@neondatabase/config 0.0.0 → 0.2.0

package/LICENSE.md

@@ -0,0 +1,178 @@
+# Apache License 2.0
+
+                                Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+import { AppliedChange, BranchConfig, BranchTarget, BucketAccessLevel, BucketConfig, ComputeSettings, Config, ConflictReport, FunctionConfig, FunctionDevConfig, FunctionMemoryMib, FunctionRuntime, PostgresConfig, PreviewConfig, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceToggle } from "./lib/types.js";
+import { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError } from "./lib/errors.js";
+import { CreateBranchInput, CreateBucketInput, CreateProjectInput, DeployFunctionInput, GetConnectionUriInput, NeonApi, NeonAuthSnapshot, NeonBranchSnapshot, NeonBucketSnapshot, NeonDataApiSnapshot, NeonDatabaseSnapshot, NeonEndpointSnapshot, NeonFunctionDeploymentSnapshot, NeonFunctionSnapshot, NeonProjectSnapshot, NeonRoleSnapshot, UpdateBranchInput } from "./lib/neon-api.js";
+import { createNeonApiFromOptions, resolveApiKey } from "./lib/auth.js";
+import { defineConfig, resolveConfig } from "./lib/define-config.js";
+import { DiffOptions, DiffResult, PlanStep, RemotePreviewState, RemoteServiceState, RemoteState, diffConfig } from "./lib/diff.js";
+import { LoadConfigOptions, loadConfigFromFile } from "./lib/loader.js";
+import { createRealNeonApi } from "./lib/neon-api-real.js";
+import { errors, schemas } from "./v1.js";
+export { AppliedChange, BranchConfig, BranchTarget, BucketAccessLevel, BucketConfig, ComputeSettings, Config, ConfigLoadError, ConfigValidationError, ConflictReport, CreateBranchInput, CreateBucketInput, CreateProjectInput, DeployFunctionInput, DiffOptions, DiffResult, ErrorCode, FunctionConfig, FunctionDevConfig, FunctionMemoryMib, FunctionRuntime, GetConnectionUriInput, LoadConfigOptions, MissingContextError, NeonApi, NeonAuthSnapshot, NeonBranchSnapshot, NeonBucketSnapshot, NeonDataApiSnapshot, NeonDatabaseSnapshot, NeonEndpointSnapshot, NeonFunctionDeploymentSnapshot, NeonFunctionSnapshot, NeonProjectSnapshot, NeonRoleSnapshot, PlanStep, PlatformError, PostgresConfig, PreviewConfig, PushAbortedError, PushConflictError, PushResult, RemotePreviewState, RemoteServiceState, RemoteState, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceToggle, UpdateBranchInput, createNeonApiFromOptions, createRealNeonApi, defineConfig, diffConfig, errors, loadConfigFromFile, resolveApiKey, resolveConfig, schemas };

package/dist/index.js

@@ -0,0 +1,8 @@
+import { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError } from "./lib/errors.js";
+import { createRealNeonApi } from "./lib/neon-api-real.js";
+import { createNeonApiFromOptions, resolveApiKey } from "./lib/auth.js";
+import { defineConfig, resolveConfig } from "./lib/define-config.js";
+import { diffConfig } from "./lib/diff.js";
+import { loadConfigFromFile } from "./lib/loader.js";
+import { errors, schemas } from "./v1.js";
+export { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError, createNeonApiFromOptions, createRealNeonApi, defineConfig, diffConfig, errors, loadConfigFromFile, resolveApiKey, resolveConfig, schemas };

package/dist/lib/auth.d.ts

@@ -0,0 +1,63 @@
+import { NeonApi } from "./neon-api.js";
+
+//#region src/lib/auth.d.ts
+
+/**
+ * Minimal shape of `~/.config/neonctl/credentials.json` we read. `neonctl` writes more
+ * fields (refresh_token, expires_at, …) but only `access_token` is what we need — it's a
+ * Bearer token the Neon API accepts on the same endpoints `napi_*` API keys do.
+ */
+interface NeonctlCredentials {
+  access_token: string;
+  [key: string]: unknown;
+}
+/**
+ * Locate and read the OAuth credentials neonctl writes after `neon auth`.
+ *
+ * Resolution:
+ * 1. `options.configDir` (explicit override — mirrors neonctl's `--config-dir` flag).
+ * 2. `NEONCTL_CONFIG_DIR` environment variable.
+ * 3. `<home>/.config/neonctl/credentials.json` (the neonctl default; `home` reads
+ *    `HOME`, falling back to `USERPROFILE` for Windows parity).
+ *
+ * Returns `null` (never throws) when the file is missing, unreadable, malformed, or has
+ * no `access_token` — so callers can use this as a quiet fallback in a resolution chain
+ * without try/catch noise.
+ */
+declare function readNeonctlCredentials(options?: {
+  configDir?: string;
+}): NeonctlCredentials | null;
+/**
+ * Resolution chain for the Bearer token sent to the Neon API. Each entry wins over the
+ * next:
+ *
+ * 1. `options.apiKey` (explicit).
+ * 2. `NEON_API_KEY` environment variable.
+ * 3. `access_token` from `~/.config/neonctl/credentials.json` (or `NEONCTL_CONFIG_DIR`).
+ *
+ * Returns `null` when no source provides one. Callers wrap the null case in a
+ * `PLATFORM_MISSING_API_KEY` error with a message tailored to the operation.
+ */
+declare function resolveApiKey(options?: {
+  apiKey?: string;
+  configDir?: string;
+}): {
+  token: string;
+  source: "option" | "env" | "neonctl";
+} | null;
+/**
+ * Resolve the Neon API key via the standard chain (option → `NEON_API_KEY` env →
+ * `~/.config/neonctl/credentials.json`) and construct a real {@link NeonApi} adapter from
+ * it, or throw a uniform `PLATFORM_MISSING_API_KEY` error if no key can be found.
+ *
+ * Used by `pullConfig`, `pushConfig`, `fetchEnv`, and `branch` to build their default
+ * `NeonApi` when the caller doesn't inject one. `operation` is the calling function's
+ * name (e.g. `"pushConfig"`, `"branch"`) — it's prepended to the error message so users
+ * can tell which call surfaced the missing key.
+ */
+declare function createNeonApiFromOptions(operation: string, options?: {
+  apiKey?: string;
+}): NeonApi;
+//#endregion
+export { NeonctlCredentials, createNeonApiFromOptions, readNeonctlCredentials, resolveApiKey };
+//# sourceMappingURL=auth.d.ts.map

package/dist/lib/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/lib/auth.ts"],"mappings":";;;;;;AAWA;AAkBA;AA8CA;AA6BgB,UA7FC,kBAAA,CA6FuB;;;;;;;;;;;;;;;;;iBA3ExB,sBAAA;;IAEb;;;;;;;;;;;;iBA4Ca,aAAA;;;;;;;;;;;;;;;;;iBA6BA,wBAAA;;IAKb"}

package/dist/lib/auth.js

@@ -0,0 +1,93 @@
+import { ErrorCode, PlatformError } from "./errors.js";
+import { createRealNeonApi } from "./neon-api-real.js";
+import { existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
+//#region src/lib/auth.ts
+/**
+* Locate and read the OAuth credentials neonctl writes after `neon auth`.
+*
+* Resolution:
+* 1. `options.configDir` (explicit override — mirrors neonctl's `--config-dir` flag).
+* 2. `NEONCTL_CONFIG_DIR` environment variable.
+* 3. `<home>/.config/neonctl/credentials.json` (the neonctl default; `home` reads
+*    `HOME`, falling back to `USERPROFILE` for Windows parity).
+*
+* Returns `null` (never throws) when the file is missing, unreadable, malformed, or has
+* no `access_token` — so callers can use this as a quiet fallback in a resolution chain
+* without try/catch noise.
+*/
+function readNeonctlCredentials(options = {}) {
+	const home = process.env.HOME ?? process.env.USERPROFILE;
+	const configDir = options.configDir ?? process.env.NEONCTL_CONFIG_DIR ?? (home ? resolve(home, ".config", "neonctl") : void 0);
+	if (!configDir) return null;
+	const credentialsPath = resolve(configDir, "credentials.json");
+	if (!existsSync(credentialsPath)) return null;
+	let raw;
+	try {
+		raw = readFileSync(credentialsPath, "utf-8");
+	} catch {
+		return null;
+	}
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		return null;
+	}
+	if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+	const obj = parsed;
+	if (typeof obj.access_token !== "string" || obj.access_token === "") return null;
+	return obj;
+}
+/**
+* Resolution chain for the Bearer token sent to the Neon API. Each entry wins over the
+* next:
+*
+* 1. `options.apiKey` (explicit).
+* 2. `NEON_API_KEY` environment variable.
+* 3. `access_token` from `~/.config/neonctl/credentials.json` (or `NEONCTL_CONFIG_DIR`).
+*
+* Returns `null` when no source provides one. Callers wrap the null case in a
+* `PLATFORM_MISSING_API_KEY` error with a message tailored to the operation.
+*/
+function resolveApiKey(options = {}) {
+	if (options.apiKey && options.apiKey.trim() !== "") return {
+		token: options.apiKey.trim(),
+		source: "option"
+	};
+	const envKey = process.env.NEON_API_KEY;
+	if (typeof envKey === "string" && envKey.trim() !== "") return {
+		token: envKey.trim(),
+		source: "env"
+	};
+	const creds = readNeonctlCredentials(options.configDir ? { configDir: options.configDir } : {});
+	if (creds) return {
+		token: creds.access_token,
+		source: "neonctl"
+	};
+	return null;
+}
+/**
+* Resolve the Neon API key via the standard chain (option → `NEON_API_KEY` env →
+* `~/.config/neonctl/credentials.json`) and construct a real {@link NeonApi} adapter from
+* it, or throw a uniform `PLATFORM_MISSING_API_KEY` error if no key can be found.
+*
+* Used by `pullConfig`, `pushConfig`, `fetchEnv`, and `branch` to build their default
+* `NeonApi` when the caller doesn't inject one. `operation` is the calling function's
+* name (e.g. `"pushConfig"`, `"branch"`) — it's prepended to the error message so users
+* can tell which call surfaced the missing key.
+*/
+function createNeonApiFromOptions(operation, options = {}) {
+	const resolved = resolveApiKey(options.apiKey ? { apiKey: options.apiKey } : {});
+	if (resolved) return createRealNeonApi({ apiKey: resolved.token });
+	throw new PlatformError(ErrorCode.MissingApiKey, [
+		`${operation} has no Neon API key to work with.`,
+		"Tried (in order): `apiKey` option, NEON_API_KEY env, and `~/.config/neonctl/credentials.json`.",
+		"Either pass `apiKey` directly, set NEON_API_KEY, run `npx neonctl auth` to populate the credentials file, or pass a custom `api` adapter (e.g. an in-memory fake for tests).",
+		"Generate a key at https://console.neon.tech/app/settings/api-keys."
+	].join(" "));
+}
+//#endregion
+export { createNeonApiFromOptions, readNeonctlCredentials, resolveApiKey };
+
+//# sourceMappingURL=auth.js.map

package/dist/lib/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","names":[],"sources":["../../src/lib/auth.ts"],"sourcesContent":["import { existsSync, readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\nimport { ErrorCode, PlatformError } from \"./errors.js\";\nimport type { NeonApi } from \"./neon-api.js\";\nimport { createRealNeonApi } from \"./neon-api-real.js\";\n\n/**\n * Minimal shape of `~/.config/neonctl/credentials.json` we read. `neonctl` writes more\n * fields (refresh_token, expires_at, …) but only `access_token` is what we need — it's a\n * Bearer token the Neon API accepts on the same endpoints `napi_*` API keys do.\n */\nexport interface NeonctlCredentials {\n\taccess_token: string;\n\t[key: string]: unknown;\n}\n\n/**\n * Locate and read the OAuth credentials neonctl writes after `neon auth`.\n *\n * Resolution:\n * 1. `options.configDir` (explicit override — mirrors neonctl's `--config-dir` flag).\n * 2. `NEONCTL_CONFIG_DIR` environment variable.\n * 3. `<home>/.config/neonctl/credentials.json` (the neonctl default; `home` reads\n *    `HOME`, falling back to `USERPROFILE` for Windows parity).\n *\n * Returns `null` (never throws) when the file is missing, unreadable, malformed, or has\n * no `access_token` — so callers can use this as a quiet fallback in a resolution chain\n * without try/catch noise.\n */\nexport function readNeonctlCredentials(\n\toptions: { configDir?: string } = {},\n): NeonctlCredentials | null {\n\tconst home = process.env.HOME ?? process.env.USERPROFILE;\n\tconst configDir =\n\t\toptions.configDir ??\n\t\tprocess.env.NEONCTL_CONFIG_DIR ??\n\t\t(home ? resolve(home, \".config\", \"neonctl\") : undefined);\n\tif (!configDir) return null;\n\n\tconst credentialsPath = resolve(configDir, \"credentials.json\");\n\tif (!existsSync(credentialsPath)) return null;\n\n\tlet raw: string;\n\ttry {\n\t\traw = readFileSync(credentialsPath, \"utf-8\");\n\t} catch {\n\t\treturn null;\n\t}\n\n\tlet parsed: unknown;\n\ttry {\n\t\tparsed = JSON.parse(raw);\n\t} catch {\n\t\treturn null;\n\t}\n\n\tif (parsed === null || typeof parsed !== \"object\" || Array.isArray(parsed))\n\t\treturn null;\n\tconst obj = parsed as Record<string, unknown>;\n\tif (typeof obj.access_token !== \"string\" || obj.access_token === \"\")\n\t\treturn null;\n\treturn obj as NeonctlCredentials;\n}\n\n/**\n * Resolution chain for the Bearer token sent to the Neon API. Each entry wins over the\n * next:\n *\n * 1. `options.apiKey` (explicit).\n * 2. `NEON_API_KEY` environment variable.\n * 3. `access_token` from `~/.config/neonctl/credentials.json` (or `NEONCTL_CONFIG_DIR`).\n *\n * Returns `null` when no source provides one. Callers wrap the null case in a\n * `PLATFORM_MISSING_API_KEY` error with a message tailored to the operation.\n */\nexport function resolveApiKey(\n\toptions: { apiKey?: string; configDir?: string } = {},\n): { token: string; source: \"option\" | \"env\" | \"neonctl\" } | null {\n\tif (options.apiKey && options.apiKey.trim() !== \"\") {\n\t\treturn { token: options.apiKey.trim(), source: \"option\" };\n\t}\n\tconst envKey = process.env.NEON_API_KEY;\n\tif (typeof envKey === \"string\" && envKey.trim() !== \"\") {\n\t\treturn { token: envKey.trim(), source: \"env\" };\n\t}\n\tconst creds = readNeonctlCredentials(\n\t\toptions.configDir ? { configDir: options.configDir } : {},\n\t);\n\tif (creds) {\n\t\treturn { token: creds.access_token, source: \"neonctl\" };\n\t}\n\treturn null;\n}\n\n/**\n * Resolve the Neon API key via the standard chain (option → `NEON_API_KEY` env →\n * `~/.config/neonctl/credentials.json`) and construct a real {@link NeonApi} adapter from\n * it, or throw a uniform `PLATFORM_MISSING_API_KEY` error if no key can be found.\n *\n * Used by `pullConfig`, `pushConfig`, `fetchEnv`, and `branch` to build their default\n * `NeonApi` when the caller doesn't inject one. `operation` is the calling function's\n * name (e.g. `\"pushConfig\"`, `\"branch\"`) — it's prepended to the error message so users\n * can tell which call surfaced the missing key.\n */\nexport function createNeonApiFromOptions(\n\toperation: string,\n\toptions: {\n\t\tapiKey?: string;\n\t} = {},\n): NeonApi {\n\tconst resolved = resolveApiKey(\n\t\toptions.apiKey ? { apiKey: options.apiKey } : {},\n\t);\n\tif (resolved) return createRealNeonApi({ apiKey: resolved.token });\n\tthrow new PlatformError(\n\t\tErrorCode.MissingApiKey,\n\t\t[\n\t\t\t`${operation} has no Neon API key to work with.`,\n\t\t\t\"Tried (in order): `apiKey` option, NEON_API_KEY env, and `~/.config/neonctl/credentials.json`.\",\n\t\t\t\"Either pass `apiKey` directly, set NEON_API_KEY, run `npx neonctl auth` to populate the credentials file, or pass a custom `api` adapter (e.g. an in-memory fake for tests).\",\n\t\t\t\"Generate a key at https://console.neon.tech/app/settings/api-keys.\",\n\t\t].join(\" \"),\n\t);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AA6BA,SAAgB,uBACf,UAAkC,CAAC,GACP;CAC5B,MAAM,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI;CAC7C,MAAM,YACL,QAAQ,aACR,QAAQ,IAAI,uBACX,OAAO,QAAQ,MAAM,WAAW,SAAS,IAAI,KAAA;CAC/C,IAAI,CAAC,WAAW,OAAO;CAEvB,MAAM,kBAAkB,QAAQ,WAAW,kBAAkB;CAC7D,IAAI,CAAC,WAAW,eAAe,GAAG,OAAO;CAEzC,IAAI;CACJ,IAAI;EACH,MAAM,aAAa,iBAAiB,OAAO;CAC5C,QAAQ;EACP,OAAO;CACR;CAEA,IAAI;CACJ,IAAI;EACH,SAAS,KAAK,MAAM,GAAG;CACxB,QAAQ;EACP,OAAO;CACR;CAEA,IAAI,WAAW,QAAQ,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,GACxE,OAAO;CACR,MAAM,MAAM;CACZ,IAAI,OAAO,IAAI,iBAAiB,YAAY,IAAI,iBAAiB,IAChE,OAAO;CACR,OAAO;AACR;;;;;;;;;;;;AAaA,SAAgB,cACf,UAAmD,CAAC,GACa;CACjE,IAAI,QAAQ,UAAU,QAAQ,OAAO,KAAK,MAAM,IAC/C,OAAO;EAAE,OAAO,QAAQ,OAAO,KAAK;EAAG,QAAQ;CAAS;CAEzD,MAAM,SAAS,QAAQ,IAAI;CAC3B,IAAI,OAAO,WAAW,YAAY,OAAO,KAAK,MAAM,IACnD,OAAO;EAAE,OAAO,OAAO,KAAK;EAAG,QAAQ;CAAM;CAE9C,MAAM,QAAQ,uBACb,QAAQ,YAAY,EAAE,WAAW,QAAQ,UAAU,IAAI,CAAC,CACzD;CACA,IAAI,OACH,OAAO;EAAE,OAAO,MAAM;EAAc,QAAQ;CAAU;CAEvD,OAAO;AACR;;;;;;;;;;;AAYA,SAAgB,yBACf,WACA,UAEI,CAAC,GACK;CACV,MAAM,WAAW,cAChB,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC,CAChD;CACA,IAAI,UAAU,OAAO,kBAAkB,EAAE,QAAQ,SAAS,MAAM,CAAC;CACjE,MAAM,IAAI,cACT,UAAU,eACV;EACC,GAAG,UAAU;EACb;EACA;EACA;CACD,EAAE,KAAK,GAAG,CACX;AACD"}

package/dist/lib/define-config.d.ts

@@ -0,0 +1,43 @@
+import { BranchTarget, Config, ResolvedBranchConfig } from "./types.js";
+
+//#region src/lib/define-config.d.ts
+
+/**
+ * Validate and freeze a Neon Platform branch policy.
+ *
+ * Used at the top of `neon.ts`:
+ * ```ts
+ * import { defineConfig } from "@neondatabase/config/v1";
+ *
+ * export default defineConfig((branch) => {
+ *   if (branch.name === "main") {
+ *     return { protected: true, auth: {} };
+ *   }
+ *   return { parent: "main", ttl: "7d" };
+ * });
+ * ```
+ *
+ * The `branch` parameter is a **read-only {@link BranchTarget} descriptor** of the branch
+ * this policy invocation is deciding for — not a live branch handle. You don't mutate it
+ * (`branch.protected = true` does nothing); you switch on its facts (`branch.name`,
+ * `branch.isDefault`, `branch.exists`, …) and **return** the desired {@link BranchConfig}.
+ * The same callback runs in two modes: against an existing branch (fields populated from
+ * Neon) and during pre-create evaluation (`exists: false`, `id` undefined).
+ *
+ * Pure function — no I/O, no side effects. The returned policy validates its output every
+ * time it is evaluated so errors point at the concrete branch target that triggered them.
+ */
+declare function defineConfig<const C extends Config>(input: C): C;
+/**
+ * Evaluate a branch policy for a specific branch target and return a normalized config.
+ */
+declare function resolveConfig(config: Config, branch: BranchTarget): ResolvedBranchConfig;
+/**
+ * Normalize a region identifier to Neon's `<cloud>-<region>` format. When the user writes
+ * `us-east-1` we assume `aws-us-east-1`. Pure helper used by both the validator and the
+ * NeonApi adapter.
+ */
+declare function normalizeRegion(region: string): string;
+//#endregion
+export { defineConfig, normalizeRegion, resolveConfig };
+//# sourceMappingURL=define-config.d.ts.map

package/dist/lib/define-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-config.d.ts","names":[],"sources":["../../src/lib/define-config.ts"],"mappings":";;;;;;AA4CA;;;;;AAAiE;AAcjE;;;;;AAGuB;AA0FvB;;;;;;;;;;;iBA3GgB,6BAA6B,eAAe,IAAI;;;;iBAchD,aAAA,SACP,gBACA,eACN;;;;;;iBA0Fa,eAAA"}

package/dist/lib/define-config.js

@@ -0,0 +1,112 @@
+import { ConfigValidationError } from "./errors.js";
+import { parseDuration } from "./duration.js";
+import { branchConfigSchema, formatZodIssues } from "./schema.js";
+//#region src/lib/define-config.ts
+/** Default deploy parameters applied to functions that omit them in `neon.ts`. */
+const DEFAULT_FUNCTION_RUNTIME = "nodejs24";
+const DEFAULT_FUNCTION_MEMORY_MIB = 512;
+const REGION_PREFIX = /^(aws|azure|gcp)-/;
+/**
+* Validate and freeze a Neon Platform branch policy.
+*
+* Used at the top of `neon.ts`:
+* ```ts
+* import { defineConfig } from "@neondatabase/config/v1";
+*
+* export default defineConfig((branch) => {
+*   if (branch.name === "main") {
+*     return { protected: true, auth: {} };
+*   }
+*   return { parent: "main", ttl: "7d" };
+* });
+* ```
+*
+* The `branch` parameter is a **read-only {@link BranchTarget} descriptor** of the branch
+* this policy invocation is deciding for — not a live branch handle. You don't mutate it
+* (`branch.protected = true` does nothing); you switch on its facts (`branch.name`,
+* `branch.isDefault`, `branch.exists`, …) and **return** the desired {@link BranchConfig}.
+* The same callback runs in two modes: against an existing branch (fields populated from
+* Neon) and during pre-create evaluation (`exists: false`, `id` undefined).
+*
+* Pure function — no I/O, no side effects. The returned policy validates its output every
+* time it is evaluated so errors point at the concrete branch target that triggered them.
+*/
+function defineConfig(input) {
+	if (typeof input !== "function") throw new ConfigValidationError(["defineConfig expects a function: `export default defineConfig((branch) => ({ ... }))`.", "Project-level config has moved to `neonctl link`; neon.ts now describes branch-level policy only."]);
+	return Object.freeze(input);
+}
+/**
+* Evaluate a branch policy for a specific branch target and return a normalized config.
+*/
+function resolveConfig(config, branch) {
+	let raw;
+	try {
+		raw = config(Object.freeze({ ...branch }));
+	} catch (cause) {
+		throw new ConfigValidationError([`Config function threw while evaluating branch "${branch.name}".`, cause?.message ?? String(cause)]);
+	}
+	const parsed = branchConfigSchema.safeParse(raw);
+	if (!parsed.success) throw new ConfigValidationError(formatZodIssues(parsed.error));
+	const cfg = parsed.data;
+	const issues = [];
+	let ttlSeconds;
+	if (cfg.ttl !== void 0) {
+		const parsedTtl = parseDuration(cfg.ttl);
+		if ("error" in parsedTtl) issues.push(`ttl: ${parsedTtl.error}`);
+		else ttlSeconds = parsedTtl.seconds;
+	}
+	if (issues.length > 0) throw new ConfigValidationError(issues);
+	const resolved = {
+		authEnabled: isServiceEnabled(cfg.auth),
+		dataApiEnabled: isServiceEnabled(cfg.dataApi)
+	};
+	if (cfg.parent !== void 0) resolved.parent = cfg.parent;
+	if (ttlSeconds !== void 0) resolved.ttlSeconds = ttlSeconds;
+	if (cfg.protected !== void 0) resolved.protected = cfg.protected;
+	if (cfg.postgres) resolved.postgres = { ...cfg.postgres.computeSettings ? { computeSettings: { ...cfg.postgres.computeSettings } } : {} };
+	if (cfg.preview) resolved.preview = resolvePreviewConfig(cfg.preview);
+	return resolved;
+}
+function isServiceEnabled(service) {
+	return service !== void 0 && service.enabled !== false;
+}
+/**
+* Normalize a {@link PreviewConfig} into a {@link ResolvedPreviewConfig}: apply per-function
+* deploy defaults, default each bucket's access level to `private`, and collapse the
+* `aiGateway` toggle to a boolean using the same present-and-not-`false` rule as
+* `auth` / `dataApi`.
+*/
+function resolvePreviewConfig(preview) {
+	return {
+		functions: (preview.functions ?? []).map(resolveFunctionConfig),
+		buckets: (preview.buckets ?? []).map((bucket) => ({
+			name: bucket.name,
+			access: bucket.access ?? "private"
+		})),
+		aiGatewayEnabled: isServiceEnabled(preview.aiGateway)
+	};
+}
+function resolveFunctionConfig(fn) {
+	return {
+		slug: fn.slug,
+		name: fn.name,
+		source: fn.source,
+		env: { ...fn.env ?? {} },
+		runtime: fn.runtime ?? DEFAULT_FUNCTION_RUNTIME,
+		memoryMib: fn.memoryMib ?? DEFAULT_FUNCTION_MEMORY_MIB,
+		...fn.dev ? { dev: fn.dev } : {}
+	};
+}
+/**
+* Normalize a region identifier to Neon's `<cloud>-<region>` format. When the user writes
+* `us-east-1` we assume `aws-us-east-1`. Pure helper used by both the validator and the
+* NeonApi adapter.
+*/
+function normalizeRegion(region) {
+	if (REGION_PREFIX.test(region)) return region;
+	return `aws-${region}`;
+}
+//#endregion
+export { defineConfig, normalizeRegion, resolveConfig };
+
+//# sourceMappingURL=define-config.js.map

package/dist/lib/define-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-config.js","names":[],"sources":["../../src/lib/define-config.ts"],"sourcesContent":["import { parseDuration } from \"./duration.js\";\nimport { ConfigValidationError } from \"./errors.js\";\nimport { branchConfigSchema, formatZodIssues } from \"./schema.js\";\nimport type {\n\tBranchTarget,\n\tConfig,\n\tFunctionConfig,\n\tPreviewConfig,\n\tResolvedBranchConfig,\n\tResolvedFunctionConfig,\n\tResolvedPreviewConfig,\n} from \"./types.js\";\n\n/** Default deploy parameters applied to functions that omit them in `neon.ts`. */\nconst DEFAULT_FUNCTION_RUNTIME = \"nodejs24\" as const;\nconst DEFAULT_FUNCTION_MEMORY_MIB = 512 as const;\n\nconst REGION_PREFIX = /^(aws|azure|gcp)-/;\n\n/**\n * Validate and freeze a Neon Platform branch policy.\n *\n * Used at the top of `neon.ts`:\n * ```ts\n * import { defineConfig } from \"@neondatabase/config/v1\";\n *\n * export default defineConfig((branch) => {\n *   if (branch.name === \"main\") {\n *     return { protected: true, auth: {} };\n *   }\n *   return { parent: \"main\", ttl: \"7d\" };\n * });\n * ```\n *\n * The `branch` parameter is a **read-only {@link BranchTarget} descriptor** of the branch\n * this policy invocation is deciding for — not a live branch handle. You don't mutate it\n * (`branch.protected = true` does nothing); you switch on its facts (`branch.name`,\n * `branch.isDefault`, `branch.exists`, …) and **return** the desired {@link BranchConfig}.\n * The same callback runs in two modes: against an existing branch (fields populated from\n * Neon) and during pre-create evaluation (`exists: false`, `id` undefined).\n *\n * Pure function — no I/O, no side effects. The returned policy validates its output every\n * time it is evaluated so errors point at the concrete branch target that triggered them.\n */\nexport function defineConfig<const C extends Config>(input: C): C {\n\tif (typeof input !== \"function\") {\n\t\tthrow new ConfigValidationError([\n\t\t\t\"defineConfig expects a function: `export default defineConfig((branch) => ({ ... }))`.\",\n\t\t\t\"Project-level config has moved to `neonctl link`; neon.ts now describes branch-level policy only.\",\n\t\t]);\n\t}\n\n\treturn Object.freeze(input) as C;\n}\n\n/**\n * Evaluate a branch policy for a specific branch target and return a normalized config.\n */\nexport function resolveConfig(\n\tconfig: Config,\n\tbranch: BranchTarget,\n): ResolvedBranchConfig {\n\tlet raw: unknown;\n\ttry {\n\t\traw = config(Object.freeze({ ...branch }));\n\t} catch (cause) {\n\t\tthrow new ConfigValidationError([\n\t\t\t`Config function threw while evaluating branch \"${branch.name}\".`,\n\t\t\t(cause as Error)?.message ?? String(cause),\n\t\t]);\n\t}\n\n\tconst parsed = branchConfigSchema.safeParse(raw);\n\tif (!parsed.success) {\n\t\tthrow new ConfigValidationError(formatZodIssues(parsed.error));\n\t}\n\n\tconst cfg = parsed.data;\n\tconst issues: string[] = [];\n\tlet ttlSeconds: number | undefined;\n\tif (cfg.ttl !== undefined) {\n\t\tconst parsedTtl = parseDuration(cfg.ttl);\n\t\tif (\"error\" in parsedTtl) {\n\t\t\tissues.push(`ttl: ${parsedTtl.error}`);\n\t\t} else {\n\t\t\tttlSeconds = parsedTtl.seconds;\n\t\t}\n\t}\n\tif (issues.length > 0) {\n\t\tthrow new ConfigValidationError(issues);\n\t}\n\n\tconst resolved: ResolvedBranchConfig = {\n\t\tauthEnabled: isServiceEnabled(cfg.auth),\n\t\tdataApiEnabled: isServiceEnabled(cfg.dataApi),\n\t};\n\tif (cfg.parent !== undefined) resolved.parent = cfg.parent;\n\tif (ttlSeconds !== undefined) resolved.ttlSeconds = ttlSeconds;\n\tif (cfg.protected !== undefined) resolved.protected = cfg.protected;\n\tif (cfg.postgres) {\n\t\tresolved.postgres = {\n\t\t\t...(cfg.postgres.computeSettings\n\t\t\t\t? { computeSettings: { ...cfg.postgres.computeSettings } }\n\t\t\t\t: {}),\n\t\t};\n\t}\n\tif (cfg.preview) {\n\t\tresolved.preview = resolvePreviewConfig(cfg.preview);\n\t}\n\treturn resolved;\n}\n\nfunction isServiceEnabled(service: { enabled?: boolean } | undefined): boolean {\n\treturn service !== undefined && service.enabled !== false;\n}\n\n/**\n * Normalize a {@link PreviewConfig} into a {@link ResolvedPreviewConfig}: apply per-function\n * deploy defaults, default each bucket's access level to `private`, and collapse the\n * `aiGateway` toggle to a boolean using the same present-and-not-`false` rule as\n * `auth` / `dataApi`.\n */\nfunction resolvePreviewConfig(preview: PreviewConfig): ResolvedPreviewConfig {\n\treturn {\n\t\tfunctions: (preview.functions ?? []).map(resolveFunctionConfig),\n\t\tbuckets: (preview.buckets ?? []).map((bucket) => ({\n\t\t\tname: bucket.name,\n\t\t\taccess: bucket.access ?? \"private\",\n\t\t})),\n\t\taiGatewayEnabled: isServiceEnabled(preview.aiGateway),\n\t};\n}\n\nfunction resolveFunctionConfig(fn: FunctionConfig): ResolvedFunctionConfig {\n\treturn {\n\t\tslug: fn.slug,\n\t\tname: fn.name,\n\t\tsource: fn.source,\n\t\tenv: { ...(fn.env ?? {}) },\n\t\truntime: fn.runtime ?? DEFAULT_FUNCTION_RUNTIME,\n\t\tmemoryMib: fn.memoryMib ?? DEFAULT_FUNCTION_MEMORY_MIB,\n\t\t// Passed through untouched (no defaults); only `neon dev` reads it.\n\t\t...(fn.dev ? { dev: fn.dev } : {}),\n\t};\n}\n\n/**\n * Normalize a region identifier to Neon's `<cloud>-<region>` format. When the user writes\n * `us-east-1` we assume `aws-us-east-1`. Pure helper used by both the validator and the\n * NeonApi adapter.\n */\nexport function normalizeRegion(region: string): string {\n\tif (REGION_PREFIX.test(region)) return region;\n\treturn `aws-${region}`;\n}\n"],"mappings":";;;;;AAcA,MAAM,2BAA2B;AACjC,MAAM,8BAA8B;AAEpC,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BtB,SAAgB,aAAqC,OAAa;CACjE,IAAI,OAAO,UAAU,YACpB,MAAM,IAAI,sBAAsB,CAC/B,0FACA,mGACD,CAAC;CAGF,OAAO,OAAO,OAAO,KAAK;AAC3B;;;;AAKA,SAAgB,cACf,QACA,QACuB;CACvB,IAAI;CACJ,IAAI;EACH,MAAM,OAAO,OAAO,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC;CAC1C,SAAS,OAAO;EACf,MAAM,IAAI,sBAAsB,CAC/B,kDAAkD,OAAO,KAAK,KAC7D,OAAiB,WAAW,OAAO,KAAK,CAC1C,CAAC;CACF;CAEA,MAAM,SAAS,mBAAmB,UAAU,GAAG;CAC/C,IAAI,CAAC,OAAO,SACX,MAAM,IAAI,sBAAsB,gBAAgB,OAAO,KAAK,CAAC;CAG9D,MAAM,MAAM,OAAO;CACnB,MAAM,SAAmB,CAAC;CAC1B,IAAI;CACJ,IAAI,IAAI,QAAQ,KAAA,GAAW;EAC1B,MAAM,YAAY,cAAc,IAAI,GAAG;EACvC,IAAI,WAAW,WACd,OAAO,KAAK,QAAQ,UAAU,OAAO;OAErC,aAAa,UAAU;CAEzB;CACA,IAAI,OAAO,SAAS,GACnB,MAAM,IAAI,sBAAsB,MAAM;CAGvC,MAAM,WAAiC;EACtC,aAAa,iBAAiB,IAAI,IAAI;EACtC,gBAAgB,iBAAiB,IAAI,OAAO;CAC7C;CACA,IAAI,IAAI,WAAW,KAAA,GAAW,SAAS,SAAS,IAAI;CACpD,IAAI,eAAe,KAAA,GAAW,SAAS,aAAa;CACpD,IAAI,IAAI,cAAc,KAAA,GAAW,SAAS,YAAY,IAAI;CAC1D,IAAI,IAAI,UACP,SAAS,WAAW,EACnB,GAAI,IAAI,SAAS,kBACd,EAAE,iBAAiB,EAAE,GAAG,IAAI,SAAS,gBAAgB,EAAE,IACvD,CAAC,EACL;CAED,IAAI,IAAI,SACP,SAAS,UAAU,qBAAqB,IAAI,OAAO;CAEpD,OAAO;AACR;AAEA,SAAS,iBAAiB,SAAqD;CAC9E,OAAO,YAAY,KAAA,KAAa,QAAQ,YAAY;AACrD;;;;;;;AAQA,SAAS,qBAAqB,SAA+C;CAC5E,OAAO;EACN,YAAY,QAAQ,aAAa,CAAC,GAAG,IAAI,qBAAqB;EAC9D,UAAU,QAAQ,WAAW,CAAC,GAAG,KAAK,YAAY;GACjD,MAAM,OAAO;GACb,QAAQ,OAAO,UAAU;EAC1B,EAAE;EACF,kBAAkB,iBAAiB,QAAQ,SAAS;CACrD;AACD;AAEA,SAAS,sBAAsB,IAA4C;CAC1E,OAAO;EACN,MAAM,GAAG;EACT,MAAM,GAAG;EACT,QAAQ,GAAG;EACX,KAAK,EAAE,GAAI,GAAG,OAAO,CAAC,EAAG;EACzB,SAAS,GAAG,WAAW;EACvB,WAAW,GAAG,aAAa;EAE3B,GAAI,GAAG,MAAM,EAAE,KAAK,GAAG,IAAI,IAAI,CAAC;CACjC;AACD;;;;;;AAOA,SAAgB,gBAAgB,QAAwB;CACvD,IAAI,cAAc,KAAK,MAAM,GAAG,OAAO;CACvC,OAAO,OAAO;AACf"}