npm - effortless-aws - Versions diffs - 0.23.0 → 0.24.0 - Mend

effortless-aws 0.23.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/chunk-3RG5ZIWI.js +10 -0
package/dist/{chunk-OB5R34Y7.js → chunk-MJMAXSVJ.js} +94 -1
package/dist/index.d.ts +158 -30
package/dist/index.js +42 -3
package/dist/index.js.map +1 -1
package/dist/runtime/wrap-api.js +10 -2
package/dist/runtime/wrap-bucket.js +2 -1
package/dist/runtime/wrap-fifo-queue.js +2 -1
package/dist/runtime/wrap-middleware.js +9 -3
package/dist/runtime/wrap-table-stream.js +2 -1
package/package.json +1 -1

package/dist/chunk-3RG5ZIWI.js ADDED Viewed

@@ -0,0 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+export {
+  __require
+};

package/dist/{chunk-OB5R34Y7.js → chunk-MJMAXSVJ.js} RENAMED Viewed

@@ -1,3 +1,7 @@
+import {
+  __require
+} from "./chunk-3RG5ZIWI.js";
 // src/runtime/table-client.ts
 import { DynamoDB } from "@aws-sdk/client-dynamodb";
 import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
@@ -219,6 +223,76 @@ var createTableClient = (tableName, options) => {
   };
 };
+// src/handlers/handler-options.ts
+var toSeconds = (d) => {
+  if (typeof d === "number") return d;
+  const match = d.match(/^(\d+(?:\.\d+)?)(s|m|h|d)$/);
+  if (!match) throw new Error(`Invalid duration: "${d}"`);
+  const n = Number(match[1]);
+  const unit = match[2];
+  if (unit === "d") return n * 86400;
+  if (unit === "h") return n * 3600;
+  if (unit === "m") return n * 60;
+  return n;
+};
+// src/handlers/auth.ts
+var AUTH_COOKIE_NAME = "__eff_session";
+var createAuthRuntime = (secret, defaultExpiresIn) => {
+  const crypto = __require("crypto");
+  const sign = (payload) => crypto.createHmac("sha256", secret).update(payload).digest("base64url");
+  const cookieBase = `${AUTH_COOKIE_NAME}=`;
+  const cookieAttrs = "; HttpOnly; Secure; SameSite=Lax; Path=/";
+  const decodeSession = (cookieValue) => {
+    if (!cookieValue) return void 0;
+    const dot = cookieValue.indexOf(".");
+    if (dot === -1) return void 0;
+    const payload = cookieValue.slice(0, dot);
+    const sig = cookieValue.slice(dot + 1);
+    if (sign(payload) !== sig) return void 0;
+    try {
+      const parsed = JSON.parse(Buffer.from(payload, "base64url").toString("utf-8"));
+      if (parsed.exp <= Math.floor(Date.now() / 1e3)) return void 0;
+      const { exp: _, ...data } = parsed;
+      return Object.keys(data).length > 0 ? data : void 0;
+    } catch {
+      return void 0;
+    }
+  };
+  return {
+    forRequest(cookieValue) {
+      return {
+        grant(...args) {
+          const hasData = args.length > 0 && (typeof args[0] === "object" && args[0] !== null && !("expiresIn" in args[0]));
+          const data = hasData ? args[0] : void 0;
+          const options = hasData ? args[1] : args[0];
+          const seconds = options?.expiresIn ? toSeconds(options.expiresIn) : defaultExpiresIn;
+          const exp = Math.floor(Date.now() / 1e3) + seconds;
+          const payload = Buffer.from(JSON.stringify({ exp, ...data }), "utf-8").toString("base64url");
+          const sig = sign(payload);
+          return {
+            status: 200,
+            body: { ok: true },
+            headers: {
+              "set-cookie": `${cookieBase}${payload}.${sig}${cookieAttrs}; Max-Age=${seconds}`
+            }
+          };
+        },
+        revoke() {
+          return {
+            status: 200,
+            body: { ok: true },
+            headers: {
+              "set-cookie": `${cookieBase}${cookieAttrs}; Max-Age=0`
+            }
+          };
+        },
+        session: decodeSession(cookieValue)
+      };
+    }
+  };
+};
 // src/runtime/bucket-client.ts
 import { S3 } from "@aws-sdk/client-s3";
 var createBucketClient = (bucketName) => {
@@ -392,6 +466,7 @@ var getParameters = async (names) => {
 // src/runtime/handler-utils.ts
 var ENV_DEP_PREFIX = "EFF_DEP_";
 var ENV_PARAM_PREFIX = "EFF_PARAM_";
+var ENV_AUTH_SECRET = "EFF_AUTH_SECRET";
 var LOG_RANK = { error: 0, info: 1, debug: 2 };
 var truncate = (value, maxLength = 4096) => {
   if (value === void 0 || value === null) return value;
@@ -460,12 +535,27 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
   let ctx = null;
   let resolvedDeps;
   let resolvedParams = null;
+  let resolvedAuthRuntime = null;
   const getDeps = () => resolvedDeps ??= buildDeps(handler.deps);
   const getParams = async () => {
     if (resolvedParams !== null) return resolvedParams;
     resolvedParams = await buildParams(handler.config);
     return resolvedParams;
   };
+  const getAuthRuntime = async () => {
+    if (resolvedAuthRuntime !== null) return resolvedAuthRuntime;
+    const ssmPath = process.env[ENV_AUTH_SECRET];
+    if (!ssmPath || !handler.auth) {
+      resolvedAuthRuntime = void 0;
+      return void 0;
+    }
+    const values = await getParameters([ssmPath]);
+    const secret = values.get(ssmPath);
+    if (!secret) throw new Error(`Auth secret not found at ${ssmPath}`);
+    const defaultExpires = handler.auth.expiresIn ? toSeconds(handler.auth.expiresIn) : 604800;
+    resolvedAuthRuntime = createAuthRuntime(secret, defaultExpires);
+    return resolvedAuthRuntime;
+  };
   const getSetup = async () => {
     if (ctx !== null) return ctx;
     if (handler.setup) {
@@ -480,7 +570,7 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
     }
     return ctx;
   };
-  const commonArgs = async () => {
+  const commonArgs = async (cookieValue) => {
     const args = {};
     if (handler.setup) args.ctx = await getSetup();
     const deps = getDeps();
@@ -488,6 +578,8 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
     const params = await getParams();
     if (params) args.config = params;
     if (handler.static) args.files = staticFiles;
+    const authRuntime = await getAuthRuntime();
+    if (authRuntime) args.auth = authRuntime.forRequest(cookieValue);
     return args;
   };
   const logExecution = (startTime, input, output) => {
@@ -537,6 +629,7 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
 export {
   createTableClient,
+  AUTH_COOKIE_NAME,
   createBucketClient,
   createHandlerRuntime
 };

package/dist/index.d.ts CHANGED Viewed

@@ -134,54 +134,97 @@ type LambdaWithPermissions = LambdaConfig & {
     /** Additional IAM permissions for the Lambda */
     permissions?: Permission[];
 };
-type AnyParamRef = ParamRef<any> | string;
+type AnySecretRef = SecretRef<any>;
 /**
- * Reference to an SSM Parameter Store parameter.
+ * Reference to an SSM Parameter Store secret.
  *
  * @typeParam T - The resolved type after optional transform (default: string)
  */
-type ParamRef<T = string> = {
-    readonly __brand: "effortless-param";
-    readonly key: string;
+type SecretRef<T = string> = {
+    readonly __brand: "effortless-secret";
+    readonly key?: string;
+    readonly generate?: () => string;
     readonly transform?: (raw: string) => T;
 };
 /**
  * Maps a config declaration to resolved value types.
- * Plain strings resolve to `string`, `ParamRef<T>` resolves to `T`.
+ * `SecretRef<T>` resolves to `T`.
  *
- * @typeParam P - Record of config keys to string or ParamRef instances
+ * @typeParam P - Record of config keys to SecretRef instances
  */
 type ResolveConfig<P> = {
-    [K in keyof P]: P[K] extends ParamRef<infer T> ? T : string;
+    [K in keyof P]: P[K] extends SecretRef<infer T> ? T : string;
+};
+/** Options for `secret()` without a transform. */
+type SecretOptions = {
+    /** Custom SSM key (default: derived from config property name in kebab-case) */
+    key?: string;
+    /** Generator function called at deploy time if the SSM parameter doesn't exist yet */
+    generate?: () => string;
+};
+/** Options for `secret()` with a transform. */
+type SecretOptionsWithTransform<T> = SecretOptions & {
+    /** Transform the raw SSM string value into a typed value */
+    transform: (raw: string) => T;
 };
 /**
- * Declare an SSM Parameter Store parameter.
+ * Declare an SSM Parameter Store secret.
  *
- * The key is combined with project and stage at deploy time to form the full
- * SSM path: `/${project}/${stage}/${key}`.
+ * The SSM key is derived from the config property name (camelCase → kebab-case)
+ * unless overridden with `key`. The full SSM path is `/${project}/${stage}/${key}`.
  *
- * @param key - Parameter key (e.g., "database-url")
- * @param transform - Optional function to transform the raw string value
- * @returns A ParamRef used by the deployment and runtime systems
+ * @param options - Optional configuration (key override, generator, transform)
+ * @returns A SecretRef used by the deployment and runtime systems
  *
- * @example Simple string parameter
+ * @example Simple secret
  * ```typescript
  * config: {
- *   dbUrl: param("database-url"),
+ *   dbUrl: secret(),
+ *   // → SSM path: /${project}/${stage}/db-url
  * }
  * ```
  *
- * @example With transform (e.g., TOML parsing)
+ * @example Auto-generated secret
  * ```typescript
- * import TOML from "smol-toml";
+ * config: {
+ *   authSecret: secret({ generate: generateHex(64) }),
+ *   // → auto-creates SSM param if missing
+ * }
+ * ```
  *
+ * @example With transform
+ * ```typescript
  * config: {
- *   appConfig: param("app-config", TOML.parse),
+ *   appConfig: secret({ transform: TOML.parse }),
  * }
  * ```
  */
-declare function param(key: string): ParamRef<string>;
-declare function param<T>(key: string, transform: (raw: string) => T): ParamRef<T>;
+declare function secret(): SecretRef<string>;
+declare function secret(options: SecretOptions): SecretRef<string>;
+declare function secret<T>(options: SecretOptionsWithTransform<T>): SecretRef<T>;
+/**
+ * Returns a generator that produces a random hex string.
+ * @param bytes - Number of random bytes (output will be 2x this length in hex chars)
+ */
+declare const generateHex: (bytes: number) => () => string;
+/**
+ * Returns a generator that produces a random base64url string.
+ * @param bytes - Number of random bytes
+ */
+declare const generateBase64: (bytes: number) => () => string;
+/**
+ * Returns a generator that produces a random UUID v4.
+ */
+declare const generateUuid: () => () => string;
+/** @deprecated Use `SecretRef` instead */
+type ParamRef<T = string> = SecretRef<T>;
+/** @deprecated Use `AnySecretRef` instead */
+type AnyParamRef = AnySecretRef;
+/**
+ * @deprecated Use `secret()` instead. `param("key")` is equivalent to `secret({ key: "key" })`.
+ */
+declare function param(key: string): SecretRef<string>;
+declare function param<T>(key: string, transform: (raw: string) => T): SecretRef<T>;
 /**
  * DynamoDB table key (always pk + sk strings in single-table design).
  */
@@ -1200,6 +1243,80 @@ type AppHandler = {
  */
 declare const defineApp: (options: AppConfig) => AppHandler;
+type CookieAuthConfig<_T = undefined> = {
+    /** Path to redirect unauthenticated users to */
+    loginPath: string;
+    /** Paths that don't require authentication. Supports trailing `*` wildcard. */
+    public?: string[];
+    /** Default session lifetime (default: "7d"). Accepts seconds or duration string. */
+    expiresIn?: Duration;
+};
+/**
+ * Branded cookie auth object returned by `defineAuth()`.
+ * Pass to `defineApi({ auth })` and `defineStaticSite({ auth })`.
+ */
+type CookieAuth<T = undefined> = CookieAuthConfig<T> & {
+    readonly __brand: "effortless-cookie-auth";
+    /** @internal phantom type marker for session data */
+    readonly __session?: T;
+};
+/**
+ * Define cookie-based authentication using HMAC-signed tokens.
+ *
+ * - Middleware (Lambda@Edge) verifies cookie signatures without external calls
+ * - API handler gets `auth.grant()` / `auth.revoke()` / `auth.session` helpers
+ * - Secret is auto-generated and stored in SSM Parameter Store
+ *
+ * @typeParam T - Session data type. When provided, `grant(data)` requires typed payload
+ *   and `auth.session` is typed as `T` in handler args.
+ *
+ * @example
+ * ```typescript
+ * type Session = { userId: string; role: "admin" | "user" };
+ *
+ * const protect = defineAuth<Session>({
+ *   loginPath: '/login',
+ *   public: ['/login', '/assets/*'],
+ *   expiresIn: '7d',
+ * })
+ *
+ * export const api = defineApi({ auth: protect, ... })
+ * export const webapp = defineStaticSite({ auth: protect, ... })
+ * ```
+ */
+declare const defineAuth: <T = undefined>(options: CookieAuthConfig<T>) => CookieAuth<T>;
+/** Grant options for creating a session */
+type GrantOptions = {
+    expiresIn?: Duration;
+};
+/** Grant response with Set-Cookie header */
+type GrantResponse = {
+    status: 200;
+    body: {
+        ok: true;
+    };
+    headers: Record<string, string>;
+};
+/**
+ * Auth helpers injected into API handler callback args when `auth` is configured.
+ * @typeParam T - Session data type (undefined = no custom data)
+ */
+type AuthHelpers<T = undefined> = {
+    revoke(): {
+        status: 200;
+        body: {
+            ok: true;
+        };
+        headers: Record<string, string>;
+    };
+    /** The current session data (decoded from cookie). Undefined if no valid session. */
+    session: T extends undefined ? undefined : T | undefined;
+} & ([T] extends [undefined] ? {
+    grant(options?: GrantOptions): GrantResponse;
+} : {
+    grant(data: T, options?: GrantOptions): GrantResponse;
+});
 /** Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) */
 type AnyRoutableHandler = {
     readonly __brand: string;
@@ -1259,6 +1376,8 @@ type StaticSiteConfig = {
     errorPage?: string;
     /** Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. */
     middleware?: MiddlewareHandler;
+    /** Cookie-based authentication. Auto-generates Lambda@Edge middleware that verifies signed cookies. */
+    auth?: CookieAuth<any>;
     /** SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API */
     seo?: StaticSiteSeo;
 };
@@ -1307,8 +1426,10 @@ type StaticSiteHandler = {
  */
 declare const defineStaticSite: (options: StaticSiteConfig) => StaticSiteHandler;
+/** Extract session type T from CookieAuth<T> */
+type SessionOf<A> = A extends CookieAuth<infer T> ? T : undefined;
 /** GET route handler — no schema, no data */
-type ApiGetHandlerFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined> = (args: {
+type ApiGetHandlerFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends CookieAuth<any> | undefined = undefined> = (args: {
     req: HttpRequest;
 } & ([C] extends [undefined] ? {} : {
     ctx: C;
@@ -1320,9 +1441,11 @@ type ApiGetHandlerFn<C = undefined, D = undefined, P = undefined, S extends stri
     files: StaticFiles;
 }) & ([ST] extends [true] ? {
     stream: ResponseStream;
-} : {})) => Promise<HttpResponse | void> | HttpResponse | void;
+} : {}) & ([A] extends [undefined] ? {} : {
+    auth: AuthHelpers<SessionOf<A>>;
+})) => Promise<HttpResponse | void> | HttpResponse | void;
 /** POST handler — with typed data from schema */
-type ApiPostHandlerFn<T = undefined, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined> = (args: {
+type ApiPostHandlerFn<T = undefined, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends CookieAuth<any> | undefined = undefined> = (args: {
     req: HttpRequest;
 } & ([T] extends [undefined] ? {} : {
     data: T;
@@ -1336,7 +1459,9 @@ type ApiPostHandlerFn<T = undefined, C = undefined, D = undefined, P = undefined
     files: StaticFiles;
 }) & ([ST] extends [true] ? {
     stream: ResponseStream;
-} : {})) => Promise<HttpResponse | void> | HttpResponse | void;
+} : {}) & ([A] extends [undefined] ? {} : {
+    auth: AuthHelpers<SessionOf<A>>;
+})) => Promise<HttpResponse | void> | HttpResponse | void;
 /** Setup factory — receives deps/config/files when declared */
 type SetupFactory<C, D, P, S extends string[] | undefined = undefined> = (args: ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
@@ -1360,13 +1485,15 @@ type ApiConfig = {
  * - `get` routes handle queries (path-based routing, no body)
  * - `post` handles commands (single entry point, discriminated union via `schema`)
  */
-type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined> = {
+type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends CookieAuth<any> | undefined = undefined> = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
     lambda?: LambdaWithPermissions;
     /** Base path prefix for all routes (e.g., "/api") */
     basePath: string;
     /** Enable response streaming. When true, routes receive a `stream` arg for SSE. Routes can still return HttpResponse normally. */
     stream?: ST;
+    /** Cookie-based authentication. Injects `auth` helpers (grant/revoke) into handler args. */
+    auth?: A;
     /**
      * Factory function to initialize shared state.
      * Called once on cold start, result is cached and reused across invocations.
@@ -1381,7 +1508,7 @@ type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, Any
     /** Error handler called when schema validation or handler throws */
     onError?: (error: unknown, req: HttpRequest) => HttpResponse;
     /** GET routes — query handlers keyed by relative path (e.g., "/users/{id}") */
-    get?: Record<string, ApiGetHandlerFn<C, D, P, S, ST>>;
+    get?: Record<string, ApiGetHandlerFn<C, D, P, S, ST, A>>;
     /**
      * Schema for POST body validation. Use with discriminated unions:
      * ```typescript
@@ -1391,7 +1518,7 @@ type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, Any
      */
     schema?: (input: unknown) => T;
     /** POST handler — single entry point for commands */
-    post?: ApiPostHandlerFn<T, C, D, P, S, ST>;
+    post?: ApiPostHandlerFn<T, C, D, P, S, ST, A>;
 };
 /** Internal handler object created by defineApi */
 type ApiHandler<T = undefined, C = undefined> = {
@@ -1403,6 +1530,7 @@ type ApiHandler<T = undefined, C = undefined> = {
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
+    readonly auth?: CookieAuth;
     readonly get?: Record<string, (...args: any[]) => any>;
     readonly post?: (...args: any[]) => any;
 };
@@ -1440,6 +1568,6 @@ type ApiHandler<T = undefined, C = undefined> = {
  * })
  * ```
  */
-declare const defineApi: <T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined>(options: DefineApiOptions<T, C, D, P, S, ST>) => ApiHandler<T, C>;
+declare const defineApi: <T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends CookieAuth<any> | undefined = undefined>(options: DefineApiOptions<T, C, D, P, S, ST, A>) => ApiHandler<T, C>;
-export { type AnyParamRef, type ApiConfig, type ApiHandler, type AppConfig, type AppHandler, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ContentType, type Duration, type EffortlessConfig, type EmailClient, type FailedRecord, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineStaticSite, defineTable, param, result, toSeconds, unsafeAs };
+export { type AnyParamRef, type AnySecretRef, type ApiConfig, type ApiHandler, type AppConfig, type AppHandler, type AuthHelpers, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ContentType, type CookieAuth, type CookieAuthConfig, type Duration, type EffortlessConfig, type EmailClient, type FailedRecord, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineAuth, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineStaticSite, defineTable, generateBase64, generateHex, generateUuid, param, result, secret, toSeconds, unsafeAs };

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 // src/config.ts
 var defineConfig = (config) => config;
@@ -72,7 +79,7 @@ var defineMailer = (options) => ({
 // src/handlers/define-api.ts
 var defineApi = (options) => {
-  const { get, post, schema, onError, setup, deps, config, static: staticFiles, ...__spec } = options;
+  const { get, post, schema, onError, setup, deps, config, auth: authConfig, static: staticFiles, ...__spec } = options;
   return {
     __brand: "effortless-api",
     __spec,
@@ -83,7 +90,8 @@ var defineApi = (options) => {
     ...setup ? { setup } : {},
     ...deps ? { deps } : {},
     ...config ? { config } : {},
-    ...staticFiles ? { static: staticFiles } : {}
+    ...staticFiles ? { static: staticFiles } : {},
+    ...authConfig ? { auth: authConfig } : {}
   };
 };
@@ -99,9 +107,29 @@ var toSeconds = (d) => {
   if (unit === "m") return n * 60;
   return n;
 };
+function secret(options) {
+  return {
+    __brand: "effortless-secret",
+    ...options?.key ? { key: options.key } : {},
+    ...options?.generate ? { generate: options.generate } : {},
+    ..."transform" in (options ?? {}) ? { transform: options.transform } : {}
+  };
+}
+var generateHex = (bytes) => () => {
+  const crypto = __require("crypto");
+  return crypto.randomBytes(bytes).toString("hex");
+};
+var generateBase64 = (bytes) => () => {
+  const crypto = __require("crypto");
+  return crypto.randomBytes(bytes).toString("base64url");
+};
+var generateUuid = () => () => {
+  const crypto = __require("crypto");
+  return crypto.randomUUID();
+};
 function param(key, transform) {
   return {
-    __brand: "effortless-param",
+    __brand: "effortless-secret",
     key,
     ...transform ? { transform } : {}
   };
@@ -110,6 +138,12 @@ function unsafeAs() {
   return (input) => input;
 }
+// src/handlers/auth.ts
+var defineAuth = (options) => ({
+  __brand: "effortless-cookie-auth",
+  ...options
+});
 // src/handlers/shared.ts
 var result = {
   /** Return a JSON response */
@@ -125,14 +159,19 @@ var result = {
 export {
   defineApi,
   defineApp,
+  defineAuth,
   defineBucket,
   defineConfig,
   defineFifoQueue,
   defineMailer,
   defineStaticSite,
   defineTable,
+  generateBase64,
+  generateHex,
+  generateUuid,
   param,
   result,
+  secret,
   toSeconds,
   unsafeAs
 };

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/config.ts","../src/handlers/define-table.ts","../src/handlers/define-app.ts","../src/handlers/define-static-site.ts","../src/handlers/define-fifo-queue.ts","../src/handlers/define-bucket.ts","../src/handlers/define-mailer.ts","../src/handlers/define-api.ts","../src/handlers/handler-options.ts","../src/handlers/shared.ts"],"sourcesContent":["/*\n Configuration for an Effortless project.\n \n @example\n * ```typescript\n * // effortless.config.ts\n * import { defineConfig } from \"effortless-aws\";\n \n export default defineConfig({\n * name: \"my-service\",\n * region: \"eu-central-1\",\n * handlers: \"src\",\n * });\n * ```\n /\nexport type EffortlessConfig = {\n /\n Project root directory. All relative paths (handlers, server, assets, etc.)\n * are resolved from this directory.\n * Resolved relative to where the CLI runs (process.cwd()).\n * @default \".\" (current working directory)\n /\n root?: string;\n\n /\n Project name used for resource naming and tagging.\n * This becomes part of Lambda function names, IAM roles, etc.\n /\n name: string;\n\n /\n Default AWS region for all handlers.\n * Can be overridden per-handler or via CLI `--region` flag.\n * @default \"eu-central-1\"\n /\n region?: string;\n\n /\n Deployment stage (e.g., \"dev\", \"staging\", \"prod\").\n * Used for resource isolation and tagging.\n * @default \"dev\"\n /\n stage?: string;\n\n /\n Glob patterns or directory paths to scan for handlers.\n * Used by `eff deploy` (without file argument) to auto-discover handlers.\n \n @example\n * ```typescript\n * // Single directory - scans for all .ts files\n * handlers: \"src\"\n \n // Glob patterns\n * handlers: [\"src/*\\/.ts\", \"lib/*\\/.handler.ts\"]\n * ```\n /\n handlers?: string \| string[];\n\n /\n Default Lambda settings applied to all handlers unless overridden.\n \n All Lambdas run on ARM64 (Graviton2) architecture — ~20% cheaper than x86_64\n * with better price-performance for most workloads.\n /\n lambda?: {\n /\n Lambda memory in MB. AWS allocates proportional CPU —\n * 1769 MB gives one full vCPU.\n * @default 256\n /\n memory?: number;\n\n /\n Lambda timeout as a human-readable string.\n * AWS maximum is 15 minutes.\n * @example \"30 seconds\", \"5 minutes\"\n /\n timeout?: string;\n\n /\n Node.js Lambda runtime version.\n * @default \"nodejs24.x\"\n /\n runtime?: string;\n };\n};\n\n/\n Helper function for type-safe configuration.\n * Returns the config object as-is, but provides TypeScript autocompletion.\n \n @example\n * ```typescript\n * import { defineConfig } from \"effortless-aws\";\n \n export default defineConfig({\n * name: \"my-service\",\n * region: \"eu-central-1\",\n * handlers: \"src\",\n * });\n * ```\n /\nexport const defineConfig = (config: EffortlessConfig): EffortlessConfig => config;\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig, TableItem, Duration } from \"./handler-options\";\nimport type { TableClient } from \"../runtime/table-client\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\n\n/* DynamoDB attribute types for keys /\nexport type KeyType = \"string\" \| \"number\" \| \"binary\";\n\n/\n DynamoDB table key definition\n /\nexport type TableKey = {\n /* Attribute name /\n name: string;\n /* Attribute type /\n type: KeyType;\n};\n\n/* DynamoDB Streams view type - determines what data is captured in stream records /\nexport type StreamView = \"NEW_AND_OLD_IMAGES\" \| \"NEW_IMAGE\" \| \"OLD_IMAGE\" \| \"KEYS_ONLY\";\n\n/\n Configuration options for defineTable (single-table design).\n \n Tables always use `pk (S)` + `sk (S)` keys, `tag (S)` discriminator,\n * `data (M)` for domain fields, and `ttl (N)` for optional expiration.\n /\nexport type TableConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* DynamoDB billing mode (default: \"PAY_PER_REQUEST\") /\n billingMode?: \"PAY_PER_REQUEST\" \| \"PROVISIONED\";\n /* Stream view type - what data to include in stream records (default: \"NEW_AND_OLD_IMAGES\") /\n streamView?: StreamView;\n /* Number of records to process in each Lambda invocation (1-10000, default: 100) /\n batchSize?: number;\n /* Maximum time to gather records before invoking (default: `\"2s\"`). Accepts `\"5s\"`, `\"1m\"`, etc. /\n batchWindow?: Duration;\n /* Where to start reading the stream (default: \"LATEST\") /\n startingPosition?: \"LATEST\" \| \"TRIM_HORIZON\";\n /\n Name of the field in `data` that serves as the entity type discriminant.\n * Effortless auto-copies `data[tagField]` to the top-level DynamoDB `tag` attribute on `put()`.\n * Defaults to `\"tag\"`.\n \n @example\n * ```typescript\n * export const orders = defineTable<{ type: \"order\"; amount: number }>({\n * tagField: \"type\",\n * onRecord: async ({ record }) => { ... }\n * });\n * ```\n /\n tagField?: string;\n};\n\n/\n DynamoDB stream record passed to onRecord callback.\n \n `new` and `old` are full `TableItem<T>` objects with the single-table envelope.\n \n @typeParam T - Type of the domain data (inside `data`)\n /\nexport type TableRecord<T = Record<string, unknown>> = {\n /* Type of modification: INSERT, MODIFY, or REMOVE /\n eventName: \"INSERT\" \| \"MODIFY\" \| \"REMOVE\";\n /* New item value (present for INSERT and MODIFY) /\n new?: TableItem<T>;\n /* Old item value (present for MODIFY and REMOVE) /\n old?: TableItem<T>;\n /* Primary key of the affected item /\n keys: { pk: string; sk: string };\n /* Sequence number for ordering /\n sequenceNumber?: string;\n /* Approximate timestamp when the modification occurred /\n timestamp?: number;\n};\n\n/\n Information about a failed record during batch processing\n \n @typeParam T - Type of the domain data\n /\nexport type FailedRecord<T = Record<string, unknown>> = {\n /* The record that failed to process /\n record: TableRecord<T>;\n /* The error that occurred /\n error: unknown;\n};\n\n/\n Setup factory type for table handlers.\n * Always receives `table: TableClient<T>` (self-client for the handler's own table).\n * Also receives `deps` and/or `config` when declared.\n /\ntype SetupFactory<C, T, D, P, S extends string[] \| undefined = undefined> = (args:\n & { table: TableClient<T> }\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/\n Callback function type for processing a single DynamoDB stream record\n /\nexport type TableRecordFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { record: TableRecord<T>; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<R>;\n\n/\n Callback function type for processing accumulated batch results\n /\nexport type TableBatchCompleteFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { results: R[]; failures: FailedRecord<T>[]; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Callback function type for processing all records in a batch at once\n /\nexport type TableBatchFn<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { records: TableRecord<T>[]; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/* Base options shared by all defineTable variants /\ntype DefineTableBase<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = Omit<TableConfig, \"tagField\"> & {\n /* Name of the field in `data` that serves as the entity type discriminant (default: `\"tag\"`). /\n tagField?: Extract<keyof T, string>;\n /\n Decode/validate function for the `data` portion of stream record items.\n * Called with the unmarshalled `data` attribute; should return typed data or throw on validation failure.\n * When provided, T is inferred from the return type — no need to specify generic parameters.\n /\n schema?: (input: unknown) => T;\n /\n Error handler called when onRecord, onBatch, or onBatchComplete throws.\n * Receives the error. If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for callbacks.\n * Called once on cold start, result is cached and reused across invocations.\n * When deps/params are declared, receives them as argument.\n * Supports both sync and async return values.\n /\n setup?: SetupFactory<C, T, D, P, S>;\n /\n Dependencies on other handlers (tables, queues, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ orders })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n * Typed values are injected into the handler via the `config` argument.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* Per-record processing: onRecord with optional onBatchComplete /\ntype DefineTableWithOnRecord<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onRecord: TableRecordFn<T, C, R, D, P, S>;\n onBatchComplete?: TableBatchCompleteFn<T, C, R, D, P, S>;\n onBatch?: never;\n};\n\n/* Batch processing: onBatch processes all records at once /\ntype DefineTableWithOnBatch<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onBatch: TableBatchFn<T, C, D, P, S>;\n onRecord?: never;\n onBatchComplete?: never;\n};\n\n/* Resource-only: no handler, just creates the table /\ntype DefineTableResourceOnly<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onRecord?: never;\n onBatch?: never;\n onBatchComplete?: never;\n};\n\nexport type DefineTableOptions<\n T = Record<string, unknown>,\n C = undefined,\n R = void,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineTableWithOnRecord<T, C, R, D, P, S>\n \| DefineTableWithOnBatch<T, C, D, P, S>\n \| DefineTableResourceOnly<T, C, D, P, S>;\n\n/\n Internal handler object created by defineTable\n * @internal\n /\nexport type TableHandler<T = Record<string, unknown>, C = any> = {\n readonly __brand: \"effortless-table\";\n readonly __spec: TableConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onRecord?: (...args: any[]) => any;\n readonly onBatchComplete?: (...args: any[]) => any;\n readonly onBatch?: (...args: any[]) => any;\n};\n\n/\n Define a DynamoDB table with optional stream handler (single-table design).\n \n Creates a table with fixed key schema: `pk (S)` + `sk (S)`, plus `tag (S)`,\n * `data (M)`, and `ttl (N)` attributes. TTL is always enabled.\n \n @example Table with stream handler\n * ```typescript\n * type OrderData = { amount: number; status: string };\n \n export const orders = defineTable<OrderData>({\n * streamView: \"NEW_AND_OLD_IMAGES\",\n * batchSize: 10,\n * onRecord: async ({ record }) => {\n * if (record.eventName === \"INSERT\") {\n * console.log(\"New order:\", record.new?.data.amount);\n * }\n * }\n * });\n * ```\n \n @example Table only (no Lambda)\n * ```typescript\n * export const users = defineTable({});\n * ```\n /\nexport const defineTable = <\n T = Record<string, unknown>,\n C = undefined,\n R = void,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineTableOptions<T, C, R, D, P, S>\n): TableHandler<T, C> => {\n const { onRecord, onBatchComplete, onBatch, onError, schema, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-table\",\n __spec,\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onRecord ? { onRecord } : {}),\n ...(onBatchComplete ? { onBatchComplete } : {}),\n ...(onBatch ? { onBatch } : {})\n } as TableHandler<T, C>;\n};\n","import type { LambdaWithPermissions } from \"./handler-options\";\n\n/\n Configuration for deploying an SSR framework (Nuxt, Astro, etc.)\n * via CloudFront + S3 (static assets) + Lambda Function URL (server-side rendering).\n /\nexport type AppConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Directory containing the Lambda server handler (e.g., \".output/server\").\n * Must contain an `index.mjs` (or `index.js`) that exports a `handler` function. /\n server: string;\n /* Directory containing static assets for S3 (e.g., \".output/public\") /\n assets: string;\n /* Base URL path (default: \"/\") /\n path?: string;\n /* Shell command to build the framework output (e.g., \"nuxt build\") /\n build?: string;\n /* Custom domain name. String or stage-keyed record (e.g., { prod: \"app.example.com\" }). /\n domain?: string \| Record<string, string>;\n /* CloudFront route overrides: path patterns forwarded to API Gateway instead of the SSR Lambda.\n * Keys are CloudFront path patterns (e.g., \"/api/\"), values are handler references.\n Example: `routes: { \"/api/\": api }` /\n routes?: Record<string, { readonly __brand: string }>;\n};\n\n/*\n Internal handler object created by defineApp\n * @internal\n /\nexport type AppHandler = {\n readonly __brand: \"effortless-app\";\n readonly __spec: AppConfig;\n};\n\n/\n Deploy an SSR framework application via CloudFront + Lambda Function URL.\n \n Static assets from the `assets` directory are served via S3 + CloudFront CDN.\n * Server-rendered pages are handled by a Lambda function using the framework's\n * built output from the `server` directory.\n \n For static-only sites (no SSR), use {@link defineStaticSite} instead.\n \n @param options - App configuration: server directory, assets directory, optional build command\n * @returns Handler object used by the deployment system\n \n @example Nuxt SSR\n * ```typescript\n * export const app = defineApp({\n * build: \"nuxt build\",\n * server: \".output/server\",\n * assets: \".output/public\",\n * lambda: { memory: 1024 },\n * });\n * ```\n /\nexport const defineApp = (options: AppConfig): AppHandler => ({\n __brand: \"effortless-app\",\n __spec: options,\n});\n","/* Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) /\ntype AnyRoutableHandler = { readonly __brand: string };\n\n/* Simplified request object passed to middleware /\nexport type MiddlewareRequest = {\n uri: string;\n method: string;\n querystring: string;\n headers: Record<string, string>;\n cookies: Record<string, string>;\n};\n\n/* Redirect the user to another URL /\nexport type MiddlewareRedirect = {\n redirect: string;\n status?: 301 \| 302 \| 307 \| 308;\n};\n\n/* Deny access with a 403 status /\nexport type MiddlewareDeny = {\n status: 403;\n body?: string;\n};\n\n/* Middleware return type: redirect, deny, or void (continue serving) /\nexport type MiddlewareResult = MiddlewareRedirect \| MiddlewareDeny \| void;\n\n/* Function that runs before serving static files via Lambda@Edge /\nexport type MiddlewareHandler = (\n request: MiddlewareRequest\n) => Promise<MiddlewareResult> \| MiddlewareResult;\n\n/* SEO options for auto-generating sitemap.xml, robots.txt, and submitting to Google Indexing API /\nexport type StaticSiteSeo = {\n /* Sitemap filename (e.g. \"sitemap.xml\", \"sitemap-v2.xml\") /\n sitemap: string;\n /* Path to Google service account JSON key file for Indexing API batch submission.\n * Requires adding the service account email as an owner in Google Search Console. /\n googleIndexing?: string;\n};\n\n/\n Configuration for a static site handler (S3 + CloudFront)\n /\nexport type StaticSiteConfig = {\n /* Handler name. Defaults to export name if not specified /\n name?: string;\n /* Directory containing the static site files, relative to project root /\n dir: string;\n /* Default file for directory requests (default: \"index.html\") /\n index?: string;\n /* SPA mode: serve index.html for all paths that don't match a file (default: false) /\n spa?: boolean;\n /* Shell command to run before deploy to generate site content (e.g., \"npx astro build\") /\n build?: string;\n /* Custom domain name. Accepts a string (same domain for all stages) or a Record mapping stage names to domains (e.g., `{ prod: \"example.com\", dev: \"dev.example.com\" }`). Requires an ACM certificate in us-east-1. If the cert also covers www, a 301 redirect from www to non-www is set up automatically. /\n domain?: string \| Record<string, string>;\n /* CloudFront route overrides: path patterns forwarded to API Gateway instead of S3.\n * Keys are CloudFront path patterns (e.g., \"/api/\"), values are HTTP handlers.\n Example: `routes: { \"/api/\": api }` /\n routes?: Record<string, AnyRoutableHandler>;\n /** Custom 404 error page path relative to `dir` (e.g. \"404.html\").\n * For non-SPA sites only. If not set, a default page is generated automatically. /\n errorPage?: string;\n /* Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. /\n middleware?: MiddlewareHandler;\n /* SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API /\n seo?: StaticSiteSeo;\n};\n\n/\n Internal handler object created by defineStaticSite\n * @internal\n /\nexport type StaticSiteHandler = {\n readonly __brand: \"effortless-static-site\";\n readonly __spec: StaticSiteConfig;\n};\n\n/\n Deploy a static site via S3 + CloudFront CDN.\n \n @param options - Static site configuration: directory, optional SPA mode, build command\n * @returns Handler object used by the deployment system\n \n @example Documentation site\n * ```typescript\n * export const docs = defineStaticSite({\n * dir: \"dist\",\n * build: \"npx astro build\",\n * });\n * ```\n \n @example SPA with client-side routing\n * ```typescript\n * export const app = defineStaticSite({\n * dir: \"dist\",\n * spa: true,\n * build: \"npm run build\",\n * });\n * ```\n \n @example Protected site with middleware (Lambda@Edge)\n * ```typescript\n * export const admin = defineStaticSite({\n * dir: \"admin/dist\",\n * middleware: async (request) => {\n * if (!request.cookies.session) {\n * return { redirect: \"/login\" };\n * }\n * },\n * });\n * ```\n /\nexport const defineStaticSite = (options: StaticSiteConfig): StaticSiteHandler => ({\n __brand: \"effortless-static-site\",\n __spec: options,\n});\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig, Duration } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\n\n/\n Parsed SQS FIFO message passed to the handler callbacks.\n \n @typeParam T - Type of the decoded message body (from schema function)\n /\nexport type FifoQueueMessage<T = unknown> = {\n /* Unique message identifier /\n messageId: string;\n /* Receipt handle for acknowledgement /\n receiptHandle: string;\n /* Parsed message body (JSON-decoded, then optionally schema-validated) /\n body: T;\n /* Raw unparsed message body string /\n rawBody: string;\n /* Message group ID (FIFO ordering key) /\n messageGroupId: string;\n /* Message deduplication ID /\n messageDeduplicationId?: string;\n /* SQS message attributes /\n messageAttributes: Record<string, { dataType?: string; stringValue?: string }>;\n /* Approximate first receive timestamp /\n approximateFirstReceiveTimestamp?: string;\n /* Approximate receive count /\n approximateReceiveCount?: string;\n /* Sent timestamp /\n sentTimestamp?: string;\n};\n\n/\n Configuration options for a FIFO queue handler\n /\nexport type FifoQueueConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Number of messages per Lambda invocation (1-10 for FIFO, default: 10) /\n batchSize?: number;\n /* Maximum time to gather messages before invoking (default: 0). Accepts `\"5s\"`, `\"1m\"`, etc. /\n batchWindow?: Duration;\n /* Visibility timeout (default: max of timeout or 30s). Accepts `\"30s\"`, `\"5m\"`, etc. /\n visibilityTimeout?: Duration;\n /* Message retention period (default: `\"4d\"`). Accepts `\"1h\"`, `\"7d\"`, etc. /\n retentionPeriod?: Duration;\n /* Delivery delay for all messages in the queue (default: 0). Accepts `\"30s\"`, `\"5m\"`, etc. /\n delay?: Duration;\n /* Enable content-based deduplication (default: true) /\n contentBasedDeduplication?: boolean;\n};\n\n/\n Setup factory type — always receives an args object.\n * Args include `deps` and/or `config` when declared (empty `{}` otherwise).\n /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> =\n (args:\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/\n Per-message handler function.\n * Called once per message in the batch. Failures are reported individually.\n /\nexport type FifoQueueMessageFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { message: FifoQueueMessage<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Batch handler function.\n * Called once with all messages in the batch.\n /\nexport type FifoQueueBatchFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { messages: FifoQueueMessage<T>[] }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/* Base options shared by all defineFifoQueue variants /\ntype DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = FifoQueueConfig & {\n /\n Decode/validate function for the message body.\n * Called with the JSON-parsed body; should return typed data or throw on validation failure.\n /\n schema?: (input: unknown) => T;\n /\n Error handler called when onMessage or onBatch throws.\n * If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for the handler.\n * Called once on cold start, result is cached and reused across invocations.\n * When deps/params are declared, receives them as argument.\n /\n setup?: SetupFactory<C, D, P, S>;\n /\n Dependencies on other handlers (tables, queues, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ orders })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* Per-message processing /\ntype DefineFifoQueueWithOnMessage<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {\n onMessage: FifoQueueMessageFn<T, C, D, P, S>;\n onBatch?: never;\n};\n\n/* Batch processing: all messages at once /\ntype DefineFifoQueueWithOnBatch<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {\n onBatch: FifoQueueBatchFn<T, C, D, P, S>;\n onMessage?: never;\n};\n\nexport type DefineFifoQueueOptions<\n T = unknown,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineFifoQueueWithOnMessage<T, C, D, P, S>\n \| DefineFifoQueueWithOnBatch<T, C, D, P, S>;\n\n/\n Internal handler object created by defineFifoQueue\n * @internal\n /\nexport type FifoQueueHandler<T = unknown, C = any> = {\n readonly __brand: \"effortless-fifo-queue\";\n readonly __spec: FifoQueueConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onMessage?: (...args: any[]) => any;\n readonly onBatch?: (...args: any[]) => any;\n};\n\n/\n Define a FIFO SQS queue with a Lambda message handler\n \n Creates:\n * - SQS FIFO queue (with `.fifo` suffix)\n * - Lambda function triggered by the queue\n * - Event source mapping with partial batch failure support\n \n @example Per-message processing\n * ```typescript\n * type OrderEvent = { orderId: string; action: string };\n \n export const orderQueue = defineFifoQueue<OrderEvent>({\n * onMessage: async ({ message }) => {\n * console.log(\"Processing order:\", message.body.orderId);\n * }\n * });\n * ```\n \n @example Batch processing with schema\n * ```typescript\n * export const notifications = defineFifoQueue({\n * schema: (input) => NotificationSchema.parse(input),\n * batchSize: 5,\n * onBatch: async ({ messages }) => {\n * await sendAll(messages.map(m => m.body));\n * }\n * });\n * ```\n /\nexport const defineFifoQueue = <\n T = unknown,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineFifoQueueOptions<T, C, D, P, S>\n): FifoQueueHandler<T, C> => {\n const { onMessage, onBatch, onError, schema, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-fifo-queue\",\n __spec,\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onMessage ? { onMessage } : {}),\n ...(onBatch ? { onBatch } : {})\n } as FifoQueueHandler<T, C>;\n};\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\nimport type { BucketClient } from \"../runtime/bucket-client\";\n\n/\n Configuration options for defineBucket.\n /\nexport type BucketConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* S3 key prefix filter for event notifications (e.g., \"uploads/\") /\n prefix?: string;\n /* S3 key suffix filter for event notifications (e.g., \".jpg\") /\n suffix?: string;\n};\n\n/\n S3 event record passed to onObjectCreated/onObjectRemoved callbacks.\n /\nexport type BucketEvent = {\n /* S3 event name (e.g., \"ObjectCreated:Put\", \"ObjectRemoved:Delete\") /\n eventName: string;\n /* Object key (path within the bucket) /\n key: string;\n /* Object size in bytes (present for created events) /\n size?: number;\n /* Object ETag (present for created events) /\n eTag?: string;\n /* ISO 8601 timestamp of when the event occurred /\n eventTime?: string;\n /* S3 bucket name /\n bucketName: string;\n};\n\n/\n Callback function type for S3 ObjectCreated events\n /\nexport type BucketObjectCreatedFn<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { event: BucketEvent; bucket: BucketClient }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Callback function type for S3 ObjectRemoved events\n /\nexport type BucketObjectRemovedFn<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { event: BucketEvent; bucket: BucketClient }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Setup factory type for bucket handlers.\n * Always receives `bucket: BucketClient` (self-client for the handler's own bucket).\n * Also receives `deps` and/or `config` when declared.\n /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> = (args:\n & { bucket: BucketClient }\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/* Base options shared by all defineBucket variants /\ntype DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = BucketConfig & {\n /\n Error handler called when onObjectCreated or onObjectRemoved throws.\n * If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for callbacks.\n * Called once on cold start, result is cached and reused across invocations.\n * Always receives `bucket: BucketClient` (self-client). When deps/config\n * are declared, receives them as well.\n /\n setup?: SetupFactory<C, D, P, S>;\n /\n Dependencies on other handlers (tables, buckets, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ uploads })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* With event handlers (at least one callback) /\ntype DefineBucketWithHandlers<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineBucketBase<C, D, P, S> & {\n onObjectCreated?: BucketObjectCreatedFn<C, D, P, S>;\n onObjectRemoved?: BucketObjectRemovedFn<C, D, P, S>;\n};\n\n/* Resource-only: no Lambda, just creates the bucket /\ntype DefineBucketResourceOnly<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineBucketBase<C, D, P, S> & {\n onObjectCreated?: never;\n onObjectRemoved?: never;\n};\n\nexport type DefineBucketOptions<\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineBucketWithHandlers<C, D, P, S>\n \| DefineBucketResourceOnly<C, D, P, S>;\n\n/\n Internal handler object created by defineBucket\n * @internal\n /\nexport type BucketHandler<C = any> = {\n readonly __brand: \"effortless-bucket\";\n readonly __spec: BucketConfig;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onObjectCreated?: (...args: any[]) => any;\n readonly onObjectRemoved?: (...args: any[]) => any;\n};\n\n/\n Define an S3 bucket with optional event handlers.\n \n Creates an S3 bucket. When event handlers are provided, also creates a Lambda\n * function triggered by S3 event notifications.\n \n @example Bucket with event handler\n * ```typescript\n * export const uploads = defineBucket({\n * prefix: \"images/\",\n * suffix: \".jpg\",\n * onObjectCreated: async ({ event, bucket }) => {\n * const file = await bucket.get(event.key);\n * console.log(\"New upload:\", event.key, file?.body.length);\n * }\n * });\n * ```\n \n @example Resource-only bucket (no Lambda)\n * ```typescript\n * export const assets = defineBucket({});\n * ```\n \n @example As a dependency\n * ```typescript\n * export const api = defineApi({\n * basePath: \"/process\",\n * deps: { uploads },\n * post: async ({ req, deps }) => {\n * await deps.uploads.put(\"output.jpg\", buffer);\n * return { status: 200, body: \"OK\" };\n * },\n * });\n * ```\n /\nexport const defineBucket = <\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineBucketOptions<C, D, P, S>\n): BucketHandler<C> => {\n const { onObjectCreated, onObjectRemoved, onError, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-bucket\",\n __spec,\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onObjectCreated ? { onObjectCreated } : {}),\n ...(onObjectRemoved ? { onObjectRemoved } : {}),\n } as BucketHandler<C>;\n};\n","/\n Configuration options for defining a mailer (SES email identity)\n /\nexport type MailerConfig = {\n /* Domain to verify and send emails from (e.g., \"myapp.com\") /\n domain: string;\n};\n\n/\n Internal handler object created by defineMailer\n * @internal\n /\nexport type MailerHandler = {\n readonly __brand: \"effortless-mailer\";\n readonly __spec: MailerConfig;\n};\n\n/\n Define an email sender backed by Amazon SES.\n \n Creates an SES Email Identity for the specified domain and provides\n * a typed `EmailClient` to other handlers via `deps`.\n \n On first deploy, DKIM DNS records are printed to the console.\n * Add them to your DNS provider to verify the domain.\n \n @param options - Mailer configuration with the domain to send from\n * @returns Handler object used by the deployment system and as a `deps` value\n \n @example Basic mailer with HTTP handler\n * ```typescript\n * export const mailer = defineMailer({ domain: \"myapp.com\" });\n \n export const api = defineApi({\n * basePath: \"/signup\",\n * deps: { mailer },\n * post: async ({ req, deps }) => {\n * await deps.mailer.send({\n * from: \"hello@myapp.com\",\n * to: req.body.email,\n * subject: \"Welcome!\",\n * html: \"<h1>Hi!</h1>\",\n * });\n * return { status: 200, body: { ok: true } };\n * },\n * });\n * ```\n /\nexport const defineMailer = (options: MailerConfig): MailerHandler => ({\n __brand: \"effortless-mailer\",\n __spec: options,\n});\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles, ResponseStream } from \"./shared\";\nimport type { HttpRequest, HttpResponse } from \"./shared\";\n\n/* GET route handler — no schema, no data /\nexport type ApiGetHandlerFn<\n C = undefined,\n D = undefined,\n P = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined\n> =\n (args: { req: HttpRequest }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n & ([ST] extends [true] ? { stream: ResponseStream } : {})\n ) => Promise<HttpResponse \| void> \| HttpResponse \| void;\n\n/* POST handler — with typed data from schema /\nexport type ApiPostHandlerFn<\n T = undefined,\n C = undefined,\n D = undefined,\n P = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined\n> =\n (args: { req: HttpRequest }\n & ([T] extends [undefined] ? {} : { data: T })\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n & ([ST] extends [true] ? { stream: ResponseStream } : {})\n ) => Promise<HttpResponse \| void> \| HttpResponse \| void;\n\n/* Setup factory — receives deps/config/files when declared /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> =\n (args:\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/* Static config extracted by AST (no runtime callbacks) /\nexport type ApiConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Base path prefix for all routes (e.g., \"/api\") /\n basePath: string;\n /* Enable response streaming. When true, the Lambda Function URL uses RESPONSE_STREAM invoke mode. /\n stream?: boolean;\n};\n\n/\n Options for defining a CQRS-style API endpoint.\n \n - `get` routes handle queries (path-based routing, no body)\n * - `post` handles commands (single entry point, discriminated union via `schema`)\n /\nexport type DefineApiOptions<\n T = undefined,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined\n> = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Base path prefix for all routes (e.g., \"/api\") /\n basePath: string;\n /* Enable response streaming. When true, routes receive a `stream` arg for SSE. Routes can still return HttpResponse normally. /\n stream?: ST;\n /\n Factory function to initialize shared state.\n * Called once on cold start, result is cached and reused across invocations.\n /\n setup?: SetupFactory<C, D, P, S>;\n /* Dependencies on other handlers (tables, queues, etc.): `deps: () => ({ users })` /\n deps?: () => D & {};\n /* SSM Parameter Store parameters /\n config?: P;\n /* Static file glob patterns to bundle into the Lambda ZIP /\n static?: S;\n /* Error handler called when schema validation or handler throws /\n onError?: (error: unknown, req: HttpRequest) => HttpResponse;\n\n /* GET routes — query handlers keyed by relative path (e.g., \"/users/{id}\") /\n get?: Record<string, ApiGetHandlerFn<C, D, P, S, ST>>;\n\n /\n Schema for POST body validation. Use with discriminated unions:\n * ```typescript\n * schema: Action.parse,\n * post: async ({ data }) => { switch (data.action) { ... } }\n * ```\n /\n schema?: (input: unknown) => T;\n /* POST handler — single entry point for commands /\n post?: ApiPostHandlerFn<T, C, D, P, S, ST>;\n};\n\n/* Internal handler object created by defineApi /\nexport type ApiHandler<\n T = undefined,\n C = undefined,\n> = {\n readonly __brand: \"effortless-api\";\n readonly __spec: ApiConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown, req: HttpRequest) => HttpResponse;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly get?: Record<string, (...args: any[]) => any>;\n readonly post?: (...args: any[]) => any;\n};\n\n/\n Define a CQRS-style API with typed GET routes and POST commands.\n \n GET routes handle queries — path-based routing, no request body.\n * POST handles commands — single entry point with discriminated union schema.\n * Deploys as a single Lambda (fat Lambda) with one API Gateway catch-all route.\n \n @example\n * ```typescript\n * export default defineApi({\n * basePath: \"/api\",\n * deps: { users },\n \n get: {\n * \"/users\": async ({ req, deps }) => ({\n * status: 200,\n * body: await deps.users.scan()\n * }),\n * \"/users/{id}\": async ({ req, deps }) => ({\n * status: 200,\n * body: await deps.users.get(req.params.id)\n * }),\n * },\n \n schema: Action.parse,\n * post: async ({ data, deps }) => {\n * switch (data.action) {\n * case \"create\": return { status: 201, body: await deps.users.put(data) }\n * case \"delete\": return { status: 200, body: await deps.users.delete(data.id) }\n * }\n * },\n * })\n * ```\n /\nexport const defineApi = <\n T = undefined,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined\n>(\n options: DefineApiOptions<T, C, D, P, S, ST>\n): ApiHandler<T, C> => {\n const { get, post, schema, onError, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-api\",\n __spec,\n ...(get ? { get } : {}),\n ...(post ? { post } : {}),\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n } as ApiHandler<T, C>;\n};\n","// Public helpers — this file must have ZERO heavy imports (no effect, no AWS SDK, no deploy code).\n// It is the source of truth for param(), unsafeAs(), and related types used by the public API.\n\n// ============ Permissions ============\n\ntype AwsService =\n \| \"dynamodb\"\n \| \"s3\"\n \| \"sqs\"\n \| \"sns\"\n \| \"ses\"\n \| \"ssm\"\n \| \"lambda\"\n \| \"events\"\n \| \"secretsmanager\"\n \| \"cognito-idp\"\n \| \"logs\";\n\nexport type Permission = `${AwsService}:${string}` \| (string & {});\n\n// ============ Duration ============\n\n/\n Human-readable duration. Accepts a plain number (seconds) or a string\n * with a unit suffix: `\"30s\"`, `\"5m\"`, `\"1h\"`, `\"2d\"`.\n \n @example\n * ```typescript\n * timeout: 30 // 30 seconds\n * timeout: \"30s\" // 30 seconds\n * timeout: \"5m\" // 300 seconds\n * timeout: \"1h\" // 3600 seconds\n * retentionPeriod: \"4d\" // 345600 seconds\n * ```\n /\nexport type Duration = number \| `${number}s` \| `${number}m` \| `${number}h` \| `${number}d`;\n\n/* Convert a Duration to seconds. /\nexport const toSeconds = (d: Duration): number => {\n if (typeof d === \"number\") return d;\n const match = d.match(/^(\\d+(?:\\.\\d+)?)(s\|m\|h\|d)$/);\n if (!match) throw new Error(`Invalid duration: \"${d}\"`);\n const n = Number(match[1]);\n const unit = match[2];\n if (unit === \"d\") return n 86400;\n if (unit === \"h\") return n * 3600;\n if (unit === \"m\") return n * 60;\n return n;\n};\n\n// ============ Lambda config ============\n\n/** Logging verbosity level for Lambda handlers /\nexport type LogLevel = \"error\" \| \"info\" \| \"debug\";\n\n/\n Common Lambda configuration shared by all handler types.\n /\nexport type LambdaConfig = {\n /* Lambda memory in MB (default: 256) /\n memory?: number;\n /* Lambda timeout (default: 30s). Accepts seconds or duration string: `\"30s\"`, `\"5m\"` /\n timeout?: Duration;\n /* Logging verbosity: \"error\" (errors only), \"info\" (+ execution summary), \"debug\" (+ input/output). Default: \"info\" /\n logLevel?: LogLevel;\n};\n\n/\n Lambda configuration with additional IAM permissions.\n * Used by handler types that support custom permissions (http, table, fifo-queue).\n /\nexport type LambdaWithPermissions = LambdaConfig & {\n /* Additional IAM permissions for the Lambda /\n permissions?: Permission[];\n};\n\n// ============ Params ============\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport type AnyParamRef = ParamRef<any> \| string;\n\n/\n Reference to an SSM Parameter Store parameter.\n \n @typeParam T - The resolved type after optional transform (default: string)\n /\nexport type ParamRef<T = string> = {\n readonly __brand: \"effortless-param\";\n readonly key: string;\n readonly transform?: (raw: string) => T;\n};\n\n/\n Maps a config declaration to resolved value types.\n * Plain strings resolve to `string`, `ParamRef<T>` resolves to `T`.\n \n @typeParam P - Record of config keys to string or ParamRef instances\n /\nexport type ResolveConfig<P> = {\n [K in keyof P]: P[K] extends ParamRef<infer T> ? T : string;\n};\n\n/\n Declare an SSM Parameter Store parameter.\n \n The key is combined with project and stage at deploy time to form the full\n * SSM path: `/${project}/${stage}/${key}`.\n \n @param key - Parameter key (e.g., \"database-url\")\n * @param transform - Optional function to transform the raw string value\n * @returns A ParamRef used by the deployment and runtime systems\n \n @example Simple string parameter\n * ```typescript\n * config: {\n * dbUrl: param(\"database-url\"),\n * }\n * ```\n \n @example With transform (e.g., TOML parsing)\n * ```typescript\n * import TOML from \"smol-toml\";\n \n config: {\n * appConfig: param(\"app-config\", TOML.parse),\n * }\n * ```\n /\nexport function param(key: string): ParamRef<string>;\nexport function param<T>(key: string, transform: (raw: string) => T): ParamRef<T>;\nexport function param<T = string>(\n key: string,\n transform?: (raw: string) => T\n): ParamRef<T> {\n return {\n __brand: \"effortless-param\",\n key,\n ...(transform ? { transform } : {}),\n } as ParamRef<T>;\n}\n\n// ============ Single-table types ============\n\n/\n DynamoDB table key (always pk + sk strings in single-table design).\n /\nexport type TableKey = { pk: string; sk: string };\n\n/\n Full DynamoDB item in the single-table design.\n \n Every item has a fixed envelope: `pk`, `sk`, `tag`, `data`, and optional `ttl`.\n * `tag` is stored as a top-level DynamoDB attribute (GSI-ready).\n * If your domain type `T` includes a `tag` field, effortless auto-copies\n * `data.tag` to the top-level `tag` on `put()`, so you don't have to pass it twice.\n \n @typeParam T - The domain data type stored in the `data` attribute\n /\nexport type TableItem<T> = {\n pk: string;\n sk: string;\n tag: string;\n data: T;\n ttl?: number;\n};\n\n/\n Input type for `TableClient.put()`.\n \n Unlike `TableItem<T>`, this does NOT include `tag` — effortless auto-extracts\n * the top-level DynamoDB `tag` attribute from your data using the configured\n * tag field (defaults to `data.tag`, configurable via `defineTable({ tag: \"type\" })`).\n \n @typeParam T - The domain data type stored in the `data` attribute\n /\nexport type PutInput<T> = {\n pk: string;\n sk: string;\n data: T;\n ttl?: number;\n};\n\n/\n Create a schema function that casts input to T without runtime validation.\n * Use when you need T inference alongside other generics (deps, config).\n * For handlers without deps/config, prefer `defineTable<Order>({...})`.\n * For untrusted input, prefer a real parser (Zod, Effect Schema).\n \n @example\n * ```typescript\n * export const orders = defineTable({\n * schema: unsafeAs<Order>(),\n * deps: () => ({ notifications }),\n * onRecord: async ({ record, deps }) => { ... }\n * });\n * ```\n /\nexport function unsafeAs<T>(): (input: unknown) => T {\n return (input: unknown) => input as T;\n}\n","/* HTTP methods supported by Lambda Function URLs /\nexport type HttpMethod = \"GET\" \| \"POST\" \| \"PUT\" \| \"DELETE\" \| \"PATCH\" \| \"ANY\";\n\n/* Short content-type aliases for common response formats /\nexport type ContentType = \"json\" \| \"html\" \| \"text\" \| \"css\" \| \"js\" \| \"xml\" \| \"csv\" \| \"svg\";\n\n/\n Incoming HTTP request object passed to the handler\n /\nexport type HttpRequest = {\n /* HTTP method (GET, POST, etc.) /\n method: string;\n /* Request path (e.g., \"/users/123\") /\n path: string;\n /* Request headers /\n headers: Record<string, string \| undefined>;\n /* Query string parameters /\n query: Record<string, string \| undefined>;\n /* Path parameters extracted from route (e.g., {id} -> params.id) /\n params: Record<string, string \| undefined>;\n /* Parsed request body (JSON parsed if Content-Type is application/json) /\n body: unknown;\n /* Raw unparsed request body /\n rawBody?: string;\n};\n\n/\n HTTP response returned from the handler\n /\nexport type HttpResponse = {\n /* HTTP status code (e.g., 200, 404, 500) /\n status: number;\n /* Response body — JSON-serialized by default, or sent as string when contentType is set /\n body?: unknown;\n /\n Short content-type alias. Resolves to full MIME type automatically:\n * - `\"json\"` → `application/json` (default if omitted)\n * - `\"html\"` → `text/html; charset=utf-8`\n * - `\"text\"` → `text/plain; charset=utf-8`\n * - `\"css\"` → `text/css; charset=utf-8`\n * - `\"js\"` → `application/javascript; charset=utf-8`\n * - `\"xml\"` → `application/xml; charset=utf-8`\n * - `\"csv\"` → `text/csv; charset=utf-8`\n * - `\"svg\"` → `image/svg+xml; charset=utf-8`\n /\n contentType?: ContentType;\n /* Response headers (use for custom content-types not covered by contentType) /\n headers?: Record<string, string>;\n /\n Set to `true` to return binary data.\n * When enabled, `body` must be a base64-encoded string and the response\n * will include `isBase64Encoded: true` so Lambda Function URLs / API Gateway\n * decode it back to binary for the client.\n /\n binary?: boolean;\n};\n\n/* Response helpers for defineApi handlers /\nexport const result = {\n /* Return a JSON response /\n json: (body: unknown, status: number = 200): HttpResponse => ({ status, body }),\n /* Return a binary response. Accepts a Buffer and converts to base64 automatically. /\n binary: (body: Buffer, contentType: string, headers?: Record<string, string>): HttpResponse => ({\n status: 200,\n body: body.toString(\"base64\"),\n binary: true,\n headers: { \"content-type\": contentType, ...headers },\n }),\n};\n\n/* Stream helper injected into route args when `stream: true` is set on defineApi /\nexport type ResponseStream = {\n /* Write a raw string chunk to the response stream /\n write(chunk: string): void;\n /* End the response stream /\n end(): void;\n /* Switch to SSE mode: sets Content-Type to text/event-stream /\n sse(): void;\n /* Write an SSE event: `data: JSON.stringify(data)\\n\\n` /\n event(data: unknown): void;\n};\n\n/* Service for reading static files bundled into the Lambda ZIP /\nexport type StaticFiles = {\n /* Read file as UTF-8 string /\n read(path: string): string;\n /* Read file as Buffer (for binary content) /\n readBuffer(path: string): Buffer;\n /* Resolve absolute path to the bundled file */\n path(path: string): string;\n};\n"],"mappings":";AAuGO,IAAM,eAAe,CAAC,WAA+C;;;ACsJrE,IAAM,cAAc,CAQzB,YACuB;AACvB,QAAM,EAAE,UAAU,iBAAiB,SAAS,SAAS,QAAQ,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AACrH,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,IAC/B,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,IAC7C,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/B;AACF;;;AC5NO,IAAM,YAAY,CAAC,aAAoC;AAAA,EAC5D,SAAS;AAAA,EACT,QAAQ;AACV;;;ACsDO,IAAM,mBAAmB,CAAC,aAAkD;AAAA,EACjF,SAAS;AAAA,EACT,QAAQ;AACV;;;AC2EO,IAAM,kBAAkB,CAO7B,YAC2B;AAC3B,QAAM,EAAE,WAAW,SAAS,SAAS,QAAQ,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AACrG,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,IACjC,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/B;AACF;;;ACzCO,IAAM,eAAe,CAM1B,YACqB;AACrB,QAAM,EAAE,iBAAiB,iBAAiB,SAAS,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AAC3G,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,IAC7C,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,EAC/C;AACF;;;ACjJO,IAAM,eAAe,CAAC,aAA0C;AAAA,EACrE,SAAS;AAAA,EACT,QAAQ;AACV;;;AC0GO,IAAM,YAAY,CAQvB,YACqB;AACrB,QAAM,EAAE,KAAK,MAAM,QAAQ,SAAS,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AAC5F,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,MAAM,EAAE,IAAI,IAAI,CAAC;AAAA,IACrB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,EAC/C;AACF;;;AC9IO,IAAM,YAAY,CAAC,MAAwB;AAChD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,QAAQ,EAAE,MAAM,4BAA4B;AAClD,MAAI,CAAC,MAAO,OAAM,IAAI,MAAM,sBAAsB,CAAC,GAAG;AACtD,QAAM,IAAI,OAAO,MAAM,CAAC,CAAC;AACzB,QAAM,OAAO,MAAM,CAAC;AACpB,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,SAAO;AACT;AAkFO,SAAS,MACd,KACA,WACa;AACb,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,EACnC;AACF;AA0DO,SAAS,WAAqC;AACnD,SAAO,CAAC,UAAmB;AAC7B;;;AC7IO,IAAM,SAAS;AAAA;AAAA,EAEpB,MAAM,CAAC,MAAe,SAAiB,SAAuB,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE7E,QAAQ,CAAC,MAAc,aAAqB,aAAoD;AAAA,IAC9F,QAAQ;AAAA,IACR,MAAM,KAAK,SAAS,QAAQ;AAAA,IAC5B,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,aAAa,GAAG,QAAQ;AAAA,EACrD;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/config.ts","../src/handlers/define-table.ts","../src/handlers/define-app.ts","../src/handlers/define-static-site.ts","../src/handlers/define-fifo-queue.ts","../src/handlers/define-bucket.ts","../src/handlers/define-mailer.ts","../src/handlers/define-api.ts","../src/handlers/handler-options.ts","../src/handlers/auth.ts","../src/handlers/shared.ts"],"sourcesContent":["/*\n Configuration for an Effortless project.\n \n @example\n * ```typescript\n * // effortless.config.ts\n * import { defineConfig } from \"effortless-aws\";\n \n export default defineConfig({\n * name: \"my-service\",\n * region: \"eu-central-1\",\n * handlers: \"src\",\n * });\n * ```\n /\nexport type EffortlessConfig = {\n /\n Project root directory. All relative paths (handlers, server, assets, etc.)\n * are resolved from this directory.\n * Resolved relative to where the CLI runs (process.cwd()).\n * @default \".\" (current working directory)\n /\n root?: string;\n\n /\n Project name used for resource naming and tagging.\n * This becomes part of Lambda function names, IAM roles, etc.\n /\n name: string;\n\n /\n Default AWS region for all handlers.\n * Can be overridden per-handler or via CLI `--region` flag.\n * @default \"eu-central-1\"\n /\n region?: string;\n\n /\n Deployment stage (e.g., \"dev\", \"staging\", \"prod\").\n * Used for resource isolation and tagging.\n * @default \"dev\"\n /\n stage?: string;\n\n /\n Glob patterns or directory paths to scan for handlers.\n * Used by `eff deploy` (without file argument) to auto-discover handlers.\n \n @example\n * ```typescript\n * // Single directory - scans for all .ts files\n * handlers: \"src\"\n \n // Glob patterns\n * handlers: [\"src/*\\/.ts\", \"lib/*\\/.handler.ts\"]\n * ```\n /\n handlers?: string \| string[];\n\n /\n Default Lambda settings applied to all handlers unless overridden.\n \n All Lambdas run on ARM64 (Graviton2) architecture — ~20% cheaper than x86_64\n * with better price-performance for most workloads.\n /\n lambda?: {\n /\n Lambda memory in MB. AWS allocates proportional CPU —\n * 1769 MB gives one full vCPU.\n * @default 256\n /\n memory?: number;\n\n /\n Lambda timeout as a human-readable string.\n * AWS maximum is 15 minutes.\n * @example \"30 seconds\", \"5 minutes\"\n /\n timeout?: string;\n\n /\n Node.js Lambda runtime version.\n * @default \"nodejs24.x\"\n /\n runtime?: string;\n };\n\n};\n\n/\n Helper function for type-safe configuration.\n * Returns the config object as-is, but provides TypeScript autocompletion.\n \n @example\n * ```typescript\n * import { defineConfig } from \"effortless-aws\";\n \n export default defineConfig({\n * name: \"my-service\",\n * region: \"eu-central-1\",\n * handlers: \"src\",\n * });\n * ```\n /\nexport const defineConfig = (config: EffortlessConfig): EffortlessConfig => config;\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig, TableItem, Duration } from \"./handler-options\";\nimport type { TableClient } from \"../runtime/table-client\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\n\n/* DynamoDB attribute types for keys /\nexport type KeyType = \"string\" \| \"number\" \| \"binary\";\n\n/\n DynamoDB table key definition\n /\nexport type TableKey = {\n /* Attribute name /\n name: string;\n /* Attribute type /\n type: KeyType;\n};\n\n/* DynamoDB Streams view type - determines what data is captured in stream records /\nexport type StreamView = \"NEW_AND_OLD_IMAGES\" \| \"NEW_IMAGE\" \| \"OLD_IMAGE\" \| \"KEYS_ONLY\";\n\n/\n Configuration options for defineTable (single-table design).\n \n Tables always use `pk (S)` + `sk (S)` keys, `tag (S)` discriminator,\n * `data (M)` for domain fields, and `ttl (N)` for optional expiration.\n /\nexport type TableConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* DynamoDB billing mode (default: \"PAY_PER_REQUEST\") /\n billingMode?: \"PAY_PER_REQUEST\" \| \"PROVISIONED\";\n /* Stream view type - what data to include in stream records (default: \"NEW_AND_OLD_IMAGES\") /\n streamView?: StreamView;\n /* Number of records to process in each Lambda invocation (1-10000, default: 100) /\n batchSize?: number;\n /* Maximum time to gather records before invoking (default: `\"2s\"`). Accepts `\"5s\"`, `\"1m\"`, etc. /\n batchWindow?: Duration;\n /* Where to start reading the stream (default: \"LATEST\") /\n startingPosition?: \"LATEST\" \| \"TRIM_HORIZON\";\n /\n Name of the field in `data` that serves as the entity type discriminant.\n * Effortless auto-copies `data[tagField]` to the top-level DynamoDB `tag` attribute on `put()`.\n * Defaults to `\"tag\"`.\n \n @example\n * ```typescript\n * export const orders = defineTable<{ type: \"order\"; amount: number }>({\n * tagField: \"type\",\n * onRecord: async ({ record }) => { ... }\n * });\n * ```\n /\n tagField?: string;\n};\n\n/\n DynamoDB stream record passed to onRecord callback.\n \n `new` and `old` are full `TableItem<T>` objects with the single-table envelope.\n \n @typeParam T - Type of the domain data (inside `data`)\n /\nexport type TableRecord<T = Record<string, unknown>> = {\n /* Type of modification: INSERT, MODIFY, or REMOVE /\n eventName: \"INSERT\" \| \"MODIFY\" \| \"REMOVE\";\n /* New item value (present for INSERT and MODIFY) /\n new?: TableItem<T>;\n /* Old item value (present for MODIFY and REMOVE) /\n old?: TableItem<T>;\n /* Primary key of the affected item /\n keys: { pk: string; sk: string };\n /* Sequence number for ordering /\n sequenceNumber?: string;\n /* Approximate timestamp when the modification occurred /\n timestamp?: number;\n};\n\n/\n Information about a failed record during batch processing\n \n @typeParam T - Type of the domain data\n /\nexport type FailedRecord<T = Record<string, unknown>> = {\n /* The record that failed to process /\n record: TableRecord<T>;\n /* The error that occurred /\n error: unknown;\n};\n\n/\n Setup factory type for table handlers.\n * Always receives `table: TableClient<T>` (self-client for the handler's own table).\n * Also receives `deps` and/or `config` when declared.\n /\ntype SetupFactory<C, T, D, P, S extends string[] \| undefined = undefined> = (args:\n & { table: TableClient<T> }\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/\n Callback function type for processing a single DynamoDB stream record\n /\nexport type TableRecordFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { record: TableRecord<T>; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<R>;\n\n/\n Callback function type for processing accumulated batch results\n /\nexport type TableBatchCompleteFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { results: R[]; failures: FailedRecord<T>[]; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Callback function type for processing all records in a batch at once\n /\nexport type TableBatchFn<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { records: TableRecord<T>[]; table: TableClient<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/* Base options shared by all defineTable variants /\ntype DefineTableBase<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = Omit<TableConfig, \"tagField\"> & {\n /* Name of the field in `data` that serves as the entity type discriminant (default: `\"tag\"`). /\n tagField?: Extract<keyof T, string>;\n /\n Decode/validate function for the `data` portion of stream record items.\n * Called with the unmarshalled `data` attribute; should return typed data or throw on validation failure.\n * When provided, T is inferred from the return type — no need to specify generic parameters.\n /\n schema?: (input: unknown) => T;\n /\n Error handler called when onRecord, onBatch, or onBatchComplete throws.\n * Receives the error. If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for callbacks.\n * Called once on cold start, result is cached and reused across invocations.\n * When deps/params are declared, receives them as argument.\n * Supports both sync and async return values.\n /\n setup?: SetupFactory<C, T, D, P, S>;\n /\n Dependencies on other handlers (tables, queues, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ orders })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n * Typed values are injected into the handler via the `config` argument.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* Per-record processing: onRecord with optional onBatchComplete /\ntype DefineTableWithOnRecord<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onRecord: TableRecordFn<T, C, R, D, P, S>;\n onBatchComplete?: TableBatchCompleteFn<T, C, R, D, P, S>;\n onBatch?: never;\n};\n\n/* Batch processing: onBatch processes all records at once /\ntype DefineTableWithOnBatch<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onBatch: TableBatchFn<T, C, D, P, S>;\n onRecord?: never;\n onBatchComplete?: never;\n};\n\n/* Resource-only: no handler, just creates the table /\ntype DefineTableResourceOnly<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineTableBase<T, C, D, P, S> & {\n onRecord?: never;\n onBatch?: never;\n onBatchComplete?: never;\n};\n\nexport type DefineTableOptions<\n T = Record<string, unknown>,\n C = undefined,\n R = void,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineTableWithOnRecord<T, C, R, D, P, S>\n \| DefineTableWithOnBatch<T, C, D, P, S>\n \| DefineTableResourceOnly<T, C, D, P, S>;\n\n/\n Internal handler object created by defineTable\n * @internal\n /\nexport type TableHandler<T = Record<string, unknown>, C = any> = {\n readonly __brand: \"effortless-table\";\n readonly __spec: TableConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onRecord?: (...args: any[]) => any;\n readonly onBatchComplete?: (...args: any[]) => any;\n readonly onBatch?: (...args: any[]) => any;\n};\n\n/\n Define a DynamoDB table with optional stream handler (single-table design).\n \n Creates a table with fixed key schema: `pk (S)` + `sk (S)`, plus `tag (S)`,\n * `data (M)`, and `ttl (N)` attributes. TTL is always enabled.\n \n @example Table with stream handler\n * ```typescript\n * type OrderData = { amount: number; status: string };\n \n export const orders = defineTable<OrderData>({\n * streamView: \"NEW_AND_OLD_IMAGES\",\n * batchSize: 10,\n * onRecord: async ({ record }) => {\n * if (record.eventName === \"INSERT\") {\n * console.log(\"New order:\", record.new?.data.amount);\n * }\n * }\n * });\n * ```\n \n @example Table only (no Lambda)\n * ```typescript\n * export const users = defineTable({});\n * ```\n /\nexport const defineTable = <\n T = Record<string, unknown>,\n C = undefined,\n R = void,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineTableOptions<T, C, R, D, P, S>\n): TableHandler<T, C> => {\n const { onRecord, onBatchComplete, onBatch, onError, schema, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-table\",\n __spec,\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onRecord ? { onRecord } : {}),\n ...(onBatchComplete ? { onBatchComplete } : {}),\n ...(onBatch ? { onBatch } : {})\n } as TableHandler<T, C>;\n};\n","import type { LambdaWithPermissions } from \"./handler-options\";\n\n/\n Configuration for deploying an SSR framework (Nuxt, Astro, etc.)\n * via CloudFront + S3 (static assets) + Lambda Function URL (server-side rendering).\n /\nexport type AppConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Directory containing the Lambda server handler (e.g., \".output/server\").\n * Must contain an `index.mjs` (or `index.js`) that exports a `handler` function. /\n server: string;\n /* Directory containing static assets for S3 (e.g., \".output/public\") /\n assets: string;\n /* Base URL path (default: \"/\") /\n path?: string;\n /* Shell command to build the framework output (e.g., \"nuxt build\") /\n build?: string;\n /* Custom domain name. String or stage-keyed record (e.g., { prod: \"app.example.com\" }). /\n domain?: string \| Record<string, string>;\n /* CloudFront route overrides: path patterns forwarded to API Gateway instead of the SSR Lambda.\n * Keys are CloudFront path patterns (e.g., \"/api/\"), values are handler references.\n Example: `routes: { \"/api/\": api }` /\n routes?: Record<string, { readonly __brand: string }>;\n};\n\n/*\n Internal handler object created by defineApp\n * @internal\n /\nexport type AppHandler = {\n readonly __brand: \"effortless-app\";\n readonly __spec: AppConfig;\n};\n\n/\n Deploy an SSR framework application via CloudFront + Lambda Function URL.\n \n Static assets from the `assets` directory are served via S3 + CloudFront CDN.\n * Server-rendered pages are handled by a Lambda function using the framework's\n * built output from the `server` directory.\n \n For static-only sites (no SSR), use {@link defineStaticSite} instead.\n \n @param options - App configuration: server directory, assets directory, optional build command\n * @returns Handler object used by the deployment system\n \n @example Nuxt SSR\n * ```typescript\n * export const app = defineApp({\n * build: \"nuxt build\",\n * server: \".output/server\",\n * assets: \".output/public\",\n * lambda: { memory: 1024 },\n * });\n * ```\n /\nexport const defineApp = (options: AppConfig): AppHandler => ({\n __brand: \"effortless-app\",\n __spec: options,\n});\n","import type { CookieAuth } from \"./auth\";\n\n/* Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) /\ntype AnyRoutableHandler = { readonly __brand: string };\n\n/* Simplified request object passed to middleware /\nexport type MiddlewareRequest = {\n uri: string;\n method: string;\n querystring: string;\n headers: Record<string, string>;\n cookies: Record<string, string>;\n};\n\n/* Redirect the user to another URL /\nexport type MiddlewareRedirect = {\n redirect: string;\n status?: 301 \| 302 \| 307 \| 308;\n};\n\n/* Deny access with a 403 status /\nexport type MiddlewareDeny = {\n status: 403;\n body?: string;\n};\n\n/* Middleware return type: redirect, deny, or void (continue serving) /\nexport type MiddlewareResult = MiddlewareRedirect \| MiddlewareDeny \| void;\n\n/* Function that runs before serving static files via Lambda@Edge /\nexport type MiddlewareHandler = (\n request: MiddlewareRequest\n) => Promise<MiddlewareResult> \| MiddlewareResult;\n\n/* SEO options for auto-generating sitemap.xml, robots.txt, and submitting to Google Indexing API /\nexport type StaticSiteSeo = {\n /* Sitemap filename (e.g. \"sitemap.xml\", \"sitemap-v2.xml\") /\n sitemap: string;\n /* Path to Google service account JSON key file for Indexing API batch submission.\n * Requires adding the service account email as an owner in Google Search Console. /\n googleIndexing?: string;\n};\n\n/\n Configuration for a static site handler (S3 + CloudFront)\n /\nexport type StaticSiteConfig = {\n /* Handler name. Defaults to export name if not specified /\n name?: string;\n /* Directory containing the static site files, relative to project root /\n dir: string;\n /* Default file for directory requests (default: \"index.html\") /\n index?: string;\n /* SPA mode: serve index.html for all paths that don't match a file (default: false) /\n spa?: boolean;\n /* Shell command to run before deploy to generate site content (e.g., \"npx astro build\") /\n build?: string;\n /* Custom domain name. Accepts a string (same domain for all stages) or a Record mapping stage names to domains (e.g., `{ prod: \"example.com\", dev: \"dev.example.com\" }`). Requires an ACM certificate in us-east-1. If the cert also covers www, a 301 redirect from www to non-www is set up automatically. /\n domain?: string \| Record<string, string>;\n /* CloudFront route overrides: path patterns forwarded to API Gateway instead of S3.\n * Keys are CloudFront path patterns (e.g., \"/api/\"), values are HTTP handlers.\n Example: `routes: { \"/api/\": api }` /\n routes?: Record<string, AnyRoutableHandler>;\n /** Custom 404 error page path relative to `dir` (e.g. \"404.html\").\n * For non-SPA sites only. If not set, a default page is generated automatically. /\n errorPage?: string;\n /* Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. /\n middleware?: MiddlewareHandler;\n /* Cookie-based authentication. Auto-generates Lambda@Edge middleware that verifies signed cookies. /\n auth?: CookieAuth<any>;\n /* SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API /\n seo?: StaticSiteSeo;\n};\n\n/\n Internal handler object created by defineStaticSite\n * @internal\n /\nexport type StaticSiteHandler = {\n readonly __brand: \"effortless-static-site\";\n readonly __spec: StaticSiteConfig;\n};\n\n/\n Deploy a static site via S3 + CloudFront CDN.\n \n @param options - Static site configuration: directory, optional SPA mode, build command\n * @returns Handler object used by the deployment system\n \n @example Documentation site\n * ```typescript\n * export const docs = defineStaticSite({\n * dir: \"dist\",\n * build: \"npx astro build\",\n * });\n * ```\n \n @example SPA with client-side routing\n * ```typescript\n * export const app = defineStaticSite({\n * dir: \"dist\",\n * spa: true,\n * build: \"npm run build\",\n * });\n * ```\n \n @example Protected site with middleware (Lambda@Edge)\n * ```typescript\n * export const admin = defineStaticSite({\n * dir: \"admin/dist\",\n * middleware: async (request) => {\n * if (!request.cookies.session) {\n * return { redirect: \"/login\" };\n * }\n * },\n * });\n * ```\n /\nexport const defineStaticSite = (options: StaticSiteConfig): StaticSiteHandler => ({\n __brand: \"effortless-static-site\",\n __spec: options,\n});\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig, Duration } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\n\n/\n Parsed SQS FIFO message passed to the handler callbacks.\n \n @typeParam T - Type of the decoded message body (from schema function)\n /\nexport type FifoQueueMessage<T = unknown> = {\n /* Unique message identifier /\n messageId: string;\n /* Receipt handle for acknowledgement /\n receiptHandle: string;\n /* Parsed message body (JSON-decoded, then optionally schema-validated) /\n body: T;\n /* Raw unparsed message body string /\n rawBody: string;\n /* Message group ID (FIFO ordering key) /\n messageGroupId: string;\n /* Message deduplication ID /\n messageDeduplicationId?: string;\n /* SQS message attributes /\n messageAttributes: Record<string, { dataType?: string; stringValue?: string }>;\n /* Approximate first receive timestamp /\n approximateFirstReceiveTimestamp?: string;\n /* Approximate receive count /\n approximateReceiveCount?: string;\n /* Sent timestamp /\n sentTimestamp?: string;\n};\n\n/\n Configuration options for a FIFO queue handler\n /\nexport type FifoQueueConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Number of messages per Lambda invocation (1-10 for FIFO, default: 10) /\n batchSize?: number;\n /* Maximum time to gather messages before invoking (default: 0). Accepts `\"5s\"`, `\"1m\"`, etc. /\n batchWindow?: Duration;\n /* Visibility timeout (default: max of timeout or 30s). Accepts `\"30s\"`, `\"5m\"`, etc. /\n visibilityTimeout?: Duration;\n /* Message retention period (default: `\"4d\"`). Accepts `\"1h\"`, `\"7d\"`, etc. /\n retentionPeriod?: Duration;\n /* Delivery delay for all messages in the queue (default: 0). Accepts `\"30s\"`, `\"5m\"`, etc. /\n delay?: Duration;\n /* Enable content-based deduplication (default: true) /\n contentBasedDeduplication?: boolean;\n};\n\n/\n Setup factory type — always receives an args object.\n * Args include `deps` and/or `config` when declared (empty `{}` otherwise).\n /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> =\n (args:\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/\n Per-message handler function.\n * Called once per message in the batch. Failures are reported individually.\n /\nexport type FifoQueueMessageFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { message: FifoQueueMessage<T> }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Batch handler function.\n * Called once with all messages in the batch.\n /\nexport type FifoQueueBatchFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { messages: FifoQueueMessage<T>[] }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/* Base options shared by all defineFifoQueue variants /\ntype DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = FifoQueueConfig & {\n /\n Decode/validate function for the message body.\n * Called with the JSON-parsed body; should return typed data or throw on validation failure.\n /\n schema?: (input: unknown) => T;\n /\n Error handler called when onMessage or onBatch throws.\n * If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for the handler.\n * Called once on cold start, result is cached and reused across invocations.\n * When deps/params are declared, receives them as argument.\n /\n setup?: SetupFactory<C, D, P, S>;\n /\n Dependencies on other handlers (tables, queues, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ orders })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* Per-message processing /\ntype DefineFifoQueueWithOnMessage<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {\n onMessage: FifoQueueMessageFn<T, C, D, P, S>;\n onBatch?: never;\n};\n\n/* Batch processing: all messages at once /\ntype DefineFifoQueueWithOnBatch<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {\n onBatch: FifoQueueBatchFn<T, C, D, P, S>;\n onMessage?: never;\n};\n\nexport type DefineFifoQueueOptions<\n T = unknown,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineFifoQueueWithOnMessage<T, C, D, P, S>\n \| DefineFifoQueueWithOnBatch<T, C, D, P, S>;\n\n/\n Internal handler object created by defineFifoQueue\n * @internal\n /\nexport type FifoQueueHandler<T = unknown, C = any> = {\n readonly __brand: \"effortless-fifo-queue\";\n readonly __spec: FifoQueueConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onMessage?: (...args: any[]) => any;\n readonly onBatch?: (...args: any[]) => any;\n};\n\n/\n Define a FIFO SQS queue with a Lambda message handler\n \n Creates:\n * - SQS FIFO queue (with `.fifo` suffix)\n * - Lambda function triggered by the queue\n * - Event source mapping with partial batch failure support\n \n @example Per-message processing\n * ```typescript\n * type OrderEvent = { orderId: string; action: string };\n \n export const orderQueue = defineFifoQueue<OrderEvent>({\n * onMessage: async ({ message }) => {\n * console.log(\"Processing order:\", message.body.orderId);\n * }\n * });\n * ```\n \n @example Batch processing with schema\n * ```typescript\n * export const notifications = defineFifoQueue({\n * schema: (input) => NotificationSchema.parse(input),\n * batchSize: 5,\n * onBatch: async ({ messages }) => {\n * await sendAll(messages.map(m => m.body));\n * }\n * });\n * ```\n /\nexport const defineFifoQueue = <\n T = unknown,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineFifoQueueOptions<T, C, D, P, S>\n): FifoQueueHandler<T, C> => {\n const { onMessage, onBatch, onError, schema, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-fifo-queue\",\n __spec,\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onMessage ? { onMessage } : {}),\n ...(onBatch ? { onBatch } : {})\n } as FifoQueueHandler<T, C>;\n};\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles } from \"./shared\";\nimport type { BucketClient } from \"../runtime/bucket-client\";\n\n/\n Configuration options for defineBucket.\n /\nexport type BucketConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* S3 key prefix filter for event notifications (e.g., \"uploads/\") /\n prefix?: string;\n /* S3 key suffix filter for event notifications (e.g., \".jpg\") /\n suffix?: string;\n};\n\n/\n S3 event record passed to onObjectCreated/onObjectRemoved callbacks.\n /\nexport type BucketEvent = {\n /* S3 event name (e.g., \"ObjectCreated:Put\", \"ObjectRemoved:Delete\") /\n eventName: string;\n /* Object key (path within the bucket) /\n key: string;\n /* Object size in bytes (present for created events) /\n size?: number;\n /* Object ETag (present for created events) /\n eTag?: string;\n /* ISO 8601 timestamp of when the event occurred /\n eventTime?: string;\n /* S3 bucket name /\n bucketName: string;\n};\n\n/\n Callback function type for S3 ObjectCreated events\n /\nexport type BucketObjectCreatedFn<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { event: BucketEvent; bucket: BucketClient }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Callback function type for S3 ObjectRemoved events\n /\nexport type BucketObjectRemovedFn<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> =\n (args: { event: BucketEvent; bucket: BucketClient }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => Promise<void>;\n\n/\n Setup factory type for bucket handlers.\n * Always receives `bucket: BucketClient` (self-client for the handler's own bucket).\n * Also receives `deps` and/or `config` when declared.\n /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> = (args:\n & { bucket: BucketClient }\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/* Base options shared by all defineBucket variants /\ntype DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = BucketConfig & {\n /\n Error handler called when onObjectCreated or onObjectRemoved throws.\n * If not provided, defaults to `console.error`.\n /\n onError?: (error: unknown) => void;\n /\n Factory function to initialize shared state for callbacks.\n * Called once on cold start, result is cached and reused across invocations.\n * Always receives `bucket: BucketClient` (self-client). When deps/config\n * are declared, receives them as well.\n /\n setup?: SetupFactory<C, D, P, S>;\n /\n Dependencies on other handlers (tables, buckets, etc.).\n * Typed clients are injected into the handler via the `deps` argument.\n * Pass a function returning the deps object: `deps: () => ({ uploads })`.\n /\n deps?: () => D & {};\n /\n SSM Parameter Store parameters.\n * Declare with `param()` helper. Values are fetched and cached at cold start.\n /\n config?: P;\n /\n Static file glob patterns to bundle into the Lambda ZIP.\n * Files are accessible at runtime via the `files` callback argument.\n /\n static?: S;\n};\n\n/* With event handlers (at least one callback) /\ntype DefineBucketWithHandlers<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineBucketBase<C, D, P, S> & {\n onObjectCreated?: BucketObjectCreatedFn<C, D, P, S>;\n onObjectRemoved?: BucketObjectRemovedFn<C, D, P, S>;\n};\n\n/* Resource-only: no Lambda, just creates the bucket /\ntype DefineBucketResourceOnly<C = undefined, D = undefined, P = undefined, S extends string[] \| undefined = undefined> = DefineBucketBase<C, D, P, S> & {\n onObjectCreated?: never;\n onObjectRemoved?: never;\n};\n\nexport type DefineBucketOptions<\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n> =\n \| DefineBucketWithHandlers<C, D, P, S>\n \| DefineBucketResourceOnly<C, D, P, S>;\n\n/\n Internal handler object created by defineBucket\n * @internal\n /\nexport type BucketHandler<C = any> = {\n readonly __brand: \"effortless-bucket\";\n readonly __spec: BucketConfig;\n readonly onError?: (error: unknown) => void;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly onObjectCreated?: (...args: any[]) => any;\n readonly onObjectRemoved?: (...args: any[]) => any;\n};\n\n/\n Define an S3 bucket with optional event handlers.\n \n Creates an S3 bucket. When event handlers are provided, also creates a Lambda\n * function triggered by S3 event notifications.\n \n @example Bucket with event handler\n * ```typescript\n * export const uploads = defineBucket({\n * prefix: \"images/\",\n * suffix: \".jpg\",\n * onObjectCreated: async ({ event, bucket }) => {\n * const file = await bucket.get(event.key);\n * console.log(\"New upload:\", event.key, file?.body.length);\n * }\n * });\n * ```\n \n @example Resource-only bucket (no Lambda)\n * ```typescript\n * export const assets = defineBucket({});\n * ```\n \n @example As a dependency\n * ```typescript\n * export const api = defineApi({\n * basePath: \"/process\",\n * deps: { uploads },\n * post: async ({ req, deps }) => {\n * await deps.uploads.put(\"output.jpg\", buffer);\n * return { status: 200, body: \"OK\" };\n * },\n * });\n * ```\n /\nexport const defineBucket = <\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined\n>(\n options: DefineBucketOptions<C, D, P, S>\n): BucketHandler<C> => {\n const { onObjectCreated, onObjectRemoved, onError, setup, deps, config, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-bucket\",\n __spec,\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(onObjectCreated ? { onObjectCreated } : {}),\n ...(onObjectRemoved ? { onObjectRemoved } : {}),\n } as BucketHandler<C>;\n};\n","/\n Configuration options for defining a mailer (SES email identity)\n /\nexport type MailerConfig = {\n /* Domain to verify and send emails from (e.g., \"myapp.com\") /\n domain: string;\n};\n\n/\n Internal handler object created by defineMailer\n * @internal\n /\nexport type MailerHandler = {\n readonly __brand: \"effortless-mailer\";\n readonly __spec: MailerConfig;\n};\n\n/\n Define an email sender backed by Amazon SES.\n \n Creates an SES Email Identity for the specified domain and provides\n * a typed `EmailClient` to other handlers via `deps`.\n \n On first deploy, DKIM DNS records are printed to the console.\n * Add them to your DNS provider to verify the domain.\n \n @param options - Mailer configuration with the domain to send from\n * @returns Handler object used by the deployment system and as a `deps` value\n \n @example Basic mailer with HTTP handler\n * ```typescript\n * export const mailer = defineMailer({ domain: \"myapp.com\" });\n \n export const api = defineApi({\n * basePath: \"/signup\",\n * deps: { mailer },\n * post: async ({ req, deps }) => {\n * await deps.mailer.send({\n * from: \"hello@myapp.com\",\n * to: req.body.email,\n * subject: \"Welcome!\",\n * html: \"<h1>Hi!</h1>\",\n * });\n * return { status: 200, body: { ok: true } };\n * },\n * });\n * ```\n /\nexport const defineMailer = (options: MailerConfig): MailerHandler => ({\n __brand: \"effortless-mailer\",\n __spec: options,\n});\n","import type { LambdaWithPermissions, AnyParamRef, ResolveConfig } from \"./handler-options\";\nimport type { AnyDepHandler, ResolveDeps } from \"./handler-deps\";\nimport type { StaticFiles, ResponseStream } from \"./shared\";\nimport type { HttpRequest, HttpResponse } from \"./shared\";\nimport type { CookieAuth, AuthHelpers } from \"./auth\";\n\n/* Extract session type T from CookieAuth<T> /\ntype SessionOf<A> = A extends CookieAuth<infer T> ? T : undefined;\n\n/* GET route handler — no schema, no data /\nexport type ApiGetHandlerFn<\n C = undefined,\n D = undefined,\n P = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined,\n A extends CookieAuth<any> \| undefined = undefined\n> =\n (args: { req: HttpRequest }\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n & ([ST] extends [true] ? { stream: ResponseStream } : {})\n & ([A] extends [undefined] ? {} : { auth: AuthHelpers<SessionOf<A>> })\n ) => Promise<HttpResponse \| void> \| HttpResponse \| void;\n\n/* POST handler — with typed data from schema /\nexport type ApiPostHandlerFn<\n T = undefined,\n C = undefined,\n D = undefined,\n P = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined,\n A extends CookieAuth<any> \| undefined = undefined\n> =\n (args: { req: HttpRequest }\n & ([T] extends [undefined] ? {} : { data: T })\n & ([C] extends [undefined] ? {} : { ctx: C })\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n & ([ST] extends [true] ? { stream: ResponseStream } : {})\n & ([A] extends [undefined] ? {} : { auth: AuthHelpers<SessionOf<A>> })\n ) => Promise<HttpResponse \| void> \| HttpResponse \| void;\n\n/* Setup factory — receives deps/config/files when declared /\ntype SetupFactory<C, D, P, S extends string[] \| undefined = undefined> =\n (args:\n & ([D] extends [undefined] ? {} : { deps: ResolveDeps<D> })\n & ([P] extends [undefined] ? {} : { config: ResolveConfig<P & {}> })\n & ([S] extends [undefined] ? {} : { files: StaticFiles })\n ) => C \| Promise<C>;\n\n/* Static config extracted by AST (no runtime callbacks) /\nexport type ApiConfig = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Base path prefix for all routes (e.g., \"/api\") /\n basePath: string;\n /* Enable response streaming. When true, the Lambda Function URL uses RESPONSE_STREAM invoke mode. /\n stream?: boolean;\n};\n\n/\n Options for defining a CQRS-style API endpoint.\n \n - `get` routes handle queries (path-based routing, no body)\n * - `post` handles commands (single entry point, discriminated union via `schema`)\n /\nexport type DefineApiOptions<\n T = undefined,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined,\n A extends CookieAuth<any> \| undefined = undefined\n> = {\n /* Lambda function settings (memory, timeout, permissions, etc.) /\n lambda?: LambdaWithPermissions;\n /* Base path prefix for all routes (e.g., \"/api\") /\n basePath: string;\n /* Enable response streaming. When true, routes receive a `stream` arg for SSE. Routes can still return HttpResponse normally. /\n stream?: ST;\n /* Cookie-based authentication. Injects `auth` helpers (grant/revoke) into handler args. /\n auth?: A;\n /\n Factory function to initialize shared state.\n * Called once on cold start, result is cached and reused across invocations.\n /\n setup?: SetupFactory<C, D, P, S>;\n /* Dependencies on other handlers (tables, queues, etc.): `deps: () => ({ users })` /\n deps?: () => D & {};\n /* SSM Parameter Store parameters /\n config?: P;\n /* Static file glob patterns to bundle into the Lambda ZIP /\n static?: S;\n /* Error handler called when schema validation or handler throws /\n onError?: (error: unknown, req: HttpRequest) => HttpResponse;\n\n /* GET routes — query handlers keyed by relative path (e.g., \"/users/{id}\") /\n get?: Record<string, ApiGetHandlerFn<C, D, P, S, ST, A>>;\n\n /\n Schema for POST body validation. Use with discriminated unions:\n * ```typescript\n * schema: Action.parse,\n * post: async ({ data }) => { switch (data.action) { ... } }\n * ```\n /\n schema?: (input: unknown) => T;\n /* POST handler — single entry point for commands /\n post?: ApiPostHandlerFn<T, C, D, P, S, ST, A>;\n};\n\n/* Internal handler object created by defineApi /\nexport type ApiHandler<\n T = undefined,\n C = undefined,\n> = {\n readonly __brand: \"effortless-api\";\n readonly __spec: ApiConfig;\n readonly schema?: (input: unknown) => T;\n readonly onError?: (error: unknown, req: HttpRequest) => HttpResponse;\n readonly setup?: (...args: any[]) => C \| Promise<C>;\n readonly deps?: Record<string, unknown> \| (() => Record<string, unknown>);\n readonly config?: Record<string, unknown>;\n readonly static?: string[];\n readonly auth?: CookieAuth;\n readonly get?: Record<string, (...args: any[]) => any>;\n readonly post?: (...args: any[]) => any;\n};\n\n/\n Define a CQRS-style API with typed GET routes and POST commands.\n \n GET routes handle queries — path-based routing, no request body.\n * POST handles commands — single entry point with discriminated union schema.\n * Deploys as a single Lambda (fat Lambda) with one API Gateway catch-all route.\n \n @example\n * ```typescript\n * export default defineApi({\n * basePath: \"/api\",\n * deps: { users },\n \n get: {\n * \"/users\": async ({ req, deps }) => ({\n * status: 200,\n * body: await deps.users.scan()\n * }),\n * \"/users/{id}\": async ({ req, deps }) => ({\n * status: 200,\n * body: await deps.users.get(req.params.id)\n * }),\n * },\n \n schema: Action.parse,\n * post: async ({ data, deps }) => {\n * switch (data.action) {\n * case \"create\": return { status: 201, body: await deps.users.put(data) }\n * case \"delete\": return { status: 200, body: await deps.users.delete(data.id) }\n * }\n * },\n * })\n * ```\n /\nexport const defineApi = <\n T = undefined,\n C = undefined,\n D extends Record<string, AnyDepHandler> \| undefined = undefined,\n P extends Record<string, AnyParamRef> \| undefined = undefined,\n S extends string[] \| undefined = undefined,\n ST extends boolean \| undefined = undefined,\n A extends CookieAuth<any> \| undefined = undefined\n>(\n options: DefineApiOptions<T, C, D, P, S, ST, A>\n): ApiHandler<T, C> => {\n const { get, post, schema, onError, setup, deps, config, auth: authConfig, static: staticFiles, ...__spec } = options;\n return {\n __brand: \"effortless-api\",\n __spec,\n ...(get ? { get } : {}),\n ...(post ? { post } : {}),\n ...(schema ? { schema } : {}),\n ...(onError ? { onError } : {}),\n ...(setup ? { setup } : {}),\n ...(deps ? { deps } : {}),\n ...(config ? { config } : {}),\n ...(staticFiles ? { static: staticFiles } : {}),\n ...(authConfig ? { auth: authConfig } : {}),\n } as ApiHandler<T, C>;\n};\n","// Public helpers — this file must have ZERO heavy imports (no effect, no AWS SDK, no deploy code).\n// It is the source of truth for param(), unsafeAs(), and related types used by the public API.\n\n// ============ Permissions ============\n\ntype AwsService =\n \| \"dynamodb\"\n \| \"s3\"\n \| \"sqs\"\n \| \"sns\"\n \| \"ses\"\n \| \"ssm\"\n \| \"lambda\"\n \| \"events\"\n \| \"secretsmanager\"\n \| \"cognito-idp\"\n \| \"logs\";\n\nexport type Permission = `${AwsService}:${string}` \| (string & {});\n\n// ============ Duration ============\n\n/\n Human-readable duration. Accepts a plain number (seconds) or a string\n * with a unit suffix: `\"30s\"`, `\"5m\"`, `\"1h\"`, `\"2d\"`.\n \n @example\n * ```typescript\n * timeout: 30 // 30 seconds\n * timeout: \"30s\" // 30 seconds\n * timeout: \"5m\" // 300 seconds\n * timeout: \"1h\" // 3600 seconds\n * retentionPeriod: \"4d\" // 345600 seconds\n * ```\n /\nexport type Duration = number \| `${number}s` \| `${number}m` \| `${number}h` \| `${number}d`;\n\n/* Convert a Duration to seconds. /\nexport const toSeconds = (d: Duration): number => {\n if (typeof d === \"number\") return d;\n const match = d.match(/^(\\d+(?:\\.\\d+)?)(s\|m\|h\|d)$/);\n if (!match) throw new Error(`Invalid duration: \"${d}\"`);\n const n = Number(match[1]);\n const unit = match[2];\n if (unit === \"d\") return n 86400;\n if (unit === \"h\") return n * 3600;\n if (unit === \"m\") return n * 60;\n return n;\n};\n\n// ============ Lambda config ============\n\n/** Logging verbosity level for Lambda handlers /\nexport type LogLevel = \"error\" \| \"info\" \| \"debug\";\n\n/\n Common Lambda configuration shared by all handler types.\n /\nexport type LambdaConfig = {\n /* Lambda memory in MB (default: 256) /\n memory?: number;\n /* Lambda timeout (default: 30s). Accepts seconds or duration string: `\"30s\"`, `\"5m\"` /\n timeout?: Duration;\n /* Logging verbosity: \"error\" (errors only), \"info\" (+ execution summary), \"debug\" (+ input/output). Default: \"info\" /\n logLevel?: LogLevel;\n};\n\n/\n Lambda configuration with additional IAM permissions.\n * Used by handler types that support custom permissions (http, table, fifo-queue).\n /\nexport type LambdaWithPermissions = LambdaConfig & {\n /* Additional IAM permissions for the Lambda /\n permissions?: Permission[];\n};\n\n// ============ Secrets (SSM Parameters) ============\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport type AnySecretRef = SecretRef<any>;\n\n/\n Reference to an SSM Parameter Store secret.\n \n @typeParam T - The resolved type after optional transform (default: string)\n /\nexport type SecretRef<T = string> = {\n readonly __brand: \"effortless-secret\";\n readonly key?: string;\n readonly generate?: () => string;\n readonly transform?: (raw: string) => T;\n};\n\n/\n Maps a config declaration to resolved value types.\n * `SecretRef<T>` resolves to `T`.\n \n @typeParam P - Record of config keys to SecretRef instances\n /\nexport type ResolveConfig<P> = {\n [K in keyof P]: P[K] extends SecretRef<infer T> ? T : string;\n};\n\n/* Options for `secret()` without a transform. /\nexport type SecretOptions = {\n /* Custom SSM key (default: derived from config property name in kebab-case) /\n key?: string;\n /* Generator function called at deploy time if the SSM parameter doesn't exist yet /\n generate?: () => string;\n};\n\n/* Options for `secret()` with a transform. /\nexport type SecretOptionsWithTransform<T> = SecretOptions & {\n /* Transform the raw SSM string value into a typed value /\n transform: (raw: string) => T;\n};\n\n/\n Declare an SSM Parameter Store secret.\n \n The SSM key is derived from the config property name (camelCase → kebab-case)\n * unless overridden with `key`. The full SSM path is `/${project}/${stage}/${key}`.\n \n @param options - Optional configuration (key override, generator, transform)\n * @returns A SecretRef used by the deployment and runtime systems\n \n @example Simple secret\n * ```typescript\n * config: {\n * dbUrl: secret(),\n * // → SSM path: /${project}/${stage}/db-url\n * }\n * ```\n \n @example Auto-generated secret\n * ```typescript\n * config: {\n * authSecret: secret({ generate: generateHex(64) }),\n * // → auto-creates SSM param if missing\n * }\n * ```\n \n @example With transform\n * ```typescript\n * config: {\n * appConfig: secret({ transform: TOML.parse }),\n * }\n * ```\n /\nexport function secret(): SecretRef<string>;\nexport function secret(options: SecretOptions): SecretRef<string>;\nexport function secret<T>(options: SecretOptionsWithTransform<T>): SecretRef<T>;\nexport function secret<T = string>(\n options?: SecretOptions \| SecretOptionsWithTransform<T>\n): SecretRef<T> {\n return {\n __brand: \"effortless-secret\",\n ...(options?.key ? { key: options.key } : {}),\n ...(options?.generate ? { generate: options.generate } : {}),\n ...(\"transform\" in (options ?? {}) ? { transform: (options as SecretOptionsWithTransform<T>).transform } : {}),\n } as SecretRef<T>;\n}\n\n// ============ Secret generators ============\n\n/\n Returns a generator that produces a random hex string.\n * @param bytes - Number of random bytes (output will be 2x this length in hex chars)\n /\nexport const generateHex = (bytes: number) => (): string => {\n const crypto = require(\"crypto\") as typeof import(\"crypto\");\n return crypto.randomBytes(bytes).toString(\"hex\");\n};\n\n/\n Returns a generator that produces a random base64url string.\n * @param bytes - Number of random bytes\n /\nexport const generateBase64 = (bytes: number) => (): string => {\n const crypto = require(\"crypto\") as typeof import(\"crypto\");\n return crypto.randomBytes(bytes).toString(\"base64url\");\n};\n\n/\n Returns a generator that produces a random UUID v4.\n /\nexport const generateUuid = () => (): string => {\n const crypto = require(\"crypto\") as typeof import(\"crypto\");\n return crypto.randomUUID();\n};\n\n// ============ Backwards compatibility ============\n\n/* @deprecated Use `SecretRef` instead /\nexport type ParamRef<T = string> = SecretRef<T>;\n/* @deprecated Use `AnySecretRef` instead /\nexport type AnyParamRef = AnySecretRef;\n\n/\n @deprecated Use `secret()` instead. `param(\"key\")` is equivalent to `secret({ key: \"key\" })`.\n /\nexport function param(key: string): SecretRef<string>;\nexport function param<T>(key: string, transform: (raw: string) => T): SecretRef<T>;\nexport function param<T = string>(\n key: string,\n transform?: (raw: string) => T\n): SecretRef<T> {\n return {\n __brand: \"effortless-secret\",\n key,\n ...(transform ? { transform } : {}),\n } as SecretRef<T>;\n}\n\n// ============ Single-table types ============\n\n/\n DynamoDB table key (always pk + sk strings in single-table design).\n /\nexport type TableKey = { pk: string; sk: string };\n\n/\n Full DynamoDB item in the single-table design.\n \n Every item has a fixed envelope: `pk`, `sk`, `tag`, `data`, and optional `ttl`.\n * `tag` is stored as a top-level DynamoDB attribute (GSI-ready).\n * If your domain type `T` includes a `tag` field, effortless auto-copies\n * `data.tag` to the top-level `tag` on `put()`, so you don't have to pass it twice.\n \n @typeParam T - The domain data type stored in the `data` attribute\n /\nexport type TableItem<T> = {\n pk: string;\n sk: string;\n tag: string;\n data: T;\n ttl?: number;\n};\n\n/\n Input type for `TableClient.put()`.\n \n Unlike `TableItem<T>`, this does NOT include `tag` — effortless auto-extracts\n * the top-level DynamoDB `tag` attribute from your data using the configured\n * tag field (defaults to `data.tag`, configurable via `defineTable({ tag: \"type\" })`).\n \n @typeParam T - The domain data type stored in the `data` attribute\n /\nexport type PutInput<T> = {\n pk: string;\n sk: string;\n data: T;\n ttl?: number;\n};\n\n/\n Create a schema function that casts input to T without runtime validation.\n * Use when you need T inference alongside other generics (deps, config).\n * For handlers without deps/config, prefer `defineTable<Order>({...})`.\n * For untrusted input, prefer a real parser (Zod, Effect Schema).\n \n @example\n * ```typescript\n * export const orders = defineTable({\n * schema: unsafeAs<Order>(),\n * deps: () => ({ notifications }),\n * onRecord: async ({ record, deps }) => { ... }\n * });\n * ```\n /\nexport function unsafeAs<T>(): (input: unknown) => T {\n return (input: unknown) => input as T;\n}\n","import type { Duration } from \"./handler-options\";\nimport { toSeconds } from \"./handler-options\";\n\n// ============ Cookie name ============\n\nexport const AUTH_COOKIE_NAME = \"__eff_session\";\n\n// ============ Auth config ============\n\nexport type CookieAuthConfig<_T = undefined> = {\n /* Path to redirect unauthenticated users to /\n loginPath: string;\n /* Paths that don't require authentication. Supports trailing `` wildcard. /\n public?: string[];\n /** Default session lifetime (default: \"7d\"). Accepts seconds or duration string. /\n expiresIn?: Duration;\n};\n\n/\n Branded cookie auth object returned by `defineAuth()`.\n * Pass to `defineApi({ auth })` and `defineStaticSite({ auth })`.\n /\nexport type CookieAuth<T = undefined> = CookieAuthConfig<T> & {\n readonly __brand: \"effortless-cookie-auth\";\n /* @internal phantom type marker for session data /\n readonly __session?: T;\n};\n\n// ============ auth namespace ============\n\n/\n Define cookie-based authentication using HMAC-signed tokens.\n \n - Middleware (Lambda@Edge) verifies cookie signatures without external calls\n * - API handler gets `auth.grant()` / `auth.revoke()` / `auth.session` helpers\n * - Secret is auto-generated and stored in SSM Parameter Store\n \n @typeParam T - Session data type. When provided, `grant(data)` requires typed payload\n * and `auth.session` is typed as `T` in handler args.\n \n @example\n * ```typescript\n * type Session = { userId: string; role: \"admin\" \| \"user\" };\n \n const protect = defineAuth<Session>({\n * loginPath: '/login',\n * public: ['/login', '/assets/'],\n expiresIn: '7d',\n * })\n \n export const api = defineApi({ auth: protect, ... })\n * export const webapp = defineStaticSite({ auth: protect, ... })\n * ```\n /\nexport const defineAuth = <T = undefined>(options: CookieAuthConfig<T>): CookieAuth<T> => ({\n __brand: \"effortless-cookie-auth\",\n ...options,\n}) as CookieAuth<T>;\n\n// ============ Runtime helpers (API Lambda) ============\n\n/* Grant options for creating a session /\ntype GrantOptions = { expiresIn?: Duration };\n/* Grant response with Set-Cookie header /\ntype GrantResponse = { status: 200; body: { ok: true }; headers: Record<string, string> };\n\n/\n Auth helpers injected into API handler callback args when `auth` is configured.\n * @typeParam T - Session data type (undefined = no custom data)\n /\nexport type AuthHelpers<T = undefined> =\n { /* Clear the session cookie. /\n revoke(): { status: 200; body: { ok: true }; headers: Record<string, string> };\n /* The current session data (decoded from cookie). Undefined if no valid session. /\n session: T extends undefined ? undefined : T \| undefined;\n }\n & ([T] extends [undefined]\n ? { /* Create a signed session cookie. / grant(options?: GrantOptions): GrantResponse }\n : { /* Create a signed session cookie with typed data. / grant(data: T, options?: GrantOptions): GrantResponse });\n\n// ============ Cookie format ============\n// Payload: base64url(JSON.stringify({ exp, ...data }))\n// Cookie value: {payload}.{hmac-sha256(payload, secret)}\n\n/\n Auth runtime created once on cold start. Holds the HMAC key.\n * Call `forRequest(cookieValue)` per request to get typed helpers with decoded session.\n * @internal\n /\nexport type AuthRuntime = {\n forRequest(cookieValue: string \| undefined): AuthHelpers<any>;\n};\n\n/\n Create auth runtime for an API handler.\n * Called once on cold start with the HMAC secret from SSM.\n * @internal\n /\nexport const createAuthRuntime = (secret: string, defaultExpiresIn: number): AuthRuntime => {\n // Dynamic import to avoid bundling crypto in non-auth handlers\n // eslint-disable-next-line @typescript-eslint/no-require-imports\n const crypto = require(\"crypto\") as typeof import(\"crypto\");\n\n const sign = (payload: string): string =>\n crypto.createHmac(\"sha256\", secret).update(payload).digest(\"base64url\");\n\n const cookieBase = `${AUTH_COOKIE_NAME}=`;\n const cookieAttrs = \"; HttpOnly; Secure; SameSite=Lax; Path=/\";\n\n const decodeSession = (cookieValue: string \| undefined): unknown => {\n if (!cookieValue) return undefined;\n const dot = cookieValue.indexOf(\".\");\n if (dot === -1) return undefined;\n const payload = cookieValue.slice(0, dot);\n const sig = cookieValue.slice(dot + 1);\n if (sign(payload) !== sig) return undefined;\n try {\n const parsed = JSON.parse(Buffer.from(payload, \"base64url\").toString(\"utf-8\"));\n if (parsed.exp <= Math.floor(Date.now() / 1000)) return undefined;\n const { exp: _, ...data } = parsed;\n return Object.keys(data).length > 0 ? data : undefined;\n } catch { return undefined; }\n };\n\n return {\n forRequest(cookieValue) {\n return {\n grant(...args: unknown[]) {\n const hasData = args.length > 0 && (typeof args[0] === \"object\" && args[0] !== null && !(\"expiresIn\" in args[0]));\n const data = hasData ? args[0] as Record<string, unknown> : undefined;\n const options = (hasData ? args[1] : args[0]) as GrantOptions \| undefined;\n const seconds = options?.expiresIn ? toSeconds(options.expiresIn) : defaultExpiresIn;\n const exp = Math.floor(Date.now() / 1000) + seconds;\n const payload = Buffer.from(JSON.stringify({ exp, ...data }), \"utf-8\").toString(\"base64url\");\n const sig = sign(payload);\n return {\n status: 200 as const,\n body: { ok: true as const },\n headers: {\n \"set-cookie\": `${cookieBase}${payload}.${sig}${cookieAttrs}; Max-Age=${seconds}`,\n },\n };\n },\n revoke() {\n return {\n status: 200 as const,\n body: { ok: true as const },\n headers: {\n \"set-cookie\": `${cookieBase}${cookieAttrs}; Max-Age=0`,\n },\n };\n },\n session: decodeSession(cookieValue),\n } as AuthHelpers<any>;\n },\n };\n};\n","/* HTTP methods supported by Lambda Function URLs /\nexport type HttpMethod = \"GET\" \| \"POST\" \| \"PUT\" \| \"DELETE\" \| \"PATCH\" \| \"ANY\";\n\n/* Short content-type aliases for common response formats /\nexport type ContentType = \"json\" \| \"html\" \| \"text\" \| \"css\" \| \"js\" \| \"xml\" \| \"csv\" \| \"svg\";\n\n/\n Incoming HTTP request object passed to the handler\n /\nexport type HttpRequest = {\n /* HTTP method (GET, POST, etc.) /\n method: string;\n /* Request path (e.g., \"/users/123\") /\n path: string;\n /* Request headers /\n headers: Record<string, string \| undefined>;\n /* Query string parameters /\n query: Record<string, string \| undefined>;\n /* Path parameters extracted from route (e.g., {id} -> params.id) /\n params: Record<string, string \| undefined>;\n /* Parsed request body (JSON parsed if Content-Type is application/json) /\n body: unknown;\n /* Raw unparsed request body /\n rawBody?: string;\n};\n\n/\n HTTP response returned from the handler\n /\nexport type HttpResponse = {\n /* HTTP status code (e.g., 200, 404, 500) /\n status: number;\n /* Response body — JSON-serialized by default, or sent as string when contentType is set /\n body?: unknown;\n /\n Short content-type alias. Resolves to full MIME type automatically:\n * - `\"json\"` → `application/json` (default if omitted)\n * - `\"html\"` → `text/html; charset=utf-8`\n * - `\"text\"` → `text/plain; charset=utf-8`\n * - `\"css\"` → `text/css; charset=utf-8`\n * - `\"js\"` → `application/javascript; charset=utf-8`\n * - `\"xml\"` → `application/xml; charset=utf-8`\n * - `\"csv\"` → `text/csv; charset=utf-8`\n * - `\"svg\"` → `image/svg+xml; charset=utf-8`\n /\n contentType?: ContentType;\n /* Response headers (use for custom content-types not covered by contentType) /\n headers?: Record<string, string>;\n /\n Set to `true` to return binary data.\n * When enabled, `body` must be a base64-encoded string and the response\n * will include `isBase64Encoded: true` so Lambda Function URLs / API Gateway\n * decode it back to binary for the client.\n /\n binary?: boolean;\n};\n\n/* Response helpers for defineApi handlers /\nexport const result = {\n /* Return a JSON response /\n json: (body: unknown, status: number = 200): HttpResponse => ({ status, body }),\n /* Return a binary response. Accepts a Buffer and converts to base64 automatically. /\n binary: (body: Buffer, contentType: string, headers?: Record<string, string>): HttpResponse => ({\n status: 200,\n body: body.toString(\"base64\"),\n binary: true,\n headers: { \"content-type\": contentType, ...headers },\n }),\n};\n\n/* Stream helper injected into route args when `stream: true` is set on defineApi /\nexport type ResponseStream = {\n /* Write a raw string chunk to the response stream /\n write(chunk: string): void;\n /* End the response stream /\n end(): void;\n /* Switch to SSE mode: sets Content-Type to text/event-stream /\n sse(): void;\n /* Write an SSE event: `data: JSON.stringify(data)\\n\\n` /\n event(data: unknown): void;\n};\n\n/* Service for reading static files bundled into the Lambda ZIP /\nexport type StaticFiles = {\n /* Read file as UTF-8 string /\n read(path: string): string;\n /* Read file as Buffer (for binary content) /\n readBuffer(path: string): Buffer;\n /* Resolve absolute path to the bundled file */\n path(path: string): string;\n};\n"],"mappings":";;;;;;;;AAwGO,IAAM,eAAe,CAAC,WAA+C;;;ACqJrE,IAAM,cAAc,CAQzB,YACuB;AACvB,QAAM,EAAE,UAAU,iBAAiB,SAAS,SAAS,QAAQ,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AACrH,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,IAC/B,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,IAC7C,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/B;AACF;;;AC5NO,IAAM,YAAY,CAAC,aAAoC;AAAA,EAC5D,SAAS;AAAA,EACT,QAAQ;AACV;;;AC0DO,IAAM,mBAAmB,CAAC,aAAkD;AAAA,EACjF,SAAS;AAAA,EACT,QAAQ;AACV;;;ACuEO,IAAM,kBAAkB,CAO7B,YAC2B;AAC3B,QAAM,EAAE,WAAW,SAAS,SAAS,QAAQ,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AACrG,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,IACjC,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/B;AACF;;;ACzCO,IAAM,eAAe,CAM1B,YACqB;AACrB,QAAM,EAAE,iBAAiB,iBAAiB,SAAS,OAAO,MAAM,QAAQ,QAAQ,aAAa,GAAG,OAAO,IAAI;AAC3G,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,IAC7C,GAAI,kBAAkB,EAAE,gBAAgB,IAAI,CAAC;AAAA,EAC/C;AACF;;;ACjJO,IAAM,eAAe,CAAC,aAA0C;AAAA,EACrE,SAAS;AAAA,EACT,QAAQ;AACV;;;ACsHO,IAAM,YAAY,CASvB,YACqB;AACrB,QAAM,EAAE,KAAK,MAAM,QAAQ,SAAS,OAAO,MAAM,QAAQ,MAAM,YAAY,QAAQ,aAAa,GAAG,OAAO,IAAI;AAC9G,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,MAAM,EAAE,IAAI,IAAI,CAAC;AAAA,IACrB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC7B,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IACzB,GAAI,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACvB,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3B,GAAI,cAAc,EAAE,QAAQ,YAAY,IAAI,CAAC;AAAA,IAC7C,GAAI,aAAa,EAAE,MAAM,WAAW,IAAI,CAAC;AAAA,EAC3C;AACF;;;AC5JO,IAAM,YAAY,CAAC,MAAwB;AAChD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,QAAQ,EAAE,MAAM,4BAA4B;AAClD,MAAI,CAAC,MAAO,OAAM,IAAI,MAAM,sBAAsB,CAAC,GAAG;AACtD,QAAM,IAAI,OAAO,MAAM,CAAC,CAAC;AACzB,QAAM,OAAO,MAAM,CAAC;AACpB,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,MAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,SAAO;AACT;AAwGO,SAAS,OACd,SACc;AACd,SAAO;AAAA,IACL,SAAS;AAAA,IACT,GAAI,SAAS,MAAM,EAAE,KAAK,QAAQ,IAAI,IAAI,CAAC;AAAA,IAC3C,GAAI,SAAS,WAAW,EAAE,UAAU,QAAQ,SAAS,IAAI,CAAC;AAAA,IAC1D,GAAI,gBAAgB,WAAW,CAAC,KAAK,EAAE,WAAY,QAA0C,UAAU,IAAI,CAAC;AAAA,EAC9G;AACF;AAQO,IAAM,cAAc,CAAC,UAAkB,MAAc;AAC1D,QAAM,SAAS,UAAQ,QAAQ;AAC/B,SAAO,OAAO,YAAY,KAAK,EAAE,SAAS,KAAK;AACjD;AAMO,IAAM,iBAAiB,CAAC,UAAkB,MAAc;AAC7D,QAAM,SAAS,UAAQ,QAAQ;AAC/B,SAAO,OAAO,YAAY,KAAK,EAAE,SAAS,WAAW;AACvD;AAKO,IAAM,eAAe,MAAM,MAAc;AAC9C,QAAM,SAAS,UAAQ,QAAQ;AAC/B,SAAO,OAAO,WAAW;AAC3B;AAcO,SAAS,MACd,KACA,WACc;AACd,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,EACnC;AACF;AA0DO,SAAS,WAAqC;AACnD,SAAO,CAAC,UAAmB;AAC7B;;;AC1NO,IAAM,aAAa,CAAgB,aAAiD;AAAA,EACzF,SAAS;AAAA,EACT,GAAG;AACL;;;ACCO,IAAM,SAAS;AAAA;AAAA,EAEpB,MAAM,CAAC,MAAe,SAAiB,SAAuB,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE7E,QAAQ,CAAC,MAAc,aAAqB,aAAoD;AAAA,IAC9F,QAAQ;AAAA,IACR,MAAM,KAAK,SAAS,QAAQ;AAAA,IAC5B,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,aAAa,GAAG,QAAQ;AAAA,EACrD;AACF;","names":[]}

package/dist/runtime/wrap-api.js CHANGED Viewed

@@ -1,6 +1,8 @@
 import {
+  AUTH_COOKIE_NAME,
   createHandlerRuntime
-} from "../chunk-OB5R34Y7.js";
+} from "../chunk-MJMAXSVJ.js";
+import "../chunk-3RG5ZIWI.js";
 // src/runtime/wrap-api.ts
 var CONTENT_TYPE_MAP = {
@@ -98,7 +100,13 @@ var wrapApi = (handler) => {
         rawBody: event.body
       };
       const input = { method: req.method, path: req.path, query: req.query, body: req.body };
-      const sharedArgs = await rt.commonArgs();
+      const cookieHeader = req.headers["cookie"] ?? req.headers["Cookie"] ?? "";
+      let authCookie;
+      if (cookieHeader) {
+        const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${AUTH_COOKIE_NAME}=([^;]+)`));
+        if (match) authCookie = match[1];
+      }
+      const sharedArgs = await rt.commonArgs(authCookie);
       if (req.method === "GET" || req.method === "HEAD") {
         const matched = matchRoute(getMatchers, req.path);
         if (!matched) {

package/dist/runtime/wrap-bucket.js CHANGED Viewed

@@ -1,7 +1,8 @@
 import {
   createBucketClient,
   createHandlerRuntime
-} from "../chunk-OB5R34Y7.js";
+} from "../chunk-MJMAXSVJ.js";
+import "../chunk-3RG5ZIWI.js";
 // src/runtime/wrap-bucket.ts
 var ENV_DEP_SELF = "EFF_DEP_SELF";

package/dist/runtime/wrap-fifo-queue.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import {
   createHandlerRuntime
-} from "../chunk-OB5R34Y7.js";
+} from "../chunk-MJMAXSVJ.js";
+import "../chunk-3RG5ZIWI.js";
 // src/runtime/wrap-fifo-queue.ts
 var parseMessages = (rawRecords, schema) => {

package/dist/runtime/wrap-middleware.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import "../chunk-3RG5ZIWI.js";
 // src/runtime/wrap-middleware.ts
 var parseHeaders = (cfHeaders) => {
   const result = {};
@@ -30,8 +32,7 @@ var rewriteUrl = (uri) => {
 };
 var isRedirect = (result) => result != null && "redirect" in result;
 var isDeny = (result) => result != null && "status" in result && result.status === 403;
-var wrapMiddleware = (handler) => {
-  const middleware = handler.__spec.middleware;
+var wrapMiddlewareFn = (middleware) => {
   return async (event) => {
     const cfRequest = event.Records[0].cf.request;
     const request = {
@@ -78,6 +79,11 @@ var wrapMiddleware = (handler) => {
     }
   };
 };
+var wrapMiddleware = (handler) => {
+  const middleware = handler.__spec.middleware;
+  return wrapMiddlewareFn(middleware);
+};
 export {
-  wrapMiddleware
+  wrapMiddleware,
+  wrapMiddlewareFn
 };

package/dist/runtime/wrap-table-stream.js CHANGED Viewed

@@ -1,7 +1,8 @@
 import {
   createHandlerRuntime,
   createTableClient
-} from "../chunk-OB5R34Y7.js";
+} from "../chunk-MJMAXSVJ.js";
+import "../chunk-3RG5ZIWI.js";
 // src/runtime/wrap-table-stream.ts
 import { unmarshall } from "@aws-sdk/util-dynamodb";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "effortless-aws",
-  "version": "0.23.0",
+  "version": "0.24.0",
   "license": "MIT",
   "type": "module",
   "description": "Code-first AWS Lambda framework. Export handlers, deploy with one command.",