effortless-aws 0.34.0 → 0.36.0

package/dist/{chunk-6HFS224S.js → chunk-Q3ZDMZF3.js}

@@ -765,9 +765,18 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
     resolvedCfSigningConfig = { privateKey, keyPairId: cfKeyPairId, domain: cfDomain };
     return resolvedCfSigningConfig;
   };
-  const getAuthRuntime = async (setupCtx) => {
+  const getAuthRuntime = async () => {
     if (resolvedAuthRuntime !== null) return resolvedAuthRuntime;
-    const authOpts = setupCtx && typeof setupCtx === "object" && "auth" in setupCtx ? setupCtx.auth : void 0;
+    if (!handler.authFn) {
+      resolvedAuthRuntime = void 0;
+      return void 0;
+    }
+    const params = await getParams();
+    const deps = getDeps();
+    const authArgs = {};
+    if (params) authArgs.config = params;
+    if (deps) authArgs.deps = deps;
+    const authOpts = await handler.authFn(authArgs);
     if (!authOpts?.secret) {
       resolvedAuthRuntime = void 0;
       return void 0;
@@ -795,7 +804,7 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
     if (handler.setup) {
       const params = await getParams();
       const deps = getDeps();
-      const args = { enableAuth: (opts) => opts };
+      const args = {};
       if (params) args.config = params;
       if (deps) args.deps = deps;
       if (handler.static) args.files = staticFiles;
@@ -813,7 +822,7 @@ var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupA
     const params = await getParams();
     if (params) args.config = params;
     if (handler.static) args.files = staticFiles;
-    const authRuntime = await getAuthRuntime(args.ctx);
+    const authRuntime = await getAuthRuntime();
     if (authRuntime) {
       let finalAuthHeader = authHeader;
       if (finalAuthHeader === void 0 && headers && resolvedAuthHeaderName) {

package/dist/index.d.ts

@@ -1,3 +1,5 @@
+import { StandardSchemaV1, StandardJSONSchemaV1 } from '@standard-schema/spec';
+
 /**
  * Configuration for an Effortless project.
  *
@@ -421,7 +423,7 @@ type BucketObjectRemovedFn<C = undefined> = (args: {
  * Internal handler object created by defineBucket
  * @internal
  */
-type BucketHandler$1<C = any, Entities extends Record<string, any> = {}> = {
+type BucketHandler$1<C = any, _Entities extends Record<string, any> = {}> = {
     readonly __brand: "effortless-bucket";
     readonly __spec: BucketConfig;
     readonly onError?: (...args: any[]) => any;
@@ -728,7 +730,7 @@ type WorkerMessageFn<T, C = undefined> = (msg: T, ctx: SpreadCtx$4<C>) => Promis
  * Handler object created by defineWorker.
  * @internal
  */
-type WorkerHandler$1<T = any, C = any> = {
+type WorkerHandler$1<_T = any, C = any> = {
     readonly __brand: "effortless-worker";
     readonly __spec: WorkerConfig;
     readonly onError?: (...args: any[]) => any;
@@ -1206,22 +1208,10 @@ type AppHandler = {
  */
 declare const defineApp: () => (options: AppConfig) => AppHandler;
 
-/** Any branded handler that deploys to API Gateway (HttpHandler, ApiHandler, etc.) */
+/** Any branded handler that deploys to API Gateway or S3 */
 type AnyRoutableHandler = {
     readonly __brand: string;
 };
-/** Route configuration for serving bucket content through CloudFront */
-type BucketRouteConfig = {
-    bucket: {
-        readonly __brand: "effortless-bucket";
-    };
-    /** Access control: "private" requires CloudFront signed cookies, "public" serves openly. Default: "public" */
-    access?: "private" | "public";
-};
-/** A route value: either an API handler or a bucket route config */
-type RouteValue = AnyRoutableHandler | BucketRouteConfig;
-/** Type guard for bucket route entries */
-declare const isBucketRoute: (v: unknown) => v is BucketRouteConfig;
 /** Simplified request object passed to middleware */
 type MiddlewareRequest = {
     uri: string;
@@ -1253,33 +1243,32 @@ type StaticSiteSeo = {
     googleIndexing?: string;
 };
 /**
- * Configuration for a static site handler (S3 + CloudFront)
+ * Configuration for a static site (S3 + CloudFront)
  */
 type StaticSiteConfig = {
-    /** Handler name. Defaults to export name if not specified */
-    name?: string;
     /** Directory containing the static site files, relative to project root */
     dir: string;
     /** Default file for directory requests (default: "index.html") */
     index?: string;
-    /** SPA mode: serve index.html for all paths that don't match a file (default: false) */
-    spa?: boolean;
     /** Shell command to run before deploy to generate site content (e.g., "npx astro build") */
     build?: string;
+    /** Path to a custom error page relative to `dir`.
+     * - If set to the same value as `index` (e.g. "index.html"), enables SPA mode:
+     *   all paths that don't match a file are served with `index.html` (HTTP 200), letting the client-side router handle them.
+     * - If set to a different file (e.g. "404.html"), that file is served with HTTP 404 for missing paths.
+     * - If omitted, a default 404 page is auto-generated. */
+    errorPage?: string;
     /** Custom domain name. Accepts a string (same domain for all stages) or a Record mapping stage names to domains (e.g., `{ prod: "example.com", dev: "dev.example.com" }`). Requires an ACM certificate in us-east-1. If the cert also covers www, a 301 redirect from www to non-www is set up automatically. */
     domain?: string | Record<string, string>;
-    /** CloudFront route overrides: path patterns forwarded to API Gateway or S3 bucket origins.
-     * Keys are CloudFront path patterns (e.g., "/api/*"), values are HTTP handlers or bucket route configs.
-     * Example: `routes: { "/api/*": api, "/files/*": { bucket: storage, access: "private" } }` */
-    routes?: Record<string, RouteValue>;
-    /** Custom 404 error page path relative to `dir` (e.g. "404.html").
-     * For non-SPA sites only. If not set, a default page is generated automatically. */
-    errorPage?: string;
-    /** Lambda@Edge middleware that runs before serving pages. Use for auth checks, redirects, etc. */
-    middleware?: MiddlewareHandler;
     /** SEO: auto-generate sitemap.xml and robots.txt at deploy time, optionally submit URLs to Google Indexing API */
     seo?: StaticSiteSeo;
 };
+/** Route entry stored on the static site handler */
+type StaticSiteRouteEntry = {
+    pattern: string;
+    origin: AnyRoutableHandler;
+    access?: "private" | "public";
+};
 /**
  * Internal handler object created by defineStaticSite
  * @internal
@@ -1287,16 +1276,24 @@ type StaticSiteConfig = {
 type StaticSiteHandler = {
     readonly __brand: "effortless-static-site";
     readonly __spec: StaticSiteConfig;
+    readonly routes: StaticSiteRouteEntry[];
+    readonly middleware?: MiddlewareHandler;
 };
 /**
- * Deploy a static site via S3 + CloudFront CDN.
+ * Deploy a static site via S3 + CloudFront CDN, with optional API and bucket route overrides.
  *
  * @see {@link https://effortless-aws.website/use-cases/web-app | Web app guide}
  *
- * @param options - Static site configuration: directory, optional SPA mode, build command
- * @returns Handler object used by the deployment system
+ * @param options - Static site configuration: directory, optional SPA mode, build command, domain
+ * @returns Builder with `.route()`, `.middleware()`, and `.build()` methods
  */
-declare const defineStaticSite: () => (options: StaticSiteConfig) => StaticSiteHandler;
+declare function defineStaticSite(options: StaticSiteConfig): {
+    route(pattern: string, origin: AnyRoutableHandler, opts?: {
+        access?: "private" | "public";
+    }): /*elided*/ any;
+    middleware(fn: MiddlewareHandler): /*elided*/ any;
+    build(): StaticSiteHandler;
+};
 
 /** Options for CloudFront signed cookie policy */
 type CdnPolicyOptions = {
@@ -1355,16 +1352,6 @@ type AuthOptions<A = unknown> = {
         cacheTtl?: Duration;
     };
 };
-/** Branded auth config — created by `enableAuth<A>()` helper, carries session type A */
-type ApiAuthConfig<A = unknown> = AuthOptions<A> & {
-    readonly __sessionType: A;
-};
-/** Type of the `enableAuth` helper injected into setup args */
-type EnableAuth = <A = unknown>(options: AuthOptions<A>) => ApiAuthConfig<A>;
-/** Extract session type A from ctx.auth if present */
-type ExtractAuth<C> = C extends {
-    auth: ApiAuthConfig<infer A>;
-} ? A : undefined;
 /** Property names reserved by the framework — cannot be used in setup return */
 type ReservedKeys = 'req' | 'input' | 'stream' | 'ok' | 'fail';
 /** Success response helper: `ok({ data })` → `{ status: 200, body: { data } }` */
@@ -1392,35 +1379,36 @@ type RouteEntry = {
     method: HttpMethod;
     path: string;
     onRequest: (...args: any[]) => any;
+    schema?: unknown;
     public?: boolean;
     cache?: ResolvedCache;
 };
-/** Spread ctx into route args: Omit auth config, add AuthHelpers if present */
-type SpreadCtx$2<C> = ([C] extends [undefined] ? {} : Omit<C & {}, 'auth'>) & ([ExtractAuth<C>] extends [undefined] ? {} : {
-    auth: AuthHelpers<ExtractAuth<C>>;
+/** Spread ctx into route args, add AuthHelpers if A is set */
+type SpreadCtx$2<C, A = undefined> = ([C] extends [undefined] ? {} : C & {}) & ([A] extends [undefined] ? {} : {
+    auth: AuthHelpers<A>;
 });
+/** Infer validated output type from a Standard Schema, or fall back to unknown */
+type InferInput<S> = S extends StandardSchemaV1 ? StandardSchemaV1.InferOutput<S> : unknown;
 /** Callback args available inside each route — ctx is spread into args */
-type RouteArgs<C, ST> = SpreadCtx$2<C> & {
+type RouteArgs<C, ST, A = undefined, S = undefined> = SpreadCtx$2<C, A> & {
     req: HttpRequest;
-    input: unknown;
+    input: InferInput<S>;
     ok: OkHelper;
     fail: FailHelper;
 } & ([ST] extends [true] ? {
     stream: ResponseStream;
 } : {});
 /** Route handler function */
-type RouteHandler<C, ST> = (args: RouteArgs<C, ST>) => Promise<HttpResponse | void> | HttpResponse | void;
-/** Route options for all methods */
-type RouteOptions = {
+type RouteHandler<C, ST, A = undefined, S = undefined> = (args: RouteArgs<C, ST, A, S>) => Promise<HttpResponse | void> | HttpResponse | void;
+/** Route definition — pass `input` for typed schema validation */
+type RouteDef<S extends StandardSchemaV1 | undefined = undefined> = {
+    path: `/${string}`;
+    input?: S;
     public?: boolean;
-};
-/** Route options for GET — supports caching */
-type GetRouteOptions = RouteOptions & {
     cache?: CacheOptions;
 };
-/** Setup factory — receives deps/config/files/enableAuth based on what was declared */
+/** Setup factory — receives deps/config/files based on what was declared */
 type SetupArgs$2<D, P, HasFiles extends boolean> = {
-    enableAuth: EnableAuth;
     ok: OkHelper;
     fail: FailHelper;
 } & ([D] extends [undefined] ? {} : {
@@ -1430,6 +1418,12 @@ type SetupArgs$2<D, P, HasFiles extends boolean> = {
 }) & (HasFiles extends true ? {
     files: StaticFiles;
 } : {});
+/** Auth factory args — receives config/deps based on what was declared */
+type AuthArgs$1<D, P> = ([D] extends [undefined] ? {} : {
+    deps: ResolveDeps<D>;
+}) & ([P] extends [undefined] ? {} : {
+    config: ResolveConfig<P & {}>;
+});
 /** Validate that setup return type does not use reserved property names */
 type ValidateSetupReturn<C> = C & {
     [K in ReservedKeys]?: never;
@@ -1466,12 +1460,12 @@ type ApiOptions = {
  * Finalized API handler with route-adding methods.
  * Has `__brand` so CLI discovers it. Each `.get()/.post()` adds a route and returns self.
  */
-interface ApiRoutes<C = undefined, ST extends boolean = false> extends ApiHandler<C> {
-    get(path: `/${string}`, handler: RouteHandler<C, ST>, options?: GetRouteOptions): ApiRoutes<C, ST>;
-    post(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    put(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    patch(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    delete(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+interface ApiRoutes<C = undefined, ST extends boolean = false, A = undefined> extends ApiHandler<C> {
+    get<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    post<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    put<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    patch<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    delete<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
 }
 /**
  * Builder interface for defining API handlers.
@@ -1479,38 +1473,35 @@ interface ApiRoutes<C = undefined, ST extends boolean = false> extends ApiHandle
  * Each method sets exactly one generic, so inference happens one step at a time.
  * This prevents cascading type errors when one property has a mistake.
  */
-interface ApiBuilder<D = undefined, P = undefined, C = undefined, ST extends boolean = false, HasFiles extends boolean = false> {
+interface ApiBuilder<D = undefined, P = undefined, C = undefined, ST extends boolean = false, HasFiles extends boolean = false, A = undefined> {
     /** Declare handler dependencies (tables, queues, buckets, mailers) */
-    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): ApiBuilder<D2, P, C, ST, HasFiles>;
+    deps<D2 extends Record<string, AnyDepHandler>>(fn: () => D2): ApiBuilder<D2, P, C, ST, HasFiles, A>;
     /** Declare SSM secrets */
-    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): ApiBuilder<D, P2, C, ST, HasFiles>;
+    config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): ApiBuilder<D, P2, C, ST, HasFiles, A>;
     /** Include static files by glob pattern */
-    include(glob: string): ApiBuilder<D, P, C, ST, true>;
+    include(glob: string): ApiBuilder<D, P, C, ST, true, A>;
+    /** Configure session-based authentication. Receives resolved config/deps. */
+    auth<A2>(fn: (args: AuthArgs$1<D, P>) => AuthOptions<A2> | Promise<AuthOptions<A2>>): ApiBuilder<D, P, C, ST, HasFiles, A2>;
     /** Configure Lambda settings only (no init function) */
-    setup(lambda: LambdaOptions): ApiBuilder<D, P, C, ST, HasFiles>;
+    setup(lambda: LambdaOptions): ApiBuilder<D, P, C, ST, HasFiles, A>;
     /** Initialize shared state on cold start. Receives deps/config/files based on what was declared. */
-    setup<C2>(fn: (args: SetupArgs$2<D, P, HasFiles>) => ValidateSetupReturn<C2> | Promise<ValidateSetupReturn<C2>>): ApiBuilder<D, P, C2, ST, HasFiles>;
+    setup<C2>(fn: (args: SetupArgs$2<D, P, HasFiles>) => ValidateSetupReturn<C2> | Promise<ValidateSetupReturn<C2>>): ApiBuilder<D, P, C2, ST, HasFiles, A>;
     /** Initialize shared state on cold start with Lambda config. */
-    setup<C2>(fn: (args: SetupArgs$2<D, P, HasFiles>) => ValidateSetupReturn<C2> | Promise<ValidateSetupReturn<C2>>, lambda: LambdaOptions): ApiBuilder<D, P, C2, ST, HasFiles>;
+    setup<C2>(fn: (args: SetupArgs$2<D, P, HasFiles>) => ValidateSetupReturn<C2> | Promise<ValidateSetupReturn<C2>>, lambda: LambdaOptions): ApiBuilder<D, P, C2, ST, HasFiles, A>;
     /** Handle errors thrown by routes */
     onError(fn: (args: {
         error: unknown;
         req: HttpRequest;
         ok: OkHelper;
         fail: FailHelper;
-    } & SpreadCtx$2<C>) => HttpResponse | Promise<HttpResponse>): ApiBuilder<D, P, C, ST, HasFiles>;
+    } & SpreadCtx$2<C, A>) => HttpResponse | Promise<HttpResponse>): ApiBuilder<D, P, C, ST, HasFiles, A>;
     /** Cleanup callback — runs after each invocation, before Lambda freezes */
-    onCleanup(fn: (args: SpreadCtx$2<C>) => void | Promise<void>): ApiBuilder<D, P, C, ST, HasFiles>;
-    /** Add a GET route (terminal — returns finalized handler with route methods) */
-    get(path: `/${string}`, handler: RouteHandler<C, ST>, options?: GetRouteOptions): ApiRoutes<C, ST>;
-    /** Add a POST route (terminal) */
-    post(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    /** Add a PUT route (terminal) */
-    put(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    /** Add a PATCH route (terminal) */
-    patch(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
-    /** Add a DELETE route (terminal) */
-    delete(path: `/${string}`, handler: RouteHandler<C, ST>, options?: RouteOptions): ApiRoutes<C, ST>;
+    onCleanup(fn: (args: SpreadCtx$2<C, A>) => void | Promise<void>): ApiBuilder<D, P, C, ST, HasFiles, A>;
+    get<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    post<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    put<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    patch<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
+    delete<S extends StandardSchemaV1 | undefined = undefined>(def: RouteDef<S>, handler: RouteHandler<C, ST, A, S>): ApiRoutes<C, ST, A>;
 }
 /**
  * Define an API with typed routes using a builder pattern.
@@ -1519,16 +1510,12 @@ interface ApiBuilder<D = undefined, P = undefined, C = undefined, ST extends boo
  *
  * @example
  * ```typescript
- * export const api = defineApi({ basePath: "/api", timeout: "30s" })
+ * export const api = defineApi({ basePath: "/api" })
  *   .deps(() => ({ users }))
- *   .config(({ defineSecret }) => ({ dbUrl: defineSecret() }))
- *   .setup(async ({ deps, config, enableAuth }) => ({
- *     users: deps.users,
- *     auth: enableAuth<Session>({ secret: config.dbUrl }),
- *   }))
- *   .onError(({ error, fail }) => fail(String(error), 500))
- *   .get("/me", async ({ users, auth, ok }) => ok(auth.session))
- *   .post("/login", async ({ auth, ok }) => ok(await auth.createSession()), { public: true })
+ *   .config(({ defineSecret }) => ({ authSecret: defineSecret() }))
+ *   .auth<Session>(({ config }) => ({ secret: config.authSecret, expiresIn: "1h" }))
+ *   .get({ path: "/me" }, async ({ users, auth, ok }) => ok(auth.session))
+ *   .post({ path: "/login", public: true }, async ({ auth, ok }) => ok(await auth.createSession()))
  * ```
  */
 declare function defineApi<const O extends ApiOptions>(options: O): ApiBuilder<undefined, undefined, undefined, O["stream"] extends true ? true : false, false>;
@@ -1699,29 +1686,42 @@ type McpResourceContent = {
     mimeType?: string;
     blob: string;
 };
-/** A static resource definition */
-type McpResourceDef$1<C = undefined> = {
+/** Legacy resource content result type used by runtime internals */
+type McpResourceResult = McpResourceContent | McpResourceContent[] | Promise<McpResourceContent | McpResourceContent[]>;
+/** Infer resource params type from schema, or fall back to Record<string, string> */
+type InferResourceParams<S> = S extends StandardSchemaV1 ? StandardSchemaV1.InferOutput<S> : Record<string, string>;
+/** Resource definition — pass `params` for typed schema validation on URI template params */
+type McpResourceDefInput<S extends StandardSchemaV1 | undefined = undefined> = {
+    /** Resource URI or URI template (e.g. "resource://contacts/{id}") */
+    uri: string;
     /** Human-readable name */
     name: string;
+    /** Schema for URI template params — provides type inference + validation */
+    params?: S;
     /** Optional description */
     description?: string;
     /** Optional MIME type */
     mimeType?: string;
-    /** Handler called on resources/read */
-    handler: (ctx: SpreadCtx<C>) => McpResourceContent | McpResourceContent[] | Promise<McpResourceContent | McpResourceContent[]>;
 };
-/** A parameterized resource template (URI template RFC 6570) */
+/** What resource handlers can return — plain data is auto-wrapped by the runtime */
+type McpResourceReturn = unknown | Promise<unknown>;
+/** Resource handler — receives params (typed or Record<string, string>) and ctx */
+type McpResourceHandler<C, S = undefined> = (params: InferResourceParams<S>, ctx: SpreadCtx<C>) => McpResourceReturn;
+/** @internal */
+type McpResourceDef$1<C = undefined> = {
+    name: string;
+    description?: string;
+    mimeType?: string;
+    handler: (ctx: SpreadCtx<C>) => McpResourceResult;
+};
+/** @internal */
 type McpResourceTemplateDef$1<C = undefined> = {
-    /** Human-readable name */
     name: string;
-    /** Optional description */
     description?: string;
-    /** Optional MIME type */
     mimeType?: string;
-    /** Handler called on resources/read — receives matched URI params */
-    handler: (params: Record<string, string>, ctx: SpreadCtx<C>) => McpResourceContent | McpResourceContent[] | Promise<McpResourceContent | McpResourceContent[]>;
+    handler: (params: Record<string, string>, ctx: SpreadCtx<C>) => McpResourceResult;
 };
-/** Map of uri → resource definition, or uriTemplate → template definition */
+/** @internal */
 type McpResourceMap$1<C = undefined> = {
     [uriOrTemplate: string]: McpResourceDef$1<C> | McpResourceTemplateDef$1<C>;
 };
@@ -1765,34 +1765,54 @@ type McpPromptResult = {
     description?: string;
     messages: McpPromptMessage[];
 };
-/** A single prompt definition */
+/** @internal Legacy prompt definition used by runtime */
 type McpPromptDef$1<C = undefined> = {
-    /** Human-readable description */
     description?: string;
-    /** Arguments this prompt accepts */
     arguments?: McpPromptArgument[];
-    /** Handler called on prompts/get — receives argument values */
     handler: (args: Record<string, string>, ctx: SpreadCtx<C>) => McpPromptResult | Promise<McpPromptResult>;
 };
-/** A single MCP tool definition */
-type McpToolDef$1<C = undefined> = {
+/** Infer prompt args type from schema, or fall back to Record<string, string> */
+type InferPromptArgs<S> = S extends StandardSchemaV1 ? StandardSchemaV1.InferOutput<S> : Record<string, string>;
+/** Prompt definition — pass a Standard Schema for `args` for typed validation, or McpPromptArgument[] for untyped */
+type McpPromptDefInput<S extends StandardSchemaV1 | McpPromptArgument[] | undefined = undefined> = {
+    /** Prompt name */
+    name: string;
+    /** Human-readable description */
+    description?: string;
+    /** Args: Standard Schema for typed validation, or McpPromptArgument[] for untyped */
+    args?: S;
+};
+/** Handler return: string auto-wraps as user message, or return full McpPromptResult */
+type McpPromptReturn = string | McpPromptResult | Promise<string | McpPromptResult>;
+/** Prompt handler — receives args (typed or Record<string, string>) and ctx */
+type McpPromptHandler<C, S = undefined> = (args: InferPromptArgs<S>, ctx: SpreadCtx<C>) => McpPromptReturn;
+/** Infer tool input type from schema, or fall back to any */
+type InferToolInput<S> = S extends StandardJSONSchemaV1 ? StandardJSONSchemaV1.InferOutput<S> : any;
+/** Tool definition — pass a StandardJSONSchemaV1 for `input` for typed validation, or McpInputSchema for raw JSON Schema */
+type McpToolDefInput<S extends StandardJSONSchemaV1 | McpInputSchema = McpInputSchema> = {
+    /** Tool name */
+    name: string;
     /** Human-readable description of the tool */
     description: string;
-    /** JSON Schema describing the tool's input parameters */
-    input: McpInputSchema;
-    /** Handler function called when the tool is invoked */
-    handler: (input: any, ctx: SpreadCtx<C>) => McpToolResult | Promise<McpToolResult>;
-};
-/** Setup factory — receives deps/config/files/enableAuth based on what was declared */
-type SetupArgs<D, P, HasFiles extends boolean> = {
-    enableAuth: EnableAuth;
-} & ([D] extends [undefined] ? {} : {
+    /** Schema for tool input: StandardJSONSchemaV1 (e.g. z.object({...})) or raw McpInputSchema */
+    input: S;
+};
+/** Tool handler — receives input (typed or any) and ctx */
+type McpToolHandler<C, S = McpInputSchema> = (input: InferToolInput<S>, ctx: SpreadCtx<C>) => unknown | Promise<unknown>;
+/** Setup factory — receives deps/config/files based on what was declared */
+type SetupArgs<D, P, HasFiles extends boolean> = ([D] extends [undefined] ? {} : {
     deps: ResolveDeps<D>;
 }) & ([P] extends [undefined] ? {} : {
     config: ResolveConfig<P & {}>;
 }) & (HasFiles extends true ? {
     files: StaticFiles;
 } : {});
+/** Auth factory args — receives config/deps based on what was declared */
+type AuthArgs<D, P> = ([D] extends [undefined] ? {} : {
+    deps: ResolveDeps<D>;
+}) & ([P] extends [undefined] ? {} : {
+    config: ResolveConfig<P & {}>;
+});
 /** Spread ctx into callback args (empty when no setup) */
 type SpreadCtx<C> = [C] extends [undefined] ? {} : C & {};
 /**
@@ -1812,6 +1832,18 @@ type McpHandler$1<C = any> = {
     readonly prompts?: (...args: any[]) => any;
     readonly tools?: (...args: any[]) => any;
 };
+/**
+ * Finalized MCP handler with chainable registration methods.
+ * Has `__brand` so CLI discovers it. Each `.tool()/.resource()/.prompt()` adds an entry and returns self.
+ */
+interface McpEntries<C = undefined> extends McpHandler$1<C> {
+    /** Register a tool */
+    tool<S extends StandardJSONSchemaV1 | McpInputSchema = McpInputSchema>(def: McpToolDefInput<S>, handler: McpToolHandler<C, S>): McpEntries<C>;
+    /** Register a resource */
+    resource<S extends StandardSchemaV1 | undefined = undefined>(def: McpResourceDefInput<S>, handler: McpResourceHandler<C, S>): McpEntries<C>;
+    /** Register a prompt */
+    prompt<S extends StandardSchemaV1 | McpPromptArgument[] | undefined = undefined>(def: McpPromptDefInput<S>, handler: McpPromptHandler<C, S>): McpEntries<C>;
+}
 /** Options passed to `defineMcp()` */
 type McpOptions = {
     /** MCP server name (used in server info) */
@@ -1828,6 +1860,8 @@ interface McpBuilder<D = undefined, P = undefined, C = undefined, HasFiles exten
     config<P2 extends Record<string, AnySecretRef>>(fn: ConfigFactory<P2>): McpBuilder<D, P2, C, HasFiles>;
     /** Include static files in the bundle. Chainable — call multiple times. */
     include(glob: string): McpBuilder<D, P, C, true>;
+    /** Configure session-based authentication. Receives resolved config/deps. All requests require a valid session. */
+    auth<A2>(fn: (args: AuthArgs<D, P>) => AuthOptions<A2> | Promise<AuthOptions<A2>>): McpBuilder<D, P, C, HasFiles>;
     /** Configure Lambda settings only (memory, timeout, permissions, logLevel) */
     setup(lambda: LambdaOptions): McpBuilder<D, P, C, HasFiles>;
     /** Initialize shared state on cold start. Receives deps, config, files. */
@@ -1841,12 +1875,14 @@ interface McpBuilder<D = undefined, P = undefined, C = undefined, HasFiles exten
     } & SpreadCtx<C>) => void | Promise<void>): McpBuilder<D, P, C, HasFiles>;
     /** Cleanup callback — runs on shutdown */
     onCleanup(fn: (args: SpreadCtx<C>) => void | Promise<void>): McpBuilder<D, P, C, HasFiles>;
-    /** Define MCP resources (chainable) */
-    resources(fn: (ctx: SpreadCtx<C>) => McpResourceMap$1<C>): McpBuilder<D, P, C, HasFiles>;
-    /** Define MCP prompts (chainable) */
-    prompts(fn: (ctx: SpreadCtx<C>) => Record<string, McpPromptDef$1<C>>): McpBuilder<D, P, C, HasFiles>;
-    /** Define MCP tools (terminal) */
-    tools(fn: (ctx: SpreadCtx<C>) => Record<string, McpToolDef$1<C>>): McpHandler$1<C>;
+    /** Register a tool */
+    tool<S extends StandardJSONSchemaV1 | McpInputSchema = McpInputSchema>(def: McpToolDefInput<S>, handler: McpToolHandler<C, S>): McpEntries<C>;
+    /** Register a resource */
+    resource<S extends StandardSchemaV1 | undefined = undefined>(def: McpResourceDefInput<S>, handler: McpResourceHandler<C, S>): McpEntries<C>;
+    /** Register a prompt */
+    prompt<S extends StandardSchemaV1 | McpPromptArgument[] | undefined = undefined>(def: McpPromptDefInput<S>, handler: McpPromptHandler<C, S>): McpEntries<C>;
+    /** Finalize the handler without adding more entries */
+    build(): McpHandler$1<C>;
 }
 /**
  * Define an MCP (Model Context Protocol) server endpoint.
@@ -1859,7 +1895,7 @@ interface McpBuilder<D = undefined, P = undefined, C = undefined, HasFiles exten
  */
 declare function defineMcp(options: McpOptions): McpBuilder;
 
-type McpToolDef = McpToolDef$1;
+type McpToolDef = McpToolDefInput;
 type McpResourceDef = McpResourceDef$1;
 type McpResourceTemplateDef = McpResourceTemplateDef$1;
 type McpResourceMap = McpResourceMap$1;
@@ -1872,4 +1908,4 @@ type CronHandler = CronHandler$1<any>;
 type WorkerHandler<T = any> = WorkerHandler$1<T, any>;
 type McpHandler = McpHandler$1<any>;
 
-export { type ApiAuthConfig, type ApiConfig, type ApiHandler, type ApiRoutes, type AppConfig, type AppHandler, type AuthHelpers, type BucketClient, type BucketClientWithEntities, type BucketConfig, type BucketEntityConfig, type BucketEvent, type BucketHandler, type BucketRouteConfig, type CacheOptions, type CdnPolicyOptions, type ConfigHelpers, type ContentType, type CronConfig, type CronHandler, type DefineSecretFn, type Duration, type EffortlessConfig, type EmailClient, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod$1 as HttpMethod, type HttpRequest, type HttpResponse, type LogLevel, type MailerConfig, type MailerHandler, type McpConfig, type McpHandler, type McpInputSchema, type McpPromptArgument, type McpPromptContent, type McpPromptDef, type McpPromptMessage, type McpPromptResult, type McpResourceContent, type McpResourceDef, type McpResourceMap, type McpResourceTemplateDef, type McpToolContent, type McpToolDef, type McpToolResult, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StoreEntityClient, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type Timezone, type UpdateActions, type WorkerClient, type WorkerConfig, type WorkerHandler, type WorkerSendOptions, defineApi, defineApp, defineBucket, defineConfig, defineCron, defineFifoQueue, defineMailer, defineMcp, defineSecret, defineStaticSite, defineTable, defineWorker, generateBase64, generateHex, generateUuid, isBucketRoute, param, secret, toSeconds };
+export { type ApiConfig, type ApiHandler, type ApiRoutes, type AppConfig, type AppHandler, type AuthHelpers, type AuthOptions, type BucketClient, type BucketClientWithEntities, type BucketConfig, type BucketEntityConfig, type BucketEvent, type BucketHandler, type CacheOptions, type CdnPolicyOptions, type ConfigHelpers, type ContentType, type CronConfig, type CronHandler, type DefineSecretFn, type Duration, type EffortlessConfig, type EmailClient, type FifoQueueConfig, type FifoQueueHandler, type FifoQueueMessage, type HttpMethod$1 as HttpMethod, type HttpRequest, type HttpResponse, type LogLevel, type MailerConfig, type MailerHandler, type McpConfig, type McpEntries, type McpHandler, type McpInputSchema, type McpPromptArgument, type McpPromptContent, type McpPromptDef, type McpPromptMessage, type McpPromptResult, type McpResourceContent, type McpResourceDef, type McpResourceMap, type McpResourceTemplateDef, type McpToolContent, type McpToolDef, type McpToolResult, type MiddlewareDeny, type MiddlewareHandler, type MiddlewareRedirect, type MiddlewareRequest, type MiddlewareResult, type ParamRef, type Permission, type PutInput, type PutOptions, type QueryByTagParams, type QueryParams, type QueueClient, type ResponseStream, type SecretRef, type SendEmailOptions, type SendMessageInput, type SkCondition, type StaticFiles, type StaticSiteConfig, type StaticSiteHandler, type StaticSiteSeo, type StoreEntityClient, type StreamView, type TableClient, type TableConfig, type TableHandler, type TableItem, type TableKey, type TableRecord, type Timezone, type UpdateActions, type WorkerClient, type WorkerConfig, type WorkerHandler, type WorkerSendOptions, defineApi, defineApp, defineBucket, defineConfig, defineCron, defineFifoQueue, defineMailer, defineMcp, defineSecret, defineStaticSite, defineTable, defineWorker, generateBase64, generateHex, generateUuid, param, secret, toSeconds };