@neon/config 0.0.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. package/LICENSE.md +178 -0
  2. package/README.md +146 -0
  3. package/dist/index.d.ts +11 -0
  4. package/dist/index.js +10 -0
  5. package/dist/lib/auth.d.ts +67 -0
  6. package/dist/lib/auth.d.ts.map +1 -0
  7. package/dist/lib/auth.js +107 -0
  8. package/dist/lib/auth.js.map +1 -0
  9. package/dist/lib/credentials.d.ts +37 -0
  10. package/dist/lib/credentials.d.ts.map +1 -0
  11. package/dist/lib/credentials.js +30 -0
  12. package/dist/lib/credentials.js.map +1 -0
  13. package/dist/lib/define-config.d.ts +123 -0
  14. package/dist/lib/define-config.d.ts.map +1 -0
  15. package/dist/lib/define-config.js +168 -0
  16. package/dist/lib/define-config.js.map +1 -0
  17. package/dist/lib/diff.d.ts +120 -0
  18. package/dist/lib/diff.d.ts.map +1 -0
  19. package/dist/lib/diff.js +284 -0
  20. package/dist/lib/diff.js.map +1 -0
  21. package/dist/lib/duration.d.ts +68 -0
  22. package/dist/lib/duration.d.ts.map +1 -0
  23. package/dist/lib/duration.js +111 -0
  24. package/dist/lib/duration.js.map +1 -0
  25. package/dist/lib/errors.d.ts +140 -0
  26. package/dist/lib/errors.d.ts.map +1 -0
  27. package/dist/lib/errors.js +185 -0
  28. package/dist/lib/errors.js.map +1 -0
  29. package/dist/lib/loader.d.ts +44 -0
  30. package/dist/lib/loader.d.ts.map +1 -0
  31. package/dist/lib/loader.js +120 -0
  32. package/dist/lib/loader.js.map +1 -0
  33. package/dist/lib/neon-api-real.d.ts +92 -0
  34. package/dist/lib/neon-api-real.d.ts.map +1 -0
  35. package/dist/lib/neon-api-real.js +957 -0
  36. package/dist/lib/neon-api-real.js.map +1 -0
  37. package/dist/lib/neon-api.d.ts +373 -0
  38. package/dist/lib/neon-api.d.ts.map +1 -0
  39. package/dist/lib/neon-api.js +1 -0
  40. package/dist/lib/patterns.d.ts +43 -0
  41. package/dist/lib/patterns.d.ts.map +1 -0
  42. package/dist/lib/patterns.js +76 -0
  43. package/dist/lib/patterns.js.map +1 -0
  44. package/dist/lib/schema.d.ts +215 -0
  45. package/dist/lib/schema.d.ts.map +1 -0
  46. package/dist/lib/schema.js +284 -0
  47. package/dist/lib/schema.js.map +1 -0
  48. package/dist/lib/types.d.ts +546 -0
  49. package/dist/lib/types.d.ts.map +1 -0
  50. package/dist/lib/types.js +18 -0
  51. package/dist/lib/types.js.map +1 -0
  52. package/dist/lib/wrap-neon-error.d.ts +30 -0
  53. package/dist/lib/wrap-neon-error.d.ts.map +1 -0
  54. package/dist/lib/wrap-neon-error.js +139 -0
  55. package/dist/lib/wrap-neon-error.js.map +1 -0
  56. package/dist/v1.d.ts +211 -0
  57. package/dist/v1.d.ts.map +1 -0
  58. package/dist/v1.js +82 -0
  59. package/dist/v1.js.map +1 -0
  60. package/package.json +57 -18
@@ -0,0 +1,546 @@
1
+ //#region src/lib/types.d.ts
2
+ /**
3
+ * Valid Neon Compute Unit values.
4
+ * Most plans support 0.25, 0.5, 1, 2, 4, 8. Higher values may be available on Business plans.
5
+ */
6
+ type ComputeUnit = 0.25 | 0.5 | 1 | 2 | 4 | 8;
7
+ /** Time units accepted in a {@link DurationString}: seconds, minutes, hours, days, weeks. */
8
+ type DurationUnit = "s" | "m" | "h" | "d" | "w";
9
+ /**
10
+ * A Neon duration string: a positive integer **followed by a unit** — `s` (seconds),
11
+ * `m` (minutes), `h` (hours), `d` (days), or `w` (weeks). Used by
12
+ * {@link ComputeSettings.suspendTimeout} and {@link BranchTuning.ttl}.
13
+ *
14
+ * A **unit is required**: a bare numeric string like `"7"` is rejected at the type level. To
15
+ * express a raw number of seconds, pass a `number` (`300`) — not a string (`"300"`). This
16
+ * removes the old ambiguity where `"7"` silently meant 7 *seconds* instead of, say, `"7d"`.
17
+ *
18
+ * @example "5m" // 5 minutes
19
+ * @example "1h" // 1 hour
20
+ * @example "7d" // 7 days
21
+ */
22
+ type DurationString = `${number}${DurationUnit}`;
23
+ /**
24
+ * Autocomplete suggestions for {@link ComputeSettings.suspendTimeout}. Every value sits inside
25
+ * the Neon API's allowed scale-to-zero band: **60s–604800s** (1 minute – 1 week). This is *not*
26
+ * a closed set — the field also accepts any other {@link DurationString} or a `number` of
27
+ * seconds; out-of-range values type-check but are rejected at apply time.
28
+ */
29
+ type SuspendTimeoutSuggestion = "1m" | "5m" | "15m" | "30m" | "1h" | "6h" | "12h" | "1d" | "7d";
30
+ /**
31
+ * Autocomplete suggestions for {@link BranchTuning.ttl}. Every value sits within the Neon API's
32
+ * branch-expiration limit (**max 30 days** from creation; the Console's own presets are 1h / 1d
33
+ * / 7d). This is *not* a closed set — the field also accepts any other {@link DurationString} or
34
+ * a `number` of seconds; values over 30 days are rejected at apply time.
35
+ */
36
+ type TtlSuggestion = "1h" | "6h" | "12h" | "1d" | "3d" | "7d" | "14d" | "30d";
37
+ /**
38
+ * Compose a field's duration type: its curated autocomplete `Suggestions` plus the open
39
+ * `DurationString` template (so any `<integer><unit>` string still type-checks) and a `number`
40
+ * of seconds. Intersecting the template arm with `NonNullable<unknown>` stops TypeScript from
41
+ * collapsing the literal suggestions into the template, which is what preserves the autocomplete.
42
+ */
43
+ type DurationField<Suggestions extends DurationString> = Suggestions | (DurationString & NonNullable<unknown>) | number;
44
+ /**
45
+ * Compute settings applied to the read/write endpoint of a branch.
46
+ *
47
+ * Mirrors the subset of {@link https://api-docs.neon.tech/reference/getting-started-with-neon-api Neon endpoint}
48
+ * fields that we expose as IaC primitives. Anything left undefined falls back to the project's
49
+ * `default_endpoint_settings` (which themselves fall back to Neon platform defaults).
50
+ */
51
+ interface ComputeSettings {
52
+ /**
53
+ * Minimum number of Compute Units. Set to 0.25 for true scale-to-zero.
54
+ * @example 0.25 // scale-to-zero
55
+ * @example 1 // always-on with 1 CU minimum
56
+ */
57
+ autoscalingLimitMinCu?: ComputeUnit;
58
+ /**
59
+ * Maximum number of Compute Units for autoscaling.
60
+ * @example 2
61
+ * @example 8
62
+ */
63
+ autoscalingLimitMaxCu?: ComputeUnit;
64
+ /**
65
+ * How long an idle compute waits before suspending (Neon's scale-to-zero). Accepts a
66
+ * {@link DurationString} (autocompletes common values), a number of seconds, or `false`.
67
+ *
68
+ * - `false` — never suspend (always-on compute)
69
+ * - {@link DurationString} — e.g. `"5m"`; autocompletes the in-range values `"1m"`, `"5m"`,
70
+ * `"15m"`, `"30m"`, `"1h"`, `"6h"`, `"12h"`, `"1d"`, `"7d"`, and accepts any other
71
+ * `<integer><unit>` (units: `s`, `m`, `h`, `d`, `w`). A **unit is required** — for raw
72
+ * seconds pass a `number`, not a string.
73
+ * - `number` — custom timeout in **seconds**, must be in `60`–`604800` (1 minute to 1 week)
74
+ * - `undefined` — use the Neon platform default (currently 300s / 5 minutes)
75
+ *
76
+ * Whichever form you use, the resolved timeout must fall in `60`–`604800` seconds (the Neon
77
+ * API limit); the suggestions are all within that band, anything else is checked at apply.
78
+ *
79
+ * @example false // never suspend (always-on)
80
+ * @example "5m" // suspend after 5 minutes idle
81
+ * @example "1h" // suspend after 1 hour idle
82
+ * @example 300 // 5 minutes, expressed in seconds
83
+ */
84
+ suspendTimeout?: false | DurationField<SuspendTimeoutSuggestion>;
85
+ }
86
+ /**
87
+ * Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the
88
+ * `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes
89
+ * **which** branch this invocation decides for; it is not a live branch handle and must not
90
+ * be mutated. Switch on its fields and return the desired {@link BranchConfig}.
91
+ */
92
+ interface BranchTarget {
93
+ /** Branch name being evaluated. For `branch dev`, this is the generated branch name. */
94
+ name: string;
95
+ /** Neon branch id when the branch already exists. Undefined during pre-create eval. */
96
+ id?: string;
97
+ /** Whether this branch already exists on Neon. */
98
+ exists: boolean;
99
+ /** Parent branch id from Neon when known. */
100
+ parentId?: string;
101
+ /** Whether Neon marks this branch as the project default. */
102
+ isDefault?: boolean;
103
+ /** Whether Neon currently marks this branch protected. */
104
+ isProtected?: boolean;
105
+ /** Current expiration timestamp from Neon, when set. */
106
+ expiresAt?: string;
107
+ }
108
+ /**
109
+ * Object form of a branch-scoped service toggle. `{}` or `{ enabled: true }` enables it;
110
+ * `{ enabled: false }` opts out. Used as the object half of {@link ServiceToggleInput}.
111
+ */
112
+ interface ServiceToggle {
113
+ /** Defaults to `true` when the service namespace is present. Set `false` to opt out. */
114
+ enabled?: boolean;
115
+ }
116
+ /**
117
+ * How a branch-scoped service (Neon Auth, Data API, AI Gateway) is toggled in a policy.
118
+ *
119
+ * - `true` / `{}` / `{ enabled: true }` — enabled.
120
+ * - `false` / `{ enabled: false }` — disabled.
121
+ * - omitted (`undefined`) — not part of the policy at all.
122
+ *
123
+ * These toggles are **static** (they live in the top-level `defineConfig({ … })` object,
124
+ * not in the per-branch `branch` closure) so the secret set they imply can be derived at
125
+ * the type level — that's what makes `NeonEnv<typeof config>` exact.
126
+ */
127
+ type ServiceToggleInput = boolean | ServiceToggle;
128
+ /**
129
+ * Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /
130
+ * `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables
131
+ * distribution so a union/`undefined` is judged as a single unit:
132
+ *
133
+ * - `false` / `{ enabled: false }` / `undefined` → `false`
134
+ * - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`
135
+ * (a present toggle defaults to enabled)
136
+ * - the bare `boolean | … | undefined` (no literal info) → `false`
137
+ *
138
+ * Shared by the {@link Config} static cross-field checks and the `@neon/env`
139
+ * `NeonEnv` namespace derivation, so both read "is this service on?" identically.
140
+ */
141
+ type ServiceEnabled<T> = [T] extends [false] ? false : [T] extends [{
142
+ enabled: false;
143
+ }] ? false : [T] extends [undefined] ? false : [T] extends [true] ? true : [T] extends [{
144
+ enabled: true;
145
+ }] ? true : [T] extends [object] ? true : false;
146
+ interface PostgresConfig {
147
+ computeSettings?: ComputeSettings;
148
+ }
149
+ /**
150
+ * Authentication providers a Data API integration can verify JWTs against, as written in
151
+ * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
152
+ * at the API boundary):
153
+ *
154
+ * - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
155
+ * JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
156
+ * fields are forbidden (a type error) on this variant — and the policy must also enable
157
+ * top-level `auth` (Neon Auth) so the tokens exist.
158
+ * - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
159
+ * provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
160
+ */
161
+ declare const DATA_API_AUTH_PROVIDERS: readonly ["neon", "external"];
162
+ type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];
163
+ /**
164
+ * Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,
165
+ * camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep
166
+ * the Neon defaults shown below. These are the **only** Data API fields that can change on
167
+ * an already-enabled integration — drift here is reconciled as an *update* (requires
168
+ * `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.
169
+ */
170
+ interface DataApiSettings {
171
+ /** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */
172
+ dbAggregatesEnabled?: boolean;
173
+ /** Database role used for anonymous requests (`db_anon_role`). Default `"anonymous"`. */
174
+ dbAnonRole?: string;
175
+ /** Extra schemas appended to the search path (`db_extra_search_path`). */
176
+ dbExtraSearchPath?: string;
177
+ /** Maximum rows returned in a single request (`db_max_rows`). */
178
+ dbMaxRows?: number;
179
+ /** Schemas exposed via the API (`db_schemas`). Default `["public"]`. */
180
+ dbSchemas?: string[];
181
+ /** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `".role"`. */
182
+ jwtRoleClaimKey?: string;
183
+ /** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */
184
+ jwtCacheMaxLifetime?: number;
185
+ /** OpenAPI spec mode (`openapi_mode`). Default `"disabled"`. */
186
+ openapiMode?: "ignore-privileges" | "disabled";
187
+ /** CORS allowed origins (`server_cors_allowed_origins`). */
188
+ serverCorsAllowedOrigins?: string;
189
+ /** Emit server-timing headers (`server_timing_enabled`). */
190
+ serverTimingEnabled?: boolean;
191
+ }
192
+ /** Fields shared by every {@link DataApiConfig} variant. */
193
+ interface DataApiConfigBase {
194
+ /** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */
195
+ enabled?: boolean;
196
+ /** Reusable runtime settings. Drift here is reconciled as an update. */
197
+ settings?: DataApiSettings;
198
+ }
199
+ /**
200
+ * Data API verified by **Neon Auth** (`authProvider: "neon"`, the default). The external
201
+ * IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any
202
+ * of them is a type error directing you to `authProvider: "external"`.
203
+ */
204
+ interface DataApiNeonAuthConfig extends DataApiConfigBase {
205
+ authProvider?: "neon";
206
+ /** Forbidden with `authProvider: "neon"` — Neon provides the JWKS URL. */
207
+ jwksUrl?: never;
208
+ /** Forbidden with `authProvider: "neon"` — the provider is Neon Auth. */
209
+ providerName?: never;
210
+ /** Forbidden with `authProvider: "neon"` — Neon manages the audience. */
211
+ jwtAudience?: never;
212
+ }
213
+ /**
214
+ * Data API verified by an **external** IdP (`authProvider: "external"`). You provide the
215
+ * JWKS URL (and optionally a provider label / expected audience).
216
+ */
217
+ interface DataApiExternalAuthConfig extends DataApiConfigBase {
218
+ authProvider: "external";
219
+ /** URL that publishes the IdP's JWKS (JSON Web Key Set). */
220
+ jwksUrl?: string;
221
+ /** Human label for the IdP (e.g. "Clerk", "Stytch", "Auth0"). */
222
+ providerName?: string;
223
+ /**
224
+ * Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;
225
+ * tokens with no `aud` claim are still accepted.
226
+ */
227
+ jwtAudience?: string;
228
+ }
229
+ /**
230
+ * Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:
231
+ * the `"neon"` variant forbids the external-IdP fields, the `"external"` variant allows them.
232
+ */
233
+ type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;
234
+ /**
235
+ * How the Data API is toggled in a policy: a bare boolean (like the other service toggles)
236
+ * or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it
237
+ * with Neon defaults; `false` / `{ enabled: false }` opt out.
238
+ */
239
+ type DataApiInput = boolean | DataApiConfig;
240
+ /**
241
+ * Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.
242
+ * Only `nodejs24` exists today; kept as a union so adding runtimes later is a
243
+ * non-breaking, type-checked change.
244
+ */
245
+ type FunctionRuntime = "nodejs24";
246
+ /**
247
+ * Local-development settings for a function, used by `neon dev` when it serves every
248
+ * function declared in `neon.ts` (i.e. invoked with no `--source`). Never affects deploy.
249
+ */
250
+ interface FunctionDevConfig {
251
+ /**
252
+ * Port the local server binds. Bound exactly (and `neon dev` fails loudly if it is taken)
253
+ * when set; a free port is found automatically when omitted.
254
+ */
255
+ port?: number;
256
+ }
257
+ /**
258
+ * Static definition of a Neon Function (Preview feature). Declares that the function
259
+ * **exists** on every branch; its branch-unique slug is the **record key** in
260
+ * {@link PreviewInput.functions} (not a field here), so slugs are statically enumerable,
261
+ * cannot duplicate, and the `branch` closure can only tune slugs that are declared here.
262
+ *
263
+ * A function is invoked like a Cloudflare/Vercel handler — its source module
264
+ * `export default { fetch }` or `export async function handler(req): Response`. The
265
+ * `source` path is bundled (esbuild) and uploaded as a deployment; the newest deployment
266
+ * becomes active.
267
+ *
268
+ * Runtime tuning is **not** here — it varies per branch and lives in the `branch` closure
269
+ * (see {@link FunctionTuning}). Memory is fixed by the platform policy for now and is not
270
+ * user-configurable.
271
+ */
272
+ interface FunctionDef {
273
+ /** Free-form display name. @example "Hello World" */
274
+ name: string;
275
+ /**
276
+ * Path to the function's entry module, **relative to `neon.ts`** (or absolute). The
277
+ * module's default export (`{ fetch }`) or `handler` export is the function entry. This
278
+ * path is resolved against the loaded `neon.ts` location and bundled with esbuild at
279
+ * deploy time.
280
+ *
281
+ * We require a string path rather than an imported handler because a JS function value
282
+ * carries no reference back to its source file, so esbuild has nothing to bundle from.
283
+ * @example "./functions/hello-world.ts"
284
+ */
285
+ source: string;
286
+ /**
287
+ * Environment variables injected into the deployed function, keyed by the var name the
288
+ * function reads at runtime. The **keys** are static (preserved at the type level so
289
+ * `parseEnv(config, "<slug>").function.<key>` is typed); the **values** are arbitrary
290
+ * strings evaluated when `neon.ts` is loaded (typically `process.env.X`) and uploaded
291
+ * at `config apply`. Every value must be a defined string — a `process.env.X` that is
292
+ * `undefined` (unset) errors at validation time rather than silently shipping
293
+ * `undefined`.
294
+ * @example { resendApiKey: process.env.RESEND_API_KEY ?? "" }
295
+ */
296
+ env?: Record<string, string>;
297
+ /**
298
+ * Local-development settings used by `neon dev` when serving every function from
299
+ * `neon.ts`. Ignored at deploy time. See {@link FunctionDevConfig}.
300
+ */
301
+ dev?: FunctionDevConfig;
302
+ }
303
+ /**
304
+ * A single capability a branch-scoped service credential may exercise (Preview). A
305
+ * credential is granted a set of these and may only perform the listed actions. Mirrors
306
+ * the Neon API `CredentialScope` enum (`x-stability-level: beta`):
307
+ *
308
+ * - `storage:read` / `storage:write` — object-storage (bucket) access via the S3 key.
309
+ * - `ai_gateway:invoke` — call the AI Gateway with the bearer `api_token`.
310
+ * - `functions:invoke` — invoke Neon Functions with the bearer `api_token`.
311
+ *
312
+ * The set a policy needs is derived from its enabled Preview features (see
313
+ * {@link deriveCredentialScopes}); it is never authored by hand.
314
+ */
315
+ type CredentialScope = "storage:read" | "storage:write" | "ai_gateway:invoke" | "functions:invoke";
316
+ /**
317
+ * Who a credential acts as. `user` is the developer/app principal minted for local dev and
318
+ * app bootstrap (`fetchEnv` / `env pull`); `function` is a deployed-function principal
319
+ * (carries a `function_id`). The env tooling only mints `user` credentials today.
320
+ */
321
+ type CredentialPrincipalType = "user" | "function";
322
+ /** Anonymous-access level for a branchable object-storage bucket. */
323
+ type BucketAccessLevel = "private" | "public_read";
324
+ /**
325
+ * Static definition of a branchable object-storage bucket (Preview feature). The bucket's
326
+ * name is the **record key** in {@link PreviewInput.buckets}, so names are statically
327
+ * enumerable and cannot duplicate.
328
+ */
329
+ interface BucketDef {
330
+ /**
331
+ * Anonymous access level. `private` (default) requires authenticated reads/writes;
332
+ * `public_read` allows anonymous GetObject/HeadObject.
333
+ */
334
+ access?: BucketAccessLevel;
335
+ }
336
+ /**
337
+ * Static, branch-scoped **Preview** features. Grouped under `preview` to signal they are
338
+ * backed by Neon `x-stability-level: beta` endpoints and may change before GA. Everything
339
+ * here is existential (it determines what exists on the branch); per-branch tuning lives in
340
+ * the `branch` closure.
341
+ */
342
+ interface PreviewInput {
343
+ /** Enable/disable the AI Gateway on the branch (toggle, like auth / dataApi). */
344
+ aiGateway?: ServiceToggleInput;
345
+ /** Functions to deploy, keyed by branch-unique slug (`^[a-z0-9]{1,20}$`). */
346
+ functions?: Record<string, FunctionDef>;
347
+ /** Object-storage buckets to create, keyed by bucket name. */
348
+ buckets?: Record<string, BucketDef>;
349
+ }
350
+ /**
351
+ * Per-branch deploy tuning for a single function. Returned (per slug) by the `branch`
352
+ * closure. Deliberately **cannot** change the function's existence, source, name, env
353
+ * **keys**, or memory — only runtime selection is currently configurable — so the static
354
+ * secret/function set stays sound.
355
+ */
356
+ interface FunctionTuning {
357
+ /** Runtime to execute the function with. Defaults to `"nodejs24"`. */
358
+ runtime?: FunctionRuntime;
359
+ }
360
+ /**
361
+ * Per-branch tuning of Preview features. Only existing function slugs (those declared in
362
+ * the static {@link PreviewInput.functions}) may be tuned — `Slug` is constrained to the
363
+ * declared keys by {@link BranchTuningFn}.
364
+ */
365
+ interface PreviewTuning<Slug extends string = string> {
366
+ functions?: Partial<Record<Slug, FunctionTuning>>;
367
+ }
368
+ /**
369
+ * The per-branch tuning object returned by the `branch` closure. It can adjust branch
370
+ * lifecycle (`parent`, `ttl`, `protected`), Postgres compute settings, and per-function
371
+ * deploy tuning — but **cannot** add/remove services or functions. That guarantee is what
372
+ * keeps the static secret set (and therefore `NeonEnv`) exact.
373
+ */
374
+ interface BranchTuning<Slug extends string = string> {
375
+ /** Parent branch name used when creating a new branch. Not a Postgres setting. */
376
+ parent?: string;
377
+ /**
378
+ * Branch time-to-live: how long after creation the branch should auto-expire. Applied
379
+ * when creating a new branch and reconciled on existing branches (when `updateExisting`
380
+ * is set). Accepts a {@link DurationString} (autocompletes common values) or a number of
381
+ * seconds. Omit to keep the branch indefinitely.
382
+ *
383
+ * - {@link DurationString} — e.g. `"7d"`; autocompletes `"1h"`, `"6h"`, `"12h"`, `"1d"`,
384
+ * `"3d"`, `"7d"`, `"14d"`, `"30d"`, and accepts any other `<integer><unit>` (units: `s`,
385
+ * `m`, `h`, `d`, `w` — e.g. `"12h"`, `"2w"`). A **unit is required** — `"7"` is rejected;
386
+ * for raw seconds pass a `number`.
387
+ * - `number` — custom TTL in **seconds** (e.g. `3600`)
388
+ * - `undefined` — no expiry; the branch persists until explicitly deleted
389
+ *
390
+ * The Neon API caps branch expiration at **30 days** from creation, so the resolved TTL must
391
+ * be `> 0` and `<= 30d`; the suggestions stay within that limit and anything longer is
392
+ * rejected at apply.
393
+ *
394
+ * @example "1d" // ephemeral preview branch: expires a day after creation
395
+ * @example "7d" // one-week TTL
396
+ * @example "30d" // the maximum the API allows
397
+ * @example 3600 // 1 hour, expressed in seconds
398
+ */
399
+ ttl?: DurationField<TtlSuggestion>;
400
+ /** Whether the selected branch should be protected. Undefined means "leave as-is". */
401
+ protected?: boolean;
402
+ postgres?: PostgresConfig;
403
+ preview?: PreviewTuning<Slug>;
404
+ }
405
+ /** Extract the declared function slugs from a {@link PreviewInput} for closure typing. */
406
+ type FunctionSlugsOf<Preview extends PreviewInput | undefined> = Preview extends {
407
+ functions: infer F;
408
+ } ? Extract<keyof F, string> : string;
409
+ /**
410
+ * Signature of the `branch` closure. Generic over the static {@link PreviewInput} so the
411
+ * `preview.functions` keys it may tune are constrained to the slugs actually declared.
412
+ */
413
+ type BranchTuningFn<Preview extends PreviewInput | undefined = PreviewInput | undefined> = (branch: BranchTarget) => BranchTuning<FunctionSlugsOf<Preview>>;
414
+ /**
415
+ * A validated Neon branch policy — the value `defineConfig({ … })` returns and `neon.ts`
416
+ * default-exports.
417
+ *
418
+ * Split into a **static** existential set (top-level `auth` / `dataApi` GA toggles plus the
419
+ * beta `preview` block) and a **dynamic** per-branch `branch` closure for tuning. The
420
+ * static half is what makes the secret set — and therefore `NeonEnv<typeof config>` and
421
+ * `parseEnv` — exact; the closure can tune but never change what exists.
422
+ *
423
+ * Generic over the three static fields so the type system can read the exact toggle/slug
424
+ * literals; the defaults make the bare `Config` a usable "any policy" type for runtime
425
+ * function signatures.
426
+ */
427
+ interface Config<Auth extends ServiceToggleInput | undefined = ServiceToggleInput | undefined, DataApi extends DataApiInput | undefined = DataApiInput | undefined, Preview extends PreviewInput | undefined = PreviewInput | undefined> {
428
+ /** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */
429
+ auth?: Auth;
430
+ /**
431
+ * Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or
432
+ * a {@link DataApiConfig} object selecting the auth provider (`"neon"` / `"external"`) and
433
+ * runtime {@link DataApiSettings}. With `authProvider: "neon"` the policy must also enable
434
+ * top-level `auth`.
435
+ */
436
+ dataApi?: DataApi;
437
+ /** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */
438
+ preview?: Preview;
439
+ /** Per-branch tuning closure. Cannot change the static existential set. */
440
+ branch?: BranchTuningFn<Preview>;
441
+ }
442
+ /**
443
+ * A function with all deploy defaults applied. `resolveConfig` fills in `runtime` so
444
+ * downstream diff/apply never has to re-derive it.
445
+ */
446
+ interface ResolvedFunctionConfig {
447
+ slug: string;
448
+ name: string;
449
+ source: string;
450
+ env: Record<string, string>;
451
+ runtime: FunctionRuntime;
452
+ /**
453
+ * Local-development settings, passed through untouched from {@link FunctionDef.dev}
454
+ * (no defaults applied). Only consumed by `neon dev`; deploy ignores it.
455
+ */
456
+ dev?: FunctionDevConfig;
457
+ }
458
+ /** A bucket with its access level defaulted to `private`. */
459
+ interface ResolvedBucketConfig {
460
+ name: string;
461
+ access: BucketAccessLevel;
462
+ }
463
+ /**
464
+ * Normalized {@link PreviewInput}. Only present on {@link ResolvedBranchConfig} when the
465
+ * policy returned a `preview` block. `aiGatewayEnabled` follows the same
466
+ * "present-and-not-`false`" semantics as `authEnabled` / `dataApiEnabled`.
467
+ */
468
+ interface ResolvedPreviewConfig {
469
+ functions: ResolvedFunctionConfig[];
470
+ buckets: ResolvedBucketConfig[];
471
+ aiGatewayEnabled: boolean;
472
+ }
473
+ /**
474
+ * Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the
475
+ * policy enables `dataApi`. `authProvider` always resolves (defaults to `"neon"`); the
476
+ * external-IdP wiring is present only for `"external"`; `settings` carries the camelCase
477
+ * runtime settings (reconciled as an update when they drift).
478
+ */
479
+ interface ResolvedDataApiConfig {
480
+ authProvider: DataApiAuthProvider;
481
+ jwksUrl?: string;
482
+ providerName?: string;
483
+ jwtAudience?: string;
484
+ settings?: DataApiSettings;
485
+ }
486
+ interface ResolvedBranchConfig {
487
+ parent?: string;
488
+ ttlSeconds?: number;
489
+ protected?: boolean;
490
+ postgres?: PostgresConfig;
491
+ authEnabled: boolean;
492
+ dataApiEnabled: boolean;
493
+ /**
494
+ * Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the
495
+ * create-time auth wiring and the updatable {@link DataApiSettings}.
496
+ */
497
+ dataApi?: ResolvedDataApiConfig;
498
+ preview?: ResolvedPreviewConfig;
499
+ }
500
+ /**
501
+ * One concrete change `pushConfig` made (or, in dry-run, would make) on the remote.
502
+ */
503
+ interface AppliedChange {
504
+ /**
505
+ * `service` covers branch-scoped integrations driven by the branch policy (e.g.
506
+ * Neon Auth, Data API).
507
+ */
508
+ kind: "branch" | "service";
509
+ action: "create" | "update" | "noop";
510
+ identifier: string;
511
+ details?: Record<string, unknown>;
512
+ }
513
+ /**
514
+ * A diff entry that conflicts with the desired config. `pushConfig` throws
515
+ * {@link PushConflictError} on the first call when conflicts exist; pass
516
+ * `updateExisting: true` to apply mutable drift (settings, `protected`, TTL, project
517
+ * rename). Immutable fields (region, Postgres major version) are always conflicts —
518
+ * recreate the project to change them.
519
+ */
520
+ interface ConflictReport {
521
+ kind: "branch";
522
+ identifier: string;
523
+ field: string;
524
+ current: unknown;
525
+ desired: unknown;
526
+ reason: string;
527
+ }
528
+ /**
529
+ * Result of a `pushConfig` invocation.
530
+ */
531
+ interface PushResult {
532
+ projectId: string;
533
+ orgId?: string;
534
+ branchId: string;
535
+ branchName: string;
536
+ /**
537
+ * `true` when `pushConfig` was called with `{ dryRun: true }`. `applied` then records
538
+ * what **would** be applied on a real push; no API mutations were performed.
539
+ */
540
+ dryRun: boolean;
541
+ applied: AppliedChange[];
542
+ conflicts: ConflictReport[];
543
+ }
544
+ //#endregion
545
+ export { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DATA_API_AUTH_PROVIDERS, DataApiAuthProvider, DataApiConfig, DataApiExternalAuthConfig, DataApiInput, DataApiNeonAuthConfig, DataApiSettings, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedDataApiConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceEnabled, ServiceToggle, ServiceToggleInput };
546
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","names":[],"sources":["../../src/lib/types.ts"],"mappings":";;AAIA;AAGA;AAeA;AAQK,KA1BO,WAAA,GA0BP,IAAA,GAAwB,GAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA;AAAA;AAyBxB,KAhDO,YAAA,GAgDM,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA;;;;;;AAEc;AAUhC;;;;;;AAiCuC;AAStB,KAvFL,cAAA,GAuFiB,GAAA,MAAA,GAvFY,YAuFZ,EAAA;AAqB7B;AAgBA;AAeA;;;;KAnIK,wBAAA,GAuIA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA;;;;AAMI;AAIT;AAgBA;AACA,KAjJK,aAAA,GAiJO,IAAA,GAAmB,IAAA,GAAA,KAAW,GAAA,IAAA,GAAA,IAAA,GAAA,IAAuB,GAAA,KAAA,GAAA,KAAA;AASjE;AAqBC;AAeD;AAcA;AAiBA;;KArNK,aAqNuB,CAAA,oBArNW,cAqNX,CAAA,GApNzB,WAoNyB,GAAA,CAnNxB,cAmNwB,GAnNP,WAmNO,CAAA,OAAA,CAAA,CAAA,GAAA,MAAA;;AAAiD;AAO7E;AAOA;AAMA;AAuBA;;AAwBO,UA5QU,eAAA,CA4QV;;AAKiB;AAexB;AAWA;AAGA;EAOiB,qBAAS,CAAA,EA/SD,WAoTf;EASO;;;;;uBAMS,CAAA,EA7TD,WA6TC;;AAAT;AASjB;AAUA;;;;;;AACoB;AASpB;;;;;;;AA6BwB;AACvB;;gBAGoC,CAAA,EAAA,KAAA,GAtWX,aAsWW,CAtWG,wBAsWH,CAAA;;;;AAI1B;AAOX;;;AAC4C,UAzW3B,YAAA,CAyW2B;;MACe,EAAA,MAAA;;KAA7B,EAAA,MAAA;EAAY;EAezB,MAAA,EAAA,OAAM;EAAA;UACT,CAAA,EAAA,MAAA;;WAGG,CAAA,EAAA,OAAA;;aACA,CAAA,EAAA,OAAA;;WAGT,CAAA,EAAA,MAAA;;;;;AAWgB;AAOP,UA9XA,aAAA,CA8XsB;EAAA;SAIjC,CAAA,EAAA,OAAA;;;AAMkB;AAIxB;AAUA;;;;AAE8B;AAU9B;;;AAKY,KAvZA,kBAAA,GAuZA,OAAA,GAvZ+B,aAuZ/B;AAAe;AAG3B;;;;;AAYgC;AAMhC;AAkBA;AAYA;;;;AAW0B,KAtcd,cAscc,CAAA,CAAA,CAAA,GAAA,CAtcO,CAscP,CAAA,SAAA,CAAA,KAAA,CAAA,GAAA,KAAA,GAAA,CApctB,CAocsB,CAAA,SAAA,CAAA;;cAlcrB,kCAEC,4BAEC;;aAEC;UAIS,cAAA;oBACE;;;;;;;;;;;;;;cAeN;KACD,mBAAA,WAA8B;;;;;;;;UASzB,eAAA;;;;;;;;;;;;;;;;;;;;;;;UAwBP,iBAAA;;;;aAIE;;;;;;;UAQK,qBAAA,SAA8B;;;;;;;;;;;;;UAc9B,yBAAA,SAAkC;;;;;;;;;;;;;;;;KAiBvC,aAAA,GAAgB,wBAAwB;;;;;;KAOxC,YAAA,aAAyB;;;;;;KAOzB,eAAA;;;;;UAMK,iBAAA;;;;;;;;;;;;;;;;;;;;;;UAuBA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;QAwBV;;;;;QAKA;;;;;;;;;;;;;;KAeK,eAAA;;;;;;KAWA,uBAAA;;KAGA,iBAAA;;;;;;UAOK,SAAA;;;;;WAKP;;;;;;;;UASO,YAAA;;cAEJ;;cAEA,eAAe;;YAEjB,eAAe;;;;;;;;UAST,cAAA;;YAEN;;;;;;;UAQM;cACJ,QAAQ,OAAO,MAAM;;;;;;;;UASjB;;;;;;;;;;;;;;;;;;;;;;;;;QAyBV,cAAc;;;aAGT;YACD,cAAc;;;KAIpB,gCAAgC,4BACpC;;IAGG,cAAc;;;;;KAON,+BACK,2BAA2B,qCAC/B,iBAAiB,aAAa,gBAAgB;;;;;;;;;;;;;;UAe1C,oBACH,iCACV,gDAEa,2BAA2B,0CAC3B,2BAA2B;;SAGpC;;;;;;;YAOG;;YAEA;;WAED,eAAe;;;;;;UAOR,sBAAA;;;;OAIX;WACI;;;;;QAKH;;;UAIU,oBAAA;;UAER;;;;;;;UAQQ,qBAAA;aACL;WACF;;;;;;;;;UAUO,qBAAA;gBACF;;;;aAIH;;UAGK,oBAAA;;;;aAIL;;;;;;;YAOD;YACA;;;;;UAMM,aAAA;;;;;;;;YAQN;;;;;;;;;UAUM,cAAA;;;;;;;;;;;UAYA,UAAA;;;;;;;;;;WAUP;aACE"}
@@ -0,0 +1,18 @@
1
+ //#region src/lib/types.ts
2
+ /**
3
+ * Authentication providers a Data API integration can verify JWTs against, as written in
4
+ * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
5
+ * at the API boundary):
6
+ *
7
+ * - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
8
+ * JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
9
+ * fields are forbidden (a type error) on this variant — and the policy must also enable
10
+ * top-level `auth` (Neon Auth) so the tokens exist.
11
+ * - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
12
+ * provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
13
+ */
14
+ const DATA_API_AUTH_PROVIDERS = ["neon", "external"];
15
+ //#endregion
16
+ export { DATA_API_AUTH_PROVIDERS };
17
+
18
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","names":[],"sources":["../../src/lib/types.ts"],"sourcesContent":["/**\n * Valid Neon Compute Unit values.\n * Most plans support 0.25, 0.5, 1, 2, 4, 8. Higher values may be available on Business plans.\n */\nexport type ComputeUnit = 0.25 | 0.5 | 1 | 2 | 4 | 8;\n\n/** Time units accepted in a {@link DurationString}: seconds, minutes, hours, days, weeks. */\nexport type DurationUnit = \"s\" | \"m\" | \"h\" | \"d\" | \"w\";\n\n/**\n * A Neon duration string: a positive integer **followed by a unit** — `s` (seconds),\n * `m` (minutes), `h` (hours), `d` (days), or `w` (weeks). Used by\n * {@link ComputeSettings.suspendTimeout} and {@link BranchTuning.ttl}.\n *\n * A **unit is required**: a bare numeric string like `\"7\"` is rejected at the type level. To\n * express a raw number of seconds, pass a `number` (`300`) — not a string (`\"300\"`). This\n * removes the old ambiguity where `\"7\"` silently meant 7 *seconds* instead of, say, `\"7d\"`.\n *\n * @example \"5m\" // 5 minutes\n * @example \"1h\" // 1 hour\n * @example \"7d\" // 7 days\n */\nexport type DurationString = `${number}${DurationUnit}`;\n\n/**\n * Autocomplete suggestions for {@link ComputeSettings.suspendTimeout}. Every value sits inside\n * the Neon API's allowed scale-to-zero band: **60s–604800s** (1 minute – 1 week). This is *not*\n * a closed set — the field also accepts any other {@link DurationString} or a `number` of\n * seconds; out-of-range values type-check but are rejected at apply time.\n */\ntype SuspendTimeoutSuggestion =\n\t| \"1m\"\n\t| \"5m\"\n\t| \"15m\"\n\t| \"30m\"\n\t| \"1h\"\n\t| \"6h\"\n\t| \"12h\"\n\t| \"1d\"\n\t| \"7d\";\n\n/**\n * Autocomplete suggestions for {@link BranchTuning.ttl}. Every value sits within the Neon API's\n * branch-expiration limit (**max 30 days** from creation; the Console's own presets are 1h / 1d\n * / 7d). This is *not* a closed set — the field also accepts any other {@link DurationString} or\n * a `number` of seconds; values over 30 days are rejected at apply time.\n */\ntype TtlSuggestion = \"1h\" | \"6h\" | \"12h\" | \"1d\" | \"3d\" | \"7d\" | \"14d\" | \"30d\";\n\n/**\n * Compose a field's duration type: its curated autocomplete `Suggestions` plus the open\n * `DurationString` template (so any `<integer><unit>` string still type-checks) and a `number`\n * of seconds. Intersecting the template arm with `NonNullable<unknown>` stops TypeScript from\n * collapsing the literal suggestions into the template, which is what preserves the autocomplete.\n */\ntype DurationField<Suggestions extends DurationString> =\n\t| Suggestions\n\t| (DurationString & NonNullable<unknown>)\n\t| number;\n\n/**\n * Compute settings applied to the read/write endpoint of a branch.\n *\n * Mirrors the subset of {@link https://api-docs.neon.tech/reference/getting-started-with-neon-api Neon endpoint}\n * fields that we expose as IaC primitives. Anything left undefined falls back to the project's\n * `default_endpoint_settings` (which themselves fall back to Neon platform defaults).\n */\nexport interface ComputeSettings {\n\t/**\n\t * Minimum number of Compute Units. Set to 0.25 for true scale-to-zero.\n\t * @example 0.25 // scale-to-zero\n\t * @example 1 // always-on with 1 CU minimum\n\t */\n\tautoscalingLimitMinCu?: ComputeUnit;\n\t/**\n\t * Maximum number of Compute Units for autoscaling.\n\t * @example 2\n\t * @example 8\n\t */\n\tautoscalingLimitMaxCu?: ComputeUnit;\n\t/**\n\t * How long an idle compute waits before suspending (Neon's scale-to-zero). Accepts a\n\t * {@link DurationString} (autocompletes common values), a number of seconds, or `false`.\n\t *\n\t * - `false` — never suspend (always-on compute)\n\t * - {@link DurationString} — e.g. `\"5m\"`; autocompletes the in-range values `\"1m\"`, `\"5m\"`,\n\t * `\"15m\"`, `\"30m\"`, `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`, `\"7d\"`, and accepts any other\n\t * `<integer><unit>` (units: `s`, `m`, `h`, `d`, `w`). A **unit is required** — for raw\n\t * seconds pass a `number`, not a string.\n\t * - `number` — custom timeout in **seconds**, must be in `60`–`604800` (1 minute to 1 week)\n\t * - `undefined` — use the Neon platform default (currently 300s / 5 minutes)\n\t *\n\t * Whichever form you use, the resolved timeout must fall in `60`–`604800` seconds (the Neon\n\t * API limit); the suggestions are all within that band, anything else is checked at apply.\n\t *\n\t * @example false // never suspend (always-on)\n\t * @example \"5m\" // suspend after 5 minutes idle\n\t * @example \"1h\" // suspend after 1 hour idle\n\t * @example 300 // 5 minutes, expressed in seconds\n\t */\n\tsuspendTimeout?: false | DurationField<SuspendTimeoutSuggestion>;\n}\n\n/**\n * Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the\n * `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes\n * **which** branch this invocation decides for; it is not a live branch handle and must not\n * be mutated. Switch on its fields and return the desired {@link BranchConfig}.\n */\nexport interface BranchTarget {\n\t/** Branch name being evaluated. For `branch dev`, this is the generated branch name. */\n\tname: string;\n\t/** Neon branch id when the branch already exists. Undefined during pre-create eval. */\n\tid?: string;\n\t/** Whether this branch already exists on Neon. */\n\texists: boolean;\n\t/** Parent branch id from Neon when known. */\n\tparentId?: string;\n\t/** Whether Neon marks this branch as the project default. */\n\tisDefault?: boolean;\n\t/** Whether Neon currently marks this branch protected. */\n\tisProtected?: boolean;\n\t/** Current expiration timestamp from Neon, when set. */\n\texpiresAt?: string;\n}\n\n/**\n * Object form of a branch-scoped service toggle. `{}` or `{ enabled: true }` enables it;\n * `{ enabled: false }` opts out. Used as the object half of {@link ServiceToggleInput}.\n */\nexport interface ServiceToggle {\n\t/** Defaults to `true` when the service namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n}\n\n/**\n * How a branch-scoped service (Neon Auth, Data API, AI Gateway) is toggled in a policy.\n *\n * - `true` / `{}` / `{ enabled: true }` — enabled.\n * - `false` / `{ enabled: false }` — disabled.\n * - omitted (`undefined`) — not part of the policy at all.\n *\n * These toggles are **static** (they live in the top-level `defineConfig({ … })` object,\n * not in the per-branch `branch` closure) so the secret set they imply can be derived at\n * the type level — that's what makes `NeonEnv<typeof config>` exact.\n */\nexport type ServiceToggleInput = boolean | ServiceToggle;\n\n/**\n * Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /\n * `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables\n * distribution so a union/`undefined` is judged as a single unit:\n *\n * - `false` / `{ enabled: false }` / `undefined` → `false`\n * - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`\n * (a present toggle defaults to enabled)\n * - the bare `boolean | … | undefined` (no literal info) → `false`\n *\n * Shared by the {@link Config} static cross-field checks and the `@neon/env`\n * `NeonEnv` namespace derivation, so both read \"is this service on?\" identically.\n */\nexport type ServiceEnabled<T> = [T] extends [false]\n\t? false\n\t: [T] extends [{ enabled: false }]\n\t\t? false\n\t\t: [T] extends [undefined]\n\t\t\t? false\n\t\t\t: [T] extends [true]\n\t\t\t\t? true\n\t\t\t\t: [T] extends [{ enabled: true }]\n\t\t\t\t\t? true\n\t\t\t\t\t: [T] extends [object]\n\t\t\t\t\t\t? true\n\t\t\t\t\t\t: false;\n\nexport interface PostgresConfig {\n\tcomputeSettings?: ComputeSettings;\n}\n\n/**\n * Authentication providers a Data API integration can verify JWTs against, as written in\n * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`\n * at the API boundary):\n *\n * - `\"neon\"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the\n * JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`\n * fields are forbidden (a type error) on this variant — and the policy must also enable\n * top-level `auth` (Neon Auth) so the tokens exist.\n * - `\"external\"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You\n * provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).\n */\nexport const DATA_API_AUTH_PROVIDERS = [\"neon\", \"external\"] as const;\nexport type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];\n\n/**\n * Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,\n * camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep\n * the Neon defaults shown below. These are the **only** Data API fields that can change on\n * an already-enabled integration — drift here is reconciled as an *update* (requires\n * `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.\n */\nexport interface DataApiSettings {\n\t/** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */\n\tdbAggregatesEnabled?: boolean;\n\t/** Database role used for anonymous requests (`db_anon_role`). Default `\"anonymous\"`. */\n\tdbAnonRole?: string;\n\t/** Extra schemas appended to the search path (`db_extra_search_path`). */\n\tdbExtraSearchPath?: string;\n\t/** Maximum rows returned in a single request (`db_max_rows`). */\n\tdbMaxRows?: number;\n\t/** Schemas exposed via the API (`db_schemas`). Default `[\"public\"]`. */\n\tdbSchemas?: string[];\n\t/** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `\".role\"`. */\n\tjwtRoleClaimKey?: string;\n\t/** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */\n\tjwtCacheMaxLifetime?: number;\n\t/** OpenAPI spec mode (`openapi_mode`). Default `\"disabled\"`. */\n\topenapiMode?: \"ignore-privileges\" | \"disabled\";\n\t/** CORS allowed origins (`server_cors_allowed_origins`). */\n\tserverCorsAllowedOrigins?: string;\n\t/** Emit server-timing headers (`server_timing_enabled`). */\n\tserverTimingEnabled?: boolean;\n}\n\n/** Fields shared by every {@link DataApiConfig} variant. */\ninterface DataApiConfigBase {\n\t/** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n\t/** Reusable runtime settings. Drift here is reconciled as an update. */\n\tsettings?: DataApiSettings;\n}\n\n/**\n * Data API verified by **Neon Auth** (`authProvider: \"neon\"`, the default). The external\n * IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any\n * of them is a type error directing you to `authProvider: \"external\"`.\n */\nexport interface DataApiNeonAuthConfig extends DataApiConfigBase {\n\tauthProvider?: \"neon\";\n\t/** Forbidden with `authProvider: \"neon\"` — Neon provides the JWKS URL. */\n\tjwksUrl?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — the provider is Neon Auth. */\n\tproviderName?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — Neon manages the audience. */\n\tjwtAudience?: never;\n}\n\n/**\n * Data API verified by an **external** IdP (`authProvider: \"external\"`). You provide the\n * JWKS URL (and optionally a provider label / expected audience).\n */\nexport interface DataApiExternalAuthConfig extends DataApiConfigBase {\n\tauthProvider: \"external\";\n\t/** URL that publishes the IdP's JWKS (JSON Web Key Set). */\n\tjwksUrl?: string;\n\t/** Human label for the IdP (e.g. \"Clerk\", \"Stytch\", \"Auth0\"). */\n\tproviderName?: string;\n\t/**\n\t * Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;\n\t * tokens with no `aud` claim are still accepted.\n\t */\n\tjwtAudience?: string;\n}\n\n/**\n * Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:\n * the `\"neon\"` variant forbids the external-IdP fields, the `\"external\"` variant allows them.\n */\nexport type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;\n\n/**\n * How the Data API is toggled in a policy: a bare boolean (like the other service toggles)\n * or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it\n * with Neon defaults; `false` / `{ enabled: false }` opt out.\n */\nexport type DataApiInput = boolean | DataApiConfig;\n\n/**\n * Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.\n * Only `nodejs24` exists today; kept as a union so adding runtimes later is a\n * non-breaking, type-checked change.\n */\nexport type FunctionRuntime = \"nodejs24\";\n\n/**\n * Local-development settings for a function, used by `neon dev` when it serves every\n * function declared in `neon.ts` (i.e. invoked with no `--source`). Never affects deploy.\n */\nexport interface FunctionDevConfig {\n\t/**\n\t * Port the local server binds. Bound exactly (and `neon dev` fails loudly if it is taken)\n\t * when set; a free port is found automatically when omitted.\n\t */\n\tport?: number;\n}\n\n/**\n * Static definition of a Neon Function (Preview feature). Declares that the function\n * **exists** on every branch; its branch-unique slug is the **record key** in\n * {@link PreviewInput.functions} (not a field here), so slugs are statically enumerable,\n * cannot duplicate, and the `branch` closure can only tune slugs that are declared here.\n *\n * A function is invoked like a Cloudflare/Vercel handler — its source module\n * `export default { fetch }` or `export async function handler(req): Response`. The\n * `source` path is bundled (esbuild) and uploaded as a deployment; the newest deployment\n * becomes active.\n *\n * Runtime tuning is **not** here — it varies per branch and lives in the `branch` closure\n * (see {@link FunctionTuning}). Memory is fixed by the platform policy for now and is not\n * user-configurable.\n */\nexport interface FunctionDef {\n\t/** Free-form display name. @example \"Hello World\" */\n\tname: string;\n\t/**\n\t * Path to the function's entry module, **relative to `neon.ts`** (or absolute). The\n\t * module's default export (`{ fetch }`) or `handler` export is the function entry. This\n\t * path is resolved against the loaded `neon.ts` location and bundled with esbuild at\n\t * deploy time.\n\t *\n\t * We require a string path rather than an imported handler because a JS function value\n\t * carries no reference back to its source file, so esbuild has nothing to bundle from.\n\t * @example \"./functions/hello-world.ts\"\n\t */\n\tsource: string;\n\t/**\n\t * Environment variables injected into the deployed function, keyed by the var name the\n\t * function reads at runtime. The **keys** are static (preserved at the type level so\n\t * `parseEnv(config, \"<slug>\").function.<key>` is typed); the **values** are arbitrary\n\t * strings evaluated when `neon.ts` is loaded (typically `process.env.X`) and uploaded\n\t * at `config apply`. Every value must be a defined string — a `process.env.X` that is\n\t * `undefined` (unset) errors at validation time rather than silently shipping\n\t * `undefined`.\n\t * @example { resendApiKey: process.env.RESEND_API_KEY ?? \"\" }\n\t */\n\tenv?: Record<string, string>;\n\t/**\n\t * Local-development settings used by `neon dev` when serving every function from\n\t * `neon.ts`. Ignored at deploy time. See {@link FunctionDevConfig}.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/**\n * A single capability a branch-scoped service credential may exercise (Preview). A\n * credential is granted a set of these and may only perform the listed actions. Mirrors\n * the Neon API `CredentialScope` enum (`x-stability-level: beta`):\n *\n * - `storage:read` / `storage:write` — object-storage (bucket) access via the S3 key.\n * - `ai_gateway:invoke` — call the AI Gateway with the bearer `api_token`.\n * - `functions:invoke` — invoke Neon Functions with the bearer `api_token`.\n *\n * The set a policy needs is derived from its enabled Preview features (see\n * {@link deriveCredentialScopes}); it is never authored by hand.\n */\nexport type CredentialScope =\n\t| \"storage:read\"\n\t| \"storage:write\"\n\t| \"ai_gateway:invoke\"\n\t| \"functions:invoke\";\n\n/**\n * Who a credential acts as. `user` is the developer/app principal minted for local dev and\n * app bootstrap (`fetchEnv` / `env pull`); `function` is a deployed-function principal\n * (carries a `function_id`). The env tooling only mints `user` credentials today.\n */\nexport type CredentialPrincipalType = \"user\" | \"function\";\n\n/** Anonymous-access level for a branchable object-storage bucket. */\nexport type BucketAccessLevel = \"private\" | \"public_read\";\n\n/**\n * Static definition of a branchable object-storage bucket (Preview feature). The bucket's\n * name is the **record key** in {@link PreviewInput.buckets}, so names are statically\n * enumerable and cannot duplicate.\n */\nexport interface BucketDef {\n\t/**\n\t * Anonymous access level. `private` (default) requires authenticated reads/writes;\n\t * `public_read` allows anonymous GetObject/HeadObject.\n\t */\n\taccess?: BucketAccessLevel;\n}\n\n/**\n * Static, branch-scoped **Preview** features. Grouped under `preview` to signal they are\n * backed by Neon `x-stability-level: beta` endpoints and may change before GA. Everything\n * here is existential (it determines what exists on the branch); per-branch tuning lives in\n * the `branch` closure.\n */\nexport interface PreviewInput {\n\t/** Enable/disable the AI Gateway on the branch (toggle, like auth / dataApi). */\n\taiGateway?: ServiceToggleInput;\n\t/** Functions to deploy, keyed by branch-unique slug (`^[a-z0-9]{1,20}$`). */\n\tfunctions?: Record<string, FunctionDef>;\n\t/** Object-storage buckets to create, keyed by bucket name. */\n\tbuckets?: Record<string, BucketDef>;\n}\n\n/**\n * Per-branch deploy tuning for a single function. Returned (per slug) by the `branch`\n * closure. Deliberately **cannot** change the function's existence, source, name, env\n * **keys**, or memory — only runtime selection is currently configurable — so the static\n * secret/function set stays sound.\n */\nexport interface FunctionTuning {\n\t/** Runtime to execute the function with. Defaults to `\"nodejs24\"`. */\n\truntime?: FunctionRuntime;\n}\n\n/**\n * Per-branch tuning of Preview features. Only existing function slugs (those declared in\n * the static {@link PreviewInput.functions}) may be tuned — `Slug` is constrained to the\n * declared keys by {@link BranchTuningFn}.\n */\nexport interface PreviewTuning<Slug extends string = string> {\n\tfunctions?: Partial<Record<Slug, FunctionTuning>>;\n}\n\n/**\n * The per-branch tuning object returned by the `branch` closure. It can adjust branch\n * lifecycle (`parent`, `ttl`, `protected`), Postgres compute settings, and per-function\n * deploy tuning — but **cannot** add/remove services or functions. That guarantee is what\n * keeps the static secret set (and therefore `NeonEnv`) exact.\n */\nexport interface BranchTuning<Slug extends string = string> {\n\t/** Parent branch name used when creating a new branch. Not a Postgres setting. */\n\tparent?: string;\n\t/**\n\t * Branch time-to-live: how long after creation the branch should auto-expire. Applied\n\t * when creating a new branch and reconciled on existing branches (when `updateExisting`\n\t * is set). Accepts a {@link DurationString} (autocompletes common values) or a number of\n\t * seconds. Omit to keep the branch indefinitely.\n\t *\n\t * - {@link DurationString} — e.g. `\"7d\"`; autocompletes `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`,\n\t * `\"3d\"`, `\"7d\"`, `\"14d\"`, `\"30d\"`, and accepts any other `<integer><unit>` (units: `s`,\n\t * `m`, `h`, `d`, `w` — e.g. `\"12h\"`, `\"2w\"`). A **unit is required** — `\"7\"` is rejected;\n\t * for raw seconds pass a `number`.\n\t * - `number` — custom TTL in **seconds** (e.g. `3600`)\n\t * - `undefined` — no expiry; the branch persists until explicitly deleted\n\t *\n\t * The Neon API caps branch expiration at **30 days** from creation, so the resolved TTL must\n\t * be `> 0` and `<= 30d`; the suggestions stay within that limit and anything longer is\n\t * rejected at apply.\n\t *\n\t * @example \"1d\" // ephemeral preview branch: expires a day after creation\n\t * @example \"7d\" // one-week TTL\n\t * @example \"30d\" // the maximum the API allows\n\t * @example 3600 // 1 hour, expressed in seconds\n\t */\n\tttl?: DurationField<TtlSuggestion>;\n\t/** Whether the selected branch should be protected. Undefined means \"leave as-is\". */\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tpreview?: PreviewTuning<Slug>;\n}\n\n/** Extract the declared function slugs from a {@link PreviewInput} for closure typing. */\ntype FunctionSlugsOf<Preview extends PreviewInput | undefined> =\n\tPreview extends {\n\t\tfunctions: infer F;\n\t}\n\t\t? Extract<keyof F, string>\n\t\t: string;\n\n/**\n * Signature of the `branch` closure. Generic over the static {@link PreviewInput} so the\n * `preview.functions` keys it may tune are constrained to the slugs actually declared.\n */\nexport type BranchTuningFn<\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> = (branch: BranchTarget) => BranchTuning<FunctionSlugsOf<Preview>>;\n\n/**\n * A validated Neon branch policy — the value `defineConfig({ … })` returns and `neon.ts`\n * default-exports.\n *\n * Split into a **static** existential set (top-level `auth` / `dataApi` GA toggles plus the\n * beta `preview` block) and a **dynamic** per-branch `branch` closure for tuning. The\n * static half is what makes the secret set — and therefore `NeonEnv<typeof config>` and\n * `parseEnv` — exact; the closure can tune but never change what exists.\n *\n * Generic over the three static fields so the type system can read the exact toggle/slug\n * literals; the defaults make the bare `Config` a usable \"any policy\" type for runtime\n * function signatures.\n */\nexport interface Config<\n\tAuth extends ServiceToggleInput | undefined =\n\t\t| ServiceToggleInput\n\t\t| undefined,\n\tDataApi extends DataApiInput | undefined = DataApiInput | undefined,\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> {\n\t/** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */\n\tauth?: Auth;\n\t/**\n\t * Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or\n\t * a {@link DataApiConfig} object selecting the auth provider (`\"neon\"` / `\"external\"`) and\n\t * runtime {@link DataApiSettings}. With `authProvider: \"neon\"` the policy must also enable\n\t * top-level `auth`.\n\t */\n\tdataApi?: DataApi;\n\t/** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */\n\tpreview?: Preview;\n\t/** Per-branch tuning closure. Cannot change the static existential set. */\n\tbranch?: BranchTuningFn<Preview>;\n}\n\n/**\n * A function with all deploy defaults applied. `resolveConfig` fills in `runtime` so\n * downstream diff/apply never has to re-derive it.\n */\nexport interface ResolvedFunctionConfig {\n\tslug: string;\n\tname: string;\n\tsource: string;\n\tenv: Record<string, string>;\n\truntime: FunctionRuntime;\n\t/**\n\t * Local-development settings, passed through untouched from {@link FunctionDef.dev}\n\t * (no defaults applied). Only consumed by `neon dev`; deploy ignores it.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/** A bucket with its access level defaulted to `private`. */\nexport interface ResolvedBucketConfig {\n\tname: string;\n\taccess: BucketAccessLevel;\n}\n\n/**\n * Normalized {@link PreviewInput}. Only present on {@link ResolvedBranchConfig} when the\n * policy returned a `preview` block. `aiGatewayEnabled` follows the same\n * \"present-and-not-`false`\" semantics as `authEnabled` / `dataApiEnabled`.\n */\nexport interface ResolvedPreviewConfig {\n\tfunctions: ResolvedFunctionConfig[];\n\tbuckets: ResolvedBucketConfig[];\n\taiGatewayEnabled: boolean;\n}\n\n/**\n * Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the\n * policy enables `dataApi`. `authProvider` always resolves (defaults to `\"neon\"`); the\n * external-IdP wiring is present only for `\"external\"`; `settings` carries the camelCase\n * runtime settings (reconciled as an update when they drift).\n */\nexport interface ResolvedDataApiConfig {\n\tauthProvider: DataApiAuthProvider;\n\tjwksUrl?: string;\n\tproviderName?: string;\n\tjwtAudience?: string;\n\tsettings?: DataApiSettings;\n}\n\nexport interface ResolvedBranchConfig {\n\tparent?: string;\n\tttlSeconds?: number;\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tauthEnabled: boolean;\n\tdataApiEnabled: boolean;\n\t/**\n\t * Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the\n\t * create-time auth wiring and the updatable {@link DataApiSettings}.\n\t */\n\tdataApi?: ResolvedDataApiConfig;\n\tpreview?: ResolvedPreviewConfig;\n}\n\n/**\n * One concrete change `pushConfig` made (or, in dry-run, would make) on the remote.\n */\nexport interface AppliedChange {\n\t/**\n\t * `service` covers branch-scoped integrations driven by the branch policy (e.g.\n\t * Neon Auth, Data API).\n\t */\n\tkind: \"branch\" | \"service\";\n\taction: \"create\" | \"update\" | \"noop\";\n\tidentifier: string;\n\tdetails?: Record<string, unknown>;\n}\n\n/**\n * A diff entry that conflicts with the desired config. `pushConfig` throws\n * {@link PushConflictError} on the first call when conflicts exist; pass\n * `updateExisting: true` to apply mutable drift (settings, `protected`, TTL, project\n * rename). Immutable fields (region, Postgres major version) are always conflicts —\n * recreate the project to change them.\n */\nexport interface ConflictReport {\n\tkind: \"branch\";\n\tidentifier: string;\n\tfield: string;\n\tcurrent: unknown;\n\tdesired: unknown;\n\treason: string;\n}\n\n/**\n * Result of a `pushConfig` invocation.\n */\nexport interface PushResult {\n\tprojectId: string;\n\torgId?: string;\n\tbranchId: string;\n\tbranchName: string;\n\t/**\n\t * `true` when `pushConfig` was called with `{ dryRun: true }`. `applied` then records\n\t * what **would** be applied on a real push; no API mutations were performed.\n\t */\n\tdryRun: boolean;\n\tapplied: AppliedChange[];\n\tconflicts: ConflictReport[];\n}\n"],"mappings":";;;;;;;;;;;;;AA+LA,MAAa,0BAA0B,CAAC,QAAQ,UAAU"}