effortless-aws 0.28.0 → 0.29.0

package/dist/index.d.ts

@@ -95,6 +95,8 @@ type EffortlessConfig = {
  */
 declare const defineConfig: (config: EffortlessConfig) => EffortlessConfig;
 
+/** Generator spec for auto-creating secrets at deploy time. */
+type GenerateSpec = `hex:${number}` | `base64:${number}` | "uuid";
 type AwsService = "dynamodb" | "s3" | "sqs" | "sns" | "ses" | "ssm" | "lambda" | "events" | "secretsmanager" | "cognito-idp" | "logs";
 type Permission = `${AwsService}:${string}` | (string & {});
 /**
@@ -143,7 +145,7 @@ type AnySecretRef = SecretRef<any>;
 type SecretRef<T = string> = {
     readonly __brand: "effortless-secret";
     readonly key?: string;
-    readonly generate?: () => string;
+    readonly generate?: GenerateSpec;
     readonly transform?: (raw: string) => T;
 };
 /**
@@ -155,76 +157,46 @@ type SecretRef<T = string> = {
 type ResolveConfig<P> = {
     [K in keyof P]: P[K] extends SecretRef<infer T> ? T : string;
 };
-/** Options for `secret()` without a transform. */
-type SecretOptions = {
+/** Options for `defineSecret()` without a transform. */
+type DefineSecretOptions = {
     /** Custom SSM key (default: derived from config property name in kebab-case) */
     key?: string;
-    /** Generator function called at deploy time if the SSM parameter doesn't exist yet */
-    generate?: () => string;
+    /** Generator spec for auto-creating the secret at deploy time: `"hex:32"`, `"base64:32"`, `"uuid"` */
+    generate?: GenerateSpec;
 };
-/** Options for `secret()` with a transform. */
-type SecretOptionsWithTransform<T> = SecretOptions & {
+/** Options for `defineSecret()` with a transform. */
+type DefineSecretOptionsWithTransform<T> = DefineSecretOptions & {
     /** Transform the raw SSM string value into a typed value */
     transform: (raw: string) => T;
 };
-/**
- * Declare an SSM Parameter Store secret.
- *
- * The SSM key is derived from the config property name (camelCase → kebab-case)
- * unless overridden with `key`. The full SSM path is `/${project}/${stage}/${key}`.
- *
- * @param options - Optional configuration (key override, generator, transform)
- * @returns A SecretRef used by the deployment and runtime systems
- *
- * @example Simple secret
- * ```typescript
- * config: {
- *   dbUrl: secret(),
- *   // → SSM path: /${project}/${stage}/db-url
- * }
- * ```
- *
- * @example Auto-generated secret
- * ```typescript
- * config: {
- *   authSecret: secret({ generate: generateHex(64) }),
- *   // → auto-creates SSM param if missing
- * }
- * ```
- *
- * @example With transform
- * ```typescript
- * config: {
- *   appConfig: secret({ transform: TOML.parse }),
- * }
- * ```
- */
-declare function secret(): SecretRef<string>;
-declare function secret(options: SecretOptions): SecretRef<string>;
-declare function secret<T>(options: SecretOptionsWithTransform<T>): SecretRef<T>;
-/**
- * Returns a generator that produces a random hex string.
- * @param bytes - Number of random bytes (output will be 2x this length in hex chars)
- */
-declare const generateHex: (bytes: number) => () => string;
-/**
- * Returns a generator that produces a random base64url string.
- * @param bytes - Number of random bytes
- */
-declare const generateBase64: (bytes: number) => () => string;
-/**
- * Returns a generator that produces a random UUID v4.
- */
-declare const generateUuid: () => () => string;
+/** The defineSecret helper function type, injected into config callbacks. */
+type DefineSecretFn = {
+    (): SecretRef<string>;
+    (options: DefineSecretOptions): SecretRef<string>;
+    <T>(options: DefineSecretOptionsWithTransform<T>): SecretRef<T>;
+};
+/** Helpers injected into the `config` callback. */
+type ConfigHelpers = {
+    defineSecret: DefineSecretFn;
+};
+/** Config factory: a function receiving helpers and returning a record of SecretRefs. */
+type ConfigFactory<P> = (helpers: ConfigHelpers) => P;
+/** The `defineSecret` implementation, passed to config callbacks. */
+declare const defineSecret: DefineSecretFn;
+/** @deprecated Use `defineSecret()` inside a config callback instead. */
+declare const secret: DefineSecretFn;
 /** @deprecated Use `SecretRef` instead */
 type ParamRef<T = string> = SecretRef<T>;
 /** @deprecated Use `AnySecretRef` instead */
 type AnyParamRef = AnySecretRef;
-/**
- * @deprecated Use `secret()` instead. `param("key")` is equivalent to `secret({ key: "key" })`.
- */
-declare function param(key: string): SecretRef<string>;
-declare function param<T>(key: string, transform: (raw: string) => T): SecretRef<T>;
+/** @deprecated Use `defineSecret()` instead. */
+declare const param: <T = string>(key: string, transform?: (raw: string) => T) => SecretRef<T>;
+/** @deprecated Use `defineSecret({ generate: "hex:N" })` instead. */
+declare const generateHex: (bytes: number) => string;
+/** @deprecated Use `defineSecret({ generate: "base64:N" })` instead. */
+declare const generateBase64: (bytes: number) => string;
+/** @deprecated Use `defineSecret({ generate: "uuid" })` instead. */
+declare const generateUuid: () => string;
 /**
  * DynamoDB table key (always pk + sk strings in single-table design).
  */
@@ -387,7 +359,7 @@ type TableClient<T = Record<string, unknown>> = {
 };
 
 /** HTTP methods supported by Lambda Function URLs */
-type HttpMethod = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "ANY";
+type HttpMethod$1 = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "ANY";
 /** Short content-type aliases for common response formats */
 type ContentType = "json" | "html" | "text" | "css" | "js" | "xml" | "csv" | "svg";
 /**
@@ -493,21 +465,6 @@ type BucketClient = {
     bucketName: string;
 };
 
-/**
- * Common conditional args injected into handler callbacks.
- * Resolves ctx, deps, config, and files based on whether each generic is defined.
- * @internal
- */
-type HandlerArgs<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = ([C] extends [undefined] ? {} : {
-    ctx: C;
-}) & ([D] extends [undefined] ? {} : {
-    deps: ResolveDeps<D>;
-}) & ([P] extends [undefined] ? {} : {
-    config: ResolveConfig<P>;
-}) & ([S] extends [undefined] ? {} : {
-    files: StaticFiles;
-});
-
 /**
  * Configuration options for defineBucket.
  */
@@ -536,20 +493,20 @@ type BucketEvent = {
     /** S3 bucket name */
     bucketName: string;
 };
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$3<C> = [C] extends [undefined] ? {} : C & {};
 /**
  * Callback function type for S3 ObjectCreated events
  */
-type BucketObjectCreatedFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type BucketObjectCreatedFn<C = undefined> = (args: {
     event: BucketEvent;
-    bucket: BucketClient;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$3<C>) => Promise<void>;
 /**
  * Callback function type for S3 ObjectRemoved events
  */
-type BucketObjectRemovedFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type BucketObjectRemovedFn<C = undefined> = (args: {
     event: BucketEvent;
-    bucket: BucketClient;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$3<C>) => Promise<void>;
 /**
  * Setup factory type for bucket handlers.
  * Always receives `bucket: BucketClient` (self-client for the handler's own bucket).
@@ -572,16 +529,16 @@ type DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends str
      */
     onError?: (args: {
         error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
+    } & SpreadCtx$3<C>) => void;
     /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
+    onAfterInvoke?: (args: SpreadCtx$3<C>) => void | Promise<void>;
     /**
      * Factory function to initialize shared state for callbacks.
      * Called once on cold start, result is cached and reused across invocations.
      * Always receives `bucket: BucketClient` (self-client). When deps/config
      * are declared, receives them as well.
      */
-    setup?: SetupFactory$3<C, D, P, S>;
+    setup?: SetupFactory$3<C, NoInfer<D>, NoInfer<P>, NoInfer<S>>;
     /**
      * Dependencies on other handlers (tables, buckets, etc.).
      * Typed clients are injected into the handler via the `deps` argument.
@@ -590,9 +547,9 @@ type DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends str
     deps?: () => D & {};
     /**
      * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
+     * Declare with `defineSecret()` helper. Values are fetched and cached at cold start.
      */
-    config?: P;
+    config?: ConfigFactory<P>;
     /**
      * Static file glob patterns to bundle into the Lambda ZIP.
      * Files are accessible at runtime via the `files` callback argument.
@@ -601,15 +558,15 @@ type DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends str
 };
 /** With event handlers (at least one callback) */
 type DefineBucketWithHandlers<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineBucketBase<C, D, P, S> & {
-    onObjectCreated?: BucketObjectCreatedFn<C, D, P, S>;
-    onObjectRemoved?: BucketObjectRemovedFn<C, D, P, S>;
+    onObjectCreated?: BucketObjectCreatedFn<C>;
+    onObjectRemoved?: BucketObjectRemovedFn<C>;
 };
 /** Resource-only: no Lambda, just creates the bucket */
 type DefineBucketResourceOnly<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineBucketBase<C, D, P, S> & {
     onObjectCreated?: never;
     onObjectRemoved?: never;
 };
-type DefineBucketOptions<C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineBucketWithHandlers<C, D, P, S> | DefineBucketResourceOnly<C, D, P, S>;
+type DefineBucketOptions<C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineBucketWithHandlers<C, D, P, S> | DefineBucketResourceOnly<C, D, P, S>;
 /**
  * Internal handler object created by defineBucket
  * @internal
@@ -661,7 +618,7 @@ type BucketHandler<C = any> = {
  * });
  * ```
  */
-declare const defineBucket: <C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineBucketOptions<C, D, P, S>) => BucketHandler<C>;
+declare const defineBucket: () => <C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineBucketOptions<C, D, P, S>) => BucketHandler<C>;
 
 /**
  * Configuration options for defining a mailer (SES email identity)
@@ -709,7 +666,7 @@ type MailerHandler = {
  * });
  * ```
  */
-declare const defineMailer: (options: MailerConfig) => MailerHandler;
+declare const defineMailer: () => (options: MailerConfig) => MailerHandler;
 
 /**
  * Parsed SQS FIFO message passed to the handler callbacks.
@@ -773,20 +730,25 @@ type SetupFactory$2<C, D, P, S extends string[] | undefined = undefined> = (args
 }) & ([S] extends [undefined] ? {} : {
     files: StaticFiles;
 })) => C | Promise<C>;
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$2<C> = [C] extends [undefined] ? {} : C & {};
 /**
  * Per-message handler function.
  * Called once per message in the batch. Failures are reported individually.
  */
-type FifoQueueMessageFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type FifoQueueMessageFn<T = unknown, C = undefined> = (args: {
     message: FifoQueueMessage<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$2<C>) => Promise<void>;
 /**
  * Batch handler function.
  * Called once with all messages in the batch.
+ * Return `{ failures: string[] }` (messageIds) for partial batch failure reporting.
  */
-type FifoQueueBatchFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type FifoQueueBatchFn<T = unknown, C = undefined> = (args: {
     messages: FifoQueueMessage<T>[];
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$2<C>) => Promise<void | {
+    failures: string[];
+}>;
 /** Base options shared by all defineFifoQueue variants */
 type DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = FifoQueueConfig & {
     /**
@@ -795,20 +757,20 @@ type DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefine
      */
     schema?: (input: unknown) => T;
     /**
-     * Error handler called when onMessage or onBatch throws.
+     * Error handler called when onMessage or onMessageBatch throws.
      * If not provided, defaults to `console.error`.
      */
     onError?: (args: {
         error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
+    } & SpreadCtx$2<C>) => void;
     /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
+    onAfterInvoke?: (args: SpreadCtx$2<C>) => void | Promise<void>;
     /**
      * Factory function to initialize shared state for the handler.
      * Called once on cold start, result is cached and reused across invocations.
      * When deps/params are declared, receives them as argument.
      */
-    setup?: SetupFactory$2<C, D, P, S>;
+    setup?: SetupFactory$2<C, NoInfer<D>, NoInfer<P>, NoInfer<S>>;
     /**
      * Dependencies on other handlers (tables, queues, etc.).
      * Typed clients are injected into the handler via the `deps` argument.
@@ -817,9 +779,9 @@ type DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefine
     deps?: () => D & {};
     /**
      * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
+     * Declare with `defineSecret()` helper. Values are fetched and cached at cold start.
      */
-    config?: P;
+    config?: ConfigFactory<P>;
     /**
      * Static file glob patterns to bundle into the Lambda ZIP.
      * Files are accessible at runtime via the `files` callback argument.
@@ -828,15 +790,15 @@ type DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefine
 };
 /** Per-message processing */
 type DefineFifoQueueWithOnMessage<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {
-    onMessage: FifoQueueMessageFn<T, C, D, P, S>;
-    onBatch?: never;
+    onMessage: FifoQueueMessageFn<T, C>;
+    onMessageBatch?: never;
 };
 /** Batch processing: all messages at once */
 type DefineFifoQueueWithOnBatch<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {
-    onBatch: FifoQueueBatchFn<T, C, D, P, S>;
+    onMessageBatch: FifoQueueBatchFn<T, C>;
     onMessage?: never;
 };
-type DefineFifoQueueOptions<T = unknown, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueWithOnMessage<T, C, D, P, S> | DefineFifoQueueWithOnBatch<T, C, D, P, S>;
+type DefineFifoQueueOptions<T = unknown, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueWithOnMessage<T, C, D, P, S> | DefineFifoQueueWithOnBatch<T, C, D, P, S>;
 /**
  * Internal handler object created by defineFifoQueue
  * @internal
@@ -852,7 +814,7 @@ type FifoQueueHandler<T = unknown, C = any> = {
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
     readonly onMessage?: (...args: any[]) => any;
-    readonly onBatch?: (...args: any[]) => any;
+    readonly onMessageBatch?: (...args: any[]) => any;
 };
 /**
  * Define a FIFO SQS queue with a Lambda message handler
@@ -878,13 +840,13 @@ type FifoQueueHandler<T = unknown, C = any> = {
  * export const notifications = defineFifoQueue({
  *   schema: (input) => NotificationSchema.parse(input),
  *   batchSize: 5,
- *   onBatch: async ({ messages }) => {
+ *   onMessageBatch: async ({ messages }) => {
  *     await sendAll(messages.map(m => m.body));
  *   }
  * });
  * ```
  */
-declare const defineFifoQueue: <T = unknown, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineFifoQueueOptions<T, C, D, P, S>) => FifoQueueHandler<T, C>;
+declare const defineFifoQueue: <T = unknown>() => <C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineFifoQueueOptions<T, C, D, P, S>) => FifoQueueHandler<T, C>;
 
 /**
  * Options for sending an email via EmailClient.send()
@@ -973,18 +935,12 @@ type TableConfig = {
     batchWindow?: Duration;
     /** Where to start reading the stream (default: "LATEST") */
     startingPosition?: "LATEST" | "TRIM_HORIZON";
+    /** Number of records to process concurrently within a batch (default: 1 — sequential) */
+    concurrency?: number;
     /**
      * Name of the field in `data` that serves as the entity type discriminant.
      * Effortless auto-copies `data[tagField]` to the top-level DynamoDB `tag` attribute on `put()`.
      * Defaults to `"tag"`.
-     *
-     * @example
-     * ```typescript
-     * export const orders = defineTable<{ type: "order"; amount: number }>({
-     *   tagField: "type",
-     *   onRecord: async ({ record }) => { ... }
-     * });
-     * ```
      */
     tagField?: string;
 };
@@ -1012,20 +968,9 @@ type TableRecord<T = Record<string, unknown>> = {
     /** Approximate timestamp when the modification occurred */
     timestamp?: number;
 };
-/**
- * Information about a failed record during batch processing
- *
- * @typeParam T - Type of the domain data
- */
-type FailedRecord<T = Record<string, unknown>> = {
-    /** The record that failed to process */
-    record: TableRecord<T>;
-    /** The error that occurred */
-    error: unknown;
-};
 /**
  * Setup factory type for table handlers.
- * Always receives `table: TableClient<T>` (self-client for the handler's own table).
+ * Receives `table: TableClient<T>` (self-client for the handler's own table).
  * Also receives `deps` and/or `config` when declared.
  */
 type SetupFactory$1<C, T, D, P, S extends string[] | undefined = undefined> = (args: {
@@ -1037,28 +982,26 @@ type SetupFactory$1<C, T, D, P, S extends string[] | undefined = undefined> = (a
 }) & ([S] extends [undefined] ? {} : {
     files: StaticFiles;
 })) => C | Promise<C>;
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$1<C> = [C] extends [undefined] ? {} : C & {};
 /**
- * Callback function type for processing a single DynamoDB stream record
+ * Callback function type for processing a single DynamoDB stream record.
+ * Receives the current record and the full batch for context.
  */
-type TableRecordFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type TableRecordFn<T = Record<string, unknown>, C = undefined> = (args: {
     record: TableRecord<T>;
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<R>;
-/**
- * Callback function type for processing accumulated batch results
- */
-type TableBatchCompleteFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
-    results: R[];
-    failures: FailedRecord<T>[];
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
-/**
- * Callback function type for processing all records in a batch at once
- */
-type TableBatchFn<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
-    records: TableRecord<T>[];
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+    batch: readonly TableRecord<T>[];
+} & SpreadCtx$1<C>) => Promise<void>;
+/**
+ * Batch handler function for DynamoDB stream records.
+ * Called once with all records in the batch.
+ * Return `{ failures: string[] }` (sequence numbers) for partial batch failure reporting.
+ */
+type TableBatchFn<T = Record<string, unknown>, C = undefined> = (args: {
+    records: readonly TableRecord<T>[];
+} & SpreadCtx$1<C>) => Promise<void | {
+    failures: string[];
+}>;
 /** Base options shared by all defineTable variants */
 type DefineTableBase<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = Omit<TableConfig, "tagField"> & {
     /** Name of the field in `data` that serves as the entity type discriminant (default: `"tag"`). */
@@ -1070,58 +1013,60 @@ type DefineTableBase<T = Record<string, unknown>, C = undefined, D = undefined,
      */
     schema?: (input: unknown) => T;
     /**
-     * Error handler called when onRecord, onBatch, or onBatchComplete throws.
-     * Receives the error. If not provided, defaults to `console.error`.
+     * Error handler called when onRecord/onRecordBatch throws.
+     * If not provided, defaults to `console.error`.
      */
     onError?: (args: {
         error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
+    } & SpreadCtx$1<C>) => void;
     /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
+    onAfterInvoke?: (args: SpreadCtx$1<C>) => void | Promise<void>;
     /**
      * Factory function to initialize shared state for callbacks.
      * Called once on cold start, result is cached and reused across invocations.
-     * When deps/params are declared, receives them as argument.
-     * Supports both sync and async return values.
+     * Receives `table` (self-client), plus `deps`/`config`/`files` when declared.
      */
-    setup?: SetupFactory$1<C, T, D, P, S>;
+    setup?: SetupFactory$1<C, T, NoInfer<D>, NoInfer<P>, NoInfer<S>>;
     /**
      * Dependencies on other handlers (tables, queues, etc.).
-     * Typed clients are injected into the handler via the `deps` argument.
+     * Typed clients are injected into setup via the `deps` argument.
      * Pass a function returning the deps object: `deps: () => ({ orders })`.
      */
     deps?: () => D & {};
     /**
      * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
-     * Typed values are injected into the handler via the `config` argument.
+     * Declare with `defineSecret()` helper. Values are fetched and cached at cold start.
      */
-    config?: P;
+    config?: ConfigFactory<P>;
     /**
      * Static file glob patterns to bundle into the Lambda ZIP.
-     * Files are accessible at runtime via the `files` callback argument.
+     * Files are accessible at runtime via the `files` argument in setup.
      */
     static?: S;
 };
-/** Per-record processing: onRecord with optional onBatchComplete */
-type DefineTableWithOnRecord<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
-    onRecord: TableRecordFn<T, C, R, D, P, S>;
-    onBatchComplete?: TableBatchCompleteFn<T, C, R, D, P, S>;
-    onBatch?: never;
-};
-/** Batch processing: onBatch processes all records at once */
-type DefineTableWithOnBatch<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
-    onBatch: TableBatchFn<T, C, D, P, S>;
+/**
+ * Options for defineTable.
+ * `onRecord` and `onRecordBatch` are mutually exclusive. Both are optional (table-only mode).
+ */
+type DefineTableOptions<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & ({
+    /**
+     * Per-record stream handler. Called once per record in the batch.
+     * Runtime handles partial batch failure reporting automatically.
+     * Records are processed with configurable `concurrency` (default: 1 — sequential).
+     */
+    onRecord?: TableRecordFn<T, C>;
+    onRecordBatch?: never;
+} | {
+    /**
+     * Batch stream handler. Called once with all records in the batch.
+     * Return `{ failures: string[] }` with sequence numbers for partial batch failure.
+     */
+    onRecordBatch?: TableBatchFn<T, C>;
     onRecord?: never;
-    onBatchComplete?: never;
-};
-/** Resource-only: no handler, just creates the table */
-type DefineTableResourceOnly<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
+} | {
     onRecord?: never;
-    onBatch?: never;
-    onBatchComplete?: never;
-};
-type DefineTableOptions<T = Record<string, unknown>, C = undefined, R = void, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineTableWithOnRecord<T, C, R, D, P, S> | DefineTableWithOnBatch<T, C, D, P, S> | DefineTableResourceOnly<T, C, D, P, S>;
+    onRecordBatch?: never;
+});
 /**
  * Internal handler object created by defineTable
  * @internal
@@ -1137,8 +1082,7 @@ type TableHandler<T = Record<string, unknown>, C = any> = {
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
     readonly onRecord?: (...args: any[]) => any;
-    readonly onBatchComplete?: (...args: any[]) => any;
-    readonly onBatch?: (...args: any[]) => any;
+    readonly onRecordBatch?: (...args: any[]) => any;
 };
 /**
  * Define a DynamoDB table with optional stream handler (single-table design).
@@ -1148,25 +1092,32 @@ type TableHandler<T = Record<string, unknown>, C = any> = {
  *
  * @example Table with stream handler
  * ```typescript
- * type OrderData = { amount: number; status: string };
- *
- * export const orders = defineTable<OrderData>({
- *   streamView: "NEW_AND_OLD_IMAGES",
+ * export const orders = defineTable<OrderData>()({
  *   batchSize: 10,
- *   onRecord: async ({ record }) => {
+ *   concurrency: 5,
+ *   setup: ({ table }) => ({ table }),
+ *   onRecord: async ({ record, batch, table }) => {
  *     if (record.eventName === "INSERT") {
- *       console.log("New order:", record.new?.data.amount);
+ *       console.log("New order:", record.new?.data);
  *     }
  *   }
  * });
  * ```
  *
+ * @example Table with runtime validation
+ * ```typescript
+ * export const orders = defineTable<OrderData>()({
+ *   schema: (input) => OrderSchema.parse(input),
+ *   onRecord: async ({ record }) => { ... }
+ * });
+ * ```
+ *
  * @example Table only (no Lambda)
  * ```typescript
- * export const users = defineTable({});
+ * export const users = defineTable()({});
  * ```
  */
-declare const defineTable: <T = Record<string, unknown>, C = undefined, R = void, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineTableOptions<T, C, R, D, P, S>) => TableHandler<T, C>;
+declare const defineTable: <T = Record<string, unknown>>() => <C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined>(options: DefineTableOptions<T, C, D, P, S>) => TableHandler<T, C>;
 
 /**
  * Configuration for deploying an SSR framework (Nuxt, Astro, etc.)
@@ -1223,94 +1174,7 @@ type AppHandler = {
  * });
  * ```
  */
-declare const defineApp: (options: AppConfig) => AppHandler;
-
-type AuthConfig<_T = undefined> = {
-    /** Path to redirect unauthenticated users to (used by static sites). */
-    loginPath: string;
-    /** Paths that don't require authentication. Supports trailing `*` wildcard. */
-    public?: string[];
-    /** Default session lifetime (default: "7d"). Accepts seconds or duration string. */
-    expiresIn?: Duration;
-};
-/**
- * Branded auth object returned by `defineAuth()`.
- * Pass to `defineApi({ auth })` and `defineStaticSite({ auth })`.
- */
-type Auth<T = undefined> = AuthConfig<T> & {
-    readonly __brand: "effortless-auth";
-    /** @internal phantom type marker for session data */
-    readonly __session?: T;
-};
-/** API token authentication strategy. Verifies tokens from HTTP headers (e.g. Authorization: Bearer). */
-type ApiTokenStrategy<T, D = undefined> = {
-    /** HTTP header to read the token from. Default: "authorization" (strips "Bearer " prefix). */
-    header?: string;
-    /** Verify the token value and return session data, or null if invalid. */
-    verify: [D] extends [undefined] ? (value: string) => T | null | Promise<T | null> : (value: string, ctx: {
-        deps: D;
-    }) => T | null | Promise<T | null>;
-    /** Cache verified token results for this duration. Avoids calling verify on every request. */
-    cacheTtl?: Duration;
-};
-/**
- * Define authentication for API handlers and static sites.
- *
- * Session-based auth uses HMAC-signed cookies (auto-managed by the framework).
- *
- * - Lambda@Edge middleware verifies cookie signatures for static sites
- * - API handler gets `auth.createSession()` / `auth.clearSession()` / `auth.session` helpers
- * - HMAC secret is auto-generated and stored in SSM Parameter Store
- *
- * @typeParam T - Session data type. When provided, `createSession(data)` requires typed payload
- *   and `auth.session` is typed as `T` in handler args.
- *
- * @example
- * ```typescript
- * type Session = { userId: string; role: "admin" | "user" };
- *
- * const auth = defineAuth<Session>({
- *   loginPath: '/login',
- *   public: ['/login', '/api/login'],
- *   expiresIn: '7d',
- * })
- *
- * export const api = defineApi({ auth, ... })
- * export const webapp = defineStaticSite({ auth, ... })
- * ```
- */
-declare const defineAuth: <T = undefined>(options: AuthConfig<T>) => Auth<T>;
-/** Options for creating a session */
-type SessionOptions = {
-    expiresIn?: Duration;
-};
-/** Session response with Set-Cookie header */
-type SessionResponse = {
-    status: 200;
-    body: {
-        ok: true;
-    };
-    headers: Record<string, string>;
-};
-/**
- * Auth helpers injected into API handler callback args when `auth` is configured.
- * @typeParam T - Session data type (undefined = no custom data)
- */
-type AuthHelpers<T = undefined> = {
-    clearSession(): {
-        status: 200;
-        body: {
-            ok: true;
-        };
-        headers: Record<string, string>;
-    };
-    /** The current session data (from cookie or API token). Undefined if no valid session. */
-    session: T extends undefined ? undefined : T | undefined;
-} & ([T] extends [undefined] ? {
-    createSession(options?: SessionOptions): SessionResponse;
-} : {
-    createSession(data: T, options?: SessionOptions): SessionResponse;
-});
+declare const defineApp: () => (options: AppConfig) => AppHandler;
 
 /** Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) */
 type AnyRoutableHandler = {
@@ -1371,8 +1235,6 @@ type StaticSiteConfig = {
     errorPage?: string;
     /** Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. */
     middleware?: MiddlewareHandler;
-    /** Cookie-based authentication. Auto-generates Lambda@Edge middleware that verifies signed cookies. */
-    auth?: Auth<any>;
     /** SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API */
     seo?: StaticSiteSeo;
 };
@@ -1407,48 +1269,107 @@ type StaticSiteHandler = {
  * });
  * ```
  *
- * @example Protected site with middleware (Lambda@Edge)
- * ```typescript
- * export const admin = defineStaticSite({
- *   dir: "admin/dist",
- *   middleware: async (request) => {
- *     if (!request.cookies.session) {
- *       return { redirect: "/login" };
- *     }
- *   },
- * });
- * ```
  */
-declare const defineStaticSite: (options: StaticSiteConfig) => StaticSiteHandler;
+declare const defineStaticSite: () => (options: StaticSiteConfig) => StaticSiteHandler;
 
-/** Extract session type T from Auth<T> */
-type SessionOf<A> = A extends Auth<infer T> ? T : undefined;
-/** GET route handler — no schema, no data */
-type ApiGetHandlerFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = (args: {
-    req: HttpRequest;
-} & HandlerArgs<C, D, P, S> & ([ST] extends [true] ? {
-    stream: ResponseStream;
-} : {}) & ([A] extends [undefined] ? {} : {
-    auth: AuthHelpers<SessionOf<A>>;
-})) => Promise<HttpResponse | void> | HttpResponse | void;
-/** POST handler — with typed data from schema */
-type ApiPostHandlerFn<T = undefined, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = (args: {
+/** Options for creating a session */
+type SessionOptions = {
+    expiresIn?: Duration;
+};
+/** Session response with Set-Cookie header */
+type SessionResponse = {
+    status: 200;
+    body: {
+        ok: true;
+    };
+    headers: Record<string, string>;
+};
+/**
+ * Auth helpers injected into API handler callback args when `auth` is configured.
+ * @typeParam T - Session data type (from `AuthOptions<T>`)
+ */
+type AuthHelpers<T = unknown> = {
+    /** Create a signed session cookie with typed data. */
+    createSession(data: T, options?: SessionOptions): SessionResponse;
+    /** Clear the session cookie. */
+    clearSession(): {
+        status: 200;
+        body: {
+            ok: true;
+        };
+        headers: Record<string, string>;
+    };
+    /** The current session data (from cookie or API token). Undefined if no valid session. */
+    session: T | undefined;
+};
+
+/** Auth config options (user-facing) */
+type AuthOptions<A = unknown> = {
+    /** HMAC secret for signing session cookies. Use `secret()` or `param()` in config. */
+    secret: string;
+    /** Default session lifetime (default: "7d"). */
+    expiresIn?: Duration;
+    /** Optional API token strategy for external clients. */
+    apiToken?: {
+        /** HTTP header to read the token from. Default: "authorization" (strips "Bearer " prefix). */
+        header?: string;
+        /** Verify the token value and return session data, or null if invalid. */
+        verify: (value: string) => A | null | Promise<A | null>;
+        /** Cache verified token results for this duration. */
+        cacheTtl?: Duration;
+    };
+};
+/** Branded auth config — created by `enableAuth<A>()` helper, carries session type A */
+type ApiAuthConfig<A = unknown> = AuthOptions<A> & {
+    readonly __sessionType: A;
+};
+/** Type of the `enableAuth` helper injected into setup args */
+type EnableAuth = <A = unknown>(options: AuthOptions<A>) => ApiAuthConfig<A>;
+/** Extract session type A from ctx.auth if present */
+type ExtractAuth<C> = C extends {
+    auth: ApiAuthConfig<infer A>;
+} ? A : undefined;
+/** Property names reserved by the framework — cannot be used in setup return */
+type ReservedKeys = 'req' | 'input' | 'stream';
+type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+/** Parsed route definition stored at runtime */
+type RouteEntry = {
+    method: HttpMethod;
+    path: string;
+    onRequest: (...args: any[]) => any;
+    public?: boolean;
+};
+/** Spread ctx into route args: Omit auth config, add AuthHelpers if present */
+type SpreadCtx<C> = ([C] extends [undefined] ? {} : Omit<C & {}, 'auth'>) & ([ExtractAuth<C>] extends [undefined] ? {} : {
+    auth: AuthHelpers<ExtractAuth<C>>;
+});
+/** Callback args available inside each route — ctx is spread into args */
+type RouteArgs<C, ST> = SpreadCtx<C> & {
     req: HttpRequest;
-} & ([T] extends [undefined] ? {} : {
-    data: T;
-}) & HandlerArgs<C, D, P, S> & ([ST] extends [true] ? {
+    input: unknown;
+} & ([ST] extends [true] ? {
     stream: ResponseStream;
-} : {}) & ([A] extends [undefined] ? {} : {
-    auth: AuthHelpers<SessionOf<A>>;
-})) => Promise<HttpResponse | void> | HttpResponse | void;
-/** Setup factory — receives deps/config/files when declared */
-type SetupFactory<C, D, P, S extends string[] | undefined = undefined> = (args: ([D] extends [undefined] ? {} : {
+} : {});
+/** Route definition with typed args */
+type RouteDefinition<C, ST> = {
+    path: `${HttpMethod} /${string}`;
+    onRequest: (args: RouteArgs<C, ST>) => Promise<HttpResponse | void> | HttpResponse | void;
+    public?: boolean;
+};
+/** Validate that setup return type does not use reserved property names */
+type ValidateSetupReturn<C> = C & {
+    [K in ReservedKeys]?: never;
+};
+/** Setup factory — receives deps/config/files/enableAuth when declared */
+type SetupFactory<C, D, P, S extends string[] | undefined = undefined> = (args: {
+    enableAuth: EnableAuth;
+} & ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
 }) & ([P] extends [undefined] ? {} : {
     config: ResolveConfig<P & {}>;
 }) & ([S] extends [undefined] ? {} : {
     files: StaticFiles;
-})) => C | Promise<C>;
+})) => ValidateSetupReturn<C> | Promise<ValidateSetupReturn<C>>;
 /** Static config extracted by AST (no runtime callbacks) */
 type ApiConfig = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
@@ -1458,104 +1379,79 @@ type ApiConfig = {
     /** Enable response streaming. When true, the Lambda Function URL uses RESPONSE_STREAM invoke mode. */
     stream?: boolean;
 };
-/**
- * Options for defining a CQRS-style API endpoint.
- *
- * - `get` routes handle queries (path-based routing, no body)
- * - `post` handles commands (single entry point, discriminated union via `schema`)
- */
-type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = {
+type DefineApiOptions<C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined> = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
     lambda?: LambdaWithPermissions;
     /** Base path prefix for all routes (e.g., "/api") */
     basePath: `/${string}`;
-    /** Enable response streaming. When true, routes receive a `stream` arg for SSE. Routes can still return HttpResponse normally. */
+    /** Enable response streaming. When true, routes receive a `stream` arg for SSE. */
     stream?: ST;
-    /** Session-based authentication. Injects `auth` helpers (createSession/clearSession/session) into handler args. */
-    auth?: A;
-    /** API token authentication for external clients (Bearer tokens, API keys). Has access to deps. */
-    apiToken?: ApiTokenStrategy<SessionOf<A>, [D] extends [undefined] ? undefined : ResolveDeps<D>>;
-    /**
-     * Factory function to initialize shared state.
-     * Called once on cold start, result is cached and reused across invocations.
-     */
-    setup?: SetupFactory<C, D, P, S>;
+    /** Factory function to initialize shared state. Called once on cold start. */
+    setup?: SetupFactory<C, NoInfer<D>, NoInfer<P>, NoInfer<S>>;
     /** Dependencies on other handlers (tables, queues, etc.): `deps: () => ({ users })` */
     deps?: () => D & {};
-    /** SSM Parameter Store parameters */
-    config?: P;
+    /** SSM Parameter Store parameters. Receives `{ defineSecret }` helper. */
+    config?: ConfigFactory<P>;
     /** Static file glob patterns to bundle into the Lambda ZIP */
     static?: S;
-    /** Error handler called when schema validation or handler throws */
+    /** Error handler called when a route throws */
     onError?: (args: {
         error: unknown;
         req: HttpRequest;
-    } & HandlerArgs<C, D, P, S>) => HttpResponse;
-    /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
-    /** GET routes — query handlers keyed by relative path (e.g., "/users/{id}") */
-    get?: Record<`/${string}`, ApiGetHandlerFn<C, D, P, S, ST, A>>;
-    /**
-     * Schema for POST body validation. Use with discriminated unions:
-     * ```typescript
-     * schema: Action.parse,
-     * post: async ({ data }) => { switch (data.action) { ... } }
-     * ```
-     */
-    schema?: (input: unknown) => T;
-    /** POST handler — single entry point for commands */
-    post?: ApiPostHandlerFn<T, C, D, P, S, ST, A>;
+    } & SpreadCtx<C>) => HttpResponse;
+    /** Called after each invocation completes */
+    onAfterInvoke?: (args: SpreadCtx<C>) => void | Promise<void>;
+    /** Route definitions — plain array of route objects */
+    routes?: RouteDefinition<C, ST>[];
 };
 /** Internal handler object created by defineApi */
-type ApiHandler<T = undefined, C = undefined> = {
+type ApiHandler<C = undefined> = {
     readonly __brand: "effortless-api";
     readonly __spec: ApiConfig;
-    readonly schema?: (input: unknown) => T;
     readonly onError?: (...args: any[]) => any;
     readonly onAfterInvoke?: (...args: any[]) => any;
     readonly setup?: (...args: any[]) => C | Promise<C>;
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
-    readonly auth?: Auth;
-    readonly apiToken?: ApiTokenStrategy<any, any>;
-    readonly get?: Record<`/${string}`, (...args: any[]) => any>;
-    readonly post?: (...args: any[]) => any;
+    readonly routes?: RouteEntry[];
 };
 /**
- * Define a CQRS-style API with typed GET routes and POST commands.
+ * Define an API with typed routes.
  *
- * GET routes handle queries — path-based routing, no request body.
- * POST handles commands — single entry point with discriminated union schema.
- * Deploys as a single Lambda (fat Lambda) with one API Gateway catch-all route.
+ * Setup return is spread into route args — all properties are directly accessible.
+ * Reserved names (`req`, `input`, `stream`) cannot be used in setup return.
+ * Auth is configured via an `auth` property in setup return — runtime replaces it with `AuthHelpers`.
  *
  * @example
  * ```typescript
  * export default defineApi({
  *   basePath: "/api",
- *   deps: { users },
- *
- *   get: {
- *     "/users": async ({ req, deps }) => ({
- *       status: 200,
- *       body: await deps.users.scan()
- *     }),
- *     "/users/{id}": async ({ req, deps }) => ({
- *       status: 200,
- *       body: await deps.users.get(req.params.id)
- *     }),
- *   },
- *
- *   schema: Action.parse,
- *   post: async ({ data, deps }) => {
- *     switch (data.action) {
- *       case "create": return { status: 201, body: await deps.users.put(data) }
- *       case "delete": return { status: 200, body: await deps.users.delete(data.id) }
- *     }
- *   },
+ *   deps: () => ({ users }),
+ *   setup: ({ deps }) => ({
+ *     users: deps.users,
+ *     auth: {
+ *       schema: unsafeAs<Session>(),
+ *       apiToken: {
+ *         verify: async (value) => {
+ *           const user = await deps.users.query({ pk: value });
+ *           return user[0] ? { userId: user[0].sk } : null;
+ *         },
+ *       },
+ *     },
+ *   }),
+ *   routes: [
+ *     {
+ *       path: "GET /me",
+ *       onRequest: async ({ users, auth }) => ({
+ *         status: 200,
+ *         body: { user: await users.get(auth.session.userId) },
+ *       }),
+ *     },
+ *   ],
  * })
  * ```
  */
-declare const defineApi: <T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined>(options: DefineApiOptions<T, C, D, P, S, ST, A>) => ApiHandler<T, C>;
+declare const defineApi: () => <C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnySecretRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined>(options: DefineApiOptions<C, D, P, S, ST>) => ApiHandler<C>;
 
-export { type AnyParamRef, type AnySecretRef, type ApiConfig, type ApiHandler, type ApiTokenStrategy, type AppConfig, type AppHandler, type Auth, type AuthConfig, type AuthHelpers, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ContentType, type Duration, type EffortlessConfig, type EmailClient, type FailedRecord, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineAuth, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineStaticSite, defineTable, generateBase64, generateHex, generateUuid, param, result, secret, toSeconds, unsafeAs };
+export { type AnyParamRef, type AnySecretRef, type ApiAuthConfig, type ApiConfig, type ApiHandler, type AppConfig, type AppHandler, type AuthHelpers, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ConfigHelpers, type ContentType, type DefineSecretFn, type Duration, type EffortlessConfig, type EmailClient, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type GenerateSpec, type HttpMethod$1 as HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineSecret, defineStaticSite, defineTable, generateBase64, generateHex, generateUuid, param, result, secret, toSeconds, unsafeAs };