@neon/config 0.0.0 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +178 -0
- package/README.md +148 -0
- package/dist/index.d.ts +11 -0
- package/dist/index.js +10 -0
- package/dist/lib/auth.d.ts +67 -0
- package/dist/lib/auth.d.ts.map +1 -0
- package/dist/lib/auth.js +107 -0
- package/dist/lib/auth.js.map +1 -0
- package/dist/lib/credentials.d.ts +37 -0
- package/dist/lib/credentials.d.ts.map +1 -0
- package/dist/lib/credentials.js +30 -0
- package/dist/lib/credentials.js.map +1 -0
- package/dist/lib/define-config.d.ts +123 -0
- package/dist/lib/define-config.d.ts.map +1 -0
- package/dist/lib/define-config.js +168 -0
- package/dist/lib/define-config.js.map +1 -0
- package/dist/lib/diff.d.ts +120 -0
- package/dist/lib/diff.d.ts.map +1 -0
- package/dist/lib/diff.js +284 -0
- package/dist/lib/diff.js.map +1 -0
- package/dist/lib/duration.d.ts +68 -0
- package/dist/lib/duration.d.ts.map +1 -0
- package/dist/lib/duration.js +111 -0
- package/dist/lib/duration.js.map +1 -0
- package/dist/lib/errors.d.ts +140 -0
- package/dist/lib/errors.d.ts.map +1 -0
- package/dist/lib/errors.js +185 -0
- package/dist/lib/errors.js.map +1 -0
- package/dist/lib/loader.d.ts +44 -0
- package/dist/lib/loader.d.ts.map +1 -0
- package/dist/lib/loader.js +120 -0
- package/dist/lib/loader.js.map +1 -0
- package/dist/lib/neon-api-real.d.ts +92 -0
- package/dist/lib/neon-api-real.d.ts.map +1 -0
- package/dist/lib/neon-api-real.js +957 -0
- package/dist/lib/neon-api-real.js.map +1 -0
- package/dist/lib/neon-api.d.ts +373 -0
- package/dist/lib/neon-api.d.ts.map +1 -0
- package/dist/lib/neon-api.js +1 -0
- package/dist/lib/patterns.d.ts +43 -0
- package/dist/lib/patterns.d.ts.map +1 -0
- package/dist/lib/patterns.js +76 -0
- package/dist/lib/patterns.js.map +1 -0
- package/dist/lib/schema.d.ts +215 -0
- package/dist/lib/schema.d.ts.map +1 -0
- package/dist/lib/schema.js +284 -0
- package/dist/lib/schema.js.map +1 -0
- package/dist/lib/types.d.ts +546 -0
- package/dist/lib/types.d.ts.map +1 -0
- package/dist/lib/types.js +18 -0
- package/dist/lib/types.js.map +1 -0
- package/dist/lib/wrap-neon-error.d.ts +30 -0
- package/dist/lib/wrap-neon-error.d.ts.map +1 -0
- package/dist/lib/wrap-neon-error.js +139 -0
- package/dist/lib/wrap-neon-error.js.map +1 -0
- package/dist/v1.d.ts +211 -0
- package/dist/v1.d.ts.map +1 -0
- package/dist/v1.js +82 -0
- package/dist/v1.js.map +1 -0
- package/package.json +57 -18
|
@@ -0,0 +1,546 @@
|
|
|
1
|
+
//#region src/lib/types.d.ts
|
|
2
|
+
/**
|
|
3
|
+
* Valid Neon Compute Unit values.
|
|
4
|
+
* Most plans support 0.25, 0.5, 1, 2, 4, 8. Higher values may be available on Business plans.
|
|
5
|
+
*/
|
|
6
|
+
type ComputeUnit = 0.25 | 0.5 | 1 | 2 | 4 | 8;
|
|
7
|
+
/** Time units accepted in a {@link DurationString}: seconds, minutes, hours, days, weeks. */
|
|
8
|
+
type DurationUnit = "s" | "m" | "h" | "d" | "w";
|
|
9
|
+
/**
|
|
10
|
+
* A Neon duration string: a positive integer **followed by a unit** — `s` (seconds),
|
|
11
|
+
* `m` (minutes), `h` (hours), `d` (days), or `w` (weeks). Used by
|
|
12
|
+
* {@link ComputeSettings.suspendTimeout} and {@link BranchTuning.ttl}.
|
|
13
|
+
*
|
|
14
|
+
* A **unit is required**: a bare numeric string like `"7"` is rejected at the type level. To
|
|
15
|
+
* express a raw number of seconds, pass a `number` (`300`) — not a string (`"300"`). This
|
|
16
|
+
* removes the old ambiguity where `"7"` silently meant 7 *seconds* instead of, say, `"7d"`.
|
|
17
|
+
*
|
|
18
|
+
* @example "5m" // 5 minutes
|
|
19
|
+
* @example "1h" // 1 hour
|
|
20
|
+
* @example "7d" // 7 days
|
|
21
|
+
*/
|
|
22
|
+
type DurationString = `${number}${DurationUnit}`;
|
|
23
|
+
/**
|
|
24
|
+
* Autocomplete suggestions for {@link ComputeSettings.suspendTimeout}. Every value sits inside
|
|
25
|
+
* the Neon API's allowed scale-to-zero band: **60s–604800s** (1 minute – 1 week). This is *not*
|
|
26
|
+
* a closed set — the field also accepts any other {@link DurationString} or a `number` of
|
|
27
|
+
* seconds; out-of-range values type-check but are rejected at apply time.
|
|
28
|
+
*/
|
|
29
|
+
type SuspendTimeoutSuggestion = "1m" | "5m" | "15m" | "30m" | "1h" | "6h" | "12h" | "1d" | "7d";
|
|
30
|
+
/**
|
|
31
|
+
* Autocomplete suggestions for {@link BranchTuning.ttl}. Every value sits within the Neon API's
|
|
32
|
+
* branch-expiration limit (**max 30 days** from creation; the Console's own presets are 1h / 1d
|
|
33
|
+
* / 7d). This is *not* a closed set — the field also accepts any other {@link DurationString} or
|
|
34
|
+
* a `number` of seconds; values over 30 days are rejected at apply time.
|
|
35
|
+
*/
|
|
36
|
+
type TtlSuggestion = "1h" | "6h" | "12h" | "1d" | "3d" | "7d" | "14d" | "30d";
|
|
37
|
+
/**
|
|
38
|
+
* Compose a field's duration type: its curated autocomplete `Suggestions` plus the open
|
|
39
|
+
* `DurationString` template (so any `<integer><unit>` string still type-checks) and a `number`
|
|
40
|
+
* of seconds. Intersecting the template arm with `NonNullable<unknown>` stops TypeScript from
|
|
41
|
+
* collapsing the literal suggestions into the template, which is what preserves the autocomplete.
|
|
42
|
+
*/
|
|
43
|
+
type DurationField<Suggestions extends DurationString> = Suggestions | (DurationString & NonNullable<unknown>) | number;
|
|
44
|
+
/**
|
|
45
|
+
* Compute settings applied to the read/write endpoint of a branch.
|
|
46
|
+
*
|
|
47
|
+
* Mirrors the subset of {@link https://api-docs.neon.tech/reference/getting-started-with-neon-api Neon endpoint}
|
|
48
|
+
* fields that we expose as IaC primitives. Anything left undefined falls back to the project's
|
|
49
|
+
* `default_endpoint_settings` (which themselves fall back to Neon platform defaults).
|
|
50
|
+
*/
|
|
51
|
+
interface ComputeSettings {
|
|
52
|
+
/**
|
|
53
|
+
* Minimum number of Compute Units. Set to 0.25 for true scale-to-zero.
|
|
54
|
+
* @example 0.25 // scale-to-zero
|
|
55
|
+
* @example 1 // always-on with 1 CU minimum
|
|
56
|
+
*/
|
|
57
|
+
autoscalingLimitMinCu?: ComputeUnit;
|
|
58
|
+
/**
|
|
59
|
+
* Maximum number of Compute Units for autoscaling.
|
|
60
|
+
* @example 2
|
|
61
|
+
* @example 8
|
|
62
|
+
*/
|
|
63
|
+
autoscalingLimitMaxCu?: ComputeUnit;
|
|
64
|
+
/**
|
|
65
|
+
* How long an idle compute waits before suspending (Neon's scale-to-zero). Accepts a
|
|
66
|
+
* {@link DurationString} (autocompletes common values), a number of seconds, or `false`.
|
|
67
|
+
*
|
|
68
|
+
* - `false` — never suspend (always-on compute)
|
|
69
|
+
* - {@link DurationString} — e.g. `"5m"`; autocompletes the in-range values `"1m"`, `"5m"`,
|
|
70
|
+
* `"15m"`, `"30m"`, `"1h"`, `"6h"`, `"12h"`, `"1d"`, `"7d"`, and accepts any other
|
|
71
|
+
* `<integer><unit>` (units: `s`, `m`, `h`, `d`, `w`). A **unit is required** — for raw
|
|
72
|
+
* seconds pass a `number`, not a string.
|
|
73
|
+
* - `number` — custom timeout in **seconds**, must be in `60`–`604800` (1 minute to 1 week)
|
|
74
|
+
* - `undefined` — use the Neon platform default (currently 300s / 5 minutes)
|
|
75
|
+
*
|
|
76
|
+
* Whichever form you use, the resolved timeout must fall in `60`–`604800` seconds (the Neon
|
|
77
|
+
* API limit); the suggestions are all within that band, anything else is checked at apply.
|
|
78
|
+
*
|
|
79
|
+
* @example false // never suspend (always-on)
|
|
80
|
+
* @example "5m" // suspend after 5 minutes idle
|
|
81
|
+
* @example "1h" // suspend after 1 hour idle
|
|
82
|
+
* @example 300 // 5 minutes, expressed in seconds
|
|
83
|
+
*/
|
|
84
|
+
suspendTimeout?: false | DurationField<SuspendTimeoutSuggestion>;
|
|
85
|
+
}
|
|
86
|
+
/**
|
|
87
|
+
* Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the
|
|
88
|
+
* `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes
|
|
89
|
+
* **which** branch this invocation decides for; it is not a live branch handle and must not
|
|
90
|
+
* be mutated. Switch on its fields and return the desired {@link BranchConfig}.
|
|
91
|
+
*/
|
|
92
|
+
interface BranchTarget {
|
|
93
|
+
/** Branch name being evaluated. For `branch dev`, this is the generated branch name. */
|
|
94
|
+
name: string;
|
|
95
|
+
/** Neon branch id when the branch already exists. Undefined during pre-create eval. */
|
|
96
|
+
id?: string;
|
|
97
|
+
/** Whether this branch already exists on Neon. */
|
|
98
|
+
exists: boolean;
|
|
99
|
+
/** Parent branch id from Neon when known. */
|
|
100
|
+
parentId?: string;
|
|
101
|
+
/** Whether Neon marks this branch as the project default. */
|
|
102
|
+
isDefault?: boolean;
|
|
103
|
+
/** Whether Neon currently marks this branch protected. */
|
|
104
|
+
isProtected?: boolean;
|
|
105
|
+
/** Current expiration timestamp from Neon, when set. */
|
|
106
|
+
expiresAt?: string;
|
|
107
|
+
}
|
|
108
|
+
/**
|
|
109
|
+
* Object form of a branch-scoped service toggle. `{}` or `{ enabled: true }` enables it;
|
|
110
|
+
* `{ enabled: false }` opts out. Used as the object half of {@link ServiceToggleInput}.
|
|
111
|
+
*/
|
|
112
|
+
interface ServiceToggle {
|
|
113
|
+
/** Defaults to `true` when the service namespace is present. Set `false` to opt out. */
|
|
114
|
+
enabled?: boolean;
|
|
115
|
+
}
|
|
116
|
+
/**
|
|
117
|
+
* How a branch-scoped service (Neon Auth, Data API, AI Gateway) is toggled in a policy.
|
|
118
|
+
*
|
|
119
|
+
* - `true` / `{}` / `{ enabled: true }` — enabled.
|
|
120
|
+
* - `false` / `{ enabled: false }` — disabled.
|
|
121
|
+
* - omitted (`undefined`) — not part of the policy at all.
|
|
122
|
+
*
|
|
123
|
+
* These toggles are **static** (they live in the top-level `defineConfig({ … })` object,
|
|
124
|
+
* not in the per-branch `branch` closure) so the secret set they imply can be derived at
|
|
125
|
+
* the type level — that's what makes `NeonEnv<typeof config>` exact.
|
|
126
|
+
*/
|
|
127
|
+
type ServiceToggleInput = boolean | ServiceToggle;
|
|
128
|
+
/**
|
|
129
|
+
* Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /
|
|
130
|
+
* `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables
|
|
131
|
+
* distribution so a union/`undefined` is judged as a single unit:
|
|
132
|
+
*
|
|
133
|
+
* - `false` / `{ enabled: false }` / `undefined` → `false`
|
|
134
|
+
* - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`
|
|
135
|
+
* (a present toggle defaults to enabled)
|
|
136
|
+
* - the bare `boolean | … | undefined` (no literal info) → `false`
|
|
137
|
+
*
|
|
138
|
+
* Shared by the {@link Config} static cross-field checks and the `@neon/env`
|
|
139
|
+
* `NeonEnv` namespace derivation, so both read "is this service on?" identically.
|
|
140
|
+
*/
|
|
141
|
+
type ServiceEnabled<T> = [T] extends [false] ? false : [T] extends [{
|
|
142
|
+
enabled: false;
|
|
143
|
+
}] ? false : [T] extends [undefined] ? false : [T] extends [true] ? true : [T] extends [{
|
|
144
|
+
enabled: true;
|
|
145
|
+
}] ? true : [T] extends [object] ? true : false;
|
|
146
|
+
interface PostgresConfig {
|
|
147
|
+
computeSettings?: ComputeSettings;
|
|
148
|
+
}
|
|
149
|
+
/**
|
|
150
|
+
* Authentication providers a Data API integration can verify JWTs against, as written in
|
|
151
|
+
* `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
|
|
152
|
+
* at the API boundary):
|
|
153
|
+
*
|
|
154
|
+
* - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
|
|
155
|
+
* JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
|
|
156
|
+
* fields are forbidden (a type error) on this variant — and the policy must also enable
|
|
157
|
+
* top-level `auth` (Neon Auth) so the tokens exist.
|
|
158
|
+
* - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
|
|
159
|
+
* provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
|
|
160
|
+
*/
|
|
161
|
+
declare const DATA_API_AUTH_PROVIDERS: readonly ["neon", "external"];
|
|
162
|
+
type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];
|
|
163
|
+
/**
|
|
164
|
+
* Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,
|
|
165
|
+
* camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep
|
|
166
|
+
* the Neon defaults shown below. These are the **only** Data API fields that can change on
|
|
167
|
+
* an already-enabled integration — drift here is reconciled as an *update* (requires
|
|
168
|
+
* `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.
|
|
169
|
+
*/
|
|
170
|
+
interface DataApiSettings {
|
|
171
|
+
/** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */
|
|
172
|
+
dbAggregatesEnabled?: boolean;
|
|
173
|
+
/** Database role used for anonymous requests (`db_anon_role`). Default `"anonymous"`. */
|
|
174
|
+
dbAnonRole?: string;
|
|
175
|
+
/** Extra schemas appended to the search path (`db_extra_search_path`). */
|
|
176
|
+
dbExtraSearchPath?: string;
|
|
177
|
+
/** Maximum rows returned in a single request (`db_max_rows`). */
|
|
178
|
+
dbMaxRows?: number;
|
|
179
|
+
/** Schemas exposed via the API (`db_schemas`). Default `["public"]`. */
|
|
180
|
+
dbSchemas?: string[];
|
|
181
|
+
/** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `".role"`. */
|
|
182
|
+
jwtRoleClaimKey?: string;
|
|
183
|
+
/** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */
|
|
184
|
+
jwtCacheMaxLifetime?: number;
|
|
185
|
+
/** OpenAPI spec mode (`openapi_mode`). Default `"disabled"`. */
|
|
186
|
+
openapiMode?: "ignore-privileges" | "disabled";
|
|
187
|
+
/** CORS allowed origins (`server_cors_allowed_origins`). */
|
|
188
|
+
serverCorsAllowedOrigins?: string;
|
|
189
|
+
/** Emit server-timing headers (`server_timing_enabled`). */
|
|
190
|
+
serverTimingEnabled?: boolean;
|
|
191
|
+
}
|
|
192
|
+
/** Fields shared by every {@link DataApiConfig} variant. */
|
|
193
|
+
interface DataApiConfigBase {
|
|
194
|
+
/** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */
|
|
195
|
+
enabled?: boolean;
|
|
196
|
+
/** Reusable runtime settings. Drift here is reconciled as an update. */
|
|
197
|
+
settings?: DataApiSettings;
|
|
198
|
+
}
|
|
199
|
+
/**
|
|
200
|
+
* Data API verified by **Neon Auth** (`authProvider: "neon"`, the default). The external
|
|
201
|
+
* IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any
|
|
202
|
+
* of them is a type error directing you to `authProvider: "external"`.
|
|
203
|
+
*/
|
|
204
|
+
interface DataApiNeonAuthConfig extends DataApiConfigBase {
|
|
205
|
+
authProvider?: "neon";
|
|
206
|
+
/** Forbidden with `authProvider: "neon"` — Neon provides the JWKS URL. */
|
|
207
|
+
jwksUrl?: never;
|
|
208
|
+
/** Forbidden with `authProvider: "neon"` — the provider is Neon Auth. */
|
|
209
|
+
providerName?: never;
|
|
210
|
+
/** Forbidden with `authProvider: "neon"` — Neon manages the audience. */
|
|
211
|
+
jwtAudience?: never;
|
|
212
|
+
}
|
|
213
|
+
/**
|
|
214
|
+
* Data API verified by an **external** IdP (`authProvider: "external"`). You provide the
|
|
215
|
+
* JWKS URL (and optionally a provider label / expected audience).
|
|
216
|
+
*/
|
|
217
|
+
interface DataApiExternalAuthConfig extends DataApiConfigBase {
|
|
218
|
+
authProvider: "external";
|
|
219
|
+
/** URL that publishes the IdP's JWKS (JSON Web Key Set). */
|
|
220
|
+
jwksUrl?: string;
|
|
221
|
+
/** Human label for the IdP (e.g. "Clerk", "Stytch", "Auth0"). */
|
|
222
|
+
providerName?: string;
|
|
223
|
+
/**
|
|
224
|
+
* Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;
|
|
225
|
+
* tokens with no `aud` claim are still accepted.
|
|
226
|
+
*/
|
|
227
|
+
jwtAudience?: string;
|
|
228
|
+
}
|
|
229
|
+
/**
|
|
230
|
+
* Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:
|
|
231
|
+
* the `"neon"` variant forbids the external-IdP fields, the `"external"` variant allows them.
|
|
232
|
+
*/
|
|
233
|
+
type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;
|
|
234
|
+
/**
|
|
235
|
+
* How the Data API is toggled in a policy: a bare boolean (like the other service toggles)
|
|
236
|
+
* or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it
|
|
237
|
+
* with Neon defaults; `false` / `{ enabled: false }` opt out.
|
|
238
|
+
*/
|
|
239
|
+
type DataApiInput = boolean | DataApiConfig;
|
|
240
|
+
/**
|
|
241
|
+
* Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.
|
|
242
|
+
* Only `nodejs24` exists today; kept as a union so adding runtimes later is a
|
|
243
|
+
* non-breaking, type-checked change.
|
|
244
|
+
*/
|
|
245
|
+
type FunctionRuntime = "nodejs24";
|
|
246
|
+
/**
|
|
247
|
+
* Local-development settings for a function, used by `neon dev` when it serves every
|
|
248
|
+
* function declared in `neon.ts` (i.e. invoked with no `--source`). Never affects deploy.
|
|
249
|
+
*/
|
|
250
|
+
interface FunctionDevConfig {
|
|
251
|
+
/**
|
|
252
|
+
* Port the local server binds. Bound exactly (and `neon dev` fails loudly if it is taken)
|
|
253
|
+
* when set; a free port is found automatically when omitted.
|
|
254
|
+
*/
|
|
255
|
+
port?: number;
|
|
256
|
+
}
|
|
257
|
+
/**
|
|
258
|
+
* Static definition of a Neon Function (Preview feature). Declares that the function
|
|
259
|
+
* **exists** on every branch; its branch-unique slug is the **record key** in
|
|
260
|
+
* {@link PreviewInput.functions} (not a field here), so slugs are statically enumerable,
|
|
261
|
+
* cannot duplicate, and the `branch` closure can only tune slugs that are declared here.
|
|
262
|
+
*
|
|
263
|
+
* A function is invoked like a Cloudflare/Vercel handler — its source module
|
|
264
|
+
* `export default { fetch }` or `export async function handler(req): Response`. The
|
|
265
|
+
* `source` path is bundled (esbuild) and uploaded as a deployment; the newest deployment
|
|
266
|
+
* becomes active.
|
|
267
|
+
*
|
|
268
|
+
* Runtime tuning is **not** here — it varies per branch and lives in the `branch` closure
|
|
269
|
+
* (see {@link FunctionTuning}). Memory is fixed by the platform policy for now and is not
|
|
270
|
+
* user-configurable.
|
|
271
|
+
*/
|
|
272
|
+
interface FunctionDef {
|
|
273
|
+
/** Free-form display name. @example "Hello World" */
|
|
274
|
+
name: string;
|
|
275
|
+
/**
|
|
276
|
+
* Path to the function's entry module, **relative to `neon.ts`** (or absolute). The
|
|
277
|
+
* module's default export (`{ fetch }`) or `handler` export is the function entry. This
|
|
278
|
+
* path is resolved against the loaded `neon.ts` location and bundled with esbuild at
|
|
279
|
+
* deploy time.
|
|
280
|
+
*
|
|
281
|
+
* We require a string path rather than an imported handler because a JS function value
|
|
282
|
+
* carries no reference back to its source file, so esbuild has nothing to bundle from.
|
|
283
|
+
* @example "./functions/hello-world.ts"
|
|
284
|
+
*/
|
|
285
|
+
source: string;
|
|
286
|
+
/**
|
|
287
|
+
* Environment variables injected into the deployed function, keyed by the var name the
|
|
288
|
+
* function reads at runtime. The **keys** are static (preserved at the type level so
|
|
289
|
+
* `parseEnv(config, "<slug>").function.<key>` is typed); the **values** are arbitrary
|
|
290
|
+
* strings evaluated when `neon.ts` is loaded (typically `process.env.X`) and uploaded
|
|
291
|
+
* at `config apply`. Every value must be a defined string — a `process.env.X` that is
|
|
292
|
+
* `undefined` (unset) errors at validation time rather than silently shipping
|
|
293
|
+
* `undefined`.
|
|
294
|
+
* @example { resendApiKey: process.env.RESEND_API_KEY ?? "" }
|
|
295
|
+
*/
|
|
296
|
+
env?: Record<string, string>;
|
|
297
|
+
/**
|
|
298
|
+
* Local-development settings used by `neon dev` when serving every function from
|
|
299
|
+
* `neon.ts`. Ignored at deploy time. See {@link FunctionDevConfig}.
|
|
300
|
+
*/
|
|
301
|
+
dev?: FunctionDevConfig;
|
|
302
|
+
}
|
|
303
|
+
/**
|
|
304
|
+
* A single capability a branch-scoped service credential may exercise (Preview). A
|
|
305
|
+
* credential is granted a set of these and may only perform the listed actions. Mirrors
|
|
306
|
+
* the Neon API `CredentialScope` enum (`x-stability-level: beta`):
|
|
307
|
+
*
|
|
308
|
+
* - `storage:read` / `storage:write` — object-storage (bucket) access via the S3 key.
|
|
309
|
+
* - `ai_gateway:invoke` — call the AI Gateway with the bearer `api_token`.
|
|
310
|
+
* - `functions:invoke` — invoke Neon Functions with the bearer `api_token`.
|
|
311
|
+
*
|
|
312
|
+
* The set a policy needs is derived from its enabled Preview features (see
|
|
313
|
+
* {@link deriveCredentialScopes}); it is never authored by hand.
|
|
314
|
+
*/
|
|
315
|
+
type CredentialScope = "storage:read" | "storage:write" | "ai_gateway:invoke" | "functions:invoke";
|
|
316
|
+
/**
|
|
317
|
+
* Who a credential acts as. `user` is the developer/app principal minted for local dev and
|
|
318
|
+
* app bootstrap (`fetchEnv` / `env pull`); `function` is a deployed-function principal
|
|
319
|
+
* (carries a `function_id`). The env tooling only mints `user` credentials today.
|
|
320
|
+
*/
|
|
321
|
+
type CredentialPrincipalType = "user" | "function";
|
|
322
|
+
/** Anonymous-access level for a branchable object-storage bucket. */
|
|
323
|
+
type BucketAccessLevel = "private" | "public_read";
|
|
324
|
+
/**
|
|
325
|
+
* Static definition of a branchable object-storage bucket (Preview feature). The bucket's
|
|
326
|
+
* name is the **record key** in {@link PreviewInput.buckets}, so names are statically
|
|
327
|
+
* enumerable and cannot duplicate.
|
|
328
|
+
*/
|
|
329
|
+
interface BucketDef {
|
|
330
|
+
/**
|
|
331
|
+
* Anonymous access level. `private` (default) requires authenticated reads/writes;
|
|
332
|
+
* `public_read` allows anonymous GetObject/HeadObject.
|
|
333
|
+
*/
|
|
334
|
+
access?: BucketAccessLevel;
|
|
335
|
+
}
|
|
336
|
+
/**
|
|
337
|
+
* Static, branch-scoped **Preview** features. Grouped under `preview` to signal they are
|
|
338
|
+
* backed by Neon `x-stability-level: beta` endpoints and may change before GA. Everything
|
|
339
|
+
* here is existential (it determines what exists on the branch); per-branch tuning lives in
|
|
340
|
+
* the `branch` closure.
|
|
341
|
+
*/
|
|
342
|
+
interface PreviewInput {
|
|
343
|
+
/** Enable/disable the AI Gateway on the branch (toggle, like auth / dataApi). */
|
|
344
|
+
aiGateway?: ServiceToggleInput;
|
|
345
|
+
/** Functions to deploy, keyed by branch-unique slug (`^[a-z0-9]{1,20}$`). */
|
|
346
|
+
functions?: Record<string, FunctionDef>;
|
|
347
|
+
/** Object-storage buckets to create, keyed by bucket name. */
|
|
348
|
+
buckets?: Record<string, BucketDef>;
|
|
349
|
+
}
|
|
350
|
+
/**
|
|
351
|
+
* Per-branch deploy tuning for a single function. Returned (per slug) by the `branch`
|
|
352
|
+
* closure. Deliberately **cannot** change the function's existence, source, name, env
|
|
353
|
+
* **keys**, or memory — only runtime selection is currently configurable — so the static
|
|
354
|
+
* secret/function set stays sound.
|
|
355
|
+
*/
|
|
356
|
+
interface FunctionTuning {
|
|
357
|
+
/** Runtime to execute the function with. Defaults to `"nodejs24"`. */
|
|
358
|
+
runtime?: FunctionRuntime;
|
|
359
|
+
}
|
|
360
|
+
/**
|
|
361
|
+
* Per-branch tuning of Preview features. Only existing function slugs (those declared in
|
|
362
|
+
* the static {@link PreviewInput.functions}) may be tuned — `Slug` is constrained to the
|
|
363
|
+
* declared keys by {@link BranchTuningFn}.
|
|
364
|
+
*/
|
|
365
|
+
interface PreviewTuning<Slug extends string = string> {
|
|
366
|
+
functions?: Partial<Record<Slug, FunctionTuning>>;
|
|
367
|
+
}
|
|
368
|
+
/**
|
|
369
|
+
* The per-branch tuning object returned by the `branch` closure. It can adjust branch
|
|
370
|
+
* lifecycle (`parent`, `ttl`, `protected`), Postgres compute settings, and per-function
|
|
371
|
+
* deploy tuning — but **cannot** add/remove services or functions. That guarantee is what
|
|
372
|
+
* keeps the static secret set (and therefore `NeonEnv`) exact.
|
|
373
|
+
*/
|
|
374
|
+
interface BranchTuning<Slug extends string = string> {
|
|
375
|
+
/** Parent branch name used when creating a new branch. Not a Postgres setting. */
|
|
376
|
+
parent?: string;
|
|
377
|
+
/**
|
|
378
|
+
* Branch time-to-live: how long after creation the branch should auto-expire. Applied
|
|
379
|
+
* when creating a new branch and reconciled on existing branches (when `updateExisting`
|
|
380
|
+
* is set). Accepts a {@link DurationString} (autocompletes common values) or a number of
|
|
381
|
+
* seconds. Omit to keep the branch indefinitely.
|
|
382
|
+
*
|
|
383
|
+
* - {@link DurationString} — e.g. `"7d"`; autocompletes `"1h"`, `"6h"`, `"12h"`, `"1d"`,
|
|
384
|
+
* `"3d"`, `"7d"`, `"14d"`, `"30d"`, and accepts any other `<integer><unit>` (units: `s`,
|
|
385
|
+
* `m`, `h`, `d`, `w` — e.g. `"12h"`, `"2w"`). A **unit is required** — `"7"` is rejected;
|
|
386
|
+
* for raw seconds pass a `number`.
|
|
387
|
+
* - `number` — custom TTL in **seconds** (e.g. `3600`)
|
|
388
|
+
* - `undefined` — no expiry; the branch persists until explicitly deleted
|
|
389
|
+
*
|
|
390
|
+
* The Neon API caps branch expiration at **30 days** from creation, so the resolved TTL must
|
|
391
|
+
* be `> 0` and `<= 30d`; the suggestions stay within that limit and anything longer is
|
|
392
|
+
* rejected at apply.
|
|
393
|
+
*
|
|
394
|
+
* @example "1d" // ephemeral preview branch: expires a day after creation
|
|
395
|
+
* @example "7d" // one-week TTL
|
|
396
|
+
* @example "30d" // the maximum the API allows
|
|
397
|
+
* @example 3600 // 1 hour, expressed in seconds
|
|
398
|
+
*/
|
|
399
|
+
ttl?: DurationField<TtlSuggestion>;
|
|
400
|
+
/** Whether the selected branch should be protected. Undefined means "leave as-is". */
|
|
401
|
+
protected?: boolean;
|
|
402
|
+
postgres?: PostgresConfig;
|
|
403
|
+
preview?: PreviewTuning<Slug>;
|
|
404
|
+
}
|
|
405
|
+
/** Extract the declared function slugs from a {@link PreviewInput} for closure typing. */
|
|
406
|
+
type FunctionSlugsOf<Preview extends PreviewInput | undefined> = Preview extends {
|
|
407
|
+
functions: infer F;
|
|
408
|
+
} ? Extract<keyof F, string> : string;
|
|
409
|
+
/**
|
|
410
|
+
* Signature of the `branch` closure. Generic over the static {@link PreviewInput} so the
|
|
411
|
+
* `preview.functions` keys it may tune are constrained to the slugs actually declared.
|
|
412
|
+
*/
|
|
413
|
+
type BranchTuningFn<Preview extends PreviewInput | undefined = PreviewInput | undefined> = (branch: BranchTarget) => BranchTuning<FunctionSlugsOf<Preview>>;
|
|
414
|
+
/**
|
|
415
|
+
* A validated Neon branch policy — the value `defineConfig({ … })` returns and `neon.ts`
|
|
416
|
+
* default-exports.
|
|
417
|
+
*
|
|
418
|
+
* Split into a **static** existential set (top-level `auth` / `dataApi` GA toggles plus the
|
|
419
|
+
* beta `preview` block) and a **dynamic** per-branch `branch` closure for tuning. The
|
|
420
|
+
* static half is what makes the secret set — and therefore `NeonEnv<typeof config>` and
|
|
421
|
+
* `parseEnv` — exact; the closure can tune but never change what exists.
|
|
422
|
+
*
|
|
423
|
+
* Generic over the three static fields so the type system can read the exact toggle/slug
|
|
424
|
+
* literals; the defaults make the bare `Config` a usable "any policy" type for runtime
|
|
425
|
+
* function signatures.
|
|
426
|
+
*/
|
|
427
|
+
interface Config<Auth extends ServiceToggleInput | undefined = ServiceToggleInput | undefined, DataApi extends DataApiInput | undefined = DataApiInput | undefined, Preview extends PreviewInput | undefined = PreviewInput | undefined> {
|
|
428
|
+
/** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */
|
|
429
|
+
auth?: Auth;
|
|
430
|
+
/**
|
|
431
|
+
* Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or
|
|
432
|
+
* a {@link DataApiConfig} object selecting the auth provider (`"neon"` / `"external"`) and
|
|
433
|
+
* runtime {@link DataApiSettings}. With `authProvider: "neon"` the policy must also enable
|
|
434
|
+
* top-level `auth`.
|
|
435
|
+
*/
|
|
436
|
+
dataApi?: DataApi;
|
|
437
|
+
/** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */
|
|
438
|
+
preview?: Preview;
|
|
439
|
+
/** Per-branch tuning closure. Cannot change the static existential set. */
|
|
440
|
+
branch?: BranchTuningFn<Preview>;
|
|
441
|
+
}
|
|
442
|
+
/**
|
|
443
|
+
* A function with all deploy defaults applied. `resolveConfig` fills in `runtime` so
|
|
444
|
+
* downstream diff/apply never has to re-derive it.
|
|
445
|
+
*/
|
|
446
|
+
interface ResolvedFunctionConfig {
|
|
447
|
+
slug: string;
|
|
448
|
+
name: string;
|
|
449
|
+
source: string;
|
|
450
|
+
env: Record<string, string>;
|
|
451
|
+
runtime: FunctionRuntime;
|
|
452
|
+
/**
|
|
453
|
+
* Local-development settings, passed through untouched from {@link FunctionDef.dev}
|
|
454
|
+
* (no defaults applied). Only consumed by `neon dev`; deploy ignores it.
|
|
455
|
+
*/
|
|
456
|
+
dev?: FunctionDevConfig;
|
|
457
|
+
}
|
|
458
|
+
/** A bucket with its access level defaulted to `private`. */
|
|
459
|
+
interface ResolvedBucketConfig {
|
|
460
|
+
name: string;
|
|
461
|
+
access: BucketAccessLevel;
|
|
462
|
+
}
|
|
463
|
+
/**
|
|
464
|
+
* Normalized {@link PreviewInput}. Only present on {@link ResolvedBranchConfig} when the
|
|
465
|
+
* policy returned a `preview` block. `aiGatewayEnabled` follows the same
|
|
466
|
+
* "present-and-not-`false`" semantics as `authEnabled` / `dataApiEnabled`.
|
|
467
|
+
*/
|
|
468
|
+
interface ResolvedPreviewConfig {
|
|
469
|
+
functions: ResolvedFunctionConfig[];
|
|
470
|
+
buckets: ResolvedBucketConfig[];
|
|
471
|
+
aiGatewayEnabled: boolean;
|
|
472
|
+
}
|
|
473
|
+
/**
|
|
474
|
+
* Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the
|
|
475
|
+
* policy enables `dataApi`. `authProvider` always resolves (defaults to `"neon"`); the
|
|
476
|
+
* external-IdP wiring is present only for `"external"`; `settings` carries the camelCase
|
|
477
|
+
* runtime settings (reconciled as an update when they drift).
|
|
478
|
+
*/
|
|
479
|
+
interface ResolvedDataApiConfig {
|
|
480
|
+
authProvider: DataApiAuthProvider;
|
|
481
|
+
jwksUrl?: string;
|
|
482
|
+
providerName?: string;
|
|
483
|
+
jwtAudience?: string;
|
|
484
|
+
settings?: DataApiSettings;
|
|
485
|
+
}
|
|
486
|
+
interface ResolvedBranchConfig {
|
|
487
|
+
parent?: string;
|
|
488
|
+
ttlSeconds?: number;
|
|
489
|
+
protected?: boolean;
|
|
490
|
+
postgres?: PostgresConfig;
|
|
491
|
+
authEnabled: boolean;
|
|
492
|
+
dataApiEnabled: boolean;
|
|
493
|
+
/**
|
|
494
|
+
* Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the
|
|
495
|
+
* create-time auth wiring and the updatable {@link DataApiSettings}.
|
|
496
|
+
*/
|
|
497
|
+
dataApi?: ResolvedDataApiConfig;
|
|
498
|
+
preview?: ResolvedPreviewConfig;
|
|
499
|
+
}
|
|
500
|
+
/**
|
|
501
|
+
* One concrete change `pushConfig` made (or, in dry-run, would make) on the remote.
|
|
502
|
+
*/
|
|
503
|
+
interface AppliedChange {
|
|
504
|
+
/**
|
|
505
|
+
* `service` covers branch-scoped integrations driven by the branch policy (e.g.
|
|
506
|
+
* Neon Auth, Data API).
|
|
507
|
+
*/
|
|
508
|
+
kind: "branch" | "service";
|
|
509
|
+
action: "create" | "update" | "noop";
|
|
510
|
+
identifier: string;
|
|
511
|
+
details?: Record<string, unknown>;
|
|
512
|
+
}
|
|
513
|
+
/**
|
|
514
|
+
* A diff entry that conflicts with the desired config. `pushConfig` throws
|
|
515
|
+
* {@link PushConflictError} on the first call when conflicts exist; pass
|
|
516
|
+
* `updateExisting: true` to apply mutable drift (settings, `protected`, TTL, project
|
|
517
|
+
* rename). Immutable fields (region, Postgres major version) are always conflicts —
|
|
518
|
+
* recreate the project to change them.
|
|
519
|
+
*/
|
|
520
|
+
interface ConflictReport {
|
|
521
|
+
kind: "branch";
|
|
522
|
+
identifier: string;
|
|
523
|
+
field: string;
|
|
524
|
+
current: unknown;
|
|
525
|
+
desired: unknown;
|
|
526
|
+
reason: string;
|
|
527
|
+
}
|
|
528
|
+
/**
|
|
529
|
+
* Result of a `pushConfig` invocation.
|
|
530
|
+
*/
|
|
531
|
+
interface PushResult {
|
|
532
|
+
projectId: string;
|
|
533
|
+
orgId?: string;
|
|
534
|
+
branchId: string;
|
|
535
|
+
branchName: string;
|
|
536
|
+
/**
|
|
537
|
+
* `true` when `pushConfig` was called with `{ dryRun: true }`. `applied` then records
|
|
538
|
+
* what **would** be applied on a real push; no API mutations were performed.
|
|
539
|
+
*/
|
|
540
|
+
dryRun: boolean;
|
|
541
|
+
applied: AppliedChange[];
|
|
542
|
+
conflicts: ConflictReport[];
|
|
543
|
+
}
|
|
544
|
+
//#endregion
|
|
545
|
+
export { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DATA_API_AUTH_PROVIDERS, DataApiAuthProvider, DataApiConfig, DataApiExternalAuthConfig, DataApiInput, DataApiNeonAuthConfig, DataApiSettings, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedDataApiConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceEnabled, ServiceToggle, ServiceToggleInput };
|
|
546
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/lib/types.ts"],"mappings":";;AAIA;AAGA;AAeA;AAQK,KA1BO,WAAA,GA0BP,IAAA,GAAwB,GAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA;AAAA;AAyBxB,KAhDO,YAAA,GAgDM,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA;;;;;;AAEc;AAUhC;;;;;;AAiCuC;AAStB,KAvFL,cAAA,GAuFiB,GAAA,MAAA,GAvFY,YAuFZ,EAAA;AAqB7B;AAgBA;AAeA;;;;KAnIK,wBAAA,GAuIA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA;;;;AAMI;AAIT;AAgBA;AACA,KAjJK,aAAA,GAiJO,IAAA,GAAmB,IAAA,GAAA,KAAW,GAAA,IAAA,GAAA,IAAA,GAAA,IAAuB,GAAA,KAAA,GAAA,KAAA;AASjE;AAqBC;AAeD;AAcA;AAiBA;;KArNK,aAqNuB,CAAA,oBArNW,cAqNX,CAAA,GApNzB,WAoNyB,GAAA,CAnNxB,cAmNwB,GAnNP,WAmNO,CAAA,OAAA,CAAA,CAAA,GAAA,MAAA;;AAAiD;AAO7E;AAOA;AAMA;AAuBA;;AAwBO,UA5QU,eAAA,CA4QV;;AAKiB;AAexB;AAWA;AAGA;EAOiB,qBAAS,CAAA,EA/SD,WAoTf;EASO;;;;;uBAMS,CAAA,EA7TD,WA6TC;;AAAT;AASjB;AAUA;;;;;;AACoB;AASpB;;;;;;;AA6BwB;AACvB;;gBAGoC,CAAA,EAAA,KAAA,GAtWX,aAsWW,CAtWG,wBAsWH,CAAA;;;;AAI1B;AAOX;;;AAC4C,UAzW3B,YAAA,CAyW2B;;MACe,EAAA,MAAA;;KAA7B,EAAA,MAAA;EAAY;EAezB,MAAA,EAAA,OAAM;EAAA;UACT,CAAA,EAAA,MAAA;;WAGG,CAAA,EAAA,OAAA;;aACA,CAAA,EAAA,OAAA;;WAGT,CAAA,EAAA,MAAA;;;;;AAWgB;AAOP,UA9XA,aAAA,CA8XsB;EAAA;SAIjC,CAAA,EAAA,OAAA;;;AAMkB;AAIxB;AAUA;;;;AAE8B;AAU9B;;;AAKY,KAvZA,kBAAA,GAuZA,OAAA,GAvZ+B,aAuZ/B;AAAe;AAG3B;;;;;AAYgC;AAMhC;AAkBA;AAYA;;;;AAW0B,KAtcd,cAscc,CAAA,CAAA,CAAA,GAAA,CAtcO,CAscP,CAAA,SAAA,CAAA,KAAA,CAAA,GAAA,KAAA,GAAA,CApctB,CAocsB,CAAA,SAAA,CAAA;;cAlcrB,kCAEC,4BAEC;;aAEC;UAIS,cAAA;oBACE;;;;;;;;;;;;;;cAeN;KACD,mBAAA,WAA8B;;;;;;;;UASzB,eAAA;;;;;;;;;;;;;;;;;;;;;;;UAwBP,iBAAA;;;;aAIE;;;;;;;UAQK,qBAAA,SAA8B;;;;;;;;;;;;;UAc9B,yBAAA,SAAkC;;;;;;;;;;;;;;;;KAiBvC,aAAA,GAAgB,wBAAwB;;;;;;KAOxC,YAAA,aAAyB;;;;;;KAOzB,eAAA;;;;;UAMK,iBAAA;;;;;;;;;;;;;;;;;;;;;;UAuBA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;QAwBV;;;;;QAKA;;;;;;;;;;;;;;KAeK,eAAA;;;;;;KAWA,uBAAA;;KAGA,iBAAA;;;;;;UAOK,SAAA;;;;;WAKP;;;;;;;;UASO,YAAA;;cAEJ;;cAEA,eAAe;;YAEjB,eAAe;;;;;;;;UAST,cAAA;;YAEN;;;;;;;UAQM;cACJ,QAAQ,OAAO,MAAM;;;;;;;;UASjB;;;;;;;;;;;;;;;;;;;;;;;;;QAyBV,cAAc;;;aAGT;YACD,cAAc;;;KAIpB,gCAAgC,4BACpC;;IAGG,cAAc;;;;;KAON,+BACK,2BAA2B,qCAC/B,iBAAiB,aAAa,gBAAgB;;;;;;;;;;;;;;UAe1C,oBACH,iCACV,gDAEa,2BAA2B,0CAC3B,2BAA2B;;SAGpC;;;;;;;YAOG;;YAEA;;WAED,eAAe;;;;;;UAOR,sBAAA;;;;OAIX;WACI;;;;;QAKH;;;UAIU,oBAAA;;UAER;;;;;;;UAQQ,qBAAA;aACL;WACF;;;;;;;;;UAUO,qBAAA;gBACF;;;;aAIH;;UAGK,oBAAA;;;;aAIL;;;;;;;YAOD;YACA;;;;;UAMM,aAAA;;;;;;;;YAQN;;;;;;;;;UAUM,cAAA;;;;;;;;;;;UAYA,UAAA;;;;;;;;;;WAUP;aACE"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
//#region src/lib/types.ts
|
|
2
|
+
/**
|
|
3
|
+
* Authentication providers a Data API integration can verify JWTs against, as written in
|
|
4
|
+
* `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
|
|
5
|
+
* at the API boundary):
|
|
6
|
+
*
|
|
7
|
+
* - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
|
|
8
|
+
* JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
|
|
9
|
+
* fields are forbidden (a type error) on this variant — and the policy must also enable
|
|
10
|
+
* top-level `auth` (Neon Auth) so the tokens exist.
|
|
11
|
+
* - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
|
|
12
|
+
* provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
|
|
13
|
+
*/
|
|
14
|
+
const DATA_API_AUTH_PROVIDERS = ["neon", "external"];
|
|
15
|
+
//#endregion
|
|
16
|
+
export { DATA_API_AUTH_PROVIDERS };
|
|
17
|
+
|
|
18
|
+
//# sourceMappingURL=types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","names":[],"sources":["../../src/lib/types.ts"],"sourcesContent":["/**\n * Valid Neon Compute Unit values.\n * Most plans support 0.25, 0.5, 1, 2, 4, 8. Higher values may be available on Business plans.\n */\nexport type ComputeUnit = 0.25 | 0.5 | 1 | 2 | 4 | 8;\n\n/** Time units accepted in a {@link DurationString}: seconds, minutes, hours, days, weeks. */\nexport type DurationUnit = \"s\" | \"m\" | \"h\" | \"d\" | \"w\";\n\n/**\n * A Neon duration string: a positive integer **followed by a unit** — `s` (seconds),\n * `m` (minutes), `h` (hours), `d` (days), or `w` (weeks). Used by\n * {@link ComputeSettings.suspendTimeout} and {@link BranchTuning.ttl}.\n *\n * A **unit is required**: a bare numeric string like `\"7\"` is rejected at the type level. To\n * express a raw number of seconds, pass a `number` (`300`) — not a string (`\"300\"`). This\n * removes the old ambiguity where `\"7\"` silently meant 7 *seconds* instead of, say, `\"7d\"`.\n *\n * @example \"5m\" // 5 minutes\n * @example \"1h\" // 1 hour\n * @example \"7d\" // 7 days\n */\nexport type DurationString = `${number}${DurationUnit}`;\n\n/**\n * Autocomplete suggestions for {@link ComputeSettings.suspendTimeout}. Every value sits inside\n * the Neon API's allowed scale-to-zero band: **60s–604800s** (1 minute – 1 week). This is *not*\n * a closed set — the field also accepts any other {@link DurationString} or a `number` of\n * seconds; out-of-range values type-check but are rejected at apply time.\n */\ntype SuspendTimeoutSuggestion =\n\t| \"1m\"\n\t| \"5m\"\n\t| \"15m\"\n\t| \"30m\"\n\t| \"1h\"\n\t| \"6h\"\n\t| \"12h\"\n\t| \"1d\"\n\t| \"7d\";\n\n/**\n * Autocomplete suggestions for {@link BranchTuning.ttl}. Every value sits within the Neon API's\n * branch-expiration limit (**max 30 days** from creation; the Console's own presets are 1h / 1d\n * / 7d). This is *not* a closed set — the field also accepts any other {@link DurationString} or\n * a `number` of seconds; values over 30 days are rejected at apply time.\n */\ntype TtlSuggestion = \"1h\" | \"6h\" | \"12h\" | \"1d\" | \"3d\" | \"7d\" | \"14d\" | \"30d\";\n\n/**\n * Compose a field's duration type: its curated autocomplete `Suggestions` plus the open\n * `DurationString` template (so any `<integer><unit>` string still type-checks) and a `number`\n * of seconds. Intersecting the template arm with `NonNullable<unknown>` stops TypeScript from\n * collapsing the literal suggestions into the template, which is what preserves the autocomplete.\n */\ntype DurationField<Suggestions extends DurationString> =\n\t| Suggestions\n\t| (DurationString & NonNullable<unknown>)\n\t| number;\n\n/**\n * Compute settings applied to the read/write endpoint of a branch.\n *\n * Mirrors the subset of {@link https://api-docs.neon.tech/reference/getting-started-with-neon-api Neon endpoint}\n * fields that we expose as IaC primitives. Anything left undefined falls back to the project's\n * `default_endpoint_settings` (which themselves fall back to Neon platform defaults).\n */\nexport interface ComputeSettings {\n\t/**\n\t * Minimum number of Compute Units. Set to 0.25 for true scale-to-zero.\n\t * @example 0.25 // scale-to-zero\n\t * @example 1 // always-on with 1 CU minimum\n\t */\n\tautoscalingLimitMinCu?: ComputeUnit;\n\t/**\n\t * Maximum number of Compute Units for autoscaling.\n\t * @example 2\n\t * @example 8\n\t */\n\tautoscalingLimitMaxCu?: ComputeUnit;\n\t/**\n\t * How long an idle compute waits before suspending (Neon's scale-to-zero). Accepts a\n\t * {@link DurationString} (autocompletes common values), a number of seconds, or `false`.\n\t *\n\t * - `false` — never suspend (always-on compute)\n\t * - {@link DurationString} — e.g. `\"5m\"`; autocompletes the in-range values `\"1m\"`, `\"5m\"`,\n\t * `\"15m\"`, `\"30m\"`, `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`, `\"7d\"`, and accepts any other\n\t * `<integer><unit>` (units: `s`, `m`, `h`, `d`, `w`). A **unit is required** — for raw\n\t * seconds pass a `number`, not a string.\n\t * - `number` — custom timeout in **seconds**, must be in `60`–`604800` (1 minute to 1 week)\n\t * - `undefined` — use the Neon platform default (currently 300s / 5 minutes)\n\t *\n\t * Whichever form you use, the resolved timeout must fall in `60`–`604800` seconds (the Neon\n\t * API limit); the suggestions are all within that band, anything else is checked at apply.\n\t *\n\t * @example false // never suspend (always-on)\n\t * @example \"5m\" // suspend after 5 minutes idle\n\t * @example \"1h\" // suspend after 1 hour idle\n\t * @example 300 // 5 minutes, expressed in seconds\n\t */\n\tsuspendTimeout?: false | DurationField<SuspendTimeoutSuggestion>;\n}\n\n/**\n * Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the\n * `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes\n * **which** branch this invocation decides for; it is not a live branch handle and must not\n * be mutated. Switch on its fields and return the desired {@link BranchConfig}.\n */\nexport interface BranchTarget {\n\t/** Branch name being evaluated. For `branch dev`, this is the generated branch name. */\n\tname: string;\n\t/** Neon branch id when the branch already exists. Undefined during pre-create eval. */\n\tid?: string;\n\t/** Whether this branch already exists on Neon. */\n\texists: boolean;\n\t/** Parent branch id from Neon when known. */\n\tparentId?: string;\n\t/** Whether Neon marks this branch as the project default. */\n\tisDefault?: boolean;\n\t/** Whether Neon currently marks this branch protected. */\n\tisProtected?: boolean;\n\t/** Current expiration timestamp from Neon, when set. */\n\texpiresAt?: string;\n}\n\n/**\n * Object form of a branch-scoped service toggle. `{}` or `{ enabled: true }` enables it;\n * `{ enabled: false }` opts out. Used as the object half of {@link ServiceToggleInput}.\n */\nexport interface ServiceToggle {\n\t/** Defaults to `true` when the service namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n}\n\n/**\n * How a branch-scoped service (Neon Auth, Data API, AI Gateway) is toggled in a policy.\n *\n * - `true` / `{}` / `{ enabled: true }` — enabled.\n * - `false` / `{ enabled: false }` — disabled.\n * - omitted (`undefined`) — not part of the policy at all.\n *\n * These toggles are **static** (they live in the top-level `defineConfig({ … })` object,\n * not in the per-branch `branch` closure) so the secret set they imply can be derived at\n * the type level — that's what makes `NeonEnv<typeof config>` exact.\n */\nexport type ServiceToggleInput = boolean | ServiceToggle;\n\n/**\n * Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /\n * `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables\n * distribution so a union/`undefined` is judged as a single unit:\n *\n * - `false` / `{ enabled: false }` / `undefined` → `false`\n * - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`\n * (a present toggle defaults to enabled)\n * - the bare `boolean | … | undefined` (no literal info) → `false`\n *\n * Shared by the {@link Config} static cross-field checks and the `@neon/env`\n * `NeonEnv` namespace derivation, so both read \"is this service on?\" identically.\n */\nexport type ServiceEnabled<T> = [T] extends [false]\n\t? false\n\t: [T] extends [{ enabled: false }]\n\t\t? false\n\t\t: [T] extends [undefined]\n\t\t\t? false\n\t\t\t: [T] extends [true]\n\t\t\t\t? true\n\t\t\t\t: [T] extends [{ enabled: true }]\n\t\t\t\t\t? true\n\t\t\t\t\t: [T] extends [object]\n\t\t\t\t\t\t? true\n\t\t\t\t\t\t: false;\n\nexport interface PostgresConfig {\n\tcomputeSettings?: ComputeSettings;\n}\n\n/**\n * Authentication providers a Data API integration can verify JWTs against, as written in\n * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`\n * at the API boundary):\n *\n * - `\"neon\"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the\n * JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`\n * fields are forbidden (a type error) on this variant — and the policy must also enable\n * top-level `auth` (Neon Auth) so the tokens exist.\n * - `\"external\"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You\n * provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).\n */\nexport const DATA_API_AUTH_PROVIDERS = [\"neon\", \"external\"] as const;\nexport type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];\n\n/**\n * Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,\n * camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep\n * the Neon defaults shown below. These are the **only** Data API fields that can change on\n * an already-enabled integration — drift here is reconciled as an *update* (requires\n * `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.\n */\nexport interface DataApiSettings {\n\t/** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */\n\tdbAggregatesEnabled?: boolean;\n\t/** Database role used for anonymous requests (`db_anon_role`). Default `\"anonymous\"`. */\n\tdbAnonRole?: string;\n\t/** Extra schemas appended to the search path (`db_extra_search_path`). */\n\tdbExtraSearchPath?: string;\n\t/** Maximum rows returned in a single request (`db_max_rows`). */\n\tdbMaxRows?: number;\n\t/** Schemas exposed via the API (`db_schemas`). Default `[\"public\"]`. */\n\tdbSchemas?: string[];\n\t/** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `\".role\"`. */\n\tjwtRoleClaimKey?: string;\n\t/** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */\n\tjwtCacheMaxLifetime?: number;\n\t/** OpenAPI spec mode (`openapi_mode`). Default `\"disabled\"`. */\n\topenapiMode?: \"ignore-privileges\" | \"disabled\";\n\t/** CORS allowed origins (`server_cors_allowed_origins`). */\n\tserverCorsAllowedOrigins?: string;\n\t/** Emit server-timing headers (`server_timing_enabled`). */\n\tserverTimingEnabled?: boolean;\n}\n\n/** Fields shared by every {@link DataApiConfig} variant. */\ninterface DataApiConfigBase {\n\t/** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n\t/** Reusable runtime settings. Drift here is reconciled as an update. */\n\tsettings?: DataApiSettings;\n}\n\n/**\n * Data API verified by **Neon Auth** (`authProvider: \"neon\"`, the default). The external\n * IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any\n * of them is a type error directing you to `authProvider: \"external\"`.\n */\nexport interface DataApiNeonAuthConfig extends DataApiConfigBase {\n\tauthProvider?: \"neon\";\n\t/** Forbidden with `authProvider: \"neon\"` — Neon provides the JWKS URL. */\n\tjwksUrl?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — the provider is Neon Auth. */\n\tproviderName?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — Neon manages the audience. */\n\tjwtAudience?: never;\n}\n\n/**\n * Data API verified by an **external** IdP (`authProvider: \"external\"`). You provide the\n * JWKS URL (and optionally a provider label / expected audience).\n */\nexport interface DataApiExternalAuthConfig extends DataApiConfigBase {\n\tauthProvider: \"external\";\n\t/** URL that publishes the IdP's JWKS (JSON Web Key Set). */\n\tjwksUrl?: string;\n\t/** Human label for the IdP (e.g. \"Clerk\", \"Stytch\", \"Auth0\"). */\n\tproviderName?: string;\n\t/**\n\t * Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;\n\t * tokens with no `aud` claim are still accepted.\n\t */\n\tjwtAudience?: string;\n}\n\n/**\n * Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:\n * the `\"neon\"` variant forbids the external-IdP fields, the `\"external\"` variant allows them.\n */\nexport type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;\n\n/**\n * How the Data API is toggled in a policy: a bare boolean (like the other service toggles)\n * or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it\n * with Neon defaults; `false` / `{ enabled: false }` opt out.\n */\nexport type DataApiInput = boolean | DataApiConfig;\n\n/**\n * Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.\n * Only `nodejs24` exists today; kept as a union so adding runtimes later is a\n * non-breaking, type-checked change.\n */\nexport type FunctionRuntime = \"nodejs24\";\n\n/**\n * Local-development settings for a function, used by `neon dev` when it serves every\n * function declared in `neon.ts` (i.e. invoked with no `--source`). Never affects deploy.\n */\nexport interface FunctionDevConfig {\n\t/**\n\t * Port the local server binds. Bound exactly (and `neon dev` fails loudly if it is taken)\n\t * when set; a free port is found automatically when omitted.\n\t */\n\tport?: number;\n}\n\n/**\n * Static definition of a Neon Function (Preview feature). Declares that the function\n * **exists** on every branch; its branch-unique slug is the **record key** in\n * {@link PreviewInput.functions} (not a field here), so slugs are statically enumerable,\n * cannot duplicate, and the `branch` closure can only tune slugs that are declared here.\n *\n * A function is invoked like a Cloudflare/Vercel handler — its source module\n * `export default { fetch }` or `export async function handler(req): Response`. The\n * `source` path is bundled (esbuild) and uploaded as a deployment; the newest deployment\n * becomes active.\n *\n * Runtime tuning is **not** here — it varies per branch and lives in the `branch` closure\n * (see {@link FunctionTuning}). Memory is fixed by the platform policy for now and is not\n * user-configurable.\n */\nexport interface FunctionDef {\n\t/** Free-form display name. @example \"Hello World\" */\n\tname: string;\n\t/**\n\t * Path to the function's entry module, **relative to `neon.ts`** (or absolute). The\n\t * module's default export (`{ fetch }`) or `handler` export is the function entry. This\n\t * path is resolved against the loaded `neon.ts` location and bundled with esbuild at\n\t * deploy time.\n\t *\n\t * We require a string path rather than an imported handler because a JS function value\n\t * carries no reference back to its source file, so esbuild has nothing to bundle from.\n\t * @example \"./functions/hello-world.ts\"\n\t */\n\tsource: string;\n\t/**\n\t * Environment variables injected into the deployed function, keyed by the var name the\n\t * function reads at runtime. The **keys** are static (preserved at the type level so\n\t * `parseEnv(config, \"<slug>\").function.<key>` is typed); the **values** are arbitrary\n\t * strings evaluated when `neon.ts` is loaded (typically `process.env.X`) and uploaded\n\t * at `config apply`. Every value must be a defined string — a `process.env.X` that is\n\t * `undefined` (unset) errors at validation time rather than silently shipping\n\t * `undefined`.\n\t * @example { resendApiKey: process.env.RESEND_API_KEY ?? \"\" }\n\t */\n\tenv?: Record<string, string>;\n\t/**\n\t * Local-development settings used by `neon dev` when serving every function from\n\t * `neon.ts`. Ignored at deploy time. See {@link FunctionDevConfig}.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/**\n * A single capability a branch-scoped service credential may exercise (Preview). A\n * credential is granted a set of these and may only perform the listed actions. Mirrors\n * the Neon API `CredentialScope` enum (`x-stability-level: beta`):\n *\n * - `storage:read` / `storage:write` — object-storage (bucket) access via the S3 key.\n * - `ai_gateway:invoke` — call the AI Gateway with the bearer `api_token`.\n * - `functions:invoke` — invoke Neon Functions with the bearer `api_token`.\n *\n * The set a policy needs is derived from its enabled Preview features (see\n * {@link deriveCredentialScopes}); it is never authored by hand.\n */\nexport type CredentialScope =\n\t| \"storage:read\"\n\t| \"storage:write\"\n\t| \"ai_gateway:invoke\"\n\t| \"functions:invoke\";\n\n/**\n * Who a credential acts as. `user` is the developer/app principal minted for local dev and\n * app bootstrap (`fetchEnv` / `env pull`); `function` is a deployed-function principal\n * (carries a `function_id`). The env tooling only mints `user` credentials today.\n */\nexport type CredentialPrincipalType = \"user\" | \"function\";\n\n/** Anonymous-access level for a branchable object-storage bucket. */\nexport type BucketAccessLevel = \"private\" | \"public_read\";\n\n/**\n * Static definition of a branchable object-storage bucket (Preview feature). The bucket's\n * name is the **record key** in {@link PreviewInput.buckets}, so names are statically\n * enumerable and cannot duplicate.\n */\nexport interface BucketDef {\n\t/**\n\t * Anonymous access level. `private` (default) requires authenticated reads/writes;\n\t * `public_read` allows anonymous GetObject/HeadObject.\n\t */\n\taccess?: BucketAccessLevel;\n}\n\n/**\n * Static, branch-scoped **Preview** features. Grouped under `preview` to signal they are\n * backed by Neon `x-stability-level: beta` endpoints and may change before GA. Everything\n * here is existential (it determines what exists on the branch); per-branch tuning lives in\n * the `branch` closure.\n */\nexport interface PreviewInput {\n\t/** Enable/disable the AI Gateway on the branch (toggle, like auth / dataApi). */\n\taiGateway?: ServiceToggleInput;\n\t/** Functions to deploy, keyed by branch-unique slug (`^[a-z0-9]{1,20}$`). */\n\tfunctions?: Record<string, FunctionDef>;\n\t/** Object-storage buckets to create, keyed by bucket name. */\n\tbuckets?: Record<string, BucketDef>;\n}\n\n/**\n * Per-branch deploy tuning for a single function. Returned (per slug) by the `branch`\n * closure. Deliberately **cannot** change the function's existence, source, name, env\n * **keys**, or memory — only runtime selection is currently configurable — so the static\n * secret/function set stays sound.\n */\nexport interface FunctionTuning {\n\t/** Runtime to execute the function with. Defaults to `\"nodejs24\"`. */\n\truntime?: FunctionRuntime;\n}\n\n/**\n * Per-branch tuning of Preview features. Only existing function slugs (those declared in\n * the static {@link PreviewInput.functions}) may be tuned — `Slug` is constrained to the\n * declared keys by {@link BranchTuningFn}.\n */\nexport interface PreviewTuning<Slug extends string = string> {\n\tfunctions?: Partial<Record<Slug, FunctionTuning>>;\n}\n\n/**\n * The per-branch tuning object returned by the `branch` closure. It can adjust branch\n * lifecycle (`parent`, `ttl`, `protected`), Postgres compute settings, and per-function\n * deploy tuning — but **cannot** add/remove services or functions. That guarantee is what\n * keeps the static secret set (and therefore `NeonEnv`) exact.\n */\nexport interface BranchTuning<Slug extends string = string> {\n\t/** Parent branch name used when creating a new branch. Not a Postgres setting. */\n\tparent?: string;\n\t/**\n\t * Branch time-to-live: how long after creation the branch should auto-expire. Applied\n\t * when creating a new branch and reconciled on existing branches (when `updateExisting`\n\t * is set). Accepts a {@link DurationString} (autocompletes common values) or a number of\n\t * seconds. Omit to keep the branch indefinitely.\n\t *\n\t * - {@link DurationString} — e.g. `\"7d\"`; autocompletes `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`,\n\t * `\"3d\"`, `\"7d\"`, `\"14d\"`, `\"30d\"`, and accepts any other `<integer><unit>` (units: `s`,\n\t * `m`, `h`, `d`, `w` — e.g. `\"12h\"`, `\"2w\"`). A **unit is required** — `\"7\"` is rejected;\n\t * for raw seconds pass a `number`.\n\t * - `number` — custom TTL in **seconds** (e.g. `3600`)\n\t * - `undefined` — no expiry; the branch persists until explicitly deleted\n\t *\n\t * The Neon API caps branch expiration at **30 days** from creation, so the resolved TTL must\n\t * be `> 0` and `<= 30d`; the suggestions stay within that limit and anything longer is\n\t * rejected at apply.\n\t *\n\t * @example \"1d\" // ephemeral preview branch: expires a day after creation\n\t * @example \"7d\" // one-week TTL\n\t * @example \"30d\" // the maximum the API allows\n\t * @example 3600 // 1 hour, expressed in seconds\n\t */\n\tttl?: DurationField<TtlSuggestion>;\n\t/** Whether the selected branch should be protected. Undefined means \"leave as-is\". */\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tpreview?: PreviewTuning<Slug>;\n}\n\n/** Extract the declared function slugs from a {@link PreviewInput} for closure typing. */\ntype FunctionSlugsOf<Preview extends PreviewInput | undefined> =\n\tPreview extends {\n\t\tfunctions: infer F;\n\t}\n\t\t? Extract<keyof F, string>\n\t\t: string;\n\n/**\n * Signature of the `branch` closure. Generic over the static {@link PreviewInput} so the\n * `preview.functions` keys it may tune are constrained to the slugs actually declared.\n */\nexport type BranchTuningFn<\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> = (branch: BranchTarget) => BranchTuning<FunctionSlugsOf<Preview>>;\n\n/**\n * A validated Neon branch policy — the value `defineConfig({ … })` returns and `neon.ts`\n * default-exports.\n *\n * Split into a **static** existential set (top-level `auth` / `dataApi` GA toggles plus the\n * beta `preview` block) and a **dynamic** per-branch `branch` closure for tuning. The\n * static half is what makes the secret set — and therefore `NeonEnv<typeof config>` and\n * `parseEnv` — exact; the closure can tune but never change what exists.\n *\n * Generic over the three static fields so the type system can read the exact toggle/slug\n * literals; the defaults make the bare `Config` a usable \"any policy\" type for runtime\n * function signatures.\n */\nexport interface Config<\n\tAuth extends ServiceToggleInput | undefined =\n\t\t| ServiceToggleInput\n\t\t| undefined,\n\tDataApi extends DataApiInput | undefined = DataApiInput | undefined,\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> {\n\t/** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */\n\tauth?: Auth;\n\t/**\n\t * Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or\n\t * a {@link DataApiConfig} object selecting the auth provider (`\"neon\"` / `\"external\"`) and\n\t * runtime {@link DataApiSettings}. With `authProvider: \"neon\"` the policy must also enable\n\t * top-level `auth`.\n\t */\n\tdataApi?: DataApi;\n\t/** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */\n\tpreview?: Preview;\n\t/** Per-branch tuning closure. Cannot change the static existential set. */\n\tbranch?: BranchTuningFn<Preview>;\n}\n\n/**\n * A function with all deploy defaults applied. `resolveConfig` fills in `runtime` so\n * downstream diff/apply never has to re-derive it.\n */\nexport interface ResolvedFunctionConfig {\n\tslug: string;\n\tname: string;\n\tsource: string;\n\tenv: Record<string, string>;\n\truntime: FunctionRuntime;\n\t/**\n\t * Local-development settings, passed through untouched from {@link FunctionDef.dev}\n\t * (no defaults applied). Only consumed by `neon dev`; deploy ignores it.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/** A bucket with its access level defaulted to `private`. */\nexport interface ResolvedBucketConfig {\n\tname: string;\n\taccess: BucketAccessLevel;\n}\n\n/**\n * Normalized {@link PreviewInput}. Only present on {@link ResolvedBranchConfig} when the\n * policy returned a `preview` block. `aiGatewayEnabled` follows the same\n * \"present-and-not-`false`\" semantics as `authEnabled` / `dataApiEnabled`.\n */\nexport interface ResolvedPreviewConfig {\n\tfunctions: ResolvedFunctionConfig[];\n\tbuckets: ResolvedBucketConfig[];\n\taiGatewayEnabled: boolean;\n}\n\n/**\n * Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the\n * policy enables `dataApi`. `authProvider` always resolves (defaults to `\"neon\"`); the\n * external-IdP wiring is present only for `\"external\"`; `settings` carries the camelCase\n * runtime settings (reconciled as an update when they drift).\n */\nexport interface ResolvedDataApiConfig {\n\tauthProvider: DataApiAuthProvider;\n\tjwksUrl?: string;\n\tproviderName?: string;\n\tjwtAudience?: string;\n\tsettings?: DataApiSettings;\n}\n\nexport interface ResolvedBranchConfig {\n\tparent?: string;\n\tttlSeconds?: number;\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tauthEnabled: boolean;\n\tdataApiEnabled: boolean;\n\t/**\n\t * Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the\n\t * create-time auth wiring and the updatable {@link DataApiSettings}.\n\t */\n\tdataApi?: ResolvedDataApiConfig;\n\tpreview?: ResolvedPreviewConfig;\n}\n\n/**\n * One concrete change `pushConfig` made (or, in dry-run, would make) on the remote.\n */\nexport interface AppliedChange {\n\t/**\n\t * `service` covers branch-scoped integrations driven by the branch policy (e.g.\n\t * Neon Auth, Data API).\n\t */\n\tkind: \"branch\" | \"service\";\n\taction: \"create\" | \"update\" | \"noop\";\n\tidentifier: string;\n\tdetails?: Record<string, unknown>;\n}\n\n/**\n * A diff entry that conflicts with the desired config. `pushConfig` throws\n * {@link PushConflictError} on the first call when conflicts exist; pass\n * `updateExisting: true` to apply mutable drift (settings, `protected`, TTL, project\n * rename). Immutable fields (region, Postgres major version) are always conflicts —\n * recreate the project to change them.\n */\nexport interface ConflictReport {\n\tkind: \"branch\";\n\tidentifier: string;\n\tfield: string;\n\tcurrent: unknown;\n\tdesired: unknown;\n\treason: string;\n}\n\n/**\n * Result of a `pushConfig` invocation.\n */\nexport interface PushResult {\n\tprojectId: string;\n\torgId?: string;\n\tbranchId: string;\n\tbranchName: string;\n\t/**\n\t * `true` when `pushConfig` was called with `{ dryRun: true }`. `applied` then records\n\t * what **would** be applied on a real push; no API mutations were performed.\n\t */\n\tdryRun: boolean;\n\tapplied: AppliedChange[];\n\tconflicts: ConflictReport[];\n}\n"],"mappings":";;;;;;;;;;;;;AA+LA,MAAa,0BAA0B,CAAC,QAAQ,UAAU"}
|