npm - effortless-aws - Versions diffs - 0.28.0 → 0.30.0 - Mend

effortless-aws 0.28.0 → 0.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/{chunk-EZG3NX42.js → chunk-ISJC6CHC.js} +24 -21
package/dist/index.d.ts +595 -716
package/dist/index.js +313 -129
package/dist/index.js.map +1 -1
package/dist/runtime/wrap-api.js +69 -95
package/dist/runtime/wrap-bucket.js +10 -6
package/dist/runtime/wrap-fifo-queue.js +18 -10
package/dist/runtime/wrap-table-stream.js +45 -39
package/package.json +6 -3

package/dist/index.d.ts CHANGED Viewed

@@ -95,6 +95,8 @@ type EffortlessConfig = {
  */
 declare const defineConfig: (config: EffortlessConfig) => EffortlessConfig;
+/** Generator spec for auto-creating secrets at deploy time. */
+type GenerateSpec = `hex:${number}` | `base64:${number}` | "uuid";
 type AwsService = "dynamodb" | "s3" | "sqs" | "sns" | "ses" | "ssm" | "lambda" | "events" | "secretsmanager" | "cognito-idp" | "logs";
 type Permission = `${AwsService}:${string}` | (string & {});
 /**
@@ -143,7 +145,7 @@ type AnySecretRef = SecretRef<any>;
 type SecretRef<T = string> = {
     readonly __brand: "effortless-secret";
     readonly key?: string;
-    readonly generate?: () => string;
+    readonly generate?: GenerateSpec;
     readonly transform?: (raw: string) => T;
 };
 /**
@@ -155,76 +157,46 @@ type SecretRef<T = string> = {
 type ResolveConfig<P> = {
     [K in keyof P]: P[K] extends SecretRef<infer T> ? T : string;
 };
-/** Options for `secret()` without a transform. */
-type SecretOptions = {
+/** Options for `defineSecret()` without a transform. */
+type DefineSecretOptions = {
     /** Custom SSM key (default: derived from config property name in kebab-case) */
     key?: string;
-    /** Generator function called at deploy time if the SSM parameter doesn't exist yet */
-    generate?: () => string;
+    /** Generator spec for auto-creating the secret at deploy time: `"hex:32"`, `"base64:32"`, `"uuid"` */
+    generate?: GenerateSpec;
 };
-/** Options for `secret()` with a transform. */
-type SecretOptionsWithTransform<T> = SecretOptions & {
+/** Options for `defineSecret()` with a transform. */
+type DefineSecretOptionsWithTransform<T> = DefineSecretOptions & {
     /** Transform the raw SSM string value into a typed value */
     transform: (raw: string) => T;
 };
-/**
- * Declare an SSM Parameter Store secret.
- *
- * The SSM key is derived from the config property name (camelCase → kebab-case)
- * unless overridden with `key`. The full SSM path is `/${project}/${stage}/${key}`.
- *
- * @param options - Optional configuration (key override, generator, transform)
- * @returns A SecretRef used by the deployment and runtime systems
- *
- * @example Simple secret
- * ```typescript
- * config: {
- *   dbUrl: secret(),
- *   // → SSM path: /${project}/${stage}/db-url
- * }
- * ```
- *
- * @example Auto-generated secret
- * ```typescript
- * config: {
- *   authSecret: secret({ generate: generateHex(64) }),
- *   // → auto-creates SSM param if missing
- * }
- * ```
- *
- * @example With transform
- * ```typescript
- * config: {
- *   appConfig: secret({ transform: TOML.parse }),
- * }
- * ```
- */
-declare function secret(): SecretRef<string>;
-declare function secret(options: SecretOptions): SecretRef<string>;
-declare function secret<T>(options: SecretOptionsWithTransform<T>): SecretRef<T>;
-/**
- * Returns a generator that produces a random hex string.
- * @param bytes - Number of random bytes (output will be 2x this length in hex chars)
- */
-declare const generateHex: (bytes: number) => () => string;
-/**
- * Returns a generator that produces a random base64url string.
- * @param bytes - Number of random bytes
- */
-declare const generateBase64: (bytes: number) => () => string;
-/**
- * Returns a generator that produces a random UUID v4.
- */
-declare const generateUuid: () => () => string;
+/** The defineSecret helper function type, injected into config callbacks. */
+type DefineSecretFn = {
+    (): SecretRef<string>;
+    (options: DefineSecretOptions): SecretRef<string>;
+    <T>(options: DefineSecretOptionsWithTransform<T>): SecretRef<T>;
+};
+/** Helpers injected into the `config` callback. */
+type ConfigHelpers = {
+    defineSecret: DefineSecretFn;
+};
+/** Config factory: a function receiving helpers and returning a record of SecretRefs. */
+type ConfigFactory<P> = (helpers: ConfigHelpers) => P;
+/** The `defineSecret` implementation, passed to config callbacks. */
+declare const defineSecret: DefineSecretFn;
+/** @deprecated Use `defineSecret()` inside a config callback instead. */
+declare const secret: DefineSecretFn;
 /** @deprecated Use `SecretRef` instead */
 type ParamRef<T = string> = SecretRef<T>;
 /** @deprecated Use `AnySecretRef` instead */
 type AnyParamRef = AnySecretRef;
-/**
- * @deprecated Use `secret()` instead. `param("key")` is equivalent to `secret({ key: "key" })`.
- */
-declare function param(key: string): SecretRef<string>;
-declare function param<T>(key: string, transform: (raw: string) => T): SecretRef<T>;
+/** @deprecated Use `defineSecret()` instead. */
+declare const param: <T = string>(key: string, transform?: (raw: string) => T) => SecretRef<T>;
+/** @deprecated Use `defineSecret({ generate: "hex:N" })` instead. */
+declare const generateHex: (bytes: number) => string;
+/** @deprecated Use `defineSecret({ generate: "base64:N" })` instead. */
+declare const generateBase64: (bytes: number) => string;
+/** @deprecated Use `defineSecret({ generate: "uuid" })` instead. */
+declare const generateUuid: () => string;
 /**
  * DynamoDB table key (always pk + sk strings in single-table design).
  */
@@ -281,113 +253,8 @@ type PutInput<T> = {
  */
 declare function unsafeAs<T>(): (input: unknown) => T;
-/**
- * Sort key condition for TableClient.query()
- */
-type SkCondition = string | {
-    begins_with: string;
-} | {
-    gt: string;
-} | {
-    gte: string;
-} | {
-    lt: string;
-} | {
-    lte: string;
-} | {
-    between: [string, string];
-};
-/**
- * Query parameters for TableClient.query()
- */
-type QueryParams = {
-    /** Partition key value */
-    pk: string;
-    /** Optional sort key condition */
-    sk?: SkCondition;
-    /** Maximum number of items to return */
-    limit?: number;
-    /** Sort order (true = ascending, false = descending) */
-    scanIndexForward?: boolean;
-};
-/**
- * Query parameters for TableClient.queryByTag() — cross-partition query via GSI.
- * Uses the built-in `tag-pk-index` GSI (tag as partition key, pk as sort key).
- */
-type QueryByTagParams = {
-    /** Tag value (GSI partition key) — the entity type discriminant */
-    tag: string;
-    /** Optional pk condition (GSI sort key) */
-    pk?: SkCondition;
-    /** Maximum number of items to return */
-    limit?: number;
-    /** Sort order (true = ascending, false = descending) */
-    scanIndexForward?: boolean;
-};
-/** Extract keys of T whose values are arrays */
-type ArrayKeys<T> = {
-    [K in keyof T]: T[K] extends unknown[] ? K : never;
-}[keyof T];
-/** Extract keys of T whose values are numbers */
-type NumberKeys<T> = {
-    [K in keyof T]: T[K] extends number ? K : never;
-}[keyof T];
-/**
- * Update actions for TableClient.update()
- *
- * `set`, `append`, and `remove` target fields inside the `data` attribute.
- * Effortless auto-prefixes `data.` in the DynamoDB expression.
- *
- * @typeParam T - Type of the domain data (the `data` attribute)
- */
-type UpdateActions<T> = {
-    /** Set domain data fields (inside `data` attribute) */
-    set?: Partial<T>;
-    /** Atomically increment/decrement numeric fields inside `data` (use negative values to decrement) */
-    increment?: Pick<Partial<T>, NumberKeys<T>>;
-    /** Append elements to list fields inside `data` (creates the list if it doesn't exist) */
-    append?: Pick<Partial<T>, ArrayKeys<T>>;
-    /** Remove fields from `data` */
-    remove?: (keyof T)[];
-    /** Update the top-level `tag` attribute */
-    tag?: string;
-    /** Update TTL (set number or null to remove) */
-    ttl?: number | null;
-};
-/**
- * Typed DynamoDB table client for single-table design.
- *
- * All items follow the `{ pk, sk, tag, data, ttl? }` structure.
- * `T` is the domain data type stored in the `data` attribute.
- *
- * @typeParam T - Type of the domain data
- */
-/**
- * Options for `put()` operation.
- */
-type PutOptions = {
-    /** When true, the put fails if an item with the same pk+sk already exists. */
-    ifNotExists?: boolean;
-};
-type TableClient<T = Record<string, unknown>> = {
-    /** Put an item. Tag is auto-extracted from `data[tagField]`. Use `ifNotExists` to prevent overwrites. */
-    put(item: PutInput<T>, options?: PutOptions): Promise<void>;
-    /** Get an item by pk + sk */
-    get(key: TableKey): Promise<TableItem<T> | undefined>;
-    /** Delete an item by pk + sk */
-    delete(key: TableKey): Promise<void>;
-    /** Update domain data fields without reading the full item */
-    update(key: TableKey, actions: UpdateActions<T>): Promise<void>;
-    /** Query by partition key with optional sort key condition */
-    query(params: QueryParams): Promise<TableItem<T>[]>;
-    /** Query by tag across all partitions via GSI (tag-pk-index). */
-    queryByTag(params: QueryByTagParams): Promise<TableItem<T>[]>;
-    /** The underlying DynamoDB table name */
-    tableName: string;
-};
 /** HTTP methods supported by Lambda Function URLs */
-type HttpMethod = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "ANY";
+type HttpMethod$1 = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "ANY";
 /** Short content-type aliases for common response formats */
 type ContentType = "json" | "html" | "text" | "css" | "js" | "xml" | "csv" | "svg";
 /**
@@ -439,13 +306,6 @@ type HttpResponse = {
      */
     binary?: boolean;
 };
-/** Response helpers for defineApi handlers */
-declare const result: {
-    /** Return a JSON response */
-    json: (body: unknown, status?: number) => HttpResponse;
-    /** Return a binary response. Accepts a Buffer and converts to base64 automatically. */
-    binary: (body: Buffer, contentType: string, headers?: Record<string, string>) => HttpResponse;
-};
 /** Stream helper injected into route args when `stream: true` is set on defineApi */
 type ResponseStream = {
     /** Write a raw string chunk to the response stream */
@@ -493,27 +353,17 @@ type BucketClient = {
     bucketName: string;
 };
-/**
- * Common conditional args injected into handler callbacks.
- * Resolves ctx, deps, config, and files based on whether each generic is defined.
- * @internal
- */
-type HandlerArgs<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = ([C] extends [undefined] ? {} : {
-    ctx: C;
-}) & ([D] extends [undefined] ? {} : {
-    deps: ResolveDeps<D>;
-}) & ([P] extends [undefined] ? {} : {
-    config: ResolveConfig<P>;
-}) & ([S] extends [undefined] ? {} : {
-    files: StaticFiles;
-});
 /**
  * Configuration options for defineBucket.
  */
 type BucketConfig = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
-    lambda?: LambdaWithPermissions;
+    lambda?: {
+        memory?: number;
+        timeout?: Duration;
+        logLevel?: LogLevel;
+        permissions?: Permission[];
+    };
     /** S3 key prefix filter for event notifications (e.g., "uploads/") */
     prefix?: string;
     /** S3 key suffix filter for event notifications (e.g., ".jpg") */
@@ -536,80 +386,30 @@ type BucketEvent = {
     /** S3 bucket name */
     bucketName: string;
 };
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$3<C> = [C] extends [undefined] ? {} : C & {};
+/** Setup factory — receives bucket/deps/config/files based on what was declared */
+type SetupArgs$3<D, P, HasFiles extends boolean> = {
+    bucket: BucketClient;
+} & ([D] extends [undefined] ? {} : {
+    deps: ResolveDeps<D>;
+}) & ([P] extends [undefined] ? {} : {
+    config: ResolveConfig<P & {}>;
+}) & (HasFiles extends true ? {
+    files: StaticFiles;
+} : {});
 /**
  * Callback function type for S3 ObjectCreated events
  */
-type BucketObjectCreatedFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type BucketObjectCreatedFn<C = undefined> = (args: {
     event: BucketEvent;
-    bucket: BucketClient;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$3<C>) => Promise<void>;
 /**
  * Callback function type for S3 ObjectRemoved events
  */
-type BucketObjectRemovedFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type BucketObjectRemovedFn<C = undefined> = (args: {
     event: BucketEvent;
-    bucket: BucketClient;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
-/**
- * Setup factory type for bucket handlers.
- * Always receives `bucket: BucketClient` (self-client for the handler's own bucket).
- * Also receives `deps` and/or `config` when declared.
- */
-type SetupFactory$3<C, D, P, S extends string[] | undefined = undefined> = (args: {
-    bucket: BucketClient;
-} & ([D] extends [undefined] ? {} : {
-    deps: ResolveDeps<D>;
-}) & ([P] extends [undefined] ? {} : {
-    config: ResolveConfig<P & {}>;
-}) & ([S] extends [undefined] ? {} : {
-    files: StaticFiles;
-})) => C | Promise<C>;
-/** Base options shared by all defineBucket variants */
-type DefineBucketBase<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = BucketConfig & {
-    /**
-     * Error handler called when onObjectCreated or onObjectRemoved throws.
-     * If not provided, defaults to `console.error`.
-     */
-    onError?: (args: {
-        error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
-    /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
-    /**
-     * Factory function to initialize shared state for callbacks.
-     * Called once on cold start, result is cached and reused across invocations.
-     * Always receives `bucket: BucketClient` (self-client). When deps/config
-     * are declared, receives them as well.
-     */
-    setup?: SetupFactory$3<C, D, P, S>;
-    /**
-     * Dependencies on other handlers (tables, buckets, etc.).
-     * Typed clients are injected into the handler via the `deps` argument.
-     * Pass a function returning the deps object: `deps: () => ({ uploads })`.
-     */
-    deps?: () => D & {};
-    /**
-     * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
-     */
-    config?: P;
-    /**
-     * Static file glob patterns to bundle into the Lambda ZIP.
-     * Files are accessible at runtime via the `files` callback argument.
-     */
-    static?: S;
-};
-/** With event handlers (at least one callback) */
-type DefineBucketWithHandlers<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineBucketBase<C, D, P, S> & {
-    onObjectCreated?: BucketObjectCreatedFn<C, D, P, S>;
-    onObjectRemoved?: BucketObjectRemovedFn<C, D, P, S>;
-};
-/** Resource-only: no Lambda, just creates the bucket */
-type DefineBucketResourceOnly<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineBucketBase<C, D, P, S> & {
-    onObjectCreated?: never;
-    onObjectRemoved?: never;
-};
-type DefineBucketOptions<C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineBucketWithHandlers<C, D, P, S> | DefineBucketResourceOnly<C, D, P, S>;
+} & SpreadCtx$3<C>) => Promise<void>;
 /**
  * Internal handler object created by defineBucket
  * @internal
@@ -618,7 +418,7 @@ type BucketHandler<C = any> = {
     readonly __brand: "effortless-bucket";
     readonly __spec: BucketConfig;
     readonly onError?: (...args: any[]) => any;
-    readonly onAfterInvoke?: (...args: any[]) => any;
+    readonly onCleanup?: (...args: any[]) => any;
     readonly setup?: (...args: any[]) => C | Promise<C>;
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
@@ -626,42 +426,65 @@ type BucketHandler<C = any> = {
     readonly onObjectCreated?: (...args: any[]) => any;
     readonly onObjectRemoved?: (...args: any[]) => any;
 };
+/** Options passed to `defineBucket()` — static config */
+type BucketOptions = {
+    /** Lambda memory in MB (default: 256) */
+    memory?: number;
+    /** Lambda timeout (default: 30s) */
+    timeout?: Duration;
+    /** Additional IAM permissions for the Lambda */
+    permissions?: Permission[];
+    /** Logging verbosity */
+    logLevel?: LogLevel;
+    /** S3 key prefix filter for event notifications (e.g., "uploads/") */
+    prefix?: string;
+    /** S3 key suffix filter for event notifications (e.g., ".jpg") */
+    suffix?: string;
+    /** Static file glob patterns to bundle into the Lambda ZIP */
+    static?: string[];
+};
+interface BucketBuilder<D = undefined, P = undefined, C = undefined, HasFiles extends boolean = false> {
+    /** Declare handler dependencies */
+    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): BucketBuilder<D2, P, C, HasFiles>;
+    /** Declare SSM secrets */
+    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): BucketBuilder<D, P2, C, HasFiles>;
+    /** Initialize shared state on cold start. Receives bucket (self-client), deps, config, files. */
+    setup<C2>(fn: (args: SetupArgs$3<D, P, HasFiles>) => C2 | Promise<C2>): BucketBuilder<D, P, C2, HasFiles>;
+    /** Handle errors thrown by callbacks */
+    onError(fn: (args: {
+        error: unknown;
+    } & SpreadCtx$3<C>) => void): BucketBuilder<D, P, C, HasFiles>;
+    /** Cleanup callback — runs after each invocation, before Lambda freezes */
+    onCleanup(fn: (args: SpreadCtx$3<C>) => void | Promise<void>): BucketBuilder<D, P, C, HasFiles>;
+    /** Handle S3 ObjectCreated events (terminal — returns finalized handler) */
+    onObjectCreated(fn: BucketObjectCreatedFn<C>): BucketHandler<C>;
+    /** Handle S3 ObjectRemoved events (terminal — returns finalized handler) */
+    onObjectRemoved(fn: BucketObjectRemovedFn<C>): BucketHandler<C>;
+    /** Finalize as resource-only bucket (no Lambda) */
+    build(): BucketHandler<C>;
+}
 /**
  * Define an S3 bucket with optional event handlers.
  *
- * Creates an S3 bucket. When event handlers are provided, also creates a Lambda
- * function triggered by S3 event notifications.
- *
  * @example Bucket with event handler
  * ```typescript
- * export const uploads = defineBucket({
- *   prefix: "images/",
- *   suffix: ".jpg",
- *   onObjectCreated: async ({ event, bucket }) => {
- *     const file = await bucket.get(event.key);
- *     console.log("New upload:", event.key, file?.body.length);
- *   }
- * });
- * ```
+ * export const uploads = defineBucket({ prefix: "images/", suffix: ".jpg" })
+ *   .onObjectCreated(async ({ event, bucket }) => {
+ *     console.log("New upload:", event.key);
+ *   })
  *
- * @example Resource-only bucket (no Lambda)
- * ```typescript
- * export const assets = defineBucket({});
  * ```
  *
- * @example As a dependency
+ * @example Resource-only bucket (no Lambda)
  * ```typescript
- * export const api = defineApi({
- *   basePath: "/process",
- *   deps: { uploads },
- *   post: async ({ req, deps }) => {
- *     await deps.uploads.put("output.jpg", buffer);
- *     return { status: 200, body: "OK" };
- *   },
- * });
+ * export const assets = defineBucket().build()
  * ```
  */
-declare const defineBucket: <C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineBucketOptions<C, D, P, S>) => BucketHandler<C>;
+declare function defineBucket(): BucketBuilder;
+declare function defineBucket(options: BucketOptions & {
+    static: string[];
+}): BucketBuilder<undefined, undefined, undefined, true>;
+declare function defineBucket(options: BucketOptions): BucketBuilder;
 /**
  * Configuration options for defining a mailer (SES email identity)
@@ -709,7 +532,7 @@ type MailerHandler = {
  * });
  * ```
  */
-declare const defineMailer: (options: MailerConfig) => MailerHandler;
+declare const defineMailer: () => (options: MailerConfig) => MailerHandler;
 /**
  * Parsed SQS FIFO message passed to the handler callbacks.
@@ -746,7 +569,12 @@ type FifoQueueMessage<T = unknown> = {
  */
 type FifoQueueConfig = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
-    lambda?: LambdaWithPermissions;
+    lambda?: {
+        memory?: number;
+        timeout?: Duration;
+        logLevel?: LogLevel;
+        permissions?: Permission[];
+    };
     /** Number of messages per Lambda invocation (1-10 for FIFO, default: 10) */
     batchSize?: number;
     /** Maximum time to gather messages before invoking (default: 0). Accepts `"5s"`, `"1m"`, etc. */
@@ -762,81 +590,33 @@ type FifoQueueConfig = {
     /** Max number of receives before a message is sent to the dead-letter queue (default: 3) */
     maxReceiveCount?: number;
 };
-/**
- * Setup factory type — always receives an args object.
- * Args include `deps` and/or `config` when declared (empty `{}` otherwise).
- */
-type SetupFactory$2<C, D, P, S extends string[] | undefined = undefined> = (args: ([D] extends [undefined] ? {} : {
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$2<C> = [C] extends [undefined] ? {} : C & {};
+/** Setup factory — receives deps/config/files based on what was declared */
+type SetupArgs$2<D, P, HasFiles extends boolean> = ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
 }) & ([P] extends [undefined] ? {} : {
     config: ResolveConfig<P & {}>;
-}) & ([S] extends [undefined] ? {} : {
+}) & (HasFiles extends true ? {
     files: StaticFiles;
-})) => C | Promise<C>;
+} : {});
 /**
  * Per-message handler function.
  * Called once per message in the batch. Failures are reported individually.
  */
-type FifoQueueMessageFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type FifoQueueMessageFn<T = unknown, C = undefined> = (args: {
     message: FifoQueueMessage<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
+} & SpreadCtx$2<C>) => Promise<void>;
 /**
  * Batch handler function.
  * Called once with all messages in the batch.
+ * Return `{ failures: string[] }` (messageIds) for partial batch failure reporting.
  */
-type FifoQueueBatchFn<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type FifoQueueBatchFn<T = unknown, C = undefined> = (args: {
     messages: FifoQueueMessage<T>[];
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
-/** Base options shared by all defineFifoQueue variants */
-type DefineFifoQueueBase<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = FifoQueueConfig & {
-    /**
-     * Decode/validate function for the message body.
-     * Called with the JSON-parsed body; should return typed data or throw on validation failure.
-     */
-    schema?: (input: unknown) => T;
-    /**
-     * Error handler called when onMessage or onBatch throws.
-     * If not provided, defaults to `console.error`.
-     */
-    onError?: (args: {
-        error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
-    /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
-    /**
-     * Factory function to initialize shared state for the handler.
-     * Called once on cold start, result is cached and reused across invocations.
-     * When deps/params are declared, receives them as argument.
-     */
-    setup?: SetupFactory$2<C, D, P, S>;
-    /**
-     * Dependencies on other handlers (tables, queues, etc.).
-     * Typed clients are injected into the handler via the `deps` argument.
-     * Pass a function returning the deps object: `deps: () => ({ orders })`.
-     */
-    deps?: () => D & {};
-    /**
-     * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
-     */
-    config?: P;
-    /**
-     * Static file glob patterns to bundle into the Lambda ZIP.
-     * Files are accessible at runtime via the `files` callback argument.
-     */
-    static?: S;
-};
-/** Per-message processing */
-type DefineFifoQueueWithOnMessage<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {
-    onMessage: FifoQueueMessageFn<T, C, D, P, S>;
-    onBatch?: never;
-};
-/** Batch processing: all messages at once */
-type DefineFifoQueueWithOnBatch<T = unknown, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueBase<T, C, D, P, S> & {
-    onBatch: FifoQueueBatchFn<T, C, D, P, S>;
-    onMessage?: never;
-};
-type DefineFifoQueueOptions<T = unknown, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineFifoQueueWithOnMessage<T, C, D, P, S> | DefineFifoQueueWithOnBatch<T, C, D, P, S>;
+} & SpreadCtx$2<C>) => Promise<void | {
+    failures: string[];
+}>;
 /**
  * Internal handler object created by defineFifoQueue
  * @internal
@@ -846,64 +626,211 @@ type FifoQueueHandler<T = unknown, C = any> = {
     readonly __spec: FifoQueueConfig;
     readonly schema?: (input: unknown) => T;
     readonly onError?: (...args: any[]) => any;
-    readonly onAfterInvoke?: (...args: any[]) => any;
+    readonly onCleanup?: (...args: any[]) => any;
     readonly setup?: (...args: any[]) => C | Promise<C>;
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
     readonly onMessage?: (...args: any[]) => any;
-    readonly onBatch?: (...args: any[]) => any;
+    readonly onMessageBatch?: (...args: any[]) => any;
 };
+/** Options passed to `defineFifoQueue()` — static config */
+type FifoQueueOptions<T> = {
+    /** Lambda memory in MB (default: 256) */
+    memory?: number;
+    /** Lambda timeout (default: 30s) */
+    timeout?: Duration;
+    /** Additional IAM permissions for the Lambda */
+    permissions?: Permission[];
+    /** Logging verbosity */
+    logLevel?: LogLevel;
+    /** Number of messages per Lambda invocation (1-10 for FIFO, default: 10) */
+    batchSize?: number;
+    /** Maximum time to gather messages before invoking (default: 0) */
+    batchWindow?: Duration;
+    /** Visibility timeout (default: max of timeout or 30s) */
+    visibilityTimeout?: Duration;
+    /** Message retention period (default: "4d") */
+    retentionPeriod?: Duration;
+    /** Delivery delay for all messages in the queue (default: 0) */
+    delay?: Duration;
+    /** Enable content-based deduplication (default: true) */
+    contentBasedDeduplication?: boolean;
+    /** Max number of receives before DLQ (default: 3) */
+    maxReceiveCount?: number;
+    /** Decode/validate function for the message body */
+    schema?: (input: unknown) => T;
+    /** Static file glob patterns to bundle into the Lambda ZIP */
+    static?: string[];
+};
+interface FifoQueueBuilder<T = unknown, D = undefined, P = undefined, C = undefined, HasFiles extends boolean = false> {
+    /** Declare handler dependencies */
+    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): FifoQueueBuilder<T, D2, P, C, HasFiles>;
+    /** Declare SSM secrets */
+    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): FifoQueueBuilder<T, D, P2, C, HasFiles>;
+    /** Initialize shared state on cold start. Receives deps, config, files. */
+    setup<C2>(fn: (args: SetupArgs$2<D, P, HasFiles>) => C2 | Promise<C2>): FifoQueueBuilder<T, D, P, C2, HasFiles>;
+    /** Handle errors thrown by message handlers */
+    onError(fn: (args: {
+        error: unknown;
+    } & SpreadCtx$2<C>) => void): FifoQueueBuilder<T, D, P, C, HasFiles>;
+    /** Cleanup callback — runs after each invocation, before Lambda freezes */
+    onCleanup(fn: (args: SpreadCtx$2<C>) => void | Promise<void>): FifoQueueBuilder<T, D, P, C, HasFiles>;
+    /** Per-message handler (terminal — returns finalized handler) */
+    onMessage(fn: FifoQueueMessageFn<T, C>): FifoQueueHandler<T, C>;
+    /** Batch handler (terminal — returns finalized handler) */
+    onMessageBatch(fn: FifoQueueBatchFn<T, C>): FifoQueueHandler<T, C>;
+}
 /**
- * Define a FIFO SQS queue with a Lambda message handler
- *
- * Creates:
- * - SQS FIFO queue (with `.fifo` suffix)
- * - Lambda function triggered by the queue
- * - Event source mapping with partial batch failure support
+ * Define a FIFO SQS queue with a Lambda message handler.
  *
  * @example Per-message processing
  * ```typescript
- * type OrderEvent = { orderId: string; action: string };
- *
- * export const orderQueue = defineFifoQueue<OrderEvent>({
- *   onMessage: async ({ message }) => {
+ * export const orderQueue = defineFifoQueue<OrderEvent>()
+ *   .onMessage(async ({ message }) => {
  *     console.log("Processing order:", message.body.orderId);
- *   }
- * });
+ *   })
+ *
  * ```
  *
  * @example Batch processing with schema
  * ```typescript
- * export const notifications = defineFifoQueue({
- *   schema: (input) => NotificationSchema.parse(input),
- *   batchSize: 5,
- *   onBatch: async ({ messages }) => {
+ * export const notifications = defineFifoQueue({ batchSize: 5, schema: (i) => NotifSchema.parse(i) })
+ *   .onMessageBatch(async ({ messages }) => {
  *     await sendAll(messages.map(m => m.body));
- *   }
- * });
+ *   })
+ *
  * ```
  */
-declare const defineFifoQueue: <T = unknown, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineFifoQueueOptions<T, C, D, P, S>) => FifoQueueHandler<T, C>;
+declare function defineFifoQueue<T = unknown>(): FifoQueueBuilder<T>;
+declare function defineFifoQueue<T = unknown>(options: FifoQueueOptions<T> & {
+    static: string[];
+}): FifoQueueBuilder<T, undefined, undefined, undefined, true>;
+declare function defineFifoQueue<T = unknown>(options: FifoQueueOptions<T>): FifoQueueBuilder<T>;
 /**
- * Options for sending an email via EmailClient.send()
+ * Sort key condition for TableClient.query()
  */
-type SendEmailBase = {
-    /** Sender address (must be on a verified domain) */
-    from: string;
-    /** Recipient address(es) */
-    to: string | string[];
-    /** Email subject line */
-    subject: string;
-};
-type SendEmailOptions = SendEmailBase & ({
-    html: string;
-    text?: string;
+type SkCondition = string | {
+    begins_with: string;
 } | {
-    html?: string;
-    text: string;
-});
+    gt: string;
+} | {
+    gte: string;
+} | {
+    lt: string;
+} | {
+    lte: string;
+} | {
+    between: [string, string];
+};
+/**
+ * Query parameters for TableClient.query()
+ */
+type QueryParams = {
+    /** Partition key value */
+    pk: string;
+    /** Optional sort key condition */
+    sk?: SkCondition;
+    /** Maximum number of items to return */
+    limit?: number;
+    /** Sort order (true = ascending, false = descending) */
+    scanIndexForward?: boolean;
+};
+/**
+ * Query parameters for TableClient.queryByTag() — cross-partition query via GSI.
+ * Uses the built-in `tag-pk-index` GSI (tag as partition key, pk as sort key).
+ */
+type QueryByTagParams = {
+    /** Tag value (GSI partition key) — the entity type discriminant */
+    tag: string;
+    /** Optional pk condition (GSI sort key) */
+    pk?: SkCondition;
+    /** Maximum number of items to return */
+    limit?: number;
+    /** Sort order (true = ascending, false = descending) */
+    scanIndexForward?: boolean;
+};
+/** Extract keys of T whose values are arrays */
+type ArrayKeys<T> = {
+    [K in keyof T]: T[K] extends unknown[] ? K : never;
+}[keyof T];
+/** Extract keys of T whose values are numbers */
+type NumberKeys<T> = {
+    [K in keyof T]: T[K] extends number ? K : never;
+}[keyof T];
+/**
+ * Update actions for TableClient.update()
+ *
+ * `set`, `append`, and `remove` target fields inside the `data` attribute.
+ * Effortless auto-prefixes `data.` in the DynamoDB expression.
+ *
+ * @typeParam T - Type of the domain data (the `data` attribute)
+ */
+type UpdateActions<T> = {
+    /** Set domain data fields (inside `data` attribute) */
+    set?: Partial<T>;
+    /** Atomically increment/decrement numeric fields inside `data` (use negative values to decrement) */
+    increment?: Pick<Partial<T>, NumberKeys<T>>;
+    /** Append elements to list fields inside `data` (creates the list if it doesn't exist) */
+    append?: Pick<Partial<T>, ArrayKeys<T>>;
+    /** Remove fields from `data` */
+    remove?: (keyof T)[];
+    /** Update the top-level `tag` attribute */
+    tag?: string;
+    /** Update TTL (set number or null to remove) */
+    ttl?: number | null;
+};
+/**
+ * Typed DynamoDB table client for single-table design.
+ *
+ * All items follow the `{ pk, sk, tag, data, ttl? }` structure.
+ * `T` is the domain data type stored in the `data` attribute.
+ *
+ * @typeParam T - Type of the domain data
+ */
+/**
+ * Options for `put()` operation.
+ */
+type PutOptions = {
+    /** When true, the put fails if an item with the same pk+sk already exists. */
+    ifNotExists?: boolean;
+};
+type TableClient<T = Record<string, unknown>> = {
+    /** Put an item. Tag is auto-extracted from `data[tagField]`. Use `ifNotExists` to prevent overwrites. */
+    put(item: PutInput<T>, options?: PutOptions): Promise<void>;
+    /** Get an item by pk + sk */
+    get(key: TableKey): Promise<TableItem<T> | undefined>;
+    /** Delete an item by pk + sk */
+    delete(key: TableKey): Promise<void>;
+    /** Update domain data fields without reading the full item */
+    update(key: TableKey, actions: UpdateActions<T>): Promise<void>;
+    /** Query by partition key with optional sort key condition */
+    query(params: QueryParams): Promise<TableItem<T>[]>;
+    /** Query by tag across all partitions via GSI (tag-pk-index). */
+    queryByTag(params: QueryByTagParams): Promise<TableItem<T>[]>;
+    /** The underlying DynamoDB table name */
+    tableName: string;
+};
+/**
+ * Options for sending an email via EmailClient.send()
+ */
+type SendEmailBase = {
+    /** Sender address (must be on a verified domain) */
+    from: string;
+    /** Recipient address(es) */
+    to: string | string[];
+    /** Email subject line */
+    subject: string;
+};
+type SendEmailOptions = SendEmailBase & ({
+    html: string;
+    text?: string;
+} | {
+    html?: string;
+    text: string;
+});
 /**
  * Typed SES email client injected via deps.
  *
@@ -962,7 +889,12 @@ type StreamView = "NEW_AND_OLD_IMAGES" | "NEW_IMAGE" | "OLD_IMAGE" | "KEYS_ONLY"
  */
 type TableConfig = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
-    lambda?: LambdaWithPermissions;
+    lambda?: {
+        memory?: number;
+        timeout?: Duration;
+        logLevel?: LogLevel;
+        permissions?: Permission[];
+    };
     /** DynamoDB billing mode (default: "PAY_PER_REQUEST") */
     billingMode?: "PAY_PER_REQUEST" | "PROVISIONED";
     /** Stream view type - what data to include in stream records (default: "NEW_AND_OLD_IMAGES") */
@@ -973,18 +905,12 @@ type TableConfig = {
     batchWindow?: Duration;
     /** Where to start reading the stream (default: "LATEST") */
     startingPosition?: "LATEST" | "TRIM_HORIZON";
+    /** Number of records to process concurrently within a batch (default: 1 — sequential) */
+    concurrency?: number;
     /**
      * Name of the field in `data` that serves as the entity type discriminant.
      * Effortless auto-copies `data[tagField]` to the top-level DynamoDB `tag` attribute on `put()`.
      * Defaults to `"tag"`.
-     *
-     * @example
-     * ```typescript
-     * export const orders = defineTable<{ type: "order"; amount: number }>({
-     *   tagField: "type",
-     *   onRecord: async ({ record }) => { ... }
-     * });
-     * ```
      */
     tagField?: string;
 };
@@ -1012,118 +938,40 @@ type TableRecord<T = Record<string, unknown>> = {
     /** Approximate timestamp when the modification occurred */
     timestamp?: number;
 };
-/**
- * Information about a failed record during batch processing
- *
- * @typeParam T - Type of the domain data
- */
-type FailedRecord<T = Record<string, unknown>> = {
-    /** The record that failed to process */
-    record: TableRecord<T>;
-    /** The error that occurred */
-    error: unknown;
-};
-/**
- * Setup factory type for table handlers.
- * Always receives `table: TableClient<T>` (self-client for the handler's own table).
- * Also receives `deps` and/or `config` when declared.
- */
-type SetupFactory$1<C, T, D, P, S extends string[] | undefined = undefined> = (args: {
+/** Setup factory — receives table/deps/config/files based on what was declared */
+type SetupArgs$1<T, D, P, HasFiles extends boolean> = {
     table: TableClient<T>;
 } & ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
 }) & ([P] extends [undefined] ? {} : {
     config: ResolveConfig<P & {}>;
-}) & ([S] extends [undefined] ? {} : {
+}) & (HasFiles extends true ? {
     files: StaticFiles;
-})) => C | Promise<C>;
+} : {});
+/** Spread ctx into callback args (empty when no setup) */
+type SpreadCtx$1<C> = [C] extends [undefined] ? {} : C & {};
 /**
- * Callback function type for processing a single DynamoDB stream record
+ * Callback function type for processing a single DynamoDB stream record.
+ * Receives the current record and the full batch for context.
  */
-type TableRecordFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
+type TableRecordFn<T = Record<string, unknown>, C = undefined> = (args: {
     record: TableRecord<T>;
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<R>;
-/**
- * Callback function type for processing accumulated batch results
- */
-type TableBatchCompleteFn<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
-    results: R[];
-    failures: FailedRecord<T>[];
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
-/**
- * Callback function type for processing all records in a batch at once
- */
-type TableBatchFn<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = (args: {
-    records: TableRecord<T>[];
-    table: TableClient<T>;
-} & HandlerArgs<C, D, P, S>) => Promise<void>;
-/** Base options shared by all defineTable variants */
-type DefineTableBase<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = Omit<TableConfig, "tagField"> & {
-    /** Name of the field in `data` that serves as the entity type discriminant (default: `"tag"`). */
-    tagField?: Extract<keyof T, string>;
-    /**
-     * Decode/validate function for the `data` portion of stream record items.
-     * Called with the unmarshalled `data` attribute; should return typed data or throw on validation failure.
-     * When provided, T is inferred from the return type — no need to specify generic parameters.
-     */
-    schema?: (input: unknown) => T;
-    /**
-     * Error handler called when onRecord, onBatch, or onBatchComplete throws.
-     * Receives the error. If not provided, defaults to `console.error`.
-     */
-    onError?: (args: {
-        error: unknown;
-    } & HandlerArgs<C, D, P, S>) => void;
-    /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
-    /**
-     * Factory function to initialize shared state for callbacks.
-     * Called once on cold start, result is cached and reused across invocations.
-     * When deps/params are declared, receives them as argument.
-     * Supports both sync and async return values.
-     */
-    setup?: SetupFactory$1<C, T, D, P, S>;
-    /**
-     * Dependencies on other handlers (tables, queues, etc.).
-     * Typed clients are injected into the handler via the `deps` argument.
-     * Pass a function returning the deps object: `deps: () => ({ orders })`.
-     */
-    deps?: () => D & {};
-    /**
-     * SSM Parameter Store parameters.
-     * Declare with `param()` helper. Values are fetched and cached at cold start.
-     * Typed values are injected into the handler via the `config` argument.
-     */
-    config?: P;
-    /**
-     * Static file glob patterns to bundle into the Lambda ZIP.
-     * Files are accessible at runtime via the `files` callback argument.
-     */
-    static?: S;
-};
-/** Per-record processing: onRecord with optional onBatchComplete */
-type DefineTableWithOnRecord<T = Record<string, unknown>, C = undefined, R = void, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
-    onRecord: TableRecordFn<T, C, R, D, P, S>;
-    onBatchComplete?: TableBatchCompleteFn<T, C, R, D, P, S>;
-    onBatch?: never;
-};
-/** Batch processing: onBatch processes all records at once */
-type DefineTableWithOnBatch<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
-    onBatch: TableBatchFn<T, C, D, P, S>;
-    onRecord?: never;
-    onBatchComplete?: never;
-};
-/** Resource-only: no handler, just creates the table */
-type DefineTableResourceOnly<T = Record<string, unknown>, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined> = DefineTableBase<T, C, D, P, S> & {
-    onRecord?: never;
-    onBatch?: never;
-    onBatchComplete?: never;
-};
-type DefineTableOptions<T = Record<string, unknown>, C = undefined, R = void, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined> = DefineTableWithOnRecord<T, C, R, D, P, S> | DefineTableWithOnBatch<T, C, D, P, S> | DefineTableResourceOnly<T, C, D, P, S>;
+    batch: readonly TableRecord<T>[];
+} & SpreadCtx$1<C>) => Promise<void>;
+/**
+ * Batch handler function for DynamoDB stream records.
+ * Called once with all records in the batch.
+ * Return `{ failures: string[] }` (sequence numbers) for partial batch failure reporting.
+ */
+type TableBatchFn<T = Record<string, unknown>, C = undefined> = (args: {
+    records: readonly TableRecord<T>[];
+} & SpreadCtx$1<C>) => Promise<void | {
+    failures: string[];
+}>;
+/** Static config extracted by AST (no runtime callbacks) */
 /**
- * Internal handler object created by defineTable
+ * Handler object created by defineTable.
+ * Used by runtime wrappers and as type annotation for circular deps.
  * @internal
  */
 type TableHandler<T = Record<string, unknown>, C = any> = {
@@ -1131,15 +979,63 @@ type TableHandler<T = Record<string, unknown>, C = any> = {
     readonly __spec: TableConfig;
     readonly schema?: (input: unknown) => T;
     readonly onError?: (...args: any[]) => any;
-    readonly onAfterInvoke?: (...args: any[]) => any;
+    readonly onCleanup?: (...args: any[]) => any;
     readonly setup?: (...args: any[]) => C | Promise<C>;
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
     readonly onRecord?: (...args: any[]) => any;
-    readonly onBatchComplete?: (...args: any[]) => any;
-    readonly onBatch?: (...args: any[]) => any;
+    readonly onRecordBatch?: (...args: any[]) => any;
 };
+/** Options passed to `defineTable()` — static config, no generics needed for inference */
+type TableOptions<T> = {
+    /** Lambda memory in MB (default: 256) */
+    memory?: number;
+    /** Lambda timeout (default: 30s). Accepts seconds or duration string: `"30s"`, `"5m"` */
+    timeout?: Duration;
+    /** Additional IAM permissions for the Lambda */
+    permissions?: Permission[];
+    /** Logging verbosity */
+    logLevel?: LogLevel;
+    /** DynamoDB billing mode (default: "PAY_PER_REQUEST") */
+    billingMode?: "PAY_PER_REQUEST" | "PROVISIONED";
+    /** Stream view type (default: "NEW_AND_OLD_IMAGES") */
+    streamView?: StreamView;
+    /** Number of records to process in each Lambda invocation (1-10000, default: 100) */
+    batchSize?: number;
+    /** Maximum time to gather records before invoking (default: "2s") */
+    batchWindow?: Duration;
+    /** Where to start reading the stream (default: "LATEST") */
+    startingPosition?: "LATEST" | "TRIM_HORIZON";
+    /** Number of records to process concurrently within a batch (default: 1) */
+    concurrency?: number;
+    /** Name of the field in `data` that serves as the entity type discriminant (default: "tag") */
+    tagField?: Extract<keyof T, string>;
+    /** Decode/validate function for the `data` portion of stream records */
+    schema?: (input: unknown) => T;
+    /** Static file glob patterns to bundle into the Lambda ZIP */
+    static?: string[];
+};
+interface TableBuilder<T = Record<string, unknown>, D = undefined, P = undefined, C = undefined, HasFiles extends boolean = false> {
+    /** Declare handler dependencies (tables, queues, buckets, mailers) */
+    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): TableBuilder<T, D2, P, C, HasFiles>;
+    /** Declare SSM secrets */
+    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): TableBuilder<T, D, P2, C, HasFiles>;
+    /** Initialize shared state on cold start. Receives table (self-client), deps, config, files. */
+    setup<C2>(fn: (args: SetupArgs$1<T, D, P, HasFiles>) => C2 | Promise<C2>): TableBuilder<T, D, P, C2, HasFiles>;
+    /** Handle errors thrown by onRecord/onRecordBatch */
+    onError(fn: (args: {
+        error: unknown;
+    } & SpreadCtx$1<C>) => void): TableBuilder<T, D, P, C, HasFiles>;
+    /** Cleanup callback — runs after each invocation, before Lambda freezes */
+    onCleanup(fn: (args: SpreadCtx$1<C>) => void | Promise<void>): TableBuilder<T, D, P, C, HasFiles>;
+    /** Per-record stream handler (terminal — returns finalized handler) */
+    onRecord(fn: TableRecordFn<T, C>): TableHandler<T, C>;
+    /** Batch stream handler (terminal — returns finalized handler) */
+    onRecordBatch(fn: TableBatchFn<T, C>): TableHandler<T, C>;
+    /** Finalize as resource-only table (no Lambda) */
+    build(): TableHandler<T, C>;
+}
 /**
  * Define a DynamoDB table with optional stream handler (single-table design).
  *
@@ -1148,25 +1044,30 @@ type TableHandler<T = Record<string, unknown>, C = any> = {
  *
  * @example Table with stream handler
  * ```typescript
- * type OrderData = { amount: number; status: string };
- *
- * export const orders = defineTable<OrderData>({
- *   streamView: "NEW_AND_OLD_IMAGES",
- *   batchSize: 10,
- *   onRecord: async ({ record }) => {
+ * export const orders = defineTable<OrderData>({ batchSize: 10, concurrency: 5 })
+ *   .setup(({ table }) => ({ table }))
+ *   .onRecord(async ({ record, table }) => {
  *     if (record.eventName === "INSERT") {
- *       console.log("New order:", record.new?.data.amount);
+ *       console.log("New order:", record.new?.data);
  *     }
- *   }
- * });
+ *   })
  * ```
  *
  * @example Table only (no Lambda)
  * ```typescript
- * export const users = defineTable({});
+ * export const users = defineTable<User>().build()
+ * ```
+ *
+ * @example Table as dependency (resource-only, no Lambda)
+ * ```typescript
+ * export const sessions = defineTable<Session>().build()
  * ```
  */
-declare const defineTable: <T = Record<string, unknown>, C = undefined, R = void, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined>(options: DefineTableOptions<T, C, R, D, P, S>) => TableHandler<T, C>;
+declare function defineTable<T = Record<string, unknown>>(): TableBuilder<T>;
+declare function defineTable<T = Record<string, unknown>>(options: TableOptions<T> & {
+    static: string[];
+}): TableBuilder<T, undefined, undefined, undefined, true>;
+declare function defineTable<T = Record<string, unknown>>(options: TableOptions<T>): TableBuilder<T>;
 /**
  * Configuration for deploying an SSR framework (Nuxt, Astro, etc.)
@@ -1223,94 +1124,7 @@ type AppHandler = {
  * });
  * ```
  */
-declare const defineApp: (options: AppConfig) => AppHandler;
-type AuthConfig<_T = undefined> = {
-    /** Path to redirect unauthenticated users to (used by static sites). */
-    loginPath: string;
-    /** Paths that don't require authentication. Supports trailing `*` wildcard. */
-    public?: string[];
-    /** Default session lifetime (default: "7d"). Accepts seconds or duration string. */
-    expiresIn?: Duration;
-};
-/**
- * Branded auth object returned by `defineAuth()`.
- * Pass to `defineApi({ auth })` and `defineStaticSite({ auth })`.
- */
-type Auth<T = undefined> = AuthConfig<T> & {
-    readonly __brand: "effortless-auth";
-    /** @internal phantom type marker for session data */
-    readonly __session?: T;
-};
-/** API token authentication strategy. Verifies tokens from HTTP headers (e.g. Authorization: Bearer). */
-type ApiTokenStrategy<T, D = undefined> = {
-    /** HTTP header to read the token from. Default: "authorization" (strips "Bearer " prefix). */
-    header?: string;
-    /** Verify the token value and return session data, or null if invalid. */
-    verify: [D] extends [undefined] ? (value: string) => T | null | Promise<T | null> : (value: string, ctx: {
-        deps: D;
-    }) => T | null | Promise<T | null>;
-    /** Cache verified token results for this duration. Avoids calling verify on every request. */
-    cacheTtl?: Duration;
-};
-/**
- * Define authentication for API handlers and static sites.
- *
- * Session-based auth uses HMAC-signed cookies (auto-managed by the framework).
- *
- * - Lambda@Edge middleware verifies cookie signatures for static sites
- * - API handler gets `auth.createSession()` / `auth.clearSession()` / `auth.session` helpers
- * - HMAC secret is auto-generated and stored in SSM Parameter Store
- *
- * @typeParam T - Session data type. When provided, `createSession(data)` requires typed payload
- *   and `auth.session` is typed as `T` in handler args.
- *
- * @example
- * ```typescript
- * type Session = { userId: string; role: "admin" | "user" };
- *
- * const auth = defineAuth<Session>({
- *   loginPath: '/login',
- *   public: ['/login', '/api/login'],
- *   expiresIn: '7d',
- * })
- *
- * export const api = defineApi({ auth, ... })
- * export const webapp = defineStaticSite({ auth, ... })
- * ```
- */
-declare const defineAuth: <T = undefined>(options: AuthConfig<T>) => Auth<T>;
-/** Options for creating a session */
-type SessionOptions = {
-    expiresIn?: Duration;
-};
-/** Session response with Set-Cookie header */
-type SessionResponse = {
-    status: 200;
-    body: {
-        ok: true;
-    };
-    headers: Record<string, string>;
-};
-/**
- * Auth helpers injected into API handler callback args when `auth` is configured.
- * @typeParam T - Session data type (undefined = no custom data)
- */
-type AuthHelpers<T = undefined> = {
-    clearSession(): {
-        status: 200;
-        body: {
-            ok: true;
-        };
-        headers: Record<string, string>;
-    };
-    /** The current session data (from cookie or API token). Undefined if no valid session. */
-    session: T extends undefined ? undefined : T | undefined;
-} & ([T] extends [undefined] ? {
-    createSession(options?: SessionOptions): SessionResponse;
-} : {
-    createSession(data: T, options?: SessionOptions): SessionResponse;
-});
+declare const defineApp: () => (options: AppConfig) => AppHandler;
 /** Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) */
 type AnyRoutableHandler = {
@@ -1371,8 +1185,6 @@ type StaticSiteConfig = {
     errorPage?: string;
     /** Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. */
     middleware?: MiddlewareHandler;
-    /** Cookie-based authentication. Auto-generates Lambda@Edge middleware that verifies signed cookies. */
-    auth?: Auth<any>;
     /** SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API */
     seo?: StaticSiteSeo;
 };
@@ -1407,48 +1219,115 @@ type StaticSiteHandler = {
  * });
  * ```
  *
- * @example Protected site with middleware (Lambda@Edge)
- * ```typescript
- * export const admin = defineStaticSite({
- *   dir: "admin/dist",
- *   middleware: async (request) => {
- *     if (!request.cookies.session) {
- *       return { redirect: "/login" };
- *     }
- *   },
- * });
- * ```
  */
-declare const defineStaticSite: (options: StaticSiteConfig) => StaticSiteHandler;
+declare const defineStaticSite: () => (options: StaticSiteConfig) => StaticSiteHandler;
-/** Extract session type T from Auth<T> */
-type SessionOf<A> = A extends Auth<infer T> ? T : undefined;
-/** GET route handler — no schema, no data */
-type ApiGetHandlerFn<C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = (args: {
-    req: HttpRequest;
-} & HandlerArgs<C, D, P, S> & ([ST] extends [true] ? {
-    stream: ResponseStream;
-} : {}) & ([A] extends [undefined] ? {} : {
-    auth: AuthHelpers<SessionOf<A>>;
-})) => Promise<HttpResponse | void> | HttpResponse | void;
-/** POST handler — with typed data from schema */
-type ApiPostHandlerFn<T = undefined, C = undefined, D = undefined, P = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = (args: {
+/** Options for creating a session */
+type SessionOptions = {
+    expiresIn?: Duration;
+};
+/** Session response with Set-Cookie header */
+type SessionResponse = {
+    status: 200;
+    body: {
+        ok: true;
+    };
+    headers: Record<string, string>;
+};
+/**
+ * Auth helpers injected into API handler callback args when `auth` is configured.
+ * @typeParam T - Session data type (from `AuthOptions<T>`)
+ */
+type AuthHelpers<T = unknown> = {
+    /** Create a signed session cookie with typed data. */
+    createSession(data: T, options?: SessionOptions): SessionResponse;
+    /** Clear the session cookie. */
+    clearSession(): {
+        status: 200;
+        body: {
+            ok: true;
+        };
+        headers: Record<string, string>;
+    };
+    /** The current session data (from cookie or API token). Undefined if no valid session. */
+    session: T | undefined;
+};
+/** Auth config options (user-facing) */
+type AuthOptions<A = unknown> = {
+    /** HMAC secret for signing session cookies. Use `secret()` or `param()` in config. */
+    secret: string;
+    /** Default session lifetime (default: "7d"). */
+    expiresIn?: Duration;
+    /** Optional API token strategy for external clients. */
+    apiToken?: {
+        /** HTTP header to read the token from. Default: "authorization" (strips "Bearer " prefix). */
+        header?: string;
+        /** Verify the token value and return session data, or null if invalid. */
+        verify: (value: string) => A | null | Promise<A | null>;
+        /** Cache verified token results for this duration. */
+        cacheTtl?: Duration;
+    };
+};
+/** Branded auth config — created by `enableAuth<A>()` helper, carries session type A */
+type ApiAuthConfig<A = unknown> = AuthOptions<A> & {
+    readonly __sessionType: A;
+};
+/** Type of the `enableAuth` helper injected into setup args */
+type EnableAuth = <A = unknown>(options: AuthOptions<A>) => ApiAuthConfig<A>;
+/** Extract session type A from ctx.auth if present */
+type ExtractAuth<C> = C extends {
+    auth: ApiAuthConfig<infer A>;
+} ? A : undefined;
+/** Property names reserved by the framework — cannot be used in setup return */
+type ReservedKeys = 'req' | 'input' | 'stream' | 'ok' | 'fail';
+/** Success response helper: `ok({ data })` → `{ status: 200, body: { data } }` */
+type OkHelper = (body?: unknown, status?: number) => HttpResponse;
+/** Error response helper: `fail("message")` → `{ status: 400, body: { error: "message" } }` */
+type FailHelper = (message: string, status?: number) => HttpResponse;
+type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+/** Parsed route definition stored at runtime */
+type RouteEntry = {
+    method: HttpMethod;
+    path: string;
+    onRequest: (...args: any[]) => any;
+    public?: boolean;
+};
+/** Spread ctx into route args: Omit auth config, add AuthHelpers if present */
+type SpreadCtx<C> = ([C] extends [undefined] ? {} : Omit<C & {}, 'auth'>) & ([ExtractAuth<C>] extends [undefined] ? {} : {
+    auth: AuthHelpers<ExtractAuth<C>>;
+});
+/** Callback args available inside each route — ctx is spread into args */
+type RouteArgs<C, ST> = SpreadCtx<C> & {
     req: HttpRequest;
-} & ([T] extends [undefined] ? {} : {
-    data: T;
-}) & HandlerArgs<C, D, P, S> & ([ST] extends [true] ? {
+    input: unknown;
+    ok: OkHelper;
+    fail: FailHelper;
+} & ([ST] extends [true] ? {
     stream: ResponseStream;
-} : {}) & ([A] extends [undefined] ? {} : {
-    auth: AuthHelpers<SessionOf<A>>;
-})) => Promise<HttpResponse | void> | HttpResponse | void;
-/** Setup factory — receives deps/config/files when declared */
-type SetupFactory<C, D, P, S extends string[] | undefined = undefined> = (args: ([D] extends [undefined] ? {} : {
+} : {});
+/** Route handler function */
+type RouteHandler<C, ST> = (args: RouteArgs<C, ST>) => Promise<HttpResponse | void> | HttpResponse | void;
+/** Route options (e.g. public) */
+type RouteOptions = {
+    public?: boolean;
+};
+/** Setup factory — receives deps/config/files/enableAuth based on what was declared */
+type SetupArgs<D, P, HasFiles extends boolean> = {
+    enableAuth: EnableAuth;
+    ok: OkHelper;
+    fail: FailHelper;
+} & ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
 }) & ([P] extends [undefined] ? {} : {
     config: ResolveConfig<P & {}>;
-}) & ([S] extends [undefined] ? {} : {
+}) & (HasFiles extends true ? {
     files: StaticFiles;
-})) => C | Promise<C>;
+} : {});
+/** Validate that setup return type does not use reserved property names */
+type ValidateSetupReturn<C> = C & {
+    [K in ReservedKeys]?: never;
+};
 /** Static config extracted by AST (no runtime callbacks) */
 type ApiConfig = {
     /** Lambda function settings (memory, timeout, permissions, etc.) */
@@ -1458,104 +1337,104 @@ type ApiConfig = {
     /** Enable response streaming. When true, the Lambda Function URL uses RESPONSE_STREAM invoke mode. */
     stream?: boolean;
 };
-/**
- * Options for defining a CQRS-style API endpoint.
- *
- * - `get` routes handle queries (path-based routing, no body)
- * - `post` handles commands (single entry point, discriminated union via `schema`)
- */
-type DefineApiOptions<T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined> = {
-    /** Lambda function settings (memory, timeout, permissions, etc.) */
-    lambda?: LambdaWithPermissions;
-    /** Base path prefix for all routes (e.g., "/api") */
-    basePath: `/${string}`;
-    /** Enable response streaming. When true, routes receive a `stream` arg for SSE. Routes can still return HttpResponse normally. */
-    stream?: ST;
-    /** Session-based authentication. Injects `auth` helpers (createSession/clearSession/session) into handler args. */
-    auth?: A;
-    /** API token authentication for external clients (Bearer tokens, API keys). Has access to deps. */
-    apiToken?: ApiTokenStrategy<SessionOf<A>, [D] extends [undefined] ? undefined : ResolveDeps<D>>;
-    /**
-     * Factory function to initialize shared state.
-     * Called once on cold start, result is cached and reused across invocations.
-     */
-    setup?: SetupFactory<C, D, P, S>;
-    /** Dependencies on other handlers (tables, queues, etc.): `deps: () => ({ users })` */
-    deps?: () => D & {};
-    /** SSM Parameter Store parameters */
-    config?: P;
-    /** Static file glob patterns to bundle into the Lambda ZIP */
-    static?: S;
-    /** Error handler called when schema validation or handler throws */
-    onError?: (args: {
-        error: unknown;
-        req: HttpRequest;
-    } & HandlerArgs<C, D, P, S>) => HttpResponse;
-    /** Called after each invocation completes, right before Lambda freezes the process */
-    onAfterInvoke?: (args: HandlerArgs<C, D, P, S>) => void | Promise<void>;
-    /** GET routes — query handlers keyed by relative path (e.g., "/users/{id}") */
-    get?: Record<`/${string}`, ApiGetHandlerFn<C, D, P, S, ST, A>>;
-    /**
-     * Schema for POST body validation. Use with discriminated unions:
-     * ```typescript
-     * schema: Action.parse,
-     * post: async ({ data }) => { switch (data.action) { ... } }
-     * ```
-     */
-    schema?: (input: unknown) => T;
-    /** POST handler — single entry point for commands */
-    post?: ApiPostHandlerFn<T, C, D, P, S, ST, A>;
-};
 /** Internal handler object created by defineApi */
-type ApiHandler<T = undefined, C = undefined> = {
+type ApiHandler<C = undefined> = {
     readonly __brand: "effortless-api";
     readonly __spec: ApiConfig;
-    readonly schema?: (input: unknown) => T;
     readonly onError?: (...args: any[]) => any;
-    readonly onAfterInvoke?: (...args: any[]) => any;
+    readonly onCleanup?: (...args: any[]) => any;
     readonly setup?: (...args: any[]) => C | Promise<C>;
     readonly deps?: Record<string, unknown> | (() => Record<string, unknown>);
     readonly config?: Record<string, unknown>;
     readonly static?: string[];
-    readonly auth?: Auth;
-    readonly apiToken?: ApiTokenStrategy<any, any>;
-    readonly get?: Record<`/${string}`, (...args: any[]) => any>;
-    readonly post?: (...args: any[]) => any;
+    readonly routes?: RouteEntry[];
 };
-/**
- * Define a CQRS-style API with typed GET routes and POST commands.
- *
- * GET routes handle queries — path-based routing, no request body.
- * POST handles commands — single entry point with discriminated union schema.
- * Deploys as a single Lambda (fat Lambda) with one API Gateway catch-all route.
+/** Options passed to `defineApi()` */
+type ApiOptions = {
+    /** Base path prefix for all routes (e.g., "/api") */
+    basePath: `/${string}`;
+    /** Lambda memory in MB (default: 256) */
+    memory?: number;
+    /** Lambda timeout (default: 30s). Accepts seconds or duration string: `"30s"`, `"5m"` */
+    timeout?: Duration;
+    /** Additional IAM permissions for the Lambda */
+    permissions?: Permission[];
+    /** Logging verbosity: "error" (errors only), "info" (+ execution summary), "debug" (+ input/output). Default: "info" */
+    logLevel?: LogLevel;
+    /** Enable response streaming. When true, routes receive a `stream` arg for SSE. */
+    stream?: boolean;
+    /** Static file glob patterns to bundle into the Lambda ZIP */
+    static?: string[];
+};
+/**
+ * Finalized API handler with route-adding methods.
+ * Has `__brand` so CLI discovers it. Each `.get()/.post()` adds a route and returns self.
+ */
+interface ApiRoutes<C = undefined, ST extends boolean = false> extends ApiHandler<C> {
+    get(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    post(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    put(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    patch(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    delete(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+}
+/**
+ * Builder interface for defining API handlers.
+ *
+ * Each method sets exactly one generic, so inference happens one step at a time.
+ * This prevents cascading type errors when one property has a mistake.
+ */
+interface ApiBuilder<D = undefined, P = undefined, C = undefined, ST extends boolean = false, HasFiles extends boolean = false> {
+    /** Declare handler dependencies (tables, queues, buckets, mailers) */
+    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): ApiBuilder<D2, P, C, ST, HasFiles>;
+    /** Declare SSM secrets */
+    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): ApiBuilder<D, P2, C, ST, HasFiles>;
+    /** Initialize shared state on cold start. Receives deps/config/files based on what was declared. */
+    setup<C2>(fn: (args: SetupArgs<D, P, HasFiles>) => ValidateSetupReturn<C2> | Promise<ValidateSetupReturn<C2>>): ApiBuilder<D, P, C2, ST, HasFiles>;
+    /** Handle errors thrown by routes */
+    onError(fn: (args: {
+        error: unknown;
+        req: HttpRequest;
+        ok: OkHelper;
+        fail: FailHelper;
+    } & SpreadCtx<C>) => HttpResponse): ApiBuilder<D, P, C, ST, HasFiles>;
+    /** Cleanup callback — runs after each invocation, before Lambda freezes */
+    onCleanup(fn: (args: SpreadCtx<C>) => void | Promise<void>): ApiBuilder<D, P, C, ST, HasFiles>;
+    /** Add a GET route (terminal — returns finalized handler with route methods) */
+    get(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    /** Add a POST route (terminal) */
+    post(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    /** Add a PUT route (terminal) */
+    put(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    /** Add a PATCH route (terminal) */
+    patch(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    /** Add a DELETE route (terminal) */
+    delete(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+}
+/**
+ * Define an API with typed routes using a builder pattern.
  *
  * @example
  * ```typescript
- * export default defineApi({
- *   basePath: "/api",
- *   deps: { users },
- *
- *   get: {
- *     "/users": async ({ req, deps }) => ({
- *       status: 200,
- *       body: await deps.users.scan()
- *     }),
- *     "/users/{id}": async ({ req, deps }) => ({
- *       status: 200,
- *       body: await deps.users.get(req.params.id)
- *     }),
- *   },
- *
- *   schema: Action.parse,
- *   post: async ({ data, deps }) => {
- *     switch (data.action) {
- *       case "create": return { status: 201, body: await deps.users.put(data) }
- *       case "delete": return { status: 200, body: await deps.users.delete(data.id) }
- *     }
- *   },
- * })
+ * // Minimal
+ * export default defineApi({ basePath: "/hello" })
+ *   .get("/", async ({ req, ok }) => ok({ message: "Hello!" }))
+ *
+ * // Full
+ * export const api = defineApi({ basePath: "/api", timeout: "30s" })
+ *   .deps(() => ({ users }))
+ *   .config(({ defineSecret }) => ({ dbUrl: defineSecret() }))
+ *   .setup(async ({ deps, config, enableAuth }) => ({
+ *     users: deps.users,
+ *     auth: enableAuth<Session>({ secret: config.dbUrl }),
+ *   }))
+ *   .onError(({ error, fail }) => fail(String(error), 500))
+ *   .get("/me", async ({ users, auth, ok }) => ok(auth.session))
+ *   .post("/login", async ({ auth, ok }) => ok(await auth.createSession()), { public: true })
  * ```
  */
-declare const defineApi: <T = undefined, C = undefined, D extends Record<string, AnyDepHandler> | undefined = undefined, P extends Record<string, AnyParamRef> | undefined = undefined, S extends string[] | undefined = undefined, ST extends boolean | undefined = undefined, A extends Auth<any> | undefined = undefined>(options: DefineApiOptions<T, C, D, P, S, ST, A>) => ApiHandler<T, C>;
+declare function defineApi(options: ApiOptions & {
+    static: string[];
+}): ApiBuilder<undefined, undefined, undefined, false, true>;
+declare function defineApi<const O extends ApiOptions>(options: O): ApiBuilder<undefined, undefined, undefined, O["stream"] extends true ? true : false, O["static"] extends string[] ? true : false>;
-export { type AnyParamRef, type AnySecretRef, type ApiConfig, type ApiHandler, type ApiTokenStrategy, type AppConfig, type AppHandler, type Auth, type AuthConfig, type AuthHelpers, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ContentType, type Duration, type EffortlessConfig, type EmailClient, type FailedRecord, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineAuth, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineStaticSite, defineTable, generateBase64, generateHex, generateUuid, param, result, secret, toSeconds, unsafeAs };
+export { type AnyParamRef, type AnySecretRef, type ApiAuthConfig, type ApiConfig, type ApiHandler, type ApiRoutes, type AppConfig, type AppHandler, type AuthHelpers, type BucketClient, type BucketConfig, type BucketEvent, type BucketHandler, type ConfigHelpers, type ContentType, type DefineSecretFn, type Duration, type EffortlessConfig, type EmailClient, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type GenerateSpec, type HttpMethod$1 as HttpMethod, type HttpRequest, type HttpResponse, type LambdaConfig, type LambdaWithPermissions, type LogLevel, type MailerConfig, type MailerHandler, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type UpdateActions, defineApi, defineApp, defineBucket, defineConfig, defineFifoQueue, defineMailer, defineSecret, defineStaticSite, defineTable, generateBase64, generateHex, generateUuid, param, secret, toSeconds, unsafeAs };