@neondatabase/config-runtime 0.0.0 → 0.1.0

package/dist/lib/push-config.d.ts

@@ -0,0 +1,104 @@
+import { Config, NeonApi, PushResult } from "@neondatabase/config";
+
+//#region src/lib/push-config.d.ts
+interface PushConfigOptions {
+  /**
+   * Neon project id. **Required** — the management API addresses every branch through
+   * its project, so there is no way to push without it. `pushConfig` never creates a
+   * project; resolve the id yourself (e.g. via neonctl) and pass it in.
+   */
+  projectId: string;
+  /**
+   * Neon branch id (`br-…`). **Required.** `pushConfig` never creates a branch — it must
+   * already exist on the project. Resolve names to ids before calling.
+   */
+  branchId: string;
+  /** Neon API key. Falls back to `NEON_API_KEY` / neonctl credentials. Ignored when `api` is supplied. */
+  apiKey?: string;
+  /**
+   * Inject a custom NeonApi adapter. Primarily used by tests; production callers can rely
+   * on the default real adapter built from `apiKey`.
+   */
+  api?: NeonApi;
+  /**
+   * Auto-confirm overriding existing remote settings.
+   *
+   * When `true`, mutable drift on the selected branch (TTL, `protected` flag, compute
+   * settings) is applied as actual mutations and the override-confirm prompt is
+   * skipped. When `false` (default) the behaviour depends on whether `confirm` is
+   * supplied:
+   *   - With `confirm`: the callback is asked whether to apply the override.
+   *   - Without `confirm`: drift is reported as a `PushConflictError` (legacy
+   *     non-interactive default — preserved so programmatic SDK callers don't
+   *     silently start mutating remote state).
+   */
+  updateExisting?: boolean;
+  /**
+   * Auto-confirm pushing to a protected branch.
+   *
+   * When `true`, no protected-branch confirmation is asked. When `false` (default):
+   *   - With `confirm`: the callback is asked.
+   *   - Without `confirm`: the push proceeds (legacy SDK default).
+   */
+  allowProtectedBranch?: boolean;
+  /**
+   * Optional confirmation callback. Invoked once with a single context object before
+   * any mutations run when the push needs confirmation: pushing to a protected
+   * branch (unless `allowProtectedBranch` is `true`) and/or applying mutable drift
+   * (unless `updateExisting` is `true`).
+   *
+   * Both prompts collapse into a single callback invocation when both apply, so the
+   * CLI can render one combined "are you sure?" prompt.
+   *
+   * Resolves to `true` to proceed, `false` to abort with {@link PushAbortedError}.
+   *
+   * Never invoked on `dryRun`.
+   */
+  confirm?: (context: PushConfirmContext) => boolean | Promise<boolean>;
+  /**
+   * When `true`, compute the full plan against the live remote state but **do not
+   * execute any mutations**. The resulting `PushResult.applied` array records every
+   * change that *would* run on a real push (with the same action / identifier / details
+   * shape, so the existing CLI summary formatter just works), and conflicts are
+   * reported instead of thrown.
+   *
+   * Used by `plan(config, branchId)` and any caller that wants a "would this push do
+   * something dangerous?" check before invoking `pushConfig` for real.
+   */
+  dryRun?: boolean;
+}
+/**
+ * Context handed to a {@link PushConfigOptions.confirm} callback. Both flags can be
+ * `true` simultaneously when the push targets a protected branch *and* would override
+ * existing settings — render a single combined prompt covering both reasons.
+ */
+interface PushConfirmContext {
+  /** Name of the target branch on Neon. */
+  branchName: string;
+  /**
+   * `true` when the target branch has the `protected` flag on Neon and the caller
+   * did not pass `allowProtectedBranch: true`.
+   */
+  protectedBranch: boolean;
+  /**
+   * `true` when the plan would override existing remote settings (TTL, `protected`
+   * flag, compute settings on an existing endpoint) and the caller did not pass
+   * `updateExisting: true`. Additive operations (enabling Neon Auth / Data API for
+   * the first time) are **not** counted here — those are unambiguous and never
+   * prompt.
+   */
+  overrideUpdates: boolean;
+}
+/**
+ * Push a Neon branch policy to a specific project + branch.
+ *
+ * Filesystem- and env-agnostic: the caller supplies an already-validated `Config` object
+ * (from `defineConfig` / `loadConfigFromFile`) and explicit `projectId` + `branch` in
+ * `options`. `pushConfig` performs no `.neon` lookups and reads no `NEON_*` env vars.
+ *
+ * It will **not** create a project or branch — both must already exist on Neon.
+ */
+declare function pushConfig(config: Config, options: PushConfigOptions): Promise<PushResult>;
+//#endregion
+export { PushConfigOptions, PushConfirmContext, pushConfig };
+//# sourceMappingURL=push-config.d.ts.map

package/dist/lib/push-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"push-config.d.ts","names":[],"sources":["../../src/lib/push-config.ts"],"mappings":";;;UAoBiB,iBAAA;;AAAjB;;;;WAqDsD,EAAA,MAAA;EAAO;AAmB7D;AA2BA;;UACS,EAAA,MAAA;;QAEE,CAAA,EAAA,MAAA;;AAAD;;;QApFH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAmCc,iCAAiC;;;;;;;;;;;;;;;;;;UAmBrC,kBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2BK,UAAA,SACb,iBACC,oBACP,QAAQ"}

package/dist/lib/push-config.js

@@ -0,0 +1,389 @@
+import { buildFunctionBundle } from "./function-bundle.js";
+import { ErrorCode, PlatformError, PushAbortedError, PushConflictError, createNeonApiFromOptions, diffConfig, resolveConfig } from "@neondatabase/config";
+//#region src/lib/push-config.ts
+/**
+* Push a Neon branch policy to a specific project + branch.
+*
+* Filesystem- and env-agnostic: the caller supplies an already-validated `Config` object
+* (from `defineConfig` / `loadConfigFromFile`) and explicit `projectId` + `branch` in
+* `options`. `pushConfig` performs no `.neon` lookups and reads no `NEON_*` env vars.
+*
+* It will **not** create a project or branch — both must already exist on Neon.
+*/
+async function pushConfig(config, options) {
+	const api = options.api ?? createApiFromOptions(options);
+	const projectId = options.projectId;
+	const dryRun = options.dryRun === true;
+	const updateExisting = options.updateExisting === true;
+	const allowProtectedBranch = options.allowProtectedBranch === true;
+	const remoteProject = await api.getProject(projectId);
+	const [branches, endpoints] = await Promise.all([api.listBranches(remoteProject.id), api.listEndpoints(remoteProject.id)]);
+	const branch = resolveRemoteBranch(options.branchId, branches);
+	const resolved = resolveConfig(config, {
+		name: branch.name,
+		id: branch.id,
+		exists: true,
+		...branch.parentId ? { parentId: branch.parentId } : {},
+		isDefault: branch.isDefault,
+		isProtected: branch.protected,
+		...branch.expiresAt ? { expiresAt: branch.expiresAt } : {}
+	});
+	const services = await resolveServiceState({
+		api,
+		projectId: remoteProject.id,
+		branch,
+		wantsAuth: resolved.authEnabled,
+		wantsDataApi: resolved.dataApiEnabled
+	});
+	const remote = {
+		projectId: remoteProject.id,
+		branch,
+		endpoint: endpoints.find((ep) => ep.type === "read_write" && ep.branchId === branch.id),
+		services
+	};
+	if (resolved.preview) remote.preview = await resolvePreviewState({
+		api,
+		projectId: remoteProject.id,
+		branchId: branch.id
+	});
+	const diff = diffConfig(resolved, remote, { updateExisting: true });
+	const needsOverrideConfirm = diff.plan.filter(isOverrideStep).length > 0 && !updateExisting;
+	const needsProtectedConfirm = branch.protected && !allowProtectedBranch;
+	if (!dryRun && diff.conflicts.length > 0) throw new PushConflictError(diff.conflicts);
+	if (!dryRun && (needsOverrideConfirm || needsProtectedConfirm)) {
+		if (options.confirm) {
+			if (!await options.confirm({
+				branchName: branch.name,
+				protectedBranch: needsProtectedConfirm,
+				overrideUpdates: needsOverrideConfirm
+			})) {
+				const reasons = [];
+				if (needsProtectedConfirm) reasons.push("protected-branch");
+				if (needsOverrideConfirm) reasons.push("override-updates");
+				throw new PushAbortedError(branch.name, reasons);
+			}
+		} else if (needsOverrideConfirm) throw new PushConflictError(diffConfig(resolved, remote, { updateExisting: false }).conflicts);
+	}
+	const applied = [{
+		kind: "branch",
+		action: "noop",
+		identifier: branch.name
+	}];
+	const branchById = new Map(branches.map((b) => [b.id, b]));
+	const branchByName = new Map(branches.map((b) => [b.name, b]));
+	for (const step of diff.plan) {
+		const change = dryRun ? synthesizeAppliedChange(step) : await applyStep(step, {
+			api,
+			remoteProjectId: remoteProject.id,
+			branchById,
+			branchByName
+		});
+		applied.push(change);
+	}
+	const result = {
+		projectId: remoteProject.id,
+		branchId: branch.id,
+		branchName: branch.name,
+		dryRun,
+		applied,
+		conflicts: diff.conflicts
+	};
+	if (remoteProject.orgId) result.orgId = remoteProject.orgId;
+	return result;
+}
+/**
+* `update-*` plan steps mutate existing remote state. `enable-*` steps are additive (no
+* existing resource to override) and never trigger the override-confirm prompt.
+*/
+function isOverrideStep(step) {
+	return step.kind === "update-branch-ttl" || step.kind === "update-branch-protected" || step.kind === "update-endpoint";
+}
+/**
+* Build an {@link AppliedChange} from a {@link PlanStep} without calling the Neon API.
+* Used by dry-run mode so callers see the same record shape they would on a live push,
+* just with no side effects. Identifiers are the branch names from the plan; any
+* sub-resource ids (`branchId`, `endpointId`) flow through unchanged when known.
+*/
+function synthesizeAppliedChange(step) {
+	switch (step.kind) {
+		case "update-branch-ttl": return {
+			kind: "branch",
+			action: "update",
+			identifier: step.branchName,
+			details: {
+				field: "ttl",
+				expiresAt: step.expiresAt
+			}
+		};
+		case "update-branch-protected": return {
+			kind: "branch",
+			action: "update",
+			identifier: step.branchName,
+			details: {
+				field: "protected",
+				protected: step.protected
+			}
+		};
+		case "update-endpoint": return {
+			kind: "branch",
+			action: "update",
+			identifier: step.branchName,
+			details: {
+				field: "computeSettings",
+				endpointId: step.endpointId,
+				settings: step.settings
+			}
+		};
+		case "enable-auth": return {
+			kind: "service",
+			action: "create",
+			identifier: "auth",
+			details: {
+				branchName: step.branchName,
+				...step.databaseName ? { databaseName: step.databaseName } : {}
+			}
+		};
+		case "enable-data-api": return {
+			kind: "service",
+			action: "create",
+			identifier: "dataApi",
+			details: {
+				branchName: step.branchName,
+				databaseName: step.databaseName
+			}
+		};
+		case "create-bucket": return {
+			kind: "service",
+			action: "create",
+			identifier: `bucket:${step.bucketName}`,
+			details: {
+				branchName: step.branchName,
+				bucketName: step.bucketName,
+				accessLevel: step.accessLevel
+			}
+		};
+		case "create-function": return {
+			kind: "service",
+			action: "create",
+			identifier: `function:${step.fn.slug}`,
+			details: {
+				branchName: step.branchName,
+				slug: step.fn.slug,
+				name: step.fn.name
+			}
+		};
+		case "deploy-function": return {
+			kind: "service",
+			action: "update",
+			identifier: `function:${step.fn.slug}`,
+			details: {
+				branchName: step.branchName,
+				slug: step.fn.slug,
+				source: step.fn.source,
+				runtime: step.fn.runtime,
+				memoryMib: step.fn.memoryMib
+			}
+		};
+		case "enable-ai-gateway": return {
+			kind: "service",
+			action: "create",
+			identifier: "aiGateway",
+			details: { branchName: step.branchName }
+		};
+	}
+}
+function createApiFromOptions(options) {
+	return createNeonApiFromOptions("pushConfig", { ...options.apiKey ? { apiKey: options.apiKey } : {} });
+}
+function resolveRemoteBranch(branchId, branches) {
+	const found = branches.find((b) => b.id === branchId);
+	if (found) return found;
+	throw new PlatformError(ErrorCode.BranchNotFound, [
+		`pushConfig: branch id ${JSON.stringify(branchId)} does not exist on the project.`,
+		`Available branches: ${branches.map((b) => `${b.name} (${b.id})`).join(", ") || "(none)"}.`,
+		"Pass an existing branch id, or create the branch first with the neonctl CLI."
+	].join(" "), { details: {
+		branchId,
+		available: branches.map((b) => b.id)
+	} });
+}
+/**
+* Pre-fetch the current state of branch-scoped integrations on the selected branch.
+*/
+async function resolveServiceState(args) {
+	const { api, projectId, branch, wantsAuth, wantsDataApi } = args;
+	if (!wantsAuth && !wantsDataApi) return {
+		databaseName: "neondb",
+		authEnabled: false,
+		dataApiEnabled: false
+	};
+	const databaseName = await pickServiceDatabaseName(api, projectId, branch.id);
+	const [auth, dataApi] = await Promise.all([wantsAuth ? api.getNeonAuth(projectId, branch.id) : Promise.resolve(null), wantsDataApi ? api.getNeonDataApi(projectId, branch.id, databaseName) : Promise.resolve(null)]);
+	return {
+		databaseName,
+		authEnabled: auth !== null,
+		dataApiEnabled: dataApi !== null
+	};
+}
+/**
+* Pre-fetch the current state of branch-scoped Preview features (buckets, functions, AI
+* Gateway) so the diff can be computed additively. Only called when the policy has a
+* `preview` block.
+*/
+async function resolvePreviewState(args) {
+	const { api, projectId, branchId } = args;
+	const [buckets, functions, aiGatewayEnabled] = await Promise.all([
+		api.listBranchBuckets(projectId, branchId),
+		api.listBranchFunctions(projectId, branchId),
+		api.getAiGatewayEnabled(projectId, branchId)
+	]);
+	return {
+		buckets,
+		functions,
+		aiGatewayEnabled
+	};
+}
+/**
+* Resolve the database name for a Data API integration. Auto-pick when the branch has
+* exactly one database; otherwise fall back to Neon's default (`neondb`) so the call
+* stays useful even on branches with multiple databases — push doesn't have a way to
+* surface a "pick one" prompt the way `fetchEnv` does.
+*/
+async function pickServiceDatabaseName(api, projectId, branchId) {
+	const databases = await api.listBranchDatabases(projectId, branchId);
+	if (databases.length === 1) return databases[0].name;
+	const neondb = databases.find((d) => d.name === "neondb");
+	if (neondb) return neondb.name;
+	return databases[0]?.name ?? "neondb";
+}
+async function applyStep(step, ctx) {
+	switch (step.kind) {
+		case "update-branch-ttl": {
+			const updated = await ctx.api.updateBranch(ctx.remoteProjectId, step.branchId, { expiresAt: step.expiresAt ?? null });
+			ctx.branchById.set(updated.id, updated);
+			ctx.branchByName.set(updated.name, updated);
+			return {
+				kind: "branch",
+				action: "update",
+				identifier: updated.name,
+				details: {
+					field: "ttl",
+					expiresAt: step.expiresAt
+				}
+			};
+		}
+		case "update-branch-protected": {
+			const updated = await ctx.api.updateBranch(ctx.remoteProjectId, step.branchId, { protected: step.protected });
+			ctx.branchById.set(updated.id, updated);
+			ctx.branchByName.set(updated.name, updated);
+			return {
+				kind: "branch",
+				action: "update",
+				identifier: updated.name,
+				details: {
+					field: "protected",
+					protected: step.protected
+				}
+			};
+		}
+		case "update-endpoint": {
+			const updated = await ctx.api.updateEndpoint(ctx.remoteProjectId, step.endpointId, step.settings);
+			return {
+				kind: "branch",
+				action: "update",
+				identifier: step.branchName,
+				details: {
+					field: "computeSettings",
+					endpointId: updated.id,
+					settings: step.settings
+				}
+			};
+		}
+		case "enable-auth":
+			await ctx.api.enableNeonAuth(ctx.remoteProjectId, step.branchId, { ...step.databaseName ? { databaseName: step.databaseName } : {} });
+			return {
+				kind: "service",
+				action: "create",
+				identifier: "auth",
+				details: {
+					branchName: step.branchName,
+					...step.databaseName ? { databaseName: step.databaseName } : {}
+				}
+			};
+		case "enable-data-api":
+			await ctx.api.enableProjectBranchDataApi(ctx.remoteProjectId, step.branchId, step.databaseName);
+			return {
+				kind: "service",
+				action: "create",
+				identifier: "dataApi",
+				details: {
+					branchName: step.branchName,
+					databaseName: step.databaseName
+				}
+			};
+		case "create-bucket":
+			await ctx.api.createBranchBucket(ctx.remoteProjectId, step.branchId, {
+				name: step.bucketName,
+				accessLevel: step.accessLevel
+			});
+			return {
+				kind: "service",
+				action: "create",
+				identifier: `bucket:${step.bucketName}`,
+				details: {
+					branchName: step.branchName,
+					bucketName: step.bucketName,
+					accessLevel: step.accessLevel
+				}
+			};
+		case "create-function":
+			await ctx.api.createBranchFunction(ctx.remoteProjectId, step.branchId, {
+				slug: step.fn.slug,
+				name: step.fn.name
+			});
+			return {
+				kind: "service",
+				action: "create",
+				identifier: `function:${step.fn.slug}`,
+				details: {
+					branchName: step.branchName,
+					slug: step.fn.slug,
+					name: step.fn.name
+				}
+			};
+		case "deploy-function": {
+			const bundle = await buildFunctionBundle(step.fn);
+			const deployment = await ctx.api.deployBranchFunction(ctx.remoteProjectId, step.branchId, step.fn.slug, {
+				bundle,
+				runtime: step.fn.runtime,
+				memoryMib: step.fn.memoryMib,
+				environment: step.fn.env
+			});
+			return {
+				kind: "service",
+				action: "update",
+				identifier: `function:${step.fn.slug}`,
+				details: {
+					branchName: step.branchName,
+					slug: step.fn.slug,
+					source: step.fn.source,
+					runtime: step.fn.runtime,
+					memoryMib: step.fn.memoryMib,
+					deploymentId: deployment.id
+				}
+			};
+		}
+		case "enable-ai-gateway":
+			await ctx.api.enableAiGateway(ctx.remoteProjectId, step.branchId);
+			return {
+				kind: "service",
+				action: "create",
+				identifier: "aiGateway",
+				details: { branchName: step.branchName }
+			};
+	}
+}
+//#endregion
+export { pushConfig };
+
+//# sourceMappingURL=push-config.js.map

package/dist/lib/push-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"push-config.js","names":[],"sources":["../../src/lib/push-config.ts"],"sourcesContent":["import {\n\ttype AppliedChange,\n\ttype Config,\n\tcreateNeonApiFromOptions,\n\tdiffConfig,\n\tErrorCode,\n\ttype NeonApi,\n\ttype NeonBranchSnapshot,\n\ttype PlanStep,\n\tPlatformError,\n\tPushAbortedError,\n\tPushConflictError,\n\ttype PushResult,\n\ttype RemotePreviewState,\n\ttype RemoteServiceState,\n\ttype RemoteState,\n\tresolveConfig,\n} from \"@neondatabase/config\";\nimport { buildFunctionBundle } from \"./function-bundle.js\";\n\nexport interface PushConfigOptions {\n\t/**\n\t * Neon project id. **Required** — the management API addresses every branch through\n\t * its project, so there is no way to push without it. `pushConfig` never creates a\n\t * project; resolve the id yourself (e.g. via neonctl) and pass it in.\n\t */\n\tprojectId: string;\n\t/**\n\t * Neon branch id (`br-…`). **Required.** `pushConfig` never creates a branch — it must\n\t * already exist on the project. Resolve names to ids before calling.\n\t */\n\tbranchId: string;\n\t/** Neon API key. Falls back to `NEON_API_KEY` / neonctl credentials. Ignored when `api` is supplied. */\n\tapiKey?: string;\n\t/**\n\t * Inject a custom NeonApi adapter. Primarily used by tests; production callers can rely\n\t * on the default real adapter built from `apiKey`.\n\t */\n\tapi?: NeonApi;\n\t/**\n\t * Auto-confirm overriding existing remote settings.\n\t *\n\t * When `true`, mutable drift on the selected branch (TTL, `protected` flag, compute\n\t * settings) is applied as actual mutations and the override-confirm prompt is\n\t * skipped. When `false` (default) the behaviour depends on whether `confirm` is\n\t * supplied:\n\t *   - With `confirm`: the callback is asked whether to apply the override.\n\t *   - Without `confirm`: drift is reported as a `PushConflictError` (legacy\n\t *     non-interactive default — preserved so programmatic SDK callers don't\n\t *     silently start mutating remote state).\n\t */\n\tupdateExisting?: boolean;\n\t/**\n\t * Auto-confirm pushing to a protected branch.\n\t *\n\t * When `true`, no protected-branch confirmation is asked. When `false` (default):\n\t *   - With `confirm`: the callback is asked.\n\t *   - Without `confirm`: the push proceeds (legacy SDK default).\n\t */\n\tallowProtectedBranch?: boolean;\n\t/**\n\t * Optional confirmation callback. Invoked once with a single context object before\n\t * any mutations run when the push needs confirmation: pushing to a protected\n\t * branch (unless `allowProtectedBranch` is `true`) and/or applying mutable drift\n\t * (unless `updateExisting` is `true`).\n\t *\n\t * Both prompts collapse into a single callback invocation when both apply, so the\n\t * CLI can render one combined \"are you sure?\" prompt.\n\t *\n\t * Resolves to `true` to proceed, `false` to abort with {@link PushAbortedError}.\n\t *\n\t * Never invoked on `dryRun`.\n\t */\n\tconfirm?: (context: PushConfirmContext) => boolean | Promise<boolean>;\n\t/**\n\t * When `true`, compute the full plan against the live remote state but **do not\n\t * execute any mutations**. The resulting `PushResult.applied` array records every\n\t * change that *would* run on a real push (with the same action / identifier / details\n\t * shape, so the existing CLI summary formatter just works), and conflicts are\n\t * reported instead of thrown.\n\t *\n\t * Used by `plan(config, branchId)` and any caller that wants a \"would this push do\n\t * something dangerous?\" check before invoking `pushConfig` for real.\n\t */\n\tdryRun?: boolean;\n}\n\n/**\n * Context handed to a {@link PushConfigOptions.confirm} callback. Both flags can be\n * `true` simultaneously when the push targets a protected branch *and* would override\n * existing settings — render a single combined prompt covering both reasons.\n */\nexport interface PushConfirmContext {\n\t/** Name of the target branch on Neon. */\n\tbranchName: string;\n\t/**\n\t * `true` when the target branch has the `protected` flag on Neon and the caller\n\t * did not pass `allowProtectedBranch: true`.\n\t */\n\tprotectedBranch: boolean;\n\t/**\n\t * `true` when the plan would override existing remote settings (TTL, `protected`\n\t * flag, compute settings on an existing endpoint) and the caller did not pass\n\t * `updateExisting: true`. Additive operations (enabling Neon Auth / Data API for\n\t * the first time) are **not** counted here — those are unambiguous and never\n\t * prompt.\n\t */\n\toverrideUpdates: boolean;\n}\n\n/**\n * Push a Neon branch policy to a specific project + branch.\n *\n * Filesystem- and env-agnostic: the caller supplies an already-validated `Config` object\n * (from `defineConfig` / `loadConfigFromFile`) and explicit `projectId` + `branch` in\n * `options`. `pushConfig` performs no `.neon` lookups and reads no `NEON_*` env vars.\n *\n * It will **not** create a project or branch — both must already exist on Neon.\n */\nexport async function pushConfig(\n\tconfig: Config,\n\toptions: PushConfigOptions,\n): Promise<PushResult> {\n\tconst api = options.api ?? createApiFromOptions(options);\n\tconst projectId = options.projectId;\n\n\tconst dryRun = options.dryRun === true;\n\tconst updateExisting = options.updateExisting === true;\n\tconst allowProtectedBranch = options.allowProtectedBranch === true;\n\n\tconst remoteProject = await api.getProject(projectId);\n\n\tconst [branches, endpoints] = await Promise.all([\n\t\tapi.listBranches(remoteProject.id),\n\t\tapi.listEndpoints(remoteProject.id),\n\t]);\n\tconst branch = resolveRemoteBranch(options.branchId, branches);\n\tconst resolved = resolveConfig(config, {\n\t\tname: branch.name,\n\t\tid: branch.id,\n\t\texists: true,\n\t\t...(branch.parentId ? { parentId: branch.parentId } : {}),\n\t\tisDefault: branch.isDefault,\n\t\tisProtected: branch.protected,\n\t\t...(branch.expiresAt ? { expiresAt: branch.expiresAt } : {}),\n\t});\n\tconst services = await resolveServiceState({\n\t\tapi,\n\t\tprojectId: remoteProject.id,\n\t\tbranch,\n\t\twantsAuth: resolved.authEnabled,\n\t\twantsDataApi: resolved.dataApiEnabled,\n\t});\n\tconst remote: RemoteState = {\n\t\tprojectId: remoteProject.id,\n\t\tbranch,\n\t\tendpoint: endpoints.find(\n\t\t\t(ep) => ep.type === \"read_write\" && ep.branchId === branch.id,\n\t\t),\n\t\tservices,\n\t};\n\t// Only fetch Preview state when the policy actually uses it — keeps pushes that don't\n\t// touch functions/buckets/aiGateway at the same number of API calls as before.\n\tif (resolved.preview) {\n\t\tremote.preview = await resolvePreviewState({\n\t\t\tapi,\n\t\t\tprojectId: remoteProject.id,\n\t\t\tbranchId: branch.id,\n\t\t});\n\t}\n\n\t// Always compute the plan with `updateExisting: true` so we can see what *would* be\n\t// overridden. The decision of whether to apply / prompt / fail is gated below using\n\t// the recorded steps.\n\tconst diff = diffConfig(resolved, remote, { updateExisting: true });\n\tconst overrideSteps = diff.plan.filter(isOverrideStep);\n\tconst needsOverrideConfirm = overrideSteps.length > 0 && !updateExisting;\n\tconst needsProtectedConfirm = branch.protected && !allowProtectedBranch;\n\n\tif (!dryRun && diff.conflicts.length > 0) {\n\t\tthrow new PushConflictError(diff.conflicts);\n\t}\n\n\tif (!dryRun && (needsOverrideConfirm || needsProtectedConfirm)) {\n\t\tif (options.confirm) {\n\t\t\tconst ok = await options.confirm({\n\t\t\t\tbranchName: branch.name,\n\t\t\t\tprotectedBranch: needsProtectedConfirm,\n\t\t\t\toverrideUpdates: needsOverrideConfirm,\n\t\t\t});\n\t\t\tif (!ok) {\n\t\t\t\tconst reasons: (\"protected-branch\" | \"override-updates\")[] = [];\n\t\t\t\tif (needsProtectedConfirm) reasons.push(\"protected-branch\");\n\t\t\t\tif (needsOverrideConfirm) reasons.push(\"override-updates\");\n\t\t\t\tthrow new PushAbortedError(branch.name, reasons);\n\t\t\t}\n\t\t} else if (needsOverrideConfirm) {\n\t\t\t// Legacy non-interactive fallback: surface the would-be drift as a\n\t\t\t// `PushConflictError` so programmatic callers that skipped both\n\t\t\t// `updateExisting` and `confirm` see the previous fail-fast behavior.\n\t\t\tconst legacy = diffConfig(resolved, remote, {\n\t\t\t\tupdateExisting: false,\n\t\t\t});\n\t\t\tthrow new PushConflictError(legacy.conflicts);\n\t\t}\n\t\t// Protected branch + no confirm callback: legacy default proceeds without\n\t\t// any extra check (no programmatic regression).\n\t}\n\n\tconst applied: AppliedChange[] = [\n\t\t{ kind: \"branch\", action: \"noop\", identifier: branch.name },\n\t];\n\n\tconst branchById = new Map(branches.map((b) => [b.id, b] as const));\n\tconst branchByName = new Map(branches.map((b) => [b.name, b] as const));\n\n\tfor (const step of diff.plan) {\n\t\tconst change = dryRun\n\t\t\t? synthesizeAppliedChange(step)\n\t\t\t: await applyStep(step, {\n\t\t\t\t\tapi,\n\t\t\t\t\tremoteProjectId: remoteProject.id,\n\t\t\t\t\tbranchById,\n\t\t\t\t\tbranchByName,\n\t\t\t\t});\n\t\tapplied.push(change);\n\t}\n\n\tconst result: PushResult = {\n\t\tprojectId: remoteProject.id,\n\t\tbranchId: branch.id,\n\t\tbranchName: branch.name,\n\t\tdryRun,\n\t\tapplied,\n\t\tconflicts: diff.conflicts,\n\t};\n\tif (remoteProject.orgId) result.orgId = remoteProject.orgId;\n\treturn result;\n}\n\n/**\n * `update-*` plan steps mutate existing remote state. `enable-*` steps are additive (no\n * existing resource to override) and never trigger the override-confirm prompt.\n */\nfunction isOverrideStep(step: PlanStep): boolean {\n\treturn (\n\t\tstep.kind === \"update-branch-ttl\" ||\n\t\tstep.kind === \"update-branch-protected\" ||\n\t\tstep.kind === \"update-endpoint\"\n\t);\n}\n\n/**\n * Build an {@link AppliedChange} from a {@link PlanStep} without calling the Neon API.\n * Used by dry-run mode so callers see the same record shape they would on a live push,\n * just with no side effects. Identifiers are the branch names from the plan; any\n * sub-resource ids (`branchId`, `endpointId`) flow through unchanged when known.\n */\nfunction synthesizeAppliedChange(step: PlanStep): AppliedChange {\n\tswitch (step.kind) {\n\t\tcase \"update-branch-ttl\":\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: step.branchName,\n\t\t\t\tdetails: { field: \"ttl\", expiresAt: step.expiresAt },\n\t\t\t};\n\t\tcase \"update-branch-protected\":\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: step.branchName,\n\t\t\t\tdetails: { field: \"protected\", protected: step.protected },\n\t\t\t};\n\t\tcase \"update-endpoint\":\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: step.branchName,\n\t\t\t\tdetails: {\n\t\t\t\t\tfield: \"computeSettings\",\n\t\t\t\t\tendpointId: step.endpointId,\n\t\t\t\t\tsettings: step.settings,\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"enable-auth\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"auth\",\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\t...(step.databaseName\n\t\t\t\t\t\t? { databaseName: step.databaseName }\n\t\t\t\t\t\t: {}),\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"enable-data-api\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"dataApi\",\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tdatabaseName: step.databaseName,\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"create-bucket\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: `bucket:${step.bucketName}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tbucketName: step.bucketName,\n\t\t\t\t\taccessLevel: step.accessLevel,\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"create-function\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: `function:${step.fn.slug}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tslug: step.fn.slug,\n\t\t\t\t\tname: step.fn.name,\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"deploy-function\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: `function:${step.fn.slug}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tslug: step.fn.slug,\n\t\t\t\t\tsource: step.fn.source,\n\t\t\t\t\truntime: step.fn.runtime,\n\t\t\t\t\tmemoryMib: step.fn.memoryMib,\n\t\t\t\t},\n\t\t\t};\n\t\tcase \"enable-ai-gateway\":\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"aiGateway\",\n\t\t\t\tdetails: { branchName: step.branchName },\n\t\t\t};\n\t}\n}\n\nfunction createApiFromOptions(options: PushConfigOptions): NeonApi {\n\treturn createNeonApiFromOptions(\"pushConfig\", {\n\t\t...(options.apiKey ? { apiKey: options.apiKey } : {}),\n\t});\n}\n\nfunction resolveRemoteBranch(\n\tbranchId: string,\n\tbranches: NeonBranchSnapshot[],\n): NeonBranchSnapshot {\n\tconst found = branches.find((b) => b.id === branchId);\n\tif (found) return found;\n\tthrow new PlatformError(\n\t\tErrorCode.BranchNotFound,\n\t\t[\n\t\t\t`pushConfig: branch id ${JSON.stringify(branchId)} does not exist on the project.`,\n\t\t\t`Available branches: ${branches.map((b) => `${b.name} (${b.id})`).join(\", \") || \"(none)\"}.`,\n\t\t\t\"Pass an existing branch id, or create the branch first with the neonctl CLI.\",\n\t\t].join(\" \"),\n\t\t{ details: { branchId, available: branches.map((b) => b.id) } },\n\t);\n}\n\n/**\n * Pre-fetch the current state of branch-scoped integrations on the selected branch.\n */\nasync function resolveServiceState(args: {\n\tapi: NeonApi;\n\tprojectId: string;\n\tbranch: NeonBranchSnapshot;\n\twantsAuth: boolean;\n\twantsDataApi: boolean;\n}): Promise<RemoteServiceState> {\n\tconst { api, projectId, branch, wantsAuth, wantsDataApi } = args;\n\tif (!wantsAuth && !wantsDataApi) {\n\t\treturn {\n\t\t\tdatabaseName: \"neondb\",\n\t\t\tauthEnabled: false,\n\t\t\tdataApiEnabled: false,\n\t\t};\n\t}\n\n\tconst databaseName = await pickServiceDatabaseName(\n\t\tapi,\n\t\tprojectId,\n\t\tbranch.id,\n\t);\n\n\tconst [auth, dataApi] = await Promise.all([\n\t\twantsAuth\n\t\t\t? api.getNeonAuth(projectId, branch.id)\n\t\t\t: Promise.resolve(null),\n\t\twantsDataApi\n\t\t\t? api.getNeonDataApi(projectId, branch.id, databaseName)\n\t\t\t: Promise.resolve(null),\n\t]);\n\treturn {\n\t\tdatabaseName,\n\t\tauthEnabled: auth !== null,\n\t\tdataApiEnabled: dataApi !== null,\n\t};\n}\n\n/**\n * Pre-fetch the current state of branch-scoped Preview features (buckets, functions, AI\n * Gateway) so the diff can be computed additively. Only called when the policy has a\n * `preview` block.\n */\nasync function resolvePreviewState(args: {\n\tapi: NeonApi;\n\tprojectId: string;\n\tbranchId: string;\n}): Promise<RemotePreviewState> {\n\tconst { api, projectId, branchId } = args;\n\tconst [buckets, functions, aiGatewayEnabled] = await Promise.all([\n\t\tapi.listBranchBuckets(projectId, branchId),\n\t\tapi.listBranchFunctions(projectId, branchId),\n\t\tapi.getAiGatewayEnabled(projectId, branchId),\n\t]);\n\treturn { buckets, functions, aiGatewayEnabled };\n}\n\n/**\n * Resolve the database name for a Data API integration. Auto-pick when the branch has\n * exactly one database; otherwise fall back to Neon's default (`neondb`) so the call\n * stays useful even on branches with multiple databases — push doesn't have a way to\n * surface a \"pick one\" prompt the way `fetchEnv` does.\n */\nasync function pickServiceDatabaseName(\n\tapi: NeonApi,\n\tprojectId: string,\n\tbranchId: string,\n): Promise<string> {\n\tconst databases = await api.listBranchDatabases(projectId, branchId);\n\tif (databases.length === 1) return databases[0].name;\n\tconst neondb = databases.find((d) => d.name === \"neondb\");\n\tif (neondb) return neondb.name;\n\treturn databases[0]?.name ?? \"neondb\";\n}\n\ninterface ApplyContext {\n\tapi: NeonApi;\n\tremoteProjectId: string;\n\tbranchById: Map<string, NeonBranchSnapshot>;\n\tbranchByName: Map<string, NeonBranchSnapshot>;\n}\n\nasync function applyStep(\n\tstep: PlanStep,\n\tctx: ApplyContext,\n): Promise<AppliedChange> {\n\tswitch (step.kind) {\n\t\tcase \"update-branch-ttl\": {\n\t\t\tconst updated = await ctx.api.updateBranch(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\t{\n\t\t\t\t\texpiresAt: step.expiresAt ?? null,\n\t\t\t\t},\n\t\t\t);\n\t\t\tctx.branchById.set(updated.id, updated);\n\t\t\tctx.branchByName.set(updated.name, updated);\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: updated.name,\n\t\t\t\tdetails: { field: \"ttl\", expiresAt: step.expiresAt },\n\t\t\t};\n\t\t}\n\t\tcase \"update-branch-protected\": {\n\t\t\tconst updated = await ctx.api.updateBranch(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\t{ protected: step.protected },\n\t\t\t);\n\t\t\tctx.branchById.set(updated.id, updated);\n\t\t\tctx.branchByName.set(updated.name, updated);\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: updated.name,\n\t\t\t\tdetails: { field: \"protected\", protected: step.protected },\n\t\t\t};\n\t\t}\n\t\tcase \"update-endpoint\": {\n\t\t\tconst updated = await ctx.api.updateEndpoint(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.endpointId,\n\t\t\t\tstep.settings,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tkind: \"branch\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: step.branchName,\n\t\t\t\tdetails: {\n\t\t\t\t\tfield: \"computeSettings\",\n\t\t\t\t\tendpointId: updated.id,\n\t\t\t\t\tsettings: step.settings,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"enable-auth\": {\n\t\t\tawait ctx.api.enableNeonAuth(ctx.remoteProjectId, step.branchId, {\n\t\t\t\t...(step.databaseName\n\t\t\t\t\t? { databaseName: step.databaseName }\n\t\t\t\t\t: {}),\n\t\t\t});\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"auth\",\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\t...(step.databaseName\n\t\t\t\t\t\t? { databaseName: step.databaseName }\n\t\t\t\t\t\t: {}),\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"enable-data-api\": {\n\t\t\tawait ctx.api.enableProjectBranchDataApi(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\tstep.databaseName,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"dataApi\",\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tdatabaseName: step.databaseName,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"create-bucket\": {\n\t\t\tawait ctx.api.createBranchBucket(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\t{ name: step.bucketName, accessLevel: step.accessLevel },\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: `bucket:${step.bucketName}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tbucketName: step.bucketName,\n\t\t\t\t\taccessLevel: step.accessLevel,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"create-function\": {\n\t\t\tawait ctx.api.createBranchFunction(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\t{ slug: step.fn.slug, name: step.fn.name },\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: `function:${step.fn.slug}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tslug: step.fn.slug,\n\t\t\t\t\tname: step.fn.name,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"deploy-function\": {\n\t\t\tconst bundle = await buildFunctionBundle(step.fn);\n\t\t\tconst deployment = await ctx.api.deployBranchFunction(\n\t\t\t\tctx.remoteProjectId,\n\t\t\t\tstep.branchId,\n\t\t\t\tstep.fn.slug,\n\t\t\t\t{\n\t\t\t\t\tbundle,\n\t\t\t\t\truntime: step.fn.runtime,\n\t\t\t\t\tmemoryMib: step.fn.memoryMib,\n\t\t\t\t\tenvironment: step.fn.env,\n\t\t\t\t},\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"update\",\n\t\t\t\tidentifier: `function:${step.fn.slug}`,\n\t\t\t\tdetails: {\n\t\t\t\t\tbranchName: step.branchName,\n\t\t\t\t\tslug: step.fn.slug,\n\t\t\t\t\tsource: step.fn.source,\n\t\t\t\t\truntime: step.fn.runtime,\n\t\t\t\t\tmemoryMib: step.fn.memoryMib,\n\t\t\t\t\tdeploymentId: deployment.id,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tcase \"enable-ai-gateway\": {\n\t\t\tawait ctx.api.enableAiGateway(ctx.remoteProjectId, step.branchId);\n\t\t\treturn {\n\t\t\t\tkind: \"service\",\n\t\t\t\taction: \"create\",\n\t\t\t\tidentifier: \"aiGateway\",\n\t\t\t\tdetails: { branchName: step.branchName },\n\t\t\t};\n\t\t}\n\t}\n}\n"],"mappings":";;;;;;;;;;;;AAuHA,eAAsB,WACrB,QACA,SACsB;CACtB,MAAM,MAAM,QAAQ,OAAO,qBAAqB,OAAO;CACvD,MAAM,YAAY,QAAQ;CAE1B,MAAM,SAAS,QAAQ,WAAW;CAClC,MAAM,iBAAiB,QAAQ,mBAAmB;CAClD,MAAM,uBAAuB,QAAQ,yBAAyB;CAE9D,MAAM,gBAAgB,MAAM,IAAI,WAAW,SAAS;CAEpD,MAAM,CAAC,UAAU,aAAa,MAAM,QAAQ,IAAI,CAC/C,IAAI,aAAa,cAAc,EAAE,GACjC,IAAI,cAAc,cAAc,EAAE,CACnC,CAAC;CACD,MAAM,SAAS,oBAAoB,QAAQ,UAAU,QAAQ;CAC7D,MAAM,WAAW,cAAc,QAAQ;EACtC,MAAM,OAAO;EACb,IAAI,OAAO;EACX,QAAQ;EACR,GAAI,OAAO,WAAW,EAAE,UAAU,OAAO,SAAS,IAAI,CAAC;EACvD,WAAW,OAAO;EAClB,aAAa,OAAO;EACpB,GAAI,OAAO,YAAY,EAAE,WAAW,OAAO,UAAU,IAAI,CAAC;CAC3D,CAAC;CACD,MAAM,WAAW,MAAM,oBAAoB;EAC1C;EACA,WAAW,cAAc;EACzB;EACA,WAAW,SAAS;EACpB,cAAc,SAAS;CACxB,CAAC;CACD,MAAM,SAAsB;EAC3B,WAAW,cAAc;EACzB;EACA,UAAU,UAAU,MAClB,OAAO,GAAG,SAAS,gBAAgB,GAAG,aAAa,OAAO,EAC5D;EACA;CACD;CAGA,IAAI,SAAS,SACZ,OAAO,UAAU,MAAM,oBAAoB;EAC1C;EACA,WAAW,cAAc;EACzB,UAAU,OAAO;CAClB,CAAC;CAMF,MAAM,OAAO,WAAW,UAAU,QAAQ,EAAE,gBAAgB,KAAK,CAAC;CAElE,MAAM,uBADgB,KAAK,KAAK,OAAO,cACE,EAAE,SAAS,KAAK,CAAC;CAC1D,MAAM,wBAAwB,OAAO,aAAa,CAAC;CAEnD,IAAI,CAAC,UAAU,KAAK,UAAU,SAAS,GACtC,MAAM,IAAI,kBAAkB,KAAK,SAAS;CAG3C,IAAI,CAAC,WAAW,wBAAwB;MACnC,QAAQ;OAMP,CAAC,MALY,QAAQ,QAAQ;IAChC,YAAY,OAAO;IACnB,iBAAiB;IACjB,iBAAiB;GAClB,CAAC,GACQ;IACR,MAAM,UAAuD,CAAC;IAC9D,IAAI,uBAAuB,QAAQ,KAAK,kBAAkB;IAC1D,IAAI,sBAAsB,QAAQ,KAAK,kBAAkB;IACzD,MAAM,IAAI,iBAAiB,OAAO,MAAM,OAAO;GAChD;SACM,IAAI,sBAOV,MAAM,IAAI,kBAHK,WAAW,UAAU,QAAQ,EAC3C,gBAAgB,MACjB,CACiC,EAAE,SAAS;CAAA;CAM9C,MAAM,UAA2B,CAChC;EAAE,MAAM;EAAU,QAAQ;EAAQ,YAAY,OAAO;CAAK,CAC3D;CAEA,MAAM,aAAa,IAAI,IAAI,SAAS,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,CAAU,CAAC;CAClE,MAAM,eAAe,IAAI,IAAI,SAAS,KAAK,MAAM,CAAC,EAAE,MAAM,CAAC,CAAU,CAAC;CAEtE,KAAK,MAAM,QAAQ,KAAK,MAAM;EAC7B,MAAM,SAAS,SACZ,wBAAwB,IAAI,IAC5B,MAAM,UAAU,MAAM;GACtB;GACA,iBAAiB,cAAc;GAC/B;GACA;EACD,CAAC;EACH,QAAQ,KAAK,MAAM;CACpB;CAEA,MAAM,SAAqB;EAC1B,WAAW,cAAc;EACzB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA;EACA,WAAW,KAAK;CACjB;CACA,IAAI,cAAc,OAAO,OAAO,QAAQ,cAAc;CACtD,OAAO;AACR;;;;;AAMA,SAAS,eAAe,MAAyB;CAChD,OACC,KAAK,SAAS,uBACd,KAAK,SAAS,6BACd,KAAK,SAAS;AAEhB;;;;;;;AAQA,SAAS,wBAAwB,MAA+B;CAC/D,QAAQ,KAAK,MAAb;EACC,KAAK,qBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,KAAK;GACjB,SAAS;IAAE,OAAO;IAAO,WAAW,KAAK;GAAU;EACpD;EACD,KAAK,2BACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,KAAK;GACjB,SAAS;IAAE,OAAO;IAAa,WAAW,KAAK;GAAU;EAC1D;EACD,KAAK,mBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,KAAK;GACjB,SAAS;IACR,OAAO;IACP,YAAY,KAAK;IACjB,UAAU,KAAK;GAChB;EACD;EACD,KAAK,eACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY;GACZ,SAAS;IACR,YAAY,KAAK;IACjB,GAAI,KAAK,eACN,EAAE,cAAc,KAAK,aAAa,IAClC,CAAC;GACL;EACD;EACD,KAAK,mBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY;GACZ,SAAS;IACR,YAAY,KAAK;IACjB,cAAc,KAAK;GACpB;EACD;EACD,KAAK,iBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,UAAU,KAAK;GAC3B,SAAS;IACR,YAAY,KAAK;IACjB,YAAY,KAAK;IACjB,aAAa,KAAK;GACnB;EACD;EACD,KAAK,mBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,YAAY,KAAK,GAAG;GAChC,SAAS;IACR,YAAY,KAAK;IACjB,MAAM,KAAK,GAAG;IACd,MAAM,KAAK,GAAG;GACf;EACD;EACD,KAAK,mBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY,YAAY,KAAK,GAAG;GAChC,SAAS;IACR,YAAY,KAAK;IACjB,MAAM,KAAK,GAAG;IACd,QAAQ,KAAK,GAAG;IAChB,SAAS,KAAK,GAAG;IACjB,WAAW,KAAK,GAAG;GACpB;EACD;EACD,KAAK,qBACJ,OAAO;GACN,MAAM;GACN,QAAQ;GACR,YAAY;GACZ,SAAS,EAAE,YAAY,KAAK,WAAW;EACxC;CACF;AACD;AAEA,SAAS,qBAAqB,SAAqC;CAClE,OAAO,yBAAyB,cAAc,EAC7C,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC,EACpD,CAAC;AACF;AAEA,SAAS,oBACR,UACA,UACqB;CACrB,MAAM,QAAQ,SAAS,MAAM,MAAM,EAAE,OAAO,QAAQ;CACpD,IAAI,OAAO,OAAO;CAClB,MAAM,IAAI,cACT,UAAU,gBACV;EACC,yBAAyB,KAAK,UAAU,QAAQ,EAAE;EAClD,uBAAuB,SAAS,KAAK,MAAM,GAAG,EAAE,KAAK,IAAI,EAAE,GAAG,EAAE,EAAE,KAAK,IAAI,KAAK,SAAS;EACzF;CACD,EAAE,KAAK,GAAG,GACV,EAAE,SAAS;EAAE;EAAU,WAAW,SAAS,KAAK,MAAM,EAAE,EAAE;CAAE,EAAE,CAC/D;AACD;;;;AAKA,eAAe,oBAAoB,MAMH;CAC/B,MAAM,EAAE,KAAK,WAAW,QAAQ,WAAW,iBAAiB;CAC5D,IAAI,CAAC,aAAa,CAAC,cAClB,OAAO;EACN,cAAc;EACd,aAAa;EACb,gBAAgB;CACjB;CAGD,MAAM,eAAe,MAAM,wBAC1B,KACA,WACA,OAAO,EACR;CAEA,MAAM,CAAC,MAAM,WAAW,MAAM,QAAQ,IAAI,CACzC,YACG,IAAI,YAAY,WAAW,OAAO,EAAE,IACpC,QAAQ,QAAQ,IAAI,GACvB,eACG,IAAI,eAAe,WAAW,OAAO,IAAI,YAAY,IACrD,QAAQ,QAAQ,IAAI,CACxB,CAAC;CACD,OAAO;EACN;EACA,aAAa,SAAS;EACtB,gBAAgB,YAAY;CAC7B;AACD;;;;;;AAOA,eAAe,oBAAoB,MAIH;CAC/B,MAAM,EAAE,KAAK,WAAW,aAAa;CACrC,MAAM,CAAC,SAAS,WAAW,oBAAoB,MAAM,QAAQ,IAAI;EAChE,IAAI,kBAAkB,WAAW,QAAQ;EACzC,IAAI,oBAAoB,WAAW,QAAQ;EAC3C,IAAI,oBAAoB,WAAW,QAAQ;CAC5C,CAAC;CACD,OAAO;EAAE;EAAS;EAAW;CAAiB;AAC/C;;;;;;;AAQA,eAAe,wBACd,KACA,WACA,UACkB;CAClB,MAAM,YAAY,MAAM,IAAI,oBAAoB,WAAW,QAAQ;CACnE,IAAI,UAAU,WAAW,GAAG,OAAO,UAAU,GAAG;CAChD,MAAM,SAAS,UAAU,MAAM,MAAM,EAAE,SAAS,QAAQ;CACxD,IAAI,QAAQ,OAAO,OAAO;CAC1B,OAAO,UAAU,IAAI,QAAQ;AAC9B;AASA,eAAe,UACd,MACA,KACyB;CACzB,QAAQ,KAAK,MAAb;EACC,KAAK,qBAAqB;GACzB,MAAM,UAAU,MAAM,IAAI,IAAI,aAC7B,IAAI,iBACJ,KAAK,UACL,EACC,WAAW,KAAK,aAAa,KAC9B,CACD;GACA,IAAI,WAAW,IAAI,QAAQ,IAAI,OAAO;GACtC,IAAI,aAAa,IAAI,QAAQ,MAAM,OAAO;GAC1C,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,QAAQ;IACpB,SAAS;KAAE,OAAO;KAAO,WAAW,KAAK;IAAU;GACpD;EACD;EACA,KAAK,2BAA2B;GAC/B,MAAM,UAAU,MAAM,IAAI,IAAI,aAC7B,IAAI,iBACJ,KAAK,UACL,EAAE,WAAW,KAAK,UAAU,CAC7B;GACA,IAAI,WAAW,IAAI,QAAQ,IAAI,OAAO;GACtC,IAAI,aAAa,IAAI,QAAQ,MAAM,OAAO;GAC1C,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,QAAQ;IACpB,SAAS;KAAE,OAAO;KAAa,WAAW,KAAK;IAAU;GAC1D;EACD;EACA,KAAK,mBAAmB;GACvB,MAAM,UAAU,MAAM,IAAI,IAAI,eAC7B,IAAI,iBACJ,KAAK,YACL,KAAK,QACN;GACA,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,KAAK;IACjB,SAAS;KACR,OAAO;KACP,YAAY,QAAQ;KACpB,UAAU,KAAK;IAChB;GACD;EACD;EACA,KAAK;GACJ,MAAM,IAAI,IAAI,eAAe,IAAI,iBAAiB,KAAK,UAAU,EAChE,GAAI,KAAK,eACN,EAAE,cAAc,KAAK,aAAa,IAClC,CAAC,EACL,CAAC;GACD,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,SAAS;KACR,YAAY,KAAK;KACjB,GAAI,KAAK,eACN,EAAE,cAAc,KAAK,aAAa,IAClC,CAAC;IACL;GACD;EAED,KAAK;GACJ,MAAM,IAAI,IAAI,2BACb,IAAI,iBACJ,KAAK,UACL,KAAK,YACN;GACA,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,SAAS;KACR,YAAY,KAAK;KACjB,cAAc,KAAK;IACpB;GACD;EAED,KAAK;GACJ,MAAM,IAAI,IAAI,mBACb,IAAI,iBACJ,KAAK,UACL;IAAE,MAAM,KAAK;IAAY,aAAa,KAAK;GAAY,CACxD;GACA,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,UAAU,KAAK;IAC3B,SAAS;KACR,YAAY,KAAK;KACjB,YAAY,KAAK;KACjB,aAAa,KAAK;IACnB;GACD;EAED,KAAK;GACJ,MAAM,IAAI,IAAI,qBACb,IAAI,iBACJ,KAAK,UACL;IAAE,MAAM,KAAK,GAAG;IAAM,MAAM,KAAK,GAAG;GAAK,CAC1C;GACA,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,YAAY,KAAK,GAAG;IAChC,SAAS;KACR,YAAY,KAAK;KACjB,MAAM,KAAK,GAAG;KACd,MAAM,KAAK,GAAG;IACf;GACD;EAED,KAAK,mBAAmB;GACvB,MAAM,SAAS,MAAM,oBAAoB,KAAK,EAAE;GAChD,MAAM,aAAa,MAAM,IAAI,IAAI,qBAChC,IAAI,iBACJ,KAAK,UACL,KAAK,GAAG,MACR;IACC;IACA,SAAS,KAAK,GAAG;IACjB,WAAW,KAAK,GAAG;IACnB,aAAa,KAAK,GAAG;GACtB,CACD;GACA,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY,YAAY,KAAK,GAAG;IAChC,SAAS;KACR,YAAY,KAAK;KACjB,MAAM,KAAK,GAAG;KACd,QAAQ,KAAK,GAAG;KAChB,SAAS,KAAK,GAAG;KACjB,WAAW,KAAK,GAAG;KACnB,cAAc,WAAW;IAC1B;GACD;EACD;EACA,KAAK;GACJ,MAAM,IAAI,IAAI,gBAAgB,IAAI,iBAAiB,KAAK,QAAQ;GAChE,OAAO;IACN,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,SAAS,EAAE,YAAY,KAAK,WAAW;GACxC;CAEF;AACD"}

package/dist/v1.d.ts

@@ -0,0 +1,6 @@
+import { buildFunctionBundle } from "./lib/function-bundle.js";
+import { PullConfigOptions, PulledBranchConfig, PulledPreview, pullConfig } from "./lib/pull-config.js";
+import { PushConfigOptions, PushConfirmContext, pushConfig } from "./lib/push-config.js";
+import { ApplyOptions, ConfigOperationOptions, apply, inspect, plan } from "./lib/operations.js";
+import { AppliedChange, Config, ConfigLoadError, ConfigValidationError, ConflictReport, ErrorCode, LoadConfigOptions, MissingContextError, NeonApi, PlatformError, PushAbortedError, PushConflictError, PushResult, createNeonApiFromOptions, createRealNeonApi, defineConfig, loadConfigFromFile } from "@neondatabase/config";
+export { type AppliedChange, type ApplyOptions, type Config, ConfigLoadError, type ConfigOperationOptions, ConfigValidationError, type ConflictReport, ErrorCode, type LoadConfigOptions, MissingContextError, type NeonApi, PlatformError, type PullConfigOptions, type PulledBranchConfig, type PulledPreview, PushAbortedError, type PushConfigOptions, type PushConfirmContext, PushConflictError, type PushResult, apply, buildFunctionBundle, createNeonApiFromOptions, createRealNeonApi, defineConfig, inspect, loadConfigFromFile, plan, pullConfig, pushConfig };

package/dist/v1.js

@@ -0,0 +1,6 @@
+import { buildFunctionBundle } from "./lib/function-bundle.js";
+import { pullConfig } from "./lib/pull-config.js";
+import { pushConfig } from "./lib/push-config.js";
+import { apply, inspect, plan } from "./lib/operations.js";
+import { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError, createNeonApiFromOptions, createRealNeonApi, defineConfig, loadConfigFromFile } from "@neondatabase/config";
+export { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError, apply, buildFunctionBundle, createNeonApiFromOptions, createRealNeonApi, defineConfig, inspect, loadConfigFromFile, plan, pullConfig, pushConfig };

package/package.json

@@ -1,23 +1,70 @@
 {
-	"name": "@neondatabase/config-runtime",
-	"version": "0.0.0",
-	"description": "Imperative runtime for @neondatabase/config: inspect/plan/apply a neon.ts policy against the Neon API and bundle + deploy Neon Functions. Pulls in esbuild; import this from CLIs and CI, not from neon.ts.",
-	"keywords": [
-		"neon",
-		"database",
-		"postgres",
-		"iac",
-		"config-as-code",
-		"platform",
-		"deploy"
-	],
-	"repository": {
-		"type": "git",
-		"url": "git+https://github.com/neondatabase/neon-pkgs.git"
-	},
-	"license": "Apache-2.0",
-	"author": {
-		"name": "Neon",
-		"url": "https://neon.com"
-	}
-}
+  "name": "@neondatabase/config-runtime",
+  "version": "0.1.0",
+  "description": "Imperative runtime for @neondatabase/config: inspect/plan/apply a neon.ts policy against the Neon API and bundle + deploy Neon Functions. Pulls in esbuild; import this from CLIs and CI, not from neon.ts.",
+  "keywords": [
+    "neon",
+    "database",
+    "postgres",
+    "iac",
+    "config-as-code",
+    "platform",
+    "deploy"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/neondatabase/neon-pkgs.git"
+  },
+  "license": "Apache-2.0",
+  "author": {
+    "name": "Neon",
+    "url": "https://neon.com"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./v1": {
+      "types": "./dist/v1.d.ts",
+      "import": "./dist/v1.js",
+      "default": "./dist/v1.js"
+    }
+  },
+  "files": [
+    "README.md",
+    "dist/",
+    "package.json"
+  ],
+  "devDependencies": {
+    "@neondatabase/api-client": "^2.7.1",
+    "@types/node": "^20.19.0",
+    "@vitest/coverage-v8": "3.0.9",
+    "console-fail-test": "0.5.0",
+    "tsdown": "^0.14.1",
+    "typescript": "^5.8.2",
+    "vitest": "^3.0.9"
+  },
+  "dependencies": {
+    "esbuild": "^0.25.0",
+    "fflate": "^0.8.2",
+    "@neondatabase/config": "0.1.0"
+  },
+  "engines": {
+    "node": ">=22"
+  },
+  "publishConfig": {
+    "provenance": false
+  },
+  "scripts": {
+    "build": "tsc --noEmit && tsdown",
+    "test": "vitest --passWithNoTests",
+    "test:ci": "vitest run --passWithNoTests",
+    "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "tsc": "tsc"
+  }
+}