETE_FAILED";
-          error.stackStatus = stack.StackStatus;
-          error.statusReason = stack.StackStatusReason;
-          throw error;
-        }
-        if (failureStatuses.includes(stack.StackStatus)) {
-          throw new Error(`Stack reached failure status: ${stack.StackStatus}`);
-        }
-        await new Promise((resolve13) => setTimeout(resolve13, 5000));
-        attempts++;
-      } catch (error) {
-        if (waitType === "stack-delete-complete" && error.message?.includes("does not exist")) {
-          return;
-        }
-        if (waitType === "stack-create-complete" && error.message?.includes("does not exist")) {
-          if (attempts % 10 === 0) {
-            console.log(`[waitForStack] Attempt ${attempts}: Stack does not exist (error), retrying...`);
-          }
-          await new Promise((resolve13) => setTimeout(resolve13, 2000));
-          attempts++;
-          continue;
-        }
-        console.log(`[waitForStack] Unexpected error: ${error.message}`);
-        throw error;
-      }
-    }
-    console.log(`[waitForStack] Timeout after ${attempts} attempts`);
-    throw new Error(`Timeout waiting for stack to reach ${waitType}`);
-  }
-  async validateTemplate(templateBody) {
-    const params = {
-      Action: "ValidateTemplate",
-      TemplateBody: templateBody,
-      Version: "2010-05-15"
-    };
-    return await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-  }
-  async listStacks(statusFilter) {
-    const params = {
-      Action: "ListStacks",
-      Version: "2010-05-15"
-    };
-    if (statusFilter) {
-      statusFilter.forEach((status, index) => {
-        params[`StackStatusFilter.member.${index + 1}`] = status;
-      });
-    }
-    const result = await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-    const response = result.ListStacksResponse || result;
-    const summariesResult = response.ListStacksResult || response;
-    const members = summariesResult.StackSummaries?.member || summariesResult.StackSummaries || [];
-    const items = Array.isArray(members) ? members : members ? [members] : [];
-    return {
-      StackSummaries: items.map((s) => ({
-        StackId: s.StackId || "",
-        StackName: s.StackName || "",
-        TemplateDescription: s.TemplateDescription,
-        CreationTime: s.CreationTime || "",
-        LastUpdatedTime: s.LastUpdatedTime,
-        DeletionTime: s.DeletionTime,
-        StackStatus: s.StackStatus || ""
-      }))
-    };
-  }
-  async createChangeSet(options) {
-    const params = {
-      Action: "CreateChangeSet",
-      StackName: options.stackName,
-      ChangeSetName: options.changeSetName,
-      Version: "2010-05-15"
-    };
-    if (options.templateBody) {
-      params.TemplateBody = options.templateBody;
-    } else if (options.templateUrl) {
-      params.TemplateURL = options.templateUrl;
-    }
-    if (options.parameters) {
-      options.parameters.forEach((param, index) => {
-        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
-        params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
-      });
-    }
-    if (options.capabilities) {
-      options.capabilities.forEach((cap, index) => {
-        params[`Capabilities.member.${index + 1}`] = cap;
-      });
-    }
-    if (options.changeSetType) {
-      params.ChangeSetType = options.changeSetType;
-    }
-    const result = await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-    return { Id: result.Id, StackId: result.StackId };
-  }
-  async describeChangeSet(stackName, changeSetName) {
-    const params = {
-      Action: "DescribeChangeSet",
-      StackName: stackName,
-      ChangeSetName: changeSetName,
-      Version: "2010-05-15"
-    };
-    return await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-  }
-  async executeChangeSet(stackName, changeSetName) {
-    const params = {
-      Action: "ExecuteChangeSet",
-      StackName: stackName,
-      ChangeSetName: changeSetName,
-      Version: "2010-05-15"
-    };
-    await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-  }
-  async deleteChangeSet(stackName, changeSetName) {
-    const params = {
-      Action: "DeleteChangeSet",
-      StackName: stackName,
-      ChangeSetName: changeSetName,
-      Version: "2010-05-15"
-    };
-    await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-  }
-  async getStackOutputs(stackName) {
-    const result = await this.describeStacks({ stackName });
-    if (!result.Stacks || result.Stacks.length === 0) {
-      throw new Error(`Stack ${stackName} not found`);
-    }
-    const stack = result.Stacks[0];
-    const outputs = {};
-    if (stack.Outputs) {
-      for (const output of stack.Outputs) {
-        outputs[output.OutputKey] = output.OutputValue;
-      }
-    }
-    return outputs;
-  }
-  async getTemplate(stackName) {
-    const params = {
-      Action: "GetTemplate",
-      StackName: stackName,
-      Version: "2010-05-15"
-    };
-    const result = await this.client.request({
-      service: "cloudformation",
-      region: this.region,
-      method: "POST",
-      path: "/",
-      body: new URLSearchParams(params).toString()
-    });
-    const templateBody = result?.GetTemplateResult?.TemplateBody || result?.TemplateBody || "";
-    return { TemplateBody: templateBody };
-  }
-  parseStacksResponse(result) {
-    const stacks = [];
-    let stackData = result?.DescribeStacksResult?.Stacks?.member || result?.Stacks?.member || result?.Stacks || result;
-    if (stackData && !Array.isArray(stackData)) {
-      stackData = [stackData];
-    }
-    if (Array.isArray(stackData)) {
-      for (const s of stackData) {
-        if (s.StackId || s.StackName) {
-          let outputs;
-          if (s.Outputs?.member) {
-            const outputData = Array.isArray(s.Outputs.member) ? s.Outputs.member : [s.Outputs.member];
-            outputs = outputData.map((o) => ({
-              OutputKey: o.OutputKey,
-              OutputValue: o.OutputValue,
-              Description: o.Description,
-              ExportName: o.ExportName
-            }));
-          }
-          stacks.push({
-            StackId: s.StackId,
-            StackName: s.StackName,
-            StackStatus: s.StackStatus,
-            CreationTime: s.CreationTime,
-            LastUpdatedTime: s.LastUpdatedTime,
-            StackStatusReason: s.StackStatusReason,
-            Outputs: outputs
-          });
-        }
-      }
-    } else if (result.StackId) {
-      stacks.push({
-        StackId: result.StackId,
-        StackName: result.StackName,
-        StackStatus: result.StackStatus,
-        CreationTime: result.CreationTime,
-        LastUpdatedTime: result.LastUpdatedTime
-      });
-    }
-    return stacks;
-  }
-  parseStackEvents(result) {
-    const events = [];
-    let eventData = result?.DescribeStackEventsResult?.StackEvents?.member || result?.StackEvents?.member || result?.StackEvents || [];
-    if (eventData && !Array.isArray(eventData)) {
-      eventData = [eventData];
-    }
-    for (const e of eventData) {
-      if (e.LogicalResourceId) {
-        events.push({
-          Timestamp: e.Timestamp,
-          ResourceType: e.ResourceType,
-          LogicalResourceId: e.LogicalResourceId,
-          ResourceStatus: e.ResourceStatus,
-          ResourceStatusReason: e.ResourceStatusReason
-        });
-      }
-    }
-    return events;
-  }
-  async waitForStackWithProgress(stackName, waitType, onProgress) {
-    const targetStatuses = {
-      "stack-create-complete": ["CREATE_COMPLETE"],
-      "stack-update-complete": ["UPDATE_COMPLETE"],
-      "stack-delete-complete": ["DELETE_COMPLETE"]
-    };
-    const failureStatuses = [
-      "CREATE_FAILED",
-      "ROLLBACK_FAILED",
-      "ROLLBACK_COMPLETE",
-      "UPDATE_ROLLBACK_FAILED",
-      "UPDATE_ROLLBACK_COMPLETE"
-    ];
-    const targets = targetStatuses[waitType];
-    const maxAttempts = 360;
-    let attempts = 0;
-    const seenEvents = new Set;
-    while (attempts < maxAttempts) {
-      try {
-        if (onProgress) {
-          try {
-            const eventsResult = await this.describeStackEvents(stackName);
-            const events = [...eventsResult.StackEvents || []].reverse();
-            for (const event of events) {
-              const eventKey = `${event.LogicalResourceId}-${event.ResourceStatus}-${event.Timestamp}`;
-              if (!seenEvents.has(eventKey)) {
-                seenEvents.add(eventKey);
-                onProgress({
-                  resourceId: event.LogicalResourceId,
-                  resourceType: event.ResourceType,
-                  status: event.ResourceStatus,
-                  reason: event.ResourceStatusReason,
-                  timestamp: event.Timestamp
-                });
-              }
-            }
-          } catch {}
-        }
-        const result = await this.describeStacks({ stackName });
-        if (result.Stacks.length === 0) {
-          if (waitType === "stack-delete-complete") {
-            return;
-          }
-          await new Promise((resolve13) => setTimeout(resolve13, 2000));
-          attempts++;
-          continue;
-        }
-        const stack = result.Stacks[0];
-        if (targets.includes(stack.StackStatus)) {
-          return;
-        }
-        if (stack.StackStatus === "DELETE_FAILED" && waitType === "stack-delete-complete") {
-          const error = new Error(`Stack deletion failed - may have resources that need to be retained`);
-          error.code = "DELETE_FAILED";
-          error.stackStatus = stack.StackStatus;
-          error.statusReason = stack.StackStatusReason;
-          throw error;
-        }
-        if (failureStatuses.includes(stack.StackStatus)) {
-          throw new Error(`Stack reached failure status: ${stack.StackStatus}`);
-        }
-        await new Promise((resolve13) => setTimeout(resolve13, 3000));
-        attempts++;
-      } catch (error) {
-        if (waitType === "stack-delete-complete" && error.message?.includes("does not exist")) {
-          return;
-        }
-        if (waitType === "stack-create-complete" && error.message?.includes("does not exist")) {
-          await new Promise((resolve13) => setTimeout(resolve13, 2000));
-          attempts++;
-          continue;
-        }
-        throw error;
-      }
-    }
-    throw new Error(`Timeout waiting for stack to reach ${waitType}`);
-  }
-  async waitForStackComplete(stackName, maxAttempts = 120, delayMs = 5000) {
-    const successStatuses = [
-      "CREATE_COMPLETE",
-      "UPDATE_COMPLETE",
-      "DELETE_COMPLETE"
-    ];
-    const failureStatuses = [
-      "CREATE_FAILED",
-      "UPDATE_FAILED",
-      "DELETE_FAILED",
-      "ROLLBACK_COMPLETE",
-      "ROLLBACK_FAILED",
-      "UPDATE_ROLLBACK_COMPLETE",
-      "UPDATE_ROLLBACK_FAILED"
-    ];
-    for (let i = 0;i < maxAttempts; i++) {
-      try {
-        const result = await this.describeStacks({ stackName });
-        if (result.Stacks.length === 0) {
-          return { success: true, status: "DELETE_COMPLETE" };
-        }
-        const stack = result.Stacks[0];
-        const status = stack.StackStatus;
-        if (successStatuses.includes(status)) {
-          return { success: true, status };
-        }
-        if (failureStatuses.includes(status)) {
-          return { success: false, status, reason: stack.StackStatusReason };
-        }
-        await new Promise((resolve13) => setTimeout(resolve13, delayMs));
-      } catch (error) {
-        if (error.message?.includes("does not exist")) {
-          return { success: true, status: "DELETE_COMPLETE" };
-        }
-        throw error;
-      }
-    }
-    return { success: false, status: "TIMEOUT", reason: "Timeout waiting for stack operation" };
-  }
-}
-var init_cloudformation = __esm(() => {
-  init_client();
-});
-
-// src/aws/credentials.ts
-function resolveCredentials2(profile) {
-  if (profile) {
-    const creds = loadProfileFromFile(profile);
-    if (!creds) {
-      throw new Error(`AWS profile '${profile}' not found in ~/.aws/credentials`);
-    }
-    return creds;
-  }
-  const envAccessKey = process.env.AWS_ACCESS_KEY_ID;
-  const envSecretKey = process.env.AWS_SECRET_ACCESS_KEY;
-  if (envAccessKey && envSecretKey) {
-    return {
-      accessKeyId: envAccessKey,
-      secretAccessKey: envSecretKey,
-      sessionToken: process.env.AWS_SESSION_TOKEN
-    };
-  }
-  return loadProfileFromFile(process.env.AWS_PROFILE || "default") ?? { accessKeyId: "", secretAccessKey: "" };
-}
-function loadProfileFromFile(profile) {
-  const { existsSync: existsSync15, readFileSync: readFileSync5 } = __require("node:fs");
-  const { homedir: homedir5 } = __require("node:os");
-  const { join: join8 } = __require("node:path");
-  const credentialsPath = process.env.AWS_SHARED_CREDENTIALS_FILE || join8(homedir5(), ".aws", "credentials");
-  if (!existsSync15(credentialsPath))
-    return null;
-  const content = readFileSync5(credentialsPath, "utf-8");
-  let currentProfile = null;
-  let accessKeyId;
-  let secretAccessKey;
-  let sessionToken;
-  for (const line of content.split(`
-`)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith(";"))
-      continue;
-    const profileMatch = trimmed.match(/^\[([^\]]+)\]$/);
-    if (profileMatch) {
-      if (currentProfile === profile && accessKeyId && secretAccessKey) {
-        return { accessKeyId, secretAccessKey, sessionToken };
-      }
-      currentProfile = profileMatch[1];
-      accessKeyId = undefined;
-      secretAccessKey = undefined;
-      sessionToken = undefined;
-      continue;
-    }
-    if (currentProfile === profile) {
-      const [key, ...valueParts] = trimmed.split("=");
-      const value = valueParts.join("=").trim();
-      switch (key.trim().toLowerCase()) {
-        case "aws_access_key_id":
-          accessKeyId = value;
-          break;
-        case "aws_secret_access_key":
-          secretAccessKey = value;
-          break;
-        case "aws_session_token":
-          sessionToken = value;
-          break;
-      }
-    }
-  }
-  if (currentProfile === profile && accessKeyId && secretAccessKey) {
-    return { accessKeyId, secretAccessKey, sessionToken };
-  }
-  return null;
-}
-
-// src/aws/s3.ts
-import * as crypto3 from "node:crypto";
-import { readdir as readdir4 } from "node:fs/promises";
-import { join as join10 } from "node:path";
-import { readFileSync as readFileSync6 } from "node:fs";
-function toFetchBody(data) {
-  const { buffer, byteOffset, byteLength } = data;
-  if (buffer instanceof ArrayBuffer) {
-    return buffer.slice(byteOffset, byteOffset + byteLength);
-  }
-  const copy = new ArrayBuffer(byteLength);
-  new Uint8Array(copy).set(new Uint8Array(data));
-  return copy;
-}
-
-class S3Client2 {
-  client;
-  region;
-  explicitProfile;
-  constructor(region = "us-east-1", profile) {
-    this.region = region;
-    this.explicitProfile = profile;
-    this.client = new AWSClient(resolveCredentials2(profile));
-  }
-  getCredentials() {
-    const creds = resolveCredentials2(this.explicitProfile);
-    if (creds.accessKeyId && creds.secretAccessKey) {
-      return creds;
-    }
-    throw new Error("AWS credentials not found. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, pass an explicit profile, or configure ~/.aws/credentials.");
-  }
-  async listBuckets() {
-    const result = await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "GET",
-      path: "/"
-    });
-    const buckets = [];
-    const root = result?.ListAllMyBucketsResult ?? result;
-    const bucketList = root?.Buckets?.Bucket;
-    if (bucketList) {
-      const list = Array.isArray(bucketList) ? bucketList : [bucketList];
-      for (const b of list) {
-        buckets.push({
-          Name: b.Name,
-          CreationDate: b.CreationDate
-        });
-      }
-    }
-    return { Buckets: buckets };
-  }
-  async createBucket(bucket, options) {
-    const headers = {};
-    if (options?.acl) {
-      headers["x-amz-acl"] = options.acl;
-    }
-    let body;
-    if (this.region !== "us-east-1") {
-      body = `<?xml version="1.0" encoding="UTF-8"?>
-<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
-  <LocationConstraint>${this.region}</LocationConstraint>
-</CreateBucketConfiguration>`;
-      headers["Content-Type"] = "application/xml";
-    }
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "PUT",
-      path: `/${bucket}`,
-      headers,
-      body
-    });
-  }
-  async deleteBucket(bucket) {
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "DELETE",
-      path: `/${bucket}`
-    });
-  }
-  async emptyAndDeleteBucket(bucket) {
-    let hasMore = true;
-    while (hasMore) {
-      const objects = await this.listAllObjects({ bucket });
-      if (objects.length === 0) {
-        hasMore = false;
-        break;
-      }
-      const keys = objects.map((obj) => obj.Key);
-      for (let i = 0;i < keys.length; i += 1000) {
-        const batch2 = keys.slice(i, i + 1000);
-        await this.deleteObjects(bucket, batch2);
-      }
-    }
-    await this.deleteBucket(bucket);
-  }
-  async listAllObjects(options) {
-    const allObjects = [];
-    let continuationToken;
-    do {
-      const params = {
-        "list-type": "2",
-        "max-keys": "1000"
-      };
-      if (options.prefix) {
-        params.prefix = options.prefix;
-      }
-      if (continuationToken) {
-        params["continuation-token"] = continuationToken;
-      }
-      const result = await this.client.request({
-        service: "s3",
-        region: this.region,
-        method: "GET",
-        path: `/${options.bucket}`,
-        queryParams: params
-      });
-      const root = result?.ListBucketResult ?? result;
-      const contents = root?.Contents;
-      if (contents) {
-        const list = Array.isArray(contents) ? contents : [contents];
-        for (const obj of list) {
-          allObjects.push({
-            Key: obj.Key,
-            LastModified: obj.LastModified || "",
-            Size: Number.parseInt(obj.Size || "0"),
-            ETag: obj.ETag
-          });
-        }
-      }
-      const isTruncated = root?.IsTruncated;
-      continuationToken = isTruncated === "true" || isTruncated === true ? root?.NextContinuationToken : undefined;
-    } while (continuationToken);
-    return allObjects;
-  }
-  async list(options) {
-    const result = await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "GET",
-      path: `/${options.bucket}`
-    });
-    const objects = [];
-    const root = result?.ListBucketResult ?? result;
-    const contents = root?.Contents;
-    if (contents) {
-      const items = Array.isArray(contents) ? contents : [contents];
-      for (const item of items) {
-        if (options.prefix && !item.Key?.startsWith(options.prefix)) {
-          continue;
-        }
-        objects.push({
-          Key: item.Key || "",
-          LastModified: item.LastModified || "",
-          Size: Number.parseInt(item.Size || "0"),
-          ETag: item.ETag
-        });
-        if (options.maxKeys && objects.length >= options.maxKeys) {
-          break;
-        }
-      }
-    }
-    return objects;
-  }
-  async putObject(options) {
-    const headers = {};
-    if (options.acl) {
-      headers["x-amz-acl"] = options.acl;
-    }
-    if (options.cacheControl) {
-      headers["Cache-Control"] = options.cacheControl;
-    }
-    if (options.contentType) {
-      headers["Content-Type"] = options.contentType;
-    }
-    if (options.metadata) {
-      for (const [key, value] of Object.entries(options.metadata)) {
-        headers[`x-amz-meta-${key}`] = value;
-      }
-    }
-    const normalizedBody = options.body instanceof Uint8Array && !Buffer.isBuffer(options.body) ? Buffer.from(options.body) : options.body;
-    if (Buffer.isBuffer(normalizedBody) || normalizedBody instanceof Uint8Array) {
-      const binaryBody = Buffer.isBuffer(normalizedBody) ? normalizedBody : Buffer.from(normalizedBody);
-      const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
-      const host = `${options.bucket}.s3.${this.region}.amazonaws.com`;
-      const url = `https://${host}/${options.key}`;
-      const now = new Date;
-      const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-      const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
-      const payloadHash = crypto3.createHash("sha256").update(binaryBody).digest("hex");
-      const requestHeaders = {
-        host,
-        "x-amz-date": amzDate,
-        "x-amz-content-sha256": payloadHash,
-        ...headers
-      };
-      if (sessionToken) {
-        requestHeaders["x-amz-security-token"] = sessionToken;
-      }
-      const canonicalHeaders = Object.keys(requestHeaders).sort().map((key) => `${key.toLowerCase()}:${requestHeaders[key].trim()}
-`).join("");
-      const signedHeaders = Object.keys(requestHeaders).sort().map((key) => key.toLowerCase()).join(";");
-      const canonicalRequest = [
-        "PUT",
-        `/${options.key}`,
-        "",
-        canonicalHeaders,
-        signedHeaders,
-        payloadHash
-      ].join(`
-`);
-      const algorithm = "AWS4-HMAC-SHA256";
-      const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
-      const stringToSign = [
-        algorithm,
-        amzDate,
-        credentialScope,
-        crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
-      ].join(`
-`);
-      const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
-      const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
-      const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
-      const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
-      const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
-      const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
-      const response = await fetch(url, {
-        method: "PUT",
-        headers: {
-          ...requestHeaders,
-          Authorization: authorizationHeader
-        },
-        body: toFetchBody(binaryBody)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`S3 PUT failed: ${response.status} ${errorText}`);
-      }
-      return;
-    }
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "PUT",
-      path: `/${options.key}`,
-      bucket: options.bucket,
-      headers,
-      body: options.body
-    });
-  }
-  async getObject(bucket, key) {
-    const result = await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "GET",
-      path: `/${bucket}/${key}`,
-      rawResponse: true
-    });
-    return result;
-  }
-  async copyObject(options) {
-    const headers = {
-      "x-amz-copy-source": `/${options.sourceBucket}/${options.sourceKey}`
-    };
-    if (options.metadataDirective) {
-      headers["x-amz-metadata-directive"] = options.metadataDirective;
-    }
-    if (options.contentType) {
-      headers["Content-Type"] = options.contentType;
-    }
-    if (options.metadata) {
-      for (const [key, value] of Object.entries(options.metadata)) {
-        headers[`x-amz-meta-${key}`] = value;
-      }
-    }
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "PUT",
-      path: `/${options.destinationBucket}/${options.destinationKey}`,
-      headers
-    });
-  }
-  async deleteObject(bucket, key) {
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "DELETE",
-      path: `/${bucket}/${key}`
-    });
-  }
-  async deleteObjects(bucket, keys) {
-    const deleteXml = `<?xml version="1.0" encoding="UTF-8"?>
-<Delete>
-  ${keys.map((key) => `<Object><Key>${key}</Key></Object>`).join(`
-  `)}
-</Delete>`;
-    const contentMd5 = crypto3.createHash("md5").update(deleteXml).digest("base64");
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "POST",
-      path: `/${bucket}`,
-      queryParams: { delete: "" },
-      body: deleteXml,
-      headers: {
-        "Content-Type": "application/xml",
-        "Content-MD5": contentMd5
-      }
-    });
-  }
-  async bucketExists(bucket) {
-    try {
-      await this.client.request({
-        service: "s3",
-        region: this.region,
-        method: "HEAD",
-        path: `/${bucket}`
-      });
-      return true;
-    } catch {
-      return false;
+  async bucketExists(bucket) {
+    try {
+      await this.client.request({
+        service: "s3",
+        region: this.region,
+        method: "HEAD",
+        path: `/${bucket}`
+      });
+      return true;
+    } catch {
+      return false;
     }
   }
   async copy(options) {
@@ -2814,7 +2252,7 @@ class S3Client2 {
   }
   async putBucketPolicy(bucket, policy) {
     const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
-    const host = `s3.${this.region}.amazonaws.com`;
+    const host = this.s3BaseHost();
     const policyString = typeof policy === "string" ? policy : JSON.stringify(policy);
     const now = new Date;
     const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
@@ -2874,7 +2312,7 @@ class S3Client2 {
   }
   async getBucketPolicy(bucket) {
     const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
-    const host = `s3.${this.region}.amazonaws.com`;
+    const host = this.s3BaseHost();
     const now = new Date;
     const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
     const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
@@ -3565,7 +3003,7 @@ class S3Client2 {
   }
   generatePresignedGetUrl(bucket, key, expiresInSeconds = 3600) {
     const { accessKeyId, secretAccessKey } = this.getCredentials();
-    const host = `${bucket}.s3.${this.region}.amazonaws.com`;
+    const host = this.s3VirtualHost(bucket);
     const now = new Date;
     const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
     const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
@@ -3605,7 +3043,7 @@ class S3Client2 {
   }
   generatePresignedPutUrl(bucket, key, contentType, expiresInSeconds = 3600) {
     const { accessKeyId, secretAccessKey } = this.getCredentials();
-    const host = `${bucket}.s3.${this.region}.amazonaws.com`;
+    const host = this.s3VirtualHost(bucket);
     const now = new Date;
     const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
     const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
@@ -3649,371 +3087,970 @@ host:${host}
     if (options?.contentType) {
       headers["Content-Type"] = options.contentType;
     }
-    if (options?.metadata) {
-      for (const [k, v] of Object.entries(options.metadata)) {
-        headers[`x-amz-meta-${k}`] = v;
-      }
+    if (options?.metadata) {
+      for (const [k, v] of Object.entries(options.metadata)) {
+        headers[`x-amz-meta-${k}`] = v;
+      }
+    }
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "POST",
+      path: `/${bucket}/${key}`,
+      queryParams: { uploads: "" },
+      headers
+    });
+    return { UploadId: result?.InitiateMultipartUploadResult?.UploadId };
+  }
+  async uploadPart(bucket, key, uploadId, partNumber, body) {
+    const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
+    const host = this.s3VirtualHost(bucket);
+    const url = `https://${host}/${key}?partNumber=${partNumber}&uploadId=${encodeURIComponent(uploadId)}`;
+    const now = new Date;
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+    const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
+    const payloadHash = crypto3.createHash("sha256").update(body).digest("hex");
+    const requestHeaders = {
+      host,
+      "x-amz-date": amzDate,
+      "x-amz-content-sha256": payloadHash
+    };
+    if (sessionToken) {
+      requestHeaders["x-amz-security-token"] = sessionToken;
+    }
+    const canonicalHeaders = Object.keys(requestHeaders).sort().map((k) => `${k.toLowerCase()}:${requestHeaders[k].trim()}
+`).join("");
+    const signedHeaders = Object.keys(requestHeaders).sort().map((k) => k.toLowerCase()).join(";");
+    const canonicalRequest = [
+      "PUT",
+      `/${key}`,
+      `partNumber=${partNumber}&uploadId=${encodeURIComponent(uploadId)}`,
+      canonicalHeaders,
+      signedHeaders,
+      payloadHash
+    ].join(`
+`);
+    const algorithm = "AWS4-HMAC-SHA256";
+    const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
+    const stringToSign = [
+      algorithm,
+      amzDate,
+      credentialScope,
+      crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
+    ].join(`
+`);
+    const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
+    const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
+    const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
+    const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
+    const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
+    const authHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+    const response = await fetch(url, {
+      method: "PUT",
+      headers: {
+        ...requestHeaders,
+        Authorization: authHeader
+      },
+      body: toFetchBody(body)
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Upload part failed: ${response.status} ${text}`);
+    }
+    return { ETag: response.headers.get("etag") || "" };
+  }
+  async completeMultipartUpload(bucket, key, uploadId, parts) {
+    const partsXml = parts.sort((a, b) => a.PartNumber - b.PartNumber).map((p) => `<Part><PartNumber>${p.PartNumber}</PartNumber><ETag>${p.ETag}</ETag></Part>`).join("");
+    const body = `<?xml version="1.0" encoding="UTF-8"?>
+<CompleteMultipartUpload>${partsXml}</CompleteMultipartUpload>`;
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "POST",
+      path: `/${bucket}/${key}`,
+      queryParams: { uploadId },
+      headers: { "Content-Type": "application/xml" },
+      body
+    });
+  }
+  async abortMultipartUpload(bucket, key, uploadId) {
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "DELETE",
+      path: `/${bucket}/${key}`,
+      queryParams: { uploadId }
+    });
+  }
+  async listMultipartUploads(bucket) {
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "GET",
+      path: `/${bucket}`,
+      queryParams: { uploads: "" }
+    });
+    const uploads = result?.ListMultipartUploadsResult?.Upload;
+    if (!uploads)
+      return [];
+    const list = Array.isArray(uploads) ? uploads : [uploads];
+    return list.map((u) => ({
+      Key: u.Key,
+      UploadId: u.UploadId,
+      Initiated: u.Initiated
+    }));
+  }
+  async restoreObject(bucket, key, days, tier = "Standard") {
+    const body = `<?xml version="1.0" encoding="UTF-8"?>
+<RestoreRequest>
+  <Days>${days}</Days>
+  <GlacierJobParameters>
+    <Tier>${tier}</Tier>
+  </GlacierJobParameters>
+</RestoreRequest>`;
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "POST",
+      path: `/${bucket}/${key}`,
+      queryParams: { restore: "" },
+      headers: { "Content-Type": "application/xml" },
+      body
+    });
+  }
+  async selectObjectContent(bucket, key, expression, inputFormat, outputFormat = "JSON") {
+    let inputSerialization = "";
+    if (inputFormat === "CSV") {
+      inputSerialization = "<CSV><FileHeaderInfo>USE</FileHeaderInfo></CSV>";
+    } else if (inputFormat === "JSON") {
+      inputSerialization = "<JSON><Type>DOCUMENT</Type></JSON>";
+    } else {
+      inputSerialization = "<Parquet/>";
+    }
+    let outputSerialization = "";
+    if (outputFormat === "CSV") {
+      outputSerialization = "<CSV/>";
+    } else {
+      outputSerialization = "<JSON/>";
+    }
+    const body = `<?xml version="1.0" encoding="UTF-8"?>
+<SelectObjectContentRequest>
+  <Expression>${expression}</Expression>
+  <ExpressionType>SQL</ExpressionType>
+  <InputSerialization>${inputSerialization}</InputSerialization>
+  <OutputSerialization>${outputSerialization}</OutputSerialization>
+</SelectObjectContentRequest>`;
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "POST",
+      path: `/${bucket}/${key}`,
+      queryParams: { select: "", "select-type": "2" },
+      headers: { "Content-Type": "application/xml" },
+      body,
+      rawResponse: true
+    });
+    return result;
+  }
+  async getSignedUrl(options) {
+    const { bucket, key, expiresIn = 3600, operation = "getObject" } = options;
+    const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
+    const now = new Date;
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+    const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
+    const host = this.s3VirtualHost(bucket);
+    const method = operation === "putObject" ? "PUT" : "GET";
+    const algorithm = "AWS4-HMAC-SHA256";
+    const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
+    const credential = `${accessKeyId}/${credentialScope}`;
+    const queryParams = {
+      "X-Amz-Algorithm": algorithm,
+      "X-Amz-Credential": credential,
+      "X-Amz-Date": amzDate,
+      "X-Amz-Expires": expiresIn.toString(),
+      "X-Amz-SignedHeaders": "host"
+    };
+    if (sessionToken) {
+      queryParams["X-Amz-Security-Token"] = sessionToken;
+    }
+    const sortedParams = Object.keys(queryParams).sort();
+    const canonicalQuerystring = sortedParams.map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(queryParams[k])}`).join("&");
+    const canonicalUri = "/" + key;
+    const canonicalHeaders = `host:${host}
+`;
+    const signedHeaders = "host";
+    const payloadHash = "UNSIGNED-PAYLOAD";
+    const canonicalRequest = [
+      method,
+      canonicalUri,
+      canonicalQuerystring,
+      canonicalHeaders,
+      signedHeaders,
+      payloadHash
+    ].join(`
+`);
+    const stringToSign = [
+      algorithm,
+      amzDate,
+      credentialScope,
+      crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
+    ].join(`
+`);
+    const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
+    const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
+    const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
+    const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
+    const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
+    const presignedUrl = `https://${host}${canonicalUri}?${canonicalQuerystring}&X-Amz-Signature=${signature}`;
+    return presignedUrl;
+  }
+  async listObjects(options) {
+    const { bucket, prefix, maxKeys = 1000, continuationToken } = options;
+    const queryParams = {
+      "list-type": "2",
+      "max-keys": maxKeys.toString()
+    };
+    if (prefix)
+      queryParams.prefix = prefix;
+    if (continuationToken)
+      queryParams["continuation-token"] = continuationToken;
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "GET",
+      path: `/${bucket}`,
+      queryParams
+    });
+    const objects = [];
+    const listResult = result?.ListBucketResult ?? result;
+    if (listResult?.Contents) {
+      const items = Array.isArray(listResult.Contents) ? listResult.Contents : [listResult.Contents];
+      for (const item of items) {
+        objects.push({
+          Key: item.Key || "",
+          LastModified: item.LastModified || "",
+          Size: Number.parseInt(item.Size || "0"),
+          ETag: item.ETag
+        });
+      }
+    }
+    return {
+      objects,
+      nextContinuationToken: listResult?.NextContinuationToken
+    };
+  }
+  async emptyBucket(bucket) {
+    let deletedCount = 0;
+    const objects = await this.listAllObjects({ bucket });
+    if (objects.length > 0) {
+      for (let i = 0;i < objects.length; i += 1000) {
+        const batch2 = objects.slice(i, i + 1000);
+        const keys = batch2.map((obj) => obj.Key);
+        await this.deleteObjects(bucket, keys);
+        deletedCount += keys.length;
+      }
+    }
+    try {
+      let keyMarker;
+      let versionIdMarker;
+      do {
+        const versionsResult = await this.listObjectVersions({
+          bucket,
+          keyMarker,
+          versionIdMarker,
+          maxKeys: 1000
+        });
+        const versionsToDelete = [];
+        if (versionsResult.versions) {
+          for (const version2 of versionsResult.versions) {
+            versionsToDelete.push({ Key: version2.Key, VersionId: version2.VersionId });
+          }
+        }
+        if (versionsResult.deleteMarkers) {
+          for (const marker of versionsResult.deleteMarkers) {
+            versionsToDelete.push({ Key: marker.Key, VersionId: marker.VersionId });
+          }
+        }
+        if (versionsToDelete.length > 0) {
+          await this.deleteObjectVersions(bucket, versionsToDelete);
+          deletedCount += versionsToDelete.length;
+        }
+        keyMarker = versionsResult.nextKeyMarker;
+        versionIdMarker = versionsResult.nextVersionIdMarker;
+      } while (keyMarker);
+    } catch {}
+    return { deletedCount };
+  }
+  async listObjectVersions(options) {
+    const { bucket, prefix, keyMarker, versionIdMarker, maxKeys = 1000 } = options;
+    const queryParams = {
+      versions: "",
+      "max-keys": maxKeys.toString()
+    };
+    if (prefix)
+      queryParams.prefix = prefix;
+    if (keyMarker)
+      queryParams["key-marker"] = keyMarker;
+    if (versionIdMarker)
+      queryParams["version-id-marker"] = versionIdMarker;
+    const result = await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "GET",
+      path: `/${bucket}`,
+      queryParams
+    });
+    const versions = [];
+    const deleteMarkers = [];
+    if (result.Version) {
+      const versionList = Array.isArray(result.Version) ? result.Version : [result.Version];
+      for (const v of versionList) {
+        versions.push({
+          Key: v.Key,
+          VersionId: v.VersionId,
+          IsLatest: v.IsLatest === "true"
+        });
+      }
+    }
+    if (result.DeleteMarker) {
+      const markerList = Array.isArray(result.DeleteMarker) ? result.DeleteMarker : [result.DeleteMarker];
+      for (const m of markerList) {
+        deleteMarkers.push({
+          Key: m.Key,
+          VersionId: m.VersionId,
+          IsLatest: m.IsLatest === "true"
+        });
+      }
+    }
+    return {
+      versions,
+      deleteMarkers,
+      nextKeyMarker: result.NextKeyMarker,
+      nextVersionIdMarker: result.NextVersionIdMarker
+    };
+  }
+  async deleteObjectVersions(bucket, objects) {
+    const deleteXml = `<?xml version="1.0" encoding="UTF-8"?>
+<Delete>
+  <Quiet>true</Quiet>
+  ${objects.map((obj) => `<Object><Key>${obj.Key}</Key>${obj.VersionId ? `<VersionId>${obj.VersionId}</VersionId>` : ""}</Object>`).join(`
+  `)}
+</Delete>`;
+    const contentMd5 = crypto3.createHash("md5").update(deleteXml).digest("base64");
+    await this.client.request({
+      service: "s3",
+      region: this.region,
+      method: "POST",
+      path: `/${bucket}`,
+      queryParams: { delete: "" },
+      body: deleteXml,
+      headers: {
+        "Content-Type": "application/xml",
+        "Content-MD5": contentMd5
+      }
+    });
+  }
+}
+var init_s3 = __esm(() => {
+  init_client();
+});
+
+// src/aws/cloudformation.ts
+class CloudFormationClient {
+  client;
+  region;
+  constructor(region = "us-east-1", profile) {
+    this.region = region;
+    this.client = new AWSClient;
+  }
+  async createStack(options) {
+    const params = {
+      Action: "CreateStack",
+      StackName: options.stackName,
+      Version: "2010-05-15"
+    };
+    if (options.templateBody) {
+      params.TemplateBody = options.templateBody;
+    } else if (options.templateUrl) {
+      params.TemplateURL = options.templateUrl;
+    } else {
+      throw new Error("Either templateBody or templateUrl must be provided");
+    }
+    if (options.parameters) {
+      options.parameters.forEach((param, index) => {
+        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
+        params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
+      });
+    }
+    if (options.capabilities) {
+      options.capabilities.forEach((cap, index) => {
+        params[`Capabilities.member.${index + 1}`] = cap;
+      });
+    }
+    if (options.roleArn) {
+      params.RoleARN = options.roleArn;
+    }
+    if (options.tags) {
+      options.tags.forEach((tag, index) => {
+        params[`Tags.member.${index + 1}.Key`] = tag.Key;
+        params[`Tags.member.${index + 1}.Value`] = tag.Value;
+      });
+    }
+    if (options.timeoutInMinutes) {
+      params.TimeoutInMinutes = options.timeoutInMinutes;
+    }
+    if (options.onFailure) {
+      params.OnFailure = options.onFailure;
     }
     const result = await this.client.request({
-      service: "s3",
+      service: "cloudformation",
       region: this.region,
       method: "POST",
-      path: `/${bucket}/${key}`,
-      queryParams: { uploads: "" },
-      headers
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
-    return { UploadId: result?.InitiateMultipartUploadResult?.UploadId };
+    return { StackId: result.StackId || result.CreateStackResult?.StackId };
   }
-  async uploadPart(bucket, key, uploadId, partNumber, body) {
-    const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
-    const host = `${bucket}.s3.${this.region}.amazonaws.com`;
-    const url = `https://${host}/${key}?partNumber=${partNumber}&uploadId=${encodeURIComponent(uploadId)}`;
-    const now = new Date;
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-    const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
-    const payloadHash = crypto3.createHash("sha256").update(body).digest("hex");
-    const requestHeaders = {
-      host,
-      "x-amz-date": amzDate,
-      "x-amz-content-sha256": payloadHash
+  async updateStack(options) {
+    const params = {
+      Action: "UpdateStack",
+      StackName: options.stackName,
+      Version: "2010-05-15"
     };
-    if (sessionToken) {
-      requestHeaders["x-amz-security-token"] = sessionToken;
+    if (options.templateBody) {
+      params.TemplateBody = options.templateBody;
+    } else if (options.templateUrl) {
+      params.TemplateURL = options.templateUrl;
     }
-    const canonicalHeaders = Object.keys(requestHeaders).sort().map((k) => `${k.toLowerCase()}:${requestHeaders[k].trim()}
-`).join("");
-    const signedHeaders = Object.keys(requestHeaders).sort().map((k) => k.toLowerCase()).join(";");
-    const canonicalRequest = [
-      "PUT",
-      `/${key}`,
-      `partNumber=${partNumber}&uploadId=${encodeURIComponent(uploadId)}`,
-      canonicalHeaders,
-      signedHeaders,
-      payloadHash
-    ].join(`
-`);
-    const algorithm = "AWS4-HMAC-SHA256";
-    const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
-    const stringToSign = [
-      algorithm,
-      amzDate,
-      credentialScope,
-      crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
-    ].join(`
-`);
-    const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
-    const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
-    const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
-    const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
-    const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
-    const authHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
-    const response = await fetch(url, {
-      method: "PUT",
-      headers: {
-        ...requestHeaders,
-        Authorization: authHeader
-      },
-      body: toFetchBody(body)
-    });
-    if (!response.ok) {
-      const text = await response.text();
-      throw new Error(`Upload part failed: ${response.status} ${text}`);
+    if (options.parameters) {
+      options.parameters.forEach((param, index) => {
+        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
+        if (param.UsePreviousValue) {
+          params[`Parameters.member.${index + 1}.UsePreviousValue`] = "true";
+        } else {
+          params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
+        }
+      });
     }
-    return { ETag: response.headers.get("etag") || "" };
+    if (options.capabilities) {
+      options.capabilities.forEach((cap, index) => {
+        params[`Capabilities.member.${index + 1}`] = cap;
+      });
+    }
+    if (options.roleArn) {
+      params.RoleARN = options.roleArn;
+    }
+    if (options.tags) {
+      options.tags.forEach((tag, index) => {
+        params[`Tags.member.${index + 1}.Key`] = tag.Key;
+        params[`Tags.member.${index + 1}.Value`] = tag.Value;
+      });
+    }
+    const result = await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+    return { StackId: result.StackId || result.UpdateStackResult?.StackId };
   }
-  async completeMultipartUpload(bucket, key, uploadId, parts) {
-    const partsXml = parts.sort((a, b) => a.PartNumber - b.PartNumber).map((p) => `<Part><PartNumber>${p.PartNumber}</PartNumber><ETag>${p.ETag}</ETag></Part>`).join("");
-    const body = `<?xml version="1.0" encoding="UTF-8"?>
-<CompleteMultipartUpload>${partsXml}</CompleteMultipartUpload>`;
+  async deleteStack(stackName, roleArn, retainResources) {
+    const params = {
+      Action: "DeleteStack",
+      StackName: stackName,
+      Version: "2010-05-15"
+    };
+    if (roleArn) {
+      params.RoleARN = roleArn;
+    }
+    if (retainResources && retainResources.length > 0) {
+      retainResources.forEach((resource, index) => {
+        params[`RetainResources.member.${index + 1}`] = resource;
+      });
+    }
     await this.client.request({
-      service: "s3",
+      service: "cloudformation",
       region: this.region,
       method: "POST",
-      path: `/${bucket}/${key}`,
-      queryParams: { uploadId },
-      headers: { "Content-Type": "application/xml" },
-      body
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
   }
-  async abortMultipartUpload(bucket, key, uploadId) {
-    await this.client.request({
-      service: "s3",
+  async describeStacks(options = {}) {
+    const params = {
+      Action: "DescribeStacks",
+      Version: "2010-05-15"
+    };
+    if (options.stackName) {
+      params.StackName = options.stackName;
+    }
+    const result = await this.client.request({
+      service: "cloudformation",
       region: this.region,
-      method: "DELETE",
-      path: `/${bucket}/${key}`,
-      queryParams: { uploadId }
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
+    const stacks = this.parseStacksResponse(result);
+    return { Stacks: stacks };
   }
-  async listMultipartUploads(bucket) {
+  async describeStackEvents(stackName) {
+    const params = {
+      Action: "DescribeStackEvents",
+      StackName: stackName,
+      Version: "2010-05-15"
+    };
     const result = await this.client.request({
-      service: "s3",
+      service: "cloudformation",
       region: this.region,
-      method: "GET",
-      path: `/${bucket}`,
-      queryParams: { uploads: "" }
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
-    const uploads = result?.ListMultipartUploadsResult?.Upload;
-    if (!uploads)
-      return [];
-    const list = Array.isArray(uploads) ? uploads : [uploads];
-    return list.map((u) => ({
-      Key: u.Key,
-      UploadId: u.UploadId,
-      Initiated: u.Initiated
-    }));
+    return { StackEvents: this.parseStackEvents(result) };
   }
-  async restoreObject(bucket, key, days, tier = "Standard") {
-    const body = `<?xml version="1.0" encoding="UTF-8"?>
-<RestoreRequest>
-  <Days>${days}</Days>
-  <GlacierJobParameters>
-    <Tier>${tier}</Tier>
-  </GlacierJobParameters>
-</RestoreRequest>`;
-    await this.client.request({
-      service: "s3",
+  async listStackResources(stackName) {
+    const params = {
+      Action: "ListStackResources",
+      StackName: stackName,
+      Version: "2010-05-15"
+    };
+    const result = await this.client.request({
+      service: "cloudformation",
       region: this.region,
       method: "POST",
-      path: `/${bucket}/${key}`,
-      queryParams: { restore: "" },
-      headers: { "Content-Type": "application/xml" },
-      body
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
+    const member = result?.ListStackResourcesResult?.StackResourceSummaries?.member;
+    let resources = [];
+    if (member) {
+      resources = Array.isArray(member) ? member : [member];
+    }
+    return { StackResourceSummaries: resources };
   }
-  async selectObjectContent(bucket, key, expression, inputFormat, outputFormat = "JSON") {
-    let inputSerialization = "";
-    if (inputFormat === "CSV") {
-      inputSerialization = "<CSV><FileHeaderInfo>USE</FileHeaderInfo></CSV>";
-    } else if (inputFormat === "JSON") {
-      inputSerialization = "<JSON><Type>DOCUMENT</Type></JSON>";
-    } else {
-      inputSerialization = "<Parquet/>";
+  async waitForStack(stackName, waitType) {
+    const targetStatuses = {
+      "stack-create-complete": ["CREATE_COMPLETE"],
+      "stack-update-complete": ["UPDATE_COMPLETE"],
+      "stack-delete-complete": ["DELETE_COMPLETE"]
+    };
+    const failureStatuses = [
+      "CREATE_FAILED",
+      "ROLLBACK_FAILED",
+      "ROLLBACK_COMPLETE",
+      "UPDATE_ROLLBACK_FAILED",
+      "UPDATE_ROLLBACK_COMPLETE"
+    ];
+    const targets = targetStatuses[waitType];
+    const maxAttempts = 360;
+    let attempts = 0;
+    while (attempts < maxAttempts) {
+      try {
+        const result = await this.describeStacks({ stackName });
+        if (result.Stacks.length === 0) {
+          if (waitType === "stack-delete-complete") {
+            return;
+          }
+          if (attempts % 10 === 0) {
+            console.log(`[waitForStack] Attempt ${attempts}: Stack not visible yet`);
+          }
+          await new Promise((resolve13) => setTimeout(resolve13, 2000));
+          attempts++;
+          continue;
+        }
+        const stack = result.Stacks[0];
+        if (attempts % 10 === 0) {
+          console.log(`[waitForStack] Attempt ${attempts}: Status = ${stack.StackStatus}${stack.StackStatusReason ? ` (${stack.StackStatusReason})` : ""}`);
+        }
+        if (targets.includes(stack.StackStatus)) {
+          return;
+        }
+        if ((waitType === "stack-create-complete" || waitType === "stack-update-complete") && (stack.StackStatus === "DELETE_IN_PROGRESS" || stack.StackStatus === "DELETE_COMPLETE")) {
+          console.log(`[waitForStack] Stack is being deleted (creation/update failed)`);
+          let failedEventReason = "";
+          try {
+            const eventsResult = await this.describeStackEvents(stackName);
+            console.log("[waitForStack] Stack events (most recent first):");
+            for (const event of eventsResult.StackEvents.slice(0, 15)) {
+              if (event.ResourceStatus.includes("FAILED") || event.ResourceStatusReason) {
+                console.log(`  ${event.LogicalResourceId}: ${event.ResourceStatus} - ${event.ResourceStatusReason || "No reason provided"}`);
+                if (event.ResourceStatus.includes("FAILED") && event.ResourceStatusReason && !failedEventReason) {
+                  failedEventReason = event.ResourceStatusReason;
+                }
+              }
+            }
+          } catch {}
+          const errorReason = failedEventReason || stack.StackStatusReason || "Check CloudFormation console for details.";
+          throw new Error(`Stack creation/update failed - stack is being deleted. Reason: ${errorReason}`);
+        }
+        if (stack.StackStatus === "DELETE_FAILED" && waitType === "stack-delete-complete") {
+          const error = new Error(`Stack deletion failed - may have resources that need to be retained`);
+          error.code = "DELETE_FAILED";
+          error.stackStatus = stack.StackStatus;
+          error.statusReason = stack.StackStatusReason;
+          throw error;
+        }
+        if (failureStatuses.includes(stack.StackStatus)) {
+          throw new Error(`Stack reached failure status: ${stack.StackStatus}`);
+        }
+        await new Promise((resolve13) => setTimeout(resolve13, 5000));
+        attempts++;
+      } catch (error) {
+        if (waitType === "stack-delete-complete" && error.message?.includes("does not exist")) {
+          return;
+        }
+        if (waitType === "stack-create-complete" && error.message?.includes("does not exist")) {
+          if (attempts % 10 === 0) {
+            console.log(`[waitForStack] Attempt ${attempts}: Stack does not exist (error), retrying...`);
+          }
+          await new Promise((resolve13) => setTimeout(resolve13, 2000));
+          attempts++;
+          continue;
+        }
+        console.log(`[waitForStack] Unexpected error: ${error.message}`);
+        throw error;
+      }
     }
-    let outputSerialization = "";
-    if (outputFormat === "CSV") {
-      outputSerialization = "<CSV/>";
-    } else {
-      outputSerialization = "<JSON/>";
+    console.log(`[waitForStack] Timeout after ${attempts} attempts`);
+    throw new Error(`Timeout waiting for stack to reach ${waitType}`);
+  }
+  async validateTemplate(templateBody) {
+    const params = {
+      Action: "ValidateTemplate",
+      TemplateBody: templateBody,
+      Version: "2010-05-15"
+    };
+    return await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+  }
+  async listStacks(statusFilter) {
+    const params = {
+      Action: "ListStacks",
+      Version: "2010-05-15"
+    };
+    if (statusFilter) {
+      statusFilter.forEach((status, index) => {
+        params[`StackStatusFilter.member.${index + 1}`] = status;
+      });
     }
-    const body = `<?xml version="1.0" encoding="UTF-8"?>
-<SelectObjectContentRequest>
-  <Expression>${expression}</Expression>
-  <ExpressionType>SQL</ExpressionType>
-  <InputSerialization>${inputSerialization}</InputSerialization>
-  <OutputSerialization>${outputSerialization}</OutputSerialization>
-</SelectObjectContentRequest>`;
     const result = await this.client.request({
-      service: "s3",
+      service: "cloudformation",
       region: this.region,
       method: "POST",
-      path: `/${bucket}/${key}`,
-      queryParams: { select: "", "select-type": "2" },
-      headers: { "Content-Type": "application/xml" },
-      body,
-      rawResponse: true
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
-    return result;
+    const response = result.ListStacksResponse || result;
+    const summariesResult = response.ListStacksResult || response;
+    const members = summariesResult.StackSummaries?.member || summariesResult.StackSummaries || [];
+    const items = Array.isArray(members) ? members : members ? [members] : [];
+    return {
+      StackSummaries: items.map((s) => ({
+        StackId: s.StackId || "",
+        StackName: s.StackName || "",
+        TemplateDescription: s.TemplateDescription,
+        CreationTime: s.CreationTime || "",
+        LastUpdatedTime: s.LastUpdatedTime,
+        DeletionTime: s.DeletionTime,
+        StackStatus: s.StackStatus || ""
+      }))
+    };
   }
-  async getSignedUrl(options) {
-    const { bucket, key, expiresIn = 3600, operation = "getObject" } = options;
-    const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
-    const now = new Date;
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-    const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
-    const host = `${bucket}.s3.${this.region}.amazonaws.com`;
-    const method = operation === "putObject" ? "PUT" : "GET";
-    const algorithm = "AWS4-HMAC-SHA256";
-    const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
-    const credential = `${accessKeyId}/${credentialScope}`;
-    const queryParams = {
-      "X-Amz-Algorithm": algorithm,
-      "X-Amz-Credential": credential,
-      "X-Amz-Date": amzDate,
-      "X-Amz-Expires": expiresIn.toString(),
-      "X-Amz-SignedHeaders": "host"
+  async createChangeSet(options) {
+    const params = {
+      Action: "CreateChangeSet",
+      StackName: options.stackName,
+      ChangeSetName: options.changeSetName,
+      Version: "2010-05-15"
     };
-    if (sessionToken) {
-      queryParams["X-Amz-Security-Token"] = sessionToken;
+    if (options.templateBody) {
+      params.TemplateBody = options.templateBody;
+    } else if (options.templateUrl) {
+      params.TemplateURL = options.templateUrl;
     }
-    const sortedParams = Object.keys(queryParams).sort();
-    const canonicalQuerystring = sortedParams.map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(queryParams[k])}`).join("&");
-    const canonicalUri = "/" + key;
-    const canonicalHeaders = `host:${host}
-`;
-    const signedHeaders = "host";
-    const payloadHash = "UNSIGNED-PAYLOAD";
-    const canonicalRequest = [
-      method,
-      canonicalUri,
-      canonicalQuerystring,
-      canonicalHeaders,
-      signedHeaders,
-      payloadHash
-    ].join(`
-`);
-    const stringToSign = [
-      algorithm,
-      amzDate,
-      credentialScope,
-      crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
-    ].join(`
-`);
-    const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
-    const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
-    const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
-    const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
-    const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
-    const presignedUrl = `https://${host}${canonicalUri}?${canonicalQuerystring}&X-Amz-Signature=${signature}`;
-    return presignedUrl;
+    if (options.parameters) {
+      options.parameters.forEach((param, index) => {
+        params[`Parameters.member.${index + 1}.ParameterKey`] = param.ParameterKey;
+        params[`Parameters.member.${index + 1}.ParameterValue`] = param.ParameterValue;
+      });
+    }
+    if (options.capabilities) {
+      options.capabilities.forEach((cap, index) => {
+        params[`Capabilities.member.${index + 1}`] = cap;
+      });
+    }
+    if (options.changeSetType) {
+      params.ChangeSetType = options.changeSetType;
+    }
+    const result = await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+    return { Id: result.Id, StackId: result.StackId };
+  }
+  async describeChangeSet(stackName, changeSetName) {
+    const params = {
+      Action: "DescribeChangeSet",
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+      Version: "2010-05-15"
+    };
+    return await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+  }
+  async executeChangeSet(stackName, changeSetName) {
+    const params = {
+      Action: "ExecuteChangeSet",
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+      Version: "2010-05-15"
+    };
+    await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+  }
+  async deleteChangeSet(stackName, changeSetName) {
+    const params = {
+      Action: "DeleteChangeSet",
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+      Version: "2010-05-15"
+    };
+    await this.client.request({
+      service: "cloudformation",
+      region: this.region,
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
+    });
+  }
+  async getStackOutputs(stackName) {
+    const result = await this.describeStacks({ stackName });
+    if (!result.Stacks || result.Stacks.length === 0) {
+      throw new Error(`Stack ${stackName} not found`);
+    }
+    const stack = result.Stacks[0];
+    const outputs = {};
+    if (stack.Outputs) {
+      for (const output of stack.Outputs) {
+        outputs[output.OutputKey] = output.OutputValue;
+      }
+    }
+    return outputs;
   }
-  async listObjects(options) {
-    const { bucket, prefix, maxKeys = 1000, continuationToken } = options;
-    const queryParams = {
-      "list-type": "2",
-      "max-keys": maxKeys.toString()
+  async getTemplate(stackName) {
+    const params = {
+      Action: "GetTemplate",
+      StackName: stackName,
+      Version: "2010-05-15"
     };
-    if (prefix)
-      queryParams.prefix = prefix;
-    if (continuationToken)
-      queryParams["continuation-token"] = continuationToken;
     const result = await this.client.request({
-      service: "s3",
+      service: "cloudformation",
       region: this.region,
-      method: "GET",
-      path: `/${bucket}`,
-      queryParams
+      method: "POST",
+      path: "/",
+      body: new URLSearchParams(params).toString()
     });
-    const objects = [];
-    const listResult = result?.ListBucketResult ?? result;
-    if (listResult?.Contents) {
-      const items = Array.isArray(listResult.Contents) ? listResult.Contents : [listResult.Contents];
-      for (const item of items) {
-        objects.push({
-          Key: item.Key || "",
-          LastModified: item.LastModified || "",
-          Size: Number.parseInt(item.Size || "0"),
-          ETag: item.ETag
-        });
+    const templateBody = result?.GetTemplateResult?.TemplateBody || result?.TemplateBody || "";
+    return { TemplateBody: templateBody };
+  }
+  parseStacksResponse(result) {
+    const stacks = [];
+    let stackData = result?.DescribeStacksResult?.Stacks?.member || result?.Stacks?.member || result?.Stacks || result;
+    if (stackData && !Array.isArray(stackData)) {
+      stackData = [stackData];
+    }
+    if (Array.isArray(stackData)) {
+      for (const s of stackData) {
+        if (s.StackId || s.StackName) {
+          let outputs;
+          if (s.Outputs?.member) {
+            const outputData = Array.isArray(s.Outputs.member) ? s.Outputs.member : [s.Outputs.member];
+            outputs = outputData.map((o) => ({
+              OutputKey: o.OutputKey,
+              OutputValue: o.OutputValue,
+              Description: o.Description,
+              ExportName: o.ExportName
+            }));
+          }
+          stacks.push({
+            StackId: s.StackId,
+            StackName: s.StackName,
+            StackStatus: s.StackStatus,
+            CreationTime: s.CreationTime,
+            LastUpdatedTime: s.LastUpdatedTime,
+            StackStatusReason: s.StackStatusReason,
+            Outputs: outputs
+          });
+        }
       }
+    } else if (result.StackId) {
+      stacks.push({
+        StackId: result.StackId,
+        StackName: result.StackName,
+        StackStatus: result.StackStatus,
+        CreationTime: result.CreationTime,
+        LastUpdatedTime: result.LastUpdatedTime
+      });
     }
-    return {
-      objects,
-      nextContinuationToken: listResult?.NextContinuationToken
-    };
+    return stacks;
   }
-  async emptyBucket(bucket) {
-    let deletedCount = 0;
-    const objects = await this.listAllObjects({ bucket });
-    if (objects.length > 0) {
-      for (let i = 0;i < objects.length; i += 1000) {
-        const batch2 = objects.slice(i, i + 1000);
-        const keys = batch2.map((obj) => obj.Key);
-        await this.deleteObjects(bucket, keys);
-        deletedCount += keys.length;
-      }
+  parseStackEvents(result) {
+    const events = [];
+    let eventData = result?.DescribeStackEventsResult?.StackEvents?.member || result?.StackEvents?.member || result?.StackEvents || [];
+    if (eventData && !Array.isArray(eventData)) {
+      eventData = [eventData];
     }
-    try {
-      let keyMarker;
-      let versionIdMarker;
-      do {
-        const versionsResult = await this.listObjectVersions({
-          bucket,
-          keyMarker,
-          versionIdMarker,
-          maxKeys: 1000
+    for (const e of eventData) {
+      if (e.LogicalResourceId) {
+        events.push({
+          Timestamp: e.Timestamp,
+          ResourceType: e.ResourceType,
+          LogicalResourceId: e.LogicalResourceId,
+          ResourceStatus: e.ResourceStatus,
+          ResourceStatusReason: e.ResourceStatusReason
         });
-        const versionsToDelete = [];
-        if (versionsResult.versions) {
-          for (const version2 of versionsResult.versions) {
-            versionsToDelete.push({ Key: version2.Key, VersionId: version2.VersionId });
-          }
+      }
+    }
+    return events;
+  }
+  async waitForStackWithProgress(stackName, waitType, onProgress) {
+    const targetStatuses = {
+      "stack-create-complete": ["CREATE_COMPLETE"],
+      "stack-update-complete": ["UPDATE_COMPLETE"],
+      "stack-delete-complete": ["DELETE_COMPLETE"]
+    };
+    const failureStatuses = [
+      "CREATE_FAILED",
+      "ROLLBACK_FAILED",
+      "ROLLBACK_COMPLETE",
+      "UPDATE_ROLLBACK_FAILED",
+      "UPDATE_ROLLBACK_COMPLETE"
+    ];
+    const targets = targetStatuses[waitType];
+    const maxAttempts = 360;
+    let attempts = 0;
+    const seenEvents = new Set;
+    while (attempts < maxAttempts) {
+      try {
+        if (onProgress) {
+          try {
+            const eventsResult = await this.describeStackEvents(stackName);
+            const events = [...eventsResult.StackEvents || []].reverse();
+            for (const event of events) {
+              const eventKey = `${event.LogicalResourceId}-${event.ResourceStatus}-${event.Timestamp}`;
+              if (!seenEvents.has(eventKey)) {
+                seenEvents.add(eventKey);
+                onProgress({
+                  resourceId: event.LogicalResourceId,
+                  resourceType: event.ResourceType,
+                  status: event.ResourceStatus,
+                  reason: event.ResourceStatusReason,
+                  timestamp: event.Timestamp
+                });
+              }
+            }
+          } catch {}
         }
-        if (versionsResult.deleteMarkers) {
-          for (const marker of versionsResult.deleteMarkers) {
-            versionsToDelete.push({ Key: marker.Key, VersionId: marker.VersionId });
+        const result = await this.describeStacks({ stackName });
+        if (result.Stacks.length === 0) {
+          if (waitType === "stack-delete-complete") {
+            return;
           }
+          await new Promise((resolve13) => setTimeout(resolve13, 2000));
+          attempts++;
+          continue;
         }
-        if (versionsToDelete.length > 0) {
-          await this.deleteObjectVersions(bucket, versionsToDelete);
-          deletedCount += versionsToDelete.length;
+        const stack = result.Stacks[0];
+        if (targets.includes(stack.StackStatus)) {
+          return;
         }
-        keyMarker = versionsResult.nextKeyMarker;
-        versionIdMarker = versionsResult.nextVersionIdMarker;
-      } while (keyMarker);
-    } catch {}
-    return { deletedCount };
-  }
-  async listObjectVersions(options) {
-    const { bucket, prefix, keyMarker, versionIdMarker, maxKeys = 1000 } = options;
-    const queryParams = {
-      versions: "",
-      "max-keys": maxKeys.toString()
-    };
-    if (prefix)
-      queryParams.prefix = prefix;
-    if (keyMarker)
-      queryParams["key-marker"] = keyMarker;
-    if (versionIdMarker)
-      queryParams["version-id-marker"] = versionIdMarker;
-    const result = await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "GET",
-      path: `/${bucket}`,
-      queryParams
-    });
-    const versions = [];
-    const deleteMarkers = [];
-    if (result.Version) {
-      const versionList = Array.isArray(result.Version) ? result.Version : [result.Version];
-      for (const v of versionList) {
-        versions.push({
-          Key: v.Key,
-          VersionId: v.VersionId,
-          IsLatest: v.IsLatest === "true"
-        });
-      }
-    }
-    if (result.DeleteMarker) {
-      const markerList = Array.isArray(result.DeleteMarker) ? result.DeleteMarker : [result.DeleteMarker];
-      for (const m of markerList) {
-        deleteMarkers.push({
-          Key: m.Key,
-          VersionId: m.VersionId,
-          IsLatest: m.IsLatest === "true"
-        });
+        if (stack.StackStatus === "DELETE_FAILED" && waitType === "stack-delete-complete") {
+          const error = new Error(`Stack deletion failed - may have resources that need to be retained`);
+          error.code = "DELETE_FAILED";
+          error.stackStatus = stack.StackStatus;
+          error.statusReason = stack.StackStatusReason;
+          throw error;
+        }
+        if (failureStatuses.includes(stack.StackStatus)) {
+          throw new Error(`Stack reached failure status: ${stack.StackStatus}`);
+        }
+        await new Promise((resolve13) => setTimeout(resolve13, 3000));
+        attempts++;
+      } catch (error) {
+        if (waitType === "stack-delete-complete" && error.message?.includes("does not exist")) {
+          return;
+        }
+        if (waitType === "stack-create-complete" && error.message?.includes("does not exist")) {
+          await new Promise((resolve13) => setTimeout(resolve13, 2000));
+          attempts++;
+          continue;
+        }
+        throw error;
       }
     }
-    return {
-      versions,
-      deleteMarkers,
-      nextKeyMarker: result.NextKeyMarker,
-      nextVersionIdMarker: result.NextVersionIdMarker
-    };
+    throw new Error(`Timeout waiting for stack to reach ${waitType}`);
   }
-  async deleteObjectVersions(bucket, objects) {
-    const deleteXml = `<?xml version="1.0" encoding="UTF-8"?>
-<Delete>
-  <Quiet>true</Quiet>
-  ${objects.map((obj) => `<Object><Key>${obj.Key}</Key>${obj.VersionId ? `<VersionId>${obj.VersionId}</VersionId>` : ""}</Object>`).join(`
-  `)}
-</Delete>`;
-    const contentMd5 = crypto3.createHash("md5").update(deleteXml).digest("base64");
-    await this.client.request({
-      service: "s3",
-      region: this.region,
-      method: "POST",
-      path: `/${bucket}`,
-      queryParams: { delete: "" },
-      body: deleteXml,
-      headers: {
-        "Content-Type": "application/xml",
-        "Content-MD5": contentMd5
+  async waitForStackComplete(stackName, maxAttempts = 120, delayMs = 5000) {
+    const successStatuses = [
+      "CREATE_COMPLETE",
+      "UPDATE_COMPLETE",
+      "DELETE_COMPLETE"
+    ];
+    const failureStatuses = [
+      "CREATE_FAILED",
+      "UPDATE_FAILED",
+      "DELETE_FAILED",
+      "ROLLBACK_COMPLETE",
+      "ROLLBACK_FAILED",
+      "UPDATE_ROLLBACK_COMPLETE",
+      "UPDATE_ROLLBACK_FAILED"
+    ];
+    for (let i = 0;i < maxAttempts; i++) {
+      try {
+        const result = await this.describeStacks({ stackName });
+        if (result.Stacks.length === 0) {
+          return { success: true, status: "DELETE_COMPLETE" };
+        }
+        const stack = result.Stacks[0];
+        const status = stack.StackStatus;
+        if (successStatuses.includes(status)) {
+          return { success: true, status };
+        }
+        if (failureStatuses.includes(status)) {
+          return { success: false, status, reason: stack.StackStatusReason };
+        }
+        await new Promise((resolve13) => setTimeout(resolve13, delayMs));
+      } catch (error) {
+        if (error.message?.includes("does not exist")) {
+          return { success: true, status: "DELETE_COMPLETE" };
+        }
+        throw error;
       }
-    });
+    }
+    return { success: false, status: "TIMEOUT", reason: "Timeout waiting for stack operation" };
   }
 }
-var init_s3 = __esm(() => {
+var init_cloudformation = __esm(() => {
   init_client();
 });
 
@@ -4106,18 +4143,20 @@ class CloudFrontClient {
     const distributions = [];
     const distList = result.DistributionList || result;
     const items = distList.Items;
-    const summaryData = items?.DistributionSummary;
-    if (summaryData) {
-      const summaries = Array.isArray(summaryData) ? summaryData : [summaryData];
-      distributions.push(...summaries.map((item) => ({
-        Id: item.Id,
-        ARN: item.ARN,
-        Status: item.Status,
-        DomainName: item.DomainName,
-        Aliases: item.Aliases || undefined,
-        Enabled: item.Enabled === "true" || item.Enabled === true
-      })));
-    }
+    let summaries = [];
+    if (Array.isArray(items)) {
+      summaries = items;
+    } else if (items?.DistributionSummary) {
+      summaries = Array.isArray(items.DistributionSummary) ? items.DistributionSummary : [items.DistributionSummary];
+    }
+    distributions.push(...summaries.map((item) => ({
+      Id: item.Id,
+      ARN: item.ARN,
+      Status: item.Status,
+      DomainName: item.DomainName,
+      Aliases: item.Aliases || undefined,
+      Enabled: item.Enabled === "true" || item.Enabled === true
+    })));
     return distributions;
   }
   async getDistribution(distributionId) {
@@ -4445,6 +4484,70 @@ ${children}${indent}</${name}>
 <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/">
 ${Object.entries(config6).filter(([k]) => !k.startsWith("@_")).map(([key, val]) => buildXmlElement(key, val, "  ", "DistributionConfig")).join("")}</DistributionConfig>`;
   }
+  async ensureDynamicHttpMethods(distributionId) {
+    const getResult = await this.client.request({
+      service: "cloudfront",
+      region: "us-east-1",
+      method: "GET",
+      path: `/2020-05-31/distribution/${distributionId}/config`,
+      returnHeaders: true
+    });
+    const etag = getResult.headers?.etag || getResult.headers?.ETag || "";
+    const currentConfig = getResult.body?.DistributionConfig || getResult.DistributionConfig || getResult.body;
+    if (!currentConfig) {
+      throw new Error("Failed to get current distribution config");
+    }
+    let changed = false;
+    const dynamicMethods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"];
+    const parseAllowedMethods = (allowedMethods) => {
+      if (!allowedMethods)
+        return [];
+      const items = allowedMethods.Items;
+      if (!items)
+        return [];
+      if (Array.isArray(items))
+        return items.map(String);
+      if (typeof items === "object" && items.Method) {
+        const method = items.Method;
+        return Array.isArray(method) ? method.map(String) : [String(method)];
+      }
+      if (items.Item) {
+        return Array.isArray(items.Item) ? items.Item.map(String) : [String(items.Item)];
+      }
+      return [];
+    };
+    const defaultBehavior = currentConfig.DefaultCacheBehavior;
+    if (defaultBehavior) {
+      const allowed = parseAllowedMethods(defaultBehavior.AllowedMethods);
+      if (!allowed.includes("POST")) {
+        defaultBehavior.AllowedMethods = {
+          Quantity: dynamicMethods.length,
+          Items: { Method: dynamicMethods },
+          CachedMethods: {
+            Quantity: 2,
+            Items: { Method: ["GET", "HEAD"] }
+          }
+        };
+        changed = true;
+      }
+    }
+    if (!changed) {
+      return false;
+    }
+    const configXml = this.buildDistributionConfigXml(currentConfig);
+    await this.client.request({
+      service: "cloudfront",
+      region: "us-east-1",
+      method: "PUT",
+      path: `/2020-05-31/distribution/${distributionId}/config`,
+      body: configXml,
+      headers: {
+        "Content-Type": "application/xml",
+        "If-Match": etag
+      }
+    });
+    return true;
+  }
   async addAliases(distributionId, aliases, certificateArn) {
     return this.updateDistribution({
       distributionId,
@@ -6912,8 +7015,8 @@ class DnsProviderFactory {
     const godaddyApiKey = process.env.GODADDY_API_KEY;
     const godaddyApiSecret = process.env.GODADDY_API_SECRET;
     if (godaddyApiKey && godaddyApiSecret) {
-      const env = process.env.GODADDY_ENVIRONMENT;
-      this.addGoDaddy(godaddyApiKey, godaddyApiSecret, env);
+      const env2 = process.env.GODADDY_ENVIRONMENT;
+      this.addGoDaddy(godaddyApiKey, godaddyApiSecret, env2);
     }
     const cloudflareApiToken = process.env.CLOUDFLARE_API_TOKEN;
     if (cloudflareApiToken) {
@@ -7419,12 +7522,22 @@ function generateExternalDnsStaticSiteTemplate(config6) {
     defaultRootObject = "index.html",
     errorDocument = "404.html",
     passthroughUrls = false,
-    singlePageApp = false
+    singlePageApp = false,
+    dynamicApp = false,
+    computeOriginDomain,
+    computeOriginPort = 3008,
+    computeOriginId = "app-compute",
+    retainOnStackDelete = false
   } = config6;
+  const retainPolicy = retainOnStackDelete ? { DeletionPolicy: "Retain", UpdateReplacePolicy: "Retain" } : {};
+  const useComputeOrigin = dynamicApp && !!computeOriginDomain;
+  const defaultAllowedMethods = useComputeOrigin ? ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"] : ["GET", "HEAD"];
+  const defaultCachedMethods = useComputeOrigin ? ["GET", "HEAD"] : ["GET", "HEAD"];
   const resources = {};
   const outputs = {};
   resources.S3Bucket = {
     Type: "AWS::S3::Bucket",
+    ...retainPolicy,
     Properties: {
       BucketName: bucketName,
       PublicAccessBlockConfiguration: {
@@ -7449,6 +7562,7 @@ function generateExternalDnsStaticSiteTemplate(config6) {
   };
   resources.CloudFrontOAC = {
     Type: "AWS::CloudFront::OriginAccessControl",
+    ...retainPolicy,
     Properties: {
       OriginAccessControlConfig: {
         Name: `OAC-${bucketName}`,
@@ -7459,6 +7573,34 @@ function generateExternalDnsStaticSiteTemplate(config6) {
       }
     }
   };
+  let installRootRedirectLogicalId;
+  if (passthroughUrls && useComputeOrigin) {
+    installRootRedirectLogicalId = "InstallRootRedirectFunction";
+    resources[installRootRedirectLogicalId] = {
+      Type: "AWS::CloudFront::Function",
+      Properties: {
+        Name: { "Fn::Sub": "${AWS::StackName}-install-root-redirect" },
+        AutoPublish: true,
+        FunctionConfig: {
+          Comment: "Redirect curl pantry.dev | bash (GET /) to /install.sh on S3",
+          Runtime: "cloudfront-js-2.0"
+        },
+        FunctionCode: `function handler(event) {
+  var request = event.request;
+  if (request.uri === '/' || request.uri === '') {
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        location: { value: 'https://' + request.headers.host.value + '/install.sh' }
+      }
+    };
+  }
+  return request;
+}`
+      }
+    };
+  }
   if (!passthroughUrls) {
     resources.UrlRewriteFunction = {
       Type: "AWS::CloudFront::Function",
@@ -7487,38 +7629,72 @@ function generateExternalDnsStaticSiteTemplate(config6) {
       }
     };
   }
+  const s3Origin = {
+    Id: `S3-${bucketName}`,
+    DomainName: { "Fn::GetAtt": ["S3Bucket", "RegionalDomainName"] },
+    S3OriginConfig: {
+      OriginAccessIdentity: ""
+    },
+    OriginAccessControlId: { "Fn::GetAtt": ["CloudFrontOAC", "Id"] }
+  };
+  const computeOrigin = useComputeOrigin ? {
+    Id: computeOriginId,
+    DomainName: computeOriginDomain,
+    CustomOriginConfig: {
+      HTTPPort: computeOriginPort,
+      HTTPSPort: 443,
+      OriginProtocolPolicy: "http-only",
+      OriginSSLProtocols: ["TLSv1.2"]
+    }
+  } : null;
+  const defaultTargetOriginId = useComputeOrigin ? computeOriginId : `S3-${bucketName}`;
   const distributionConfig = {
     Enabled: true,
     DefaultRootObject: defaultRootObject,
     HttpVersion: "http2and3",
     IPV6Enabled: true,
     PriceClass: "PriceClass_100",
-    Origins: [
-      {
-        Id: `S3-${bucketName}`,
-        DomainName: { "Fn::GetAtt": ["S3Bucket", "RegionalDomainName"] },
-        S3OriginConfig: {
-          OriginAccessIdentity: ""
-        },
-        OriginAccessControlId: { "Fn::GetAtt": ["CloudFrontOAC", "Id"] }
-      }
-    ],
+    Origins: computeOrigin ? [computeOrigin, s3Origin] : [s3Origin],
     DefaultCacheBehavior: {
-      TargetOriginId: `S3-${bucketName}`,
+      TargetOriginId: defaultTargetOriginId,
       ViewerProtocolPolicy: "redirect-to-https",
-      AllowedMethods: ["GET", "HEAD"],
-      CachedMethods: ["GET", "HEAD"],
+      AllowedMethods: defaultAllowedMethods,
+      CachedMethods: defaultCachedMethods,
       Compress: true,
-      CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6",
-      ...!passthroughUrls && {
-        FunctionAssociations: [
-          {
+      ...useComputeOrigin ? {
+        CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
+        OriginRequestPolicyId: "b689b0a8-53d0-40ab-baf2-68738e2966ac",
+        ...passthroughUrls && installRootRedirectLogicalId ? {
+          FunctionAssociations: [{
             EventType: "viewer-request",
-            FunctionARN: { "Fn::GetAtt": ["UrlRewriteFunction", "FunctionARN"] }
-          }
-        ]
+            FunctionARN: { "Fn::GetAtt": [installRootRedirectLogicalId, "FunctionARN"] }
+          }]
+        } : {}
+      } : {
+        CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6",
+        ...!passthroughUrls && {
+          FunctionAssociations: [
+            {
+              EventType: "viewer-request",
+              FunctionARN: { "Fn::GetAtt": ["UrlRewriteFunction", "FunctionARN"] }
+            }
+          ]
+        }
       }
     },
+    ...useComputeOrigin && passthroughUrls ? {
+      CacheBehaviors: [
+        {
+          PathPattern: "/install.sh",
+          TargetOriginId: `S3-${bucketName}`,
+          ViewerProtocolPolicy: "redirect-to-https",
+          AllowedMethods: ["GET", "HEAD", "OPTIONS"],
+          CachedMethods: ["GET", "HEAD", "OPTIONS"],
+          Compress: true,
+          CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+        }
+      ]
+    } : {},
     CustomErrorResponses: singlePageApp ? [
       {
         ErrorCode: 403,
@@ -7561,7 +7737,13 @@ function generateExternalDnsStaticSiteTemplate(config6) {
   }
   resources.CloudFrontDistribution = {
     Type: "AWS::CloudFront::Distribution",
-    DependsOn: passthroughUrls ? ["S3Bucket", "CloudFrontOAC"] : ["S3Bucket", "CloudFrontOAC", "UrlRewriteFunction"],
+    ...retainPolicy,
+    DependsOn: [
+      "S3Bucket",
+      "CloudFrontOAC",
+      ...passthroughUrls && useComputeOrigin && installRootRedirectLogicalId ? [installRootRedirectLogicalId] : [],
+      ...!passthroughUrls ? ["UrlRewriteFunction"] : []
+    ],
     Properties: {
       DistributionConfig: distributionConfig
     }
@@ -7576,6 +7758,7 @@ function generateExternalDnsStaticSiteTemplate(config6) {
   };
   resources.S3BucketPolicy = {
     Type: "AWS::S3::BucketPolicy",
+    ...retainPolicy,
     DependsOn: ["S3Bucket", "CloudFrontDistribution"],
     Properties: {
       Bucket: { Ref: "S3Bucket" },
@@ -7810,7 +7993,11 @@ async function deployStaticSiteWithExternalDns(config6) {
     defaultRootObject: config6.defaultRootObject,
     errorDocument: config6.errorDocument,
     passthroughUrls: config6.passthroughUrls,
-    singlePageApp: config6.singlePageApp
+    singlePageApp: config6.singlePageApp,
+    dynamicApp: config6.dynamicApp,
+    computeOriginDomain: config6.computeOriginDomain,
+    computeOriginPort: config6.computeOriginPort,
+    computeOriginId: config6.computeOriginId
   });
   const tags = Object.entries(config6.tags || {}).map(([Key, Value]) => ({ Key, Value }));
   tags.push({ Key: "ManagedBy", Value: "ts-cloud" });
@@ -18819,6 +19006,13 @@ var RealtimePresets = {
     }
   }
 };
+function resolveCloudProvider(config6) {
+  if (config6.cloud?.provider)
+    return config6.cloud.provider;
+  if (config6.hetzner?.apiToken)
+    return "hetzner";
+  return "aws";
+}
 
 class TemplateBuilder {
   template;
@@ -18974,6 +19168,28 @@ function getTimestamp() {
 function sanitizeName(name) {
   return name.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/^-+|-+$/g, "").replace(/-+/g, "-");
 }
+function resolveProjectStackName(config6, environment) {
+  return config6.project.stackName ?? `${config6.project.slug}-${environment}`;
+}
+function resolveSiteStackName(config6, siteKey, site, environment) {
+  return site.stackName ?? `${config6.project.slug}-${environment}-${siteKey}-site`;
+}
+function resolveSiteResourceName(config6, siteKey) {
+  return `${config6.project.slug}-${siteKey}`;
+}
+function resolveSiteBucketName(slug, environment, siteKey, explicitBucket) {
+  if (explicitBucket)
+    return explicitBucket;
+  if (siteKey === "main")
+    return `${slug}-${environment}-site`;
+  return `${slug}-${environment}-${siteKey}`;
+}
+function resolveStorageBucketName(slug, environment, bucketKey, explicitBucket) {
+  return explicitBucket ?? `${slug}-${environment}-${bucketKey}`;
+}
+function resolveDeployBucketName(slug, environment) {
+  return `${slug}-${environment}-deploy`;
+}
 
 class DependencyGraph {
   nodes = new Map;
@@ -19322,6 +19538,7 @@ class Storage {
   static createBucket(options) {
     const {
       name,
+      bucketName: explicitBucketName,
       slug,
       environment,
       public: isPublic = false,
@@ -19332,7 +19549,7 @@ class Storage {
       cors,
       lifecycleRules
     } = options;
-    const resourceName = generateResourceName({
+    const resourceName = explicitBucketName ?? generateResourceName({
       slug,
       environment,
       resourceType: "s3",
@@ -23470,7 +23687,8 @@ echo "Server setup complete!"
         runtime = "bun",
         runtimeVersion = "latest",
         systemPackages = [],
-        database
+        database,
+        caddyfile
       } = options;
       const packages = new Set(systemPackages);
       if (database === "sqlite")
@@ -23528,7 +23746,57 @@ ln -sf /root/.deno/bin/deno /usr/local/bin/deno
       script += `
 # Reserved root for site deploys (each site lands at /var/www/<site>/)
 mkdir -p /var/www
+`;
+      if (caddyfile) {
+        const escaped = caddyfile.replace(/\$/g, "\\$");
+        script += `
+# Caddy (reverse proxy + automatic TLS via Let's Encrypt)
+ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=\${ARCH}" -o /usr/local/bin/caddy
+chmod +x /usr/local/bin/caddy
+
+# Dedicated service account
+getent group caddy >/dev/null || groupadd --system caddy
+getent passwd caddy >/dev/null || useradd --system --gid caddy \\
+  --create-home --home-dir /var/lib/caddy \\
+  --shell /usr/sbin/nologin --comment "Caddy web server" caddy
+
+mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy
+chown -R caddy:caddy /var/lib/caddy /var/log/caddy
+
+cat > /etc/systemd/system/caddy.service <<'CADDY_UNIT_EOF'
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+CADDY_UNIT_EOF
 
+cat > /etc/caddy/Caddyfile <<'CADDY_CONFIG_EOF'
+${escaped}
+CADDY_CONFIG_EOF
+
+systemctl daemon-reload
+systemctl enable caddy
+systemctl start caddy
+`;
+      }
+      script += `
 echo "ts-cloud bootstrap complete — instance is ready for site deploys"
 `;
       return script;
@@ -29998,8 +30266,8 @@ class Messaging {
     return topic;
   }
   static FilterPolicies = {
-    eventType: (types) => ({
-      eventType: types
+    eventType: (types2) => ({
+      eventType: types2
     }),
     status: (statuses) => ({
       status: statuses
@@ -62098,6 +62366,125 @@ class InfrastructureGenerator {
     const port = Number(configuredPort || 3008);
     return Number.isFinite(port) && port > 0 ? port : 3008;
   }
+  defaultComputeCachePathPatterns() {
+    return [
+      "/api/*",
+      "/auth/*",
+      "/publisher/api/*",
+      "/publisher/*",
+      "/publish",
+      "/publish/*",
+      "/analytics/*",
+      "/packages/*",
+      "/npm/*",
+      "/zig/*",
+      "/php/*",
+      "/commits/*",
+      "/health",
+      "/dashboard/*",
+      "/search",
+      "/login",
+      "/logout",
+      "/signup",
+      "/account",
+      "/account/*"
+    ];
+  }
+  shouldRouteStorageBucketToCompute(name, storageConfig) {
+    return name === "public" || storageConfig.routeCompute === true;
+  }
+  resolveComputeCachePathPatterns(routes) {
+    if (routes && routes.length > 0) {
+      return routes;
+    }
+    return this.defaultComputeCachePathPatterns();
+  }
+  createComputeCacheBehavior(pathPattern, apiOriginId) {
+    return {
+      PathPattern: pathPattern,
+      TargetOriginId: apiOriginId,
+      ViewerProtocolPolicy: "redirect-to-https",
+      AllowedMethods: ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"],
+      CachedMethods: ["GET", "HEAD"],
+      Compress: true,
+      CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
+      OriginRequestPolicyId: "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    };
+  }
+  appendComputeAppOrigin(origins, cacheBehaviors, extraDependsOn, slug, env, pathPatterns) {
+    const appEipId = this.serverEipLogicalIds.get("app");
+    const appInstanceId = this.serverEipLogicalIds.get("appInstance");
+    if (!appEipId) {
+      return;
+    }
+    const apiOriginId = `EC2-${slug}-${env}-api`;
+    const serverRegion = this.mergedConfig.infrastructure?.servers?.app?.region || this.mergedConfig.project?.region || "us-east-1";
+    const dnsSuffix = serverRegion === "us-east-1" ? ".compute-1.amazonaws.com" : `.${serverRegion}.compute.amazonaws.com`;
+    const originDomainName = {
+      "Fn::Join": ["", [
+        "ec2-",
+        { "Fn::Join": ["-", { "Fn::Split": [".", { Ref: appEipId }] }] },
+        dnsSuffix
+      ]]
+    };
+    const apiOriginPort = this.resolveApiOriginPort();
+    origins.push({
+      Id: apiOriginId,
+      DomainName: originDomainName,
+      CustomOriginConfig: {
+        HTTPPort: apiOriginPort,
+        HTTPSPort: 443,
+        OriginProtocolPolicy: "http-only",
+        OriginSSLProtocols: ["TLSv1.2"]
+      }
+    });
+    extraDependsOn.push(appEipId);
+    if (appInstanceId) {
+      extraDependsOn.push(appInstanceId);
+    }
+    for (const pathPattern of pathPatterns) {
+      cacheBehaviors.push(this.createComputeCacheBehavior(pathPattern, apiOriginId));
+    }
+  }
+  buildCaddyfile(allSites) {
+    const sitesWithDomain = allSites.filter(([, s]) => typeof s.domain === "string" && s.domain && typeof s.port === "number");
+    if (sitesWithDomain.length === 0)
+      return;
+    const byDomain = new Map;
+    for (const [, site] of sitesWithDomain) {
+      const list = byDomain.get(site.domain) ?? [];
+      list.push({ port: site.port, path: site.path });
+      byDomain.set(site.domain, list);
+    }
+    const blocks = [];
+    for (const [domain, sites] of byDomain) {
+      const sorted = [...sites].sort((a, b) => {
+        const aIsCatchAll = !a.path || a.path === "/";
+        const bIsCatchAll = !b.path || b.path === "/";
+        if (aIsCatchAll && !bIsCatchAll)
+          return 1;
+        if (!aIsCatchAll && bIsCatchAll)
+          return -1;
+        return (b.path?.length ?? 0) - (a.path?.length ?? 0);
+      });
+      const handles = sorted.map((s) => {
+        const isCatchAll = !s.path || s.path === "/";
+        const inner = `reverse_proxy localhost:${s.port}`;
+        return isCatchAll ? `  handle {
+    ${inner}
+  }` : `  handle ${s.path} {
+    ${inner}
+  }`;
+      });
+      blocks.push(`${domain} {
+${handles.join(`
+`)}
+}`);
+    }
+    return blocks.join(`
+
+`);
+  }
   normalizeMountPath(config6) {
     const rawPath = config6?.mountPath || config6?.path;
     if (!rawPath || rawPath === "/")
@@ -62785,11 +63172,13 @@ class InfrastructureGenerator {
     if (!this.builder.hasResource("VPC")) {
       this.generateNetworkInfrastructure(slug, env);
     }
+    const caddyfile = this.buildCaddyfile(allSites);
     const userData = Compute.UserData.generateBunAppScript({
       runtime: compute.runtime || "bun",
       runtimeVersion: compute.runtimeVersion || "latest",
       systemPackages: compute.systemPackages,
-      database: dbEngine
+      database: dbEngine,
+      caddyfile
     });
     const sitePorts = allSites.map(([, s]) => s.port).filter((p) => typeof p === "number" && ![80, 443].includes(p));
     const apiOriginPort = this.resolveApiOriginPort();
@@ -63003,11 +63392,12 @@ class InfrastructureGenerator {
       })).filter((bucket) => bucket.name !== "public" && bucket.config.website && bucket.mountPath);
       for (const [name, storageConfig] of Object.entries(this.mergedConfig.infrastructure.storage)) {
         const serveViaCloudFront = !!(storageConfig.website && sharedOacLogicalId);
+        const physicalBucketName = storageConfig.bucket ?? `${slug}-${env}-${name}`;
         const { bucket, logicalId } = Storage.createBucket({
           slug,
           name,
           environment: env,
-          bucketName: `${slug}-${env}-${name}`,
+          bucketName: physicalBucketName,
           versioning: storageConfig.versioning,
           encryption: storageConfig.encryption,
           public: serveViaCloudFront ? false : storageConfig.public
@@ -63090,45 +63480,8 @@ else if (!uri.includes('.')) { request.uri += '.html'; } return request; }`
           }];
           const cacheBehaviors = [];
           const extraDependsOn = [];
-          if (name === "public") {
-            const appEipId = this.serverEipLogicalIds.get("app");
-            const appInstanceId = this.serverEipLogicalIds.get("appInstance");
-            if (appEipId) {
-              const apiOriginId = `EC2-${slug}-${env}-api`;
-              const serverRegion = this.mergedConfig.infrastructure?.servers?.app?.region || this.mergedConfig.project?.region || "us-east-1";
-              const dnsSuffix = serverRegion === "us-east-1" ? ".compute-1.amazonaws.com" : `.${serverRegion}.compute.amazonaws.com`;
-              const originDomainName = {
-                "Fn::Join": ["", [
-                  "ec2-",
-                  { "Fn::Join": ["-", { "Fn::Split": [".", { Ref: appEipId }] }] },
-                  dnsSuffix
-                ]]
-              };
-              const apiOriginPort = this.resolveApiOriginPort();
-              origins.push({
-                Id: apiOriginId,
-                DomainName: originDomainName,
-                CustomOriginConfig: {
-                  HTTPPort: apiOriginPort,
-                  HTTPSPort: 443,
-                  OriginProtocolPolicy: "http-only",
-                  OriginSSLProtocols: ["TLSv1.2"]
-                }
-              });
-              extraDependsOn.push(appEipId);
-              if (appInstanceId)
-                extraDependsOn.push(appInstanceId);
-              cacheBehaviors.push({
-                PathPattern: "/api/*",
-                TargetOriginId: apiOriginId,
-                ViewerProtocolPolicy: "redirect-to-https",
-                AllowedMethods: ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"],
-                CachedMethods: ["GET", "HEAD"],
-                Compress: true,
-                CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
-                OriginRequestPolicyId: "b689b0a8-53d0-40ab-baf2-68738e2966ac"
-              });
-            }
+          if (this.shouldRouteStorageBucketToCompute(name, storageConfig)) {
+            this.appendComputeAppOrigin(origins, cacheBehaviors, extraDependsOn, slug, env, this.resolveComputeCachePathPatterns(storageConfig.computeRoutes));
             for (const mountedBucket of pathMountedWebsiteBuckets) {
               const mountedOriginId = `S3-${slug}-${env}-${mountedBucket.name}`;
               const mountedFunctionLogicalId = `${slug}${env}${mountedBucket.name}PathMountRewrite`.replace(/[^a-zA-Z0-9]/g, "");
@@ -63233,7 +63586,7 @@ else if (!uri.includes('.')) { request.uri += '.html'; } return request; }`
               }
             }
           });
-          if (name === "public") {
+          if (this.shouldRouteStorageBucketToCompute(name, storageConfig)) {
             for (const mountedBucket of pathMountedWebsiteBuckets) {
               const mountedPolicyLogicalId = `${mountedBucket.logicalId}CloudFrontPolicy`;
               this.builder.addResource(mountedPolicyLogicalId, {
@@ -63377,15 +63730,78 @@ else if (!uri.includes('.')) { request.uri += '.html'; } return request; }`
     }
     if (this.mergedConfig.infrastructure?.cdn) {
       for (const [name, cdnConfig] of Object.entries(this.mergedConfig.infrastructure.cdn)) {
-        const { distribution, logicalId } = CDN.createDistribution({
-          slug,
-          environment: env,
-          origin: {
-            domainName: cdnConfig.origin,
-            originId: `${slug}-origin`
+        if (!cdnConfig.origin) {
+          continue;
+        }
+        const customDomain = typeof cdnConfig.customDomain === "string" ? cdnConfig.customDomain : cdnConfig.customDomain?.domain || cdnConfig.domain;
+        const explicitCertificateArn = typeof cdnConfig.customDomain === "object" ? cdnConfig.customDomain?.certificateArn : cdnConfig.certificateArn;
+        const resolvedCertArn = explicitCertificateArn || cfCertificateArn;
+        const distLogicalId = `${slug}${env}${name}CDN`.replace(/[^a-zA-Z0-9]/g, "");
+        const originId = `S3-${slug}-${env}-${name}-cdn`;
+        const origins = [{
+          Id: originId,
+          DomainName: cdnConfig.origin,
+          OriginPath: "",
+          S3OriginConfig: {
+            OriginAccessIdentity: ""
           }
-        });
-        this.builder.addResource(logicalId, distribution);
+        }];
+        const cacheBehaviors = [];
+        const extraDependsOn = [];
+        if (cdnConfig.routeCompute) {
+          this.appendComputeAppOrigin(origins, cacheBehaviors, extraDependsOn, slug, env, this.resolveComputeCachePathPatterns(cdnConfig.computeRoutes));
+        }
+        const viewerCertificate = resolvedCertArn && customDomain ? {
+          AcmCertificateArn: cfCertificateLogicalId && !explicitCertificateArn ? { Ref: cfCertificateLogicalId } : resolvedCertArn,
+          SslSupportMethod: "sni-only",
+          MinimumProtocolVersion: "TLSv1.2_2021"
+        } : { CloudFrontDefaultCertificate: true };
+        const distributionDependsOn = [...extraDependsOn];
+        if (cfCertificateLogicalId && !explicitCertificateArn && customDomain) {
+          distributionDependsOn.push(cfCertificateLogicalId);
+        }
+        const distribution = {
+          Type: "AWS::CloudFront::Distribution",
+          ...distributionDependsOn.length > 0 ? { DependsOn: distributionDependsOn } : {},
+          Properties: {
+            DistributionConfig: {
+              Enabled: true,
+              Comment: `${slug} ${env} ${name} CDN`,
+              DefaultRootObject: "index.html",
+              Origins: origins,
+              DefaultCacheBehavior: {
+                TargetOriginId: originId,
+                ViewerProtocolPolicy: "redirect-to-https",
+                AllowedMethods: ["GET", "HEAD", "OPTIONS"],
+                CachedMethods: ["GET", "HEAD", "OPTIONS"],
+                Compress: cdnConfig.compress !== false,
+                CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+              },
+              ...cacheBehaviors.length > 0 ? { CacheBehaviors: cacheBehaviors } : {},
+              ...customDomain && resolvedCertArn ? { Aliases: [customDomain] } : {},
+              ViewerCertificate: viewerCertificate,
+              PriceClass: "PriceClass_100",
+              HttpVersion: cdnConfig.http3 ? "http2and3" : "http2"
+            }
+          }
+        };
+        this.builder.addResource(distLogicalId, distribution);
+        if (hostedZoneId && customDomain && resolvedCertArn) {
+          const safeName = customDomain.replace(/\./g, "").replace(/[^a-zA-Z0-9]/g, "");
+          this.builder.addResource(`${safeName}CdnARecord`, {
+            Type: "AWS::Route53::RecordSet",
+            DependsOn: [distLogicalId, ...cfCertificateLogicalId && !explicitCertificateArn ? [cfCertificateLogicalId] : []],
+            Properties: {
+              HostedZoneId: hostedZoneId,
+              Name: customDomain,
+              Type: "A",
+              AliasTarget: {
+                HostedZoneId: "Z2FDTNDATAQYW2",
+                DNSName: { "Fn::GetAtt": [distLogicalId, "DomainName"] }
+              }
+            }
+          });
+        }
       }
     }
     if (this.mergedConfig.infrastructure?.queues) {
@@ -65146,6 +65562,84 @@ function validateResourceLimits(template) {
 }
 // src/aws/index.ts
 init_client();
+
+// src/object-storage/index.ts
+init_s3();
+var DEFAULT_REGION = {
+  aws: "us-east-1",
+  backblaze: "us-west-004",
+  hetzner: "fsn1"
+};
+function providerEndpoint(provider, region) {
+  switch (provider) {
+    case "backblaze":
+      return `s3.${region}.backblazeb2.com`;
+    case "hetzner":
+      return `${region}.your-objectstorage.com`;
+    case "aws":
+    default:
+      return;
+  }
+}
+function env(...names) {
+  for (const name of names) {
+    const value = process.env[name];
+    if (value)
+      return value;
+  }
+  return;
+}
+function resolveCredentials3(provider, explicit) {
+  if (explicit?.accessKeyId && explicit.secretAccessKey)
+    return explicit;
+  let accessKeyId;
+  let secretAccessKey;
+  if (provider === "backblaze") {
+    accessKeyId = env("B2_APPLICATION_KEY_ID", "B2_KEY_ID", "S3_ACCESS_KEY_ID", "AWS_ACCESS_KEY_ID");
+    secretAccessKey = env("B2_APPLICATION_KEY", "B2_SECRET_KEY", "S3_SECRET_ACCESS_KEY", "AWS_SECRET_ACCESS_KEY");
+  } else if (provider === "hetzner") {
+    accessKeyId = env("HETZNER_S3_ACCESS_KEY", "HETZNER_ACCESS_KEY", "S3_ACCESS_KEY_ID", "AWS_ACCESS_KEY_ID");
+    secretAccessKey = env("HETZNER_S3_SECRET_KEY", "HETZNER_SECRET_KEY", "S3_SECRET_ACCESS_KEY", "AWS_SECRET_ACCESS_KEY");
+  } else {
+    accessKeyId = env("S3_ACCESS_KEY_ID");
+    secretAccessKey = env("S3_SECRET_ACCESS_KEY");
+  }
+  if (accessKeyId && secretAccessKey) {
+    return { accessKeyId, secretAccessKey, sessionToken: env("AWS_SESSION_TOKEN") };
+  }
+  return;
+}
+function resolveObjectStorage(config6 = {}) {
+  const provider = config6.provider || env("OBJECT_STORAGE_PROVIDER", "STORAGE_PROVIDER") || "aws";
+  const region = config6.region || (provider === "backblaze" ? env("B2_REGION") : undefined) || (provider === "hetzner" ? env("HETZNER_S3_REGION", "HETZNER_REGION") : undefined) || env("S3_REGION", "AWS_REGION", "AWS_DEFAULT_REGION") || DEFAULT_REGION[provider];
+  const endpoint = config6.endpoint || env("S3_ENDPOINT") || providerEndpoint(provider, region);
+  const forcePathStyle = config6.forcePathStyle ?? env("S3_FORCE_PATH_STYLE") === "true";
+  const credentials = resolveCredentials3(provider, config6.credentials);
+  const publicBaseUrl = (bucket) => {
+    const base = endpoint || `s3.${region}.amazonaws.com`;
+    return forcePathStyle ? `https://${base}/${bucket}` : `https://${bucket}.${base}`;
+  };
+  return {
+    provider,
+    region,
+    endpoint,
+    forcePathStyle,
+    credentials,
+    profile: config6.profile,
+    publicBaseUrl
+  };
+}
+function createObjectStorageClient(config6 = {}) {
+  const resolved = resolveObjectStorage(config6);
+  const options = {
+    endpoint: resolved.endpoint,
+    forcePathStyle: resolved.forcePathStyle,
+    credentials: resolved.credentials
+  };
+  return new S3Client2(resolved.region, resolved.profile, options);
+}
+
+// src/aws/index.ts
 init_cloudformation();
 
 // src/aws/cost-explorer.ts
@@ -68299,9 +68793,9 @@ init_client();
 class SESClient {
   client;
   region;
-  constructor(region = "us-east-1") {
+  constructor(region = "us-east-1", credentials) {
     this.region = region;
-    this.client = new AWSClient;
+    this.client = new AWSClient(credentials);
   }
   async createEmailIdentity(params) {
     const result = await this.client.request({
@@ -80512,10 +81006,922 @@ function resolveDnsProvider(input) {
 function fail(start, message) {
   return { success: false, message, durationMs: Date.now() - start };
 }
+// src/drivers/aws/driver.ts
+import { readFileSync as readFileSync9 } from "node:fs";
+init_cloudformation();
+init_s3();
+class AwsDriver {
+  name = "aws";
+  usesCloudFormation = true;
+  region;
+  constructor(options = {}) {
+    this.region = options.region || "us-east-1";
+  }
+  resolveRegion(config6) {
+    return config6.project.region || this.region;
+  }
+  async getComputeOutputs(options) {
+    const region = this.resolveRegion(options.config);
+    const stackName = resolveProjectStackName(options.config, options.environment);
+    const cfn = new CloudFormationClient(region);
+    const outputs = await cfn.getStackOutputs(stackName);
+    return {
+      deployBucketName: outputs.deployBucketName,
+      appInstanceId: outputs.appInstanceId,
+      appPublicIp: outputs.appPublicIp,
+      sshUser: "ec2-user"
+    };
+  }
+  async uploadRelease(options) {
+    const region = this.resolveRegion(options.config);
+    const outputs = await this.getComputeOutputs({
+      config: options.config,
+      environment: options.environment
+    });
+    const bucket = outputs.deployBucketName;
+    if (!bucket) {
+      throw new Error("No deployBucketName in stack outputs. Re-deploy infrastructure to add the staging bucket.");
+    }
+    const s32 = new S3Client2(region);
+    await s32.putObject({
+      bucket,
+      key: options.remoteKey,
+      body: readFileSync9(options.localPath),
+      contentType: "application/gzip"
+    });
+    return { artifactRef: `s3://${bucket}/${options.remoteKey}` };
+  }
+  async findComputeTargets(options) {
+    const region = this.region;
+    const ec22 = new EC2Client(region);
+    const filters = [
+      { Name: "tag:Project", Values: [options.slug] },
+      { Name: "tag:Environment", Values: [options.environment] },
+      { Name: "tag:Role", Values: [options.role || "app"] },
+      { Name: "instance-state-name", Values: ["running", "pending"] }
+    ];
+    const result = await ec22.describeInstances({ Filters: filters });
+    const targets = [];
+    for (const reservation of result.Reservations || []) {
+      for (const instance of reservation.Instances || []) {
+        if (!instance.InstanceId)
+          continue;
+        const nameTag = instance.Tags?.find((tag) => tag.Key === "Name")?.Value;
+        targets.push({
+          id: instance.InstanceId,
+          name: nameTag,
+          publicIp: instance.PublicIpAddress,
+          privateIp: instance.PrivateIpAddress,
+          status: instance.State?.Name
+        });
+      }
+    }
+    return targets;
+  }
+  async runRemoteDeploy(options) {
+    const region = this.region;
+    const ssm2 = new SSMClient(region);
+    if (options.targets.length > 0) {
+      const sendResult = await ssm2.sendCommand({
+        InstanceIds: options.targets.map((target) => target.id),
+        DocumentName: "AWS-RunShellScript",
+        Parameters: { commands: options.commands },
+        TimeoutSeconds: options.timeoutSeconds || 600,
+        Comment: options.comment
+      });
+      if (!sendResult.CommandId) {
+        return { success: false, instanceCount: 0, perInstance: [], error: "Failed to send SSM command" };
+      }
+      return this.pollSsmCommand(ssm2, sendResult.CommandId, options.targets.length);
+    }
+    if (!options.tags || Object.keys(options.tags).length === 0) {
+      return { success: false, instanceCount: 0, perInstance: [], error: "No targets or tags provided for AWS deploy" };
+    }
+    const result = await ssm2.sendCommandByTags({
+      tags: options.tags,
+      commands: options.commands,
+      timeoutSeconds: options.timeoutSeconds || 600,
+      comment: options.comment
+    });
+    return {
+      success: result.success,
+      instanceCount: result.instanceCount,
+      perInstance: result.perInstance.map((item) => ({
+        instanceId: item.instanceId,
+        status: item.status,
+        output: item.output,
+        error: item.error
+      })),
+      error: result.error
+    };
+  }
+  async pollSsmCommand(ssm2, commandId, expectedCount) {
+    const pollInterval = 3000;
+    const maxWait = 600000;
+    const startTime = Date.now();
+    const terminalStatuses = new Set(["Success", "Failed", "Cancelled", "TimedOut"]);
+    let lastInvocations = [];
+    while (Date.now() - startTime < maxWait) {
+      await new Promise((resolve13) => setTimeout(resolve13, pollInterval));
+      try {
+        const invocations = await ssm2.listCommandInvocations({ CommandId: commandId, Details: true });
+        lastInvocations = invocations;
+        if (lastInvocations.length >= expectedCount && lastInvocations.every((i) => terminalStatuses.has(i.Status || ""))) {
+          break;
+        }
+      } catch {}
+    }
+    const perInstance = lastInvocations.map((item) => ({
+      instanceId: item.InstanceId,
+      status: item.Status || "Unknown",
+      output: item.StandardOutputContent,
+      error: item.StandardErrorContent
+    }));
+    const success = perInstance.length > 0 && perInstance.every((item) => item.status === "Success");
+    return {
+      success,
+      instanceCount: perInstance.length,
+      perInstance,
+      error: success ? undefined : "One or more SSM command invocations failed"
+    };
+  }
+}
+
+// src/drivers/hetzner/driver.ts
+import { homedir as homedir7 } from "node:os";
+import { join as join13 } from "node:path";
+import { execSync } from "node:child_process";
+
+// src/drivers/shared/caddyfile.ts
+function buildCaddyfile(sites) {
+  const allSites = Object.entries(sites);
+  const sitesWithDomain = allSites.filter(([, s]) => typeof s.domain === "string" && s.domain && typeof s.port === "number");
+  if (sitesWithDomain.length === 0)
+    return;
+  const byDomain = new Map;
+  for (const [, site] of sitesWithDomain) {
+    const list = byDomain.get(site.domain) ?? [];
+    list.push({ port: site.port, path: site.path });
+    byDomain.set(site.domain, list);
+  }
+  const blocks = [];
+  for (const [domain, domainSites] of byDomain) {
+    const sorted = [...domainSites].sort((a, b) => {
+      const aIsCatchAll = !a.path || a.path === "/";
+      const bIsCatchAll = !b.path || b.path === "/";
+      if (aIsCatchAll && !bIsCatchAll)
+        return 1;
+      if (!aIsCatchAll && bIsCatchAll)
+        return -1;
+      return (b.path?.length ?? 0) - (a.path?.length ?? 0);
+    });
+    const handles = sorted.map((s) => {
+      const isCatchAll = !s.path || s.path === "/";
+      const inner = `reverse_proxy localhost:${s.port}`;
+      return isCatchAll ? `  handle {
+    ${inner}
+  }` : `  handle ${s.path} {
+    ${inner}
+  }`;
+    });
+    blocks.push(`${domain} {
+${handles.join(`
+`)}
+}`);
+  }
+  return blocks.join(`
+
+`);
+}
+
+// src/drivers/hetzner/client.ts
+var DEFAULT_API_URL = "https://api.hetzner.cloud/v1";
+
+class HetznerClient {
+  name = "hetzner";
+  apiToken;
+  baseUrl;
+  fetchImpl;
+  constructor(options) {
+    this.apiToken = options.apiToken;
+    this.baseUrl = options.baseUrl ?? DEFAULT_API_URL;
+    this.fetchImpl = options.fetchImpl ?? fetch;
+  }
+  async request(method, path, body) {
+    const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.apiToken}`,
+        "Content-Type": "application/json"
+      },
+      body: body === undefined ? undefined : JSON.stringify(body)
+    });
+    const text = await response.text();
+    const data = text ? JSON.parse(text) : {};
+    if (!response.ok) {
+      const message = data.error?.message || response.statusText || "Hetzner API error";
+      throw new Error(`Hetzner API ${method} ${path}: ${message}`);
+    }
+    return data;
+  }
+  async listServers() {
+    const data = await this.request("GET", "/servers");
+    return data.servers;
+  }
+  async getServer(id) {
+    const data = await this.request("GET", `/servers/${id}`);
+    return data.server;
+  }
+  async createServer(options) {
+    const data = await this.request("POST", "/servers", {
+      name: options.name,
+      server_type: options.serverType,
+      image: options.image,
+      location: options.location,
+      datacenter: options.datacenter,
+      ssh_keys: options.sshKeys,
+      user_data: options.userData,
+      labels: options.labels,
+      firewalls: options.firewalls,
+      start_after_create: true
+    });
+    return { server: data.server, action: data.action };
+  }
+  async deleteServer(id) {
+    const data = await this.request("DELETE", `/servers/${id}`);
+    return data.action;
+  }
+  async listFirewalls() {
+    const data = await this.request("GET", "/firewalls");
+    return data.firewalls;
+  }
+  async createFirewall(options) {
+    const data = await this.request("POST", "/firewalls", {
+      name: options.name,
+      rules: options.rules,
+      labels: options.labels,
+      apply_to: options.applyTo
+    });
+    return { firewall: data.firewall, actions: data.actions };
+  }
+  async applyFirewallToResources(firewallId, applyTo) {
+    const data = await this.request("POST", `/firewalls/${firewallId}/actions/apply_to_resources`, {
+      apply_to: applyTo
+    });
+    return data.actions;
+  }
+  async listSshKeys() {
+    const data = await this.request("GET", "/ssh_keys");
+    return data.ssh_keys;
+  }
+  async waitForAction(actionId, options) {
+    const pollInterval = options?.pollIntervalMs ?? 2000;
+    const maxWait = options?.maxWaitMs ?? 300000;
+    const start = Date.now();
+    while (Date.now() - start < maxWait) {
+      const data = await this.request("GET", `/actions/${actionId}`);
+      if (data.action.status === "success")
+        return data.action;
+      if (data.action.status === "error") {
+        throw new Error(data.action.error?.message || "Hetzner action failed");
+      }
+      await new Promise((resolve13) => setTimeout(resolve13, pollInterval));
+    }
+    throw new Error(`Timed out waiting for Hetzner action ${actionId}`);
+  }
+  async waitForServerRunning(serverId, options) {
+    const pollInterval = options?.pollIntervalMs ?? 3000;
+    const maxWait = options?.maxWaitMs ?? 600000;
+    const start = Date.now();
+    while (Date.now() - start < maxWait) {
+      const server = await this.getServer(serverId);
+      if (server.status === "running")
+        return server;
+      await new Promise((resolve13) => setTimeout(resolve13, pollInterval));
+    }
+    throw new Error(`Timed out waiting for server ${serverId} to reach running state`);
+  }
+}
+function resolveHetznerApiToken(configToken) {
+  const token = configToken || process.env.HCLOUD_TOKEN || process.env.HETZNER_API_TOKEN;
+  if (!token) {
+    throw new Error("Hetzner API token required. Set hetzner.apiToken in cloud.config.ts or HCLOUD_TOKEN / HETZNER_API_TOKEN.");
+  }
+  return token;
+}
+
+// src/drivers/hetzner/cloud-init.ts
+function generateUbuntuAppCloudInit(options = {}) {
+  const {
+    runtime = "bun",
+    runtimeVersion = "latest",
+    systemPackages = [],
+    database,
+    caddyfile
+  } = options;
+  const packages = new Set(systemPackages);
+  if (database === "sqlite")
+    packages.add("sqlite3");
+  else if (database === "mysql")
+    packages.add("mysql-client");
+  else if (database === "postgres")
+    packages.add("postgresql-client");
+  let script = `#!/bin/bash
+set -euo pipefail
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update -y
+apt-get upgrade -y
+apt-get install -y curl tar gzip unzip git ca-certificates
+`;
+  if (packages.size > 0) {
+    script += `
+apt-get install -y ${[...packages].join(" ")}
+`;
+  }
+  if (runtime === "bun") {
+    script += `
+export BUN_INSTALL="/root/.bun"
+curl -fsSL https://bun.sh/install | bash${runtimeVersion === "latest" ? "" : ` -s "bun-v${runtimeVersion}"`}
+ln -sf /root/.bun/bin/bun /usr/local/bin/bun
+echo 'export BUN_INSTALL="/root/.bun"' > /etc/profile.d/bun.sh
+echo 'export PATH="$BUN_INSTALL/bin:$PATH"' >> /etc/profile.d/bun.sh
+`;
+  } else if (runtime === "node") {
+    const nodeMajor = runtimeVersion === "latest" || !runtimeVersion ? "20" : runtimeVersion.split(".")[0];
+    script += `
+curl -fsSL https://deb.nodesource.com/setup_${nodeMajor}.x | bash -
+apt-get install -y nodejs
+ln -sf /usr/bin/node /usr/local/bin/node
+ln -sf /usr/bin/npm /usr/local/bin/npm
+`;
+  } else if (runtime === "deno") {
+    script += `
+curl -fsSL https://deno.land/install.sh | sh
+ln -sf /root/.deno/bin/deno /usr/local/bin/deno
+`;
+  }
+  script += `
+mkdir -p /var/www /var/ts-cloud/staging /var/ts-cloud/releases
+`;
+  if (caddyfile) {
+    const escaped = caddyfile.replace(/\$/g, "\\$");
+    script += `
+ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=\${ARCH}" -o /usr/local/bin/caddy
+chmod +x /usr/local/bin/caddy
+
+getent group caddy >/dev/null || groupadd --system caddy
+getent passwd caddy >/dev/null || useradd --system --gid caddy \\
+  --create-home --home-dir /var/lib/caddy \\
+  --shell /usr/sbin/nologin --comment "Caddy web server" caddy
+
+mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy
+chown -R caddy:caddy /var/lib/caddy /var/log/caddy
+
+cat > /etc/systemd/system/caddy.service <<'CADDY_UNIT_EOF'
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+CADDY_UNIT_EOF
+
+cat > /etc/caddy/Caddyfile <<'CADDY_CONFIG_EOF'
+${escaped}
+CADDY_CONFIG_EOF
+
+systemctl daemon-reload
+systemctl enable caddy
+systemctl start caddy
+`;
+  }
+  script += `
+echo "ts-cloud bootstrap complete — instance is ready for site deploys"
+`;
+  return script;
+}
+function wrapCloudInitUserData(bootstrapScript) {
+  return `#cloud-config
+runcmd:
+  - |
+    ${bootstrapScript.split(`
+`).join(`
+    `)}
+`;
+}
+
+// src/drivers/hetzner/firewall-rules.ts
+function buildHetznerFirewallRules(config6) {
+  const openPorts = new Set([80, 443, ...config6.sitePorts]);
+  if (config6.allowSsh) {
+    openPorts.add(22);
+  }
+  return [...openPorts].map((port) => {
+    return {
+      direction: "in",
+      protocol: "tcp",
+      port: String(port),
+      source_ips: ["0.0.0.0/0", "::/0"],
+      description: `ts-cloud port ${port}`
+    };
+  });
+}
+
+// src/drivers/hetzner/instance-sizes.ts
+var HETZNER_INSTANCE_TYPES = {
+  micro: "cpx11",
+  small: "cx22",
+  medium: "cx32",
+  large: "cx42",
+  xlarge: "cx52",
+  "2xlarge": "ccx33"
+};
+function resolveHetznerServerType(size) {
+  if (!size)
+    return HETZNER_INSTANCE_TYPES.micro;
+  if (size in HETZNER_INSTANCE_TYPES) {
+    return HETZNER_INSTANCE_TYPES[size];
+  }
+  return size;
+}
+var TS_CLOUD_LABEL_PREFIX = "ts-cloud";
+function tsCloudLabels(slug, environment, role = "app") {
+  return {
+    [`${TS_CLOUD_LABEL_PREFIX}/project`]: slug,
+    [`${TS_CLOUD_LABEL_PREFIX}/environment`]: environment,
+    [`${TS_CLOUD_LABEL_PREFIX}/role`]: role,
+    [`${TS_CLOUD_LABEL_PREFIX}/managed-by`]: "ts-cloud"
+  };
+}
+function matchesTsCloudLabels(labels, slug, environment, role = "app") {
+  if (!labels)
+    return false;
+  return labels[`${TS_CLOUD_LABEL_PREFIX}/project`] === slug && labels[`${TS_CLOUD_LABEL_PREFIX}/environment`] === environment && labels[`${TS_CLOUD_LABEL_PREFIX}/role`] === role;
+}
+
+// src/drivers/hetzner/state.ts
+import { mkdir as mkdir4, readFile, writeFile as writeFile4 } from "node:fs/promises";
+import { join as join12 } from "node:path";
+var STATE_DIR = ".ts-cloud/state";
+function driverStatePath(stackName) {
+  return join12(process.cwd(), STATE_DIR, `${stackName}.json`);
+}
+async function readDriverState(stackName) {
+  try {
+    const raw = await readFile(driverStatePath(stackName), "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeDriverState(stackName, state) {
+  const path = driverStatePath(stackName);
+  await mkdir4(join12(process.cwd(), STATE_DIR), { recursive: true });
+  await writeFile4(path, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+}
+
+// src/drivers/hetzner/driver.ts
+function expandHome(path) {
+  return path.startsWith("~/") ? join13(homedir7(), path.slice(2)) : path;
+}
+
+class HetznerDriver {
+  name = "hetzner";
+  usesCloudFormation = false;
+  client;
+  sshPrivateKeyPath;
+  sshUser;
+  location;
+  constructor(options = {}) {
+    this.client = options.client ?? new HetznerClient({
+      apiToken: resolveHetznerApiToken(options.apiToken)
+    });
+    this.sshPrivateKeyPath = expandHome(options.sshPrivateKeyPath || process.env.HCLOUD_SSH_KEY || "~/.ssh/id_ed25519");
+    this.sshUser = options.sshUser || process.env.HCLOUD_SSH_USER || "root";
+    this.location = options.location || process.env.HCLOUD_LOCATION || "fsn1";
+  }
+  async provisionComputeInfrastructure(options) {
+    const { config: config6, environment } = options;
+    const slug = config6.project.slug;
+    const compute = config6.infrastructure?.compute;
+    if (!compute) {
+      throw new Error("infrastructure.compute is required to provision Hetzner compute");
+    }
+    const stackName = resolveProjectStackName(config6, environment);
+    const existing = await readDriverState(stackName);
+    if (existing?.serverId) {
+      const server2 = await this.client.getServer(existing.serverId);
+      if (server2.status !== "off") {
+        return this.outputsFromState(existing, server2);
+      }
+    }
+    const sites = config6.sites || {};
+    const sitePorts = Object.values(sites).map((site) => site.port).filter((port) => typeof port === "number" && ![80, 443].includes(port));
+    const caddyfile = buildCaddyfile(sites);
+    const bootstrap = generateUbuntuAppCloudInit({
+      runtime: compute.runtime || "bun",
+      runtimeVersion: compute.runtimeVersion || "latest",
+      systemPackages: compute.systemPackages,
+      database: config6.infrastructure?.database,
+      caddyfile
+    });
+    const userData = wrapCloudInitUserData(bootstrap);
+    const serverName = `${slug}-${environment}-app`;
+    const serverType = resolveHetznerServerType(compute.size);
+    const image = compute.image || config6.hetzner?.image || "ubuntu-24.04";
+    const labels = tsCloudLabels(slug, environment, "app");
+    const firewallName = `${slug}-${environment}-app-fw`;
+    const { firewall } = await this.client.createFirewall({
+      name: firewallName,
+      labels,
+      rules: buildHetznerFirewallRules({
+        allowSsh: compute.allowSsh,
+        sitePorts
+      })
+    });
+    const { server, action } = await this.client.createServer({
+      name: serverName,
+      serverType,
+      image,
+      location: config6.hetzner?.location || this.location,
+      userData,
+      labels,
+      firewalls: [{ firewall: firewall.id }]
+    });
+    await this.client.waitForAction(action.id);
+    const running = await this.client.waitForServerRunning(server.id);
+    const state = {
+      provider: "hetzner",
+      stackName,
+      serverId: running.id,
+      serverName: running.name,
+      firewallId: firewall.id,
+      publicIp: running.public_net.ipv4?.ip,
+      deployStoragePath: "/var/ts-cloud/staging",
+      sshUser: this.sshUser
+    };
+    await writeDriverState(stackName, state);
+    return this.outputsFromState(state, running);
+  }
+  async getComputeOutputs(options) {
+    const stackName = resolveProjectStackName(options.config, options.environment);
+    const state = await readDriverState(stackName);
+    if (state?.serverId) {
+      const server = await this.client.getServer(state.serverId);
+      return this.outputsFromState(state, server);
+    }
+    const targets = await this.findComputeTargets({
+      slug: options.config.project.slug,
+      environment: options.environment,
+      role: "app"
+    });
+    const first = targets[0];
+    return {
+      deployStoragePath: "/var/ts-cloud/staging",
+      appInstanceId: first?.id,
+      appPublicIp: first?.publicIp,
+      sshUser: this.sshUser
+    };
+  }
+  async uploadRelease(options) {
+    const targets = options.targets?.length ? options.targets : await this.findComputeTargets({
+      slug: options.config.project.slug,
+      environment: options.environment,
+      role: "app"
+    });
+    if (targets.length === 0) {
+      throw new Error("No Hetzner compute targets found for release upload");
+    }
+    const remotePath = `/var/ts-cloud/staging/${options.remoteKey.split("/").pop()}`;
+    for (const target of targets) {
+      if (!target.publicIp) {
+        throw new Error(`Target ${target.id} has no public IP for SCP upload`);
+      }
+      this.scpToHost(target.publicIp, options.localPath, remotePath);
+    }
+    return { artifactRef: remotePath };
+  }
+  async findComputeTargets(options) {
+    const servers = await this.client.listServers();
+    return servers.filter((server) => matchesTsCloudLabels(server.labels, options.slug, options.environment, options.role || "app")).map((server) => ({
+      id: String(server.id),
+      name: server.name,
+      publicIp: server.public_net.ipv4?.ip,
+      privateIp: server.private_net?.[0]?.ip,
+      status: server.status
+    }));
+  }
+  async runRemoteDeploy(options) {
+    if (options.targets.length === 0) {
+      return { success: false, instanceCount: 0, perInstance: [], error: "No targets provided" };
+    }
+    const script = options.commands.join(`
+`);
+    const perInstance = [];
+    for (const target of options.targets) {
+      if (!target.publicIp) {
+        perInstance.push({
+          instanceId: target.id,
+          status: "Failed",
+          error: "Missing public IP"
+        });
+        continue;
+      }
+      try {
+        const output = this.sshExec(target.publicIp, script);
+        perInstance.push({
+          instanceId: target.id,
+          status: "Success",
+          output
+        });
+      } catch (err) {
+        perInstance.push({
+          instanceId: target.id,
+          status: "Failed",
+          error: err.message
+        });
+      }
+    }
+    const success = perInstance.every((r) => r.status === "Success");
+    return {
+      success,
+      instanceCount: options.targets.length,
+      perInstance,
+      error: success ? undefined : "One or more SSH deploy commands failed"
+    };
+  }
+  outputsFromState(state, server) {
+    return {
+      deployStoragePath: state.deployStoragePath || "/var/ts-cloud/staging",
+      appInstanceId: String(state.serverId),
+      appPublicIp: server?.public_net.ipv4?.ip || state.publicIp,
+      sshUser: state.sshUser || this.sshUser
+    };
+  }
+  sshBaseArgs(host) {
+    return [
+      "-i",
+      this.sshPrivateKeyPath,
+      "-o",
+      "StrictHostKeyChecking=accept-new",
+      "-o",
+      "BatchMode=yes",
+      `${this.sshUser}@${host}`
+    ];
+  }
+  scpToHost(host, localPath, remotePath) {
+    execSync([
+      "scp",
+      "-i",
+      this.sshPrivateKeyPath,
+      "-o",
+      "StrictHostKeyChecking=accept-new",
+      "-o",
+      "BatchMode=yes",
+      localPath,
+      `${this.sshUser}@${host}:${remotePath}`
+    ].map((arg) => `"${arg.replace(/"/g, "\\\"")}"`).join(" "), { stdio: "pipe" });
+  }
+  sshExec(host, script) {
+    const escaped = script.replace(/'/g, `'\\''`);
+    return execSync(`ssh ${this.sshBaseArgs(host).map((a) => `"${a.replace(/"/g, "\\\"")}"`).join(" ")} '${escaped}'`, {
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+  }
+}
+
+// src/drivers/factory.ts
+function createCloudDriver(options) {
+  const provider = options.provider ?? resolveCloudProvider(options.config);
+  switch (provider) {
+    case "aws":
+      return new AwsDriver({ region: options.config.project.region });
+    case "hetzner":
+      return new HetznerDriver({
+        apiToken: options.config.hetzner?.apiToken,
+        sshPrivateKeyPath: options.config.hetzner?.sshPrivateKeyPath,
+        sshUser: options.config.hetzner?.sshUser,
+        location: options.config.hetzner?.location
+      });
+    default:
+      throw new Error(`Unknown cloud provider: ${options.provider ?? resolveCloudProvider(options.config)}`);
+  }
+}
+
+class CloudDriverFactory {
+  drivers = new Map;
+  getDriver(config6, provider) {
+    const name = provider ?? resolveCloudProvider(config6);
+    const cacheKey = `${name}:${config6.project.slug}:${config6.project.region || "default"}`;
+    const cached = this.drivers.get(cacheKey);
+    if (cached)
+      return cached;
+    const driver = createCloudDriver({ config: config6, provider: name });
+    this.drivers.set(cacheKey, driver);
+    return driver;
+  }
+}
+var cloudDrivers = new CloudDriverFactory;
+// src/drivers/shared/deploy-script.ts
+function resolveExecStart(start, runtime) {
+  const bin = runtime === "bun" ? "/usr/local/bin/bun" : runtime === "deno" ? "/usr/local/bin/deno" : "/usr/local/bin/node";
+  const args = start.replace(/^(bun|node|deno)\s+/, "");
+  return `${bin} ${args}`;
+}
+function buildSiteDeployScript(options) {
+  const {
+    siteName,
+    slug,
+    artifactFetch,
+    execStart,
+    envEntries,
+    port
+  } = options;
+  const appDir = options.appDir ?? `/var/www/${siteName}`;
+  const serviceName = `${slug}-${siteName}.service`;
+  const envFile = Object.entries(envEntries).map(([k, v]) => `${k}=${JSON.stringify(String(v))}`).join(`
+`);
+  return [
+    "set -euo pipefail",
+    ...artifactFetch,
+    `mkdir -p ${appDir}`,
+    `find ${appDir} -mindepth 1 -maxdepth 1 ! -name '.env' -exec rm -rf {} +`,
+    `tar xzf /tmp/${siteName}-release.tar.gz -C ${appDir}`,
+    `cat > ${appDir}/.env <<'TS_CLOUD_ENV_EOF'`,
+    envFile,
+    "TS_CLOUD_ENV_EOF",
+    `chmod 600 ${appDir}/.env`,
+    `cat > /etc/systemd/system/${serviceName} <<'TS_CLOUD_UNIT_EOF'`,
+    "[Unit]",
+    `Description=${siteName} (managed by ts-cloud)`,
+    "After=network.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `WorkingDirectory=${appDir}`,
+    `ExecStart=${execStart}`,
+    "Restart=always",
+    "RestartSec=5",
+    `EnvironmentFile=${appDir}/.env`,
+    ...port ? [`Environment=PORT=${port}`] : [],
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    "TS_CLOUD_UNIT_EOF",
+    "systemctl daemon-reload",
+    `systemctl enable ${serviceName}`,
+    `systemctl restart ${serviceName}`,
+    `systemctl is-active ${serviceName}`
+  ];
+}
+function buildAwsArtifactFetch(bucket, key, region, siteName) {
+  return [
+    `aws s3 cp "s3://${bucket}/${key}" /tmp/${siteName}-release.tar.gz --region ${region}`
+  ];
+}
+function buildLocalArtifactFetch(localPath, siteName) {
+  return [
+    `cp "${localPath}" /tmp/${siteName}-release.tar.gz`
+  ];
+}
+// src/drivers/shared/compute-deploy.ts
+var noopLogger = {
+  info: () => {},
+  warn: () => {},
+  error: () => {},
+  step: () => {},
+  success: () => {}
+};
+async function deploySiteRelease(driver, options, logger4 = noopLogger) {
+  const {
+    config: config6,
+    environment,
+    siteName,
+    site,
+    slug,
+    sha,
+    runtime,
+    localTarballPath
+  } = options;
+  const remoteKey = `releases/${siteName}/${sha}.tar.gz`;
+  const stackName = resolveProjectStackName(config6, environment);
+  const outputs = await driver.getComputeOutputs({ config: config6, environment });
+  const targets = await driver.findComputeTargets({
+    slug,
+    environment,
+    role: "app"
+  });
+  if (targets.length === 0) {
+    const hint = driver.name === "aws" ? `Stack '${stackName}' has no EC2 instances tagged Project=${slug} Environment=${environment} Role=app.` : `No Hetzner servers labeled ts-cloud/project=${slug} ts-cloud/environment=${environment} ts-cloud/role=app.`;
+    return { success: false, error: hint };
+  }
+  const uploadResult = await driver.uploadRelease({
+    config: config6,
+    environment,
+    localPath: localTarballPath,
+    remoteKey,
+    targets
+  });
+  const artifactFetch = driver.name === "aws" ? buildAwsArtifactFetch(outputs.deployBucketName, remoteKey, config6.project.region || "us-east-1", siteName) : buildLocalArtifactFetch(uploadResult.artifactRef, siteName);
+  const remoteScript = buildSiteDeployScript({
+    siteName,
+    slug,
+    artifactFetch,
+    execStart: resolveExecStart(site.start, runtime),
+    envEntries: site.env || {},
+    port: site.port
+  });
+  logger4.step(`Deploying to ${targets.length} target(s)...`);
+  const result = await driver.runRemoteDeploy({
+    targets,
+    commands: remoteScript,
+    comment: `ts-cloud deploy ${slug}/${siteName}@${sha}`,
+    tags: {
+      Project: slug,
+      Environment: environment,
+      Role: "app"
+    }
+  });
+  if (!result.success) {
+    return {
+      success: false,
+      error: result.error || "Remote deploy failed",
+      instanceCount: result.instanceCount,
+      perInstance: result.perInstance
+    };
+  }
+  return {
+    success: true,
+    instanceCount: result.instanceCount,
+    perInstance: result.perInstance
+  };
+}
+async function deployAllComputeSites(options) {
+  const { config: config6, environment, driver, sha, runtime, tarballForSite, logger: logger4 = noopLogger } = options;
+  const slug = config6.project.slug;
+  const sites = config6.sites || {};
+  const deployable = Object.entries(sites).filter(([name, site]) => {
+    if (!site?.start) {
+      logger4.warn(`Site '${name}' has no \`start\` command — skipping (compute mode requires every site to declare how to run).`);
+      return false;
+    }
+    return true;
+  });
+  if (deployable.length === 0)
+    return true;
+  for (const [siteName, site] of deployable) {
+    logger4.step(`Deploying site: ${siteName}`);
+    const result = await deploySiteRelease(driver, {
+      config: config6,
+      environment,
+      siteName,
+      site,
+      slug,
+      sha,
+      runtime,
+      localTarballPath: tarballForSite(siteName)
+    }, logger4);
+    if (!result.success) {
+      logger4.error(`Deploy of '${siteName}' failed: ${result.error || "unknown error"}`);
+      if (result.perInstance) {
+        for (const inst of result.perInstance) {
+          logger4.error(`  ${inst.instanceId}: ${inst.status}${inst.error ? ` — ${inst.error}` : ""}`);
+        }
+      }
+      return false;
+    }
+    logger4.success(`Deployed ${slug}/${siteName}@${sha} to ${result.instanceCount} target(s)`);
+    if (result.perInstance) {
+      for (const inst of result.perInstance) {
+        logger4.info(`  ✓ ${inst.instanceId}: ${inst.status}`);
+      }
+    }
+  }
+  return true;
+}
 // src/index.ts
 init_dns();
 export {
   xrayManager,
+  wrapCloudInitUserData,
   withTimeout,
   withSecurity,
   withQueue,
@@ -80558,13 +81964,24 @@ export {
   route53RoutingManager,
   route53ResolverManager,
   resourceManagementManager,
+  resolveStorageBucketName,
+  resolveSiteStackName,
+  resolveSiteResourceName,
+  resolveSiteBucketName,
   resolveRegion,
+  resolveProjectStackName,
+  resolveObjectStorage,
+  resolveHetznerApiToken,
+  resolveExecStart,
+  resolveDeployBucketName,
   resolveCredentials,
+  resolveCloudProvider,
   requiresReplacement,
   replicaManager,
   regionPairManager,
   quickHash,
   queueManagementManager,
+  providerEndpoint,
   progressiveDeploymentManager,
   processInChunks,
   previewNotifications,
@@ -80634,6 +82051,7 @@ export {
   getClosestRegion,
   getAllRegions,
   getAccountId,
+  generateUbuntuAppCloudInit,
   generateStaticSiteTemplate,
   generateScheduledWorkflow,
   generateScheduledPipeline,
@@ -80696,7 +82114,9 @@ export {
   deployStaticSiteWithExternalDns,
   deployStaticSiteFull,
   deployStaticSite,
+  deploySiteRelease,
   deploySite,
+  deployAllComputeSites,
   deleteStaticSite,
   defaultLocalConfig,
   defaultConfig4 as defaultConfig,
@@ -80712,6 +82132,7 @@ export {
   createPresignedUrl,
   createPreset,
   createPorkbunValidator,
+  createObjectStorageClient,
   createNodeJsServerlessPreset,
   createNodeJsServerPreset,
   createMockAWS,
@@ -80724,11 +82145,13 @@ export {
   createDnsProvider,
   createDataPipelinePreset,
   createCredentialProvider,
+  createCloudDriver,
   createApiBackendPreset,
   containerRegistryManager,
   config5 as config,
   composePresets,
   cloudTrailManager,
+  cloudDrivers,
   cloud_config_schema_default as cloudConfigSchema,
   clearSigningKeyCache,
   cleanupDns01Challenge,
@@ -80738,8 +82161,10 @@ export {
   certificateManager,
   categorizeChanges,
   canaryManager,
+  buildSiteDeployScript,
   buildOptimizationManager,
   buildCloudFormationTemplate,
+  buildCaddyfile,
   bounceComplaintHandler,
   blueGreenManager,
   batchProcessingManager,
@@ -80853,6 +82278,8 @@ export {
   InfrastructureGenerator,
   ImageScanningManager,
   IAMClient,
+  HetznerDriver,
+  HetznerClient,
   HealthCheckManager,
   HashCache,
   GuardDutyManager,
@@ -80904,6 +82331,7 @@ export {
   CloudFormationClient,
   CloudFormationBuilder,
   CloudError,
+  CloudDriverFactory,
   CertificateManager,
   CanaryManager,
   Cache,
@@ -80916,6 +82344,7 @@ export {
   BedrockClient,
   BatchProcessingManager,
   BackupManager,
+  AwsDriver,
   Auth,
   AssetHasher,
   Arn,