@neondatabase/config 0.7.0 → 0.7.2

package/dist/lib/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","names":[],"sources":["../../src/lib/schema.ts"],"mappings":";;;;;;AAgBA;;;;;;;;;;cAAa,uBAAqB,CAAA,CAAA;;;;;;cAiDrB,qBAAmB,CAAA,CAAA;;;;cAKnB,0BAAwB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;cAKxB,sBAAoB,CAAA,CAAA;iBA3DC,eAAA,YAAA,CAAA;IAAA,qBAAA,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,IAAA,CAAA,cAAA,CAAA,GAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,CAAA,CAAA,CAAA;IAiDrB,qBAEX,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,IAAA,CAAA,cAAA,CAAA,GAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,cAAA,CAAA,CAAA,CAAA,CAAA,CAAA,CAAA;IAAA,cAAA,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,KAAA,CAAA,aAAA,aAAA,CAAA,CAAA,CAAA;;;;;AAF8B;AAKhC;;AAAqC,cAsDxB,iBAtDwB,EAsDP,CAAA,CAAA,SAtDO,CAAA;;;;KAAA,eAAA,YAAA,CAAA;IAAA,IAAA,eAAA,YAAA,CAAA;EAAA,CAAA,gBAAA,CAAA,CAAA;AAKrC,CAAA,gBAAa,CAAA;;cAyDA,iBAAe,CAAA,CAAA;;;;cAOf,oBAAkB,CAAA,CAAA;;;;;;;;;;;;;;;;;cAOlB,sBAAoB,CAAA,CAAA;;;;;AAvEA;AAiDjC;AAKE,cA8BW,kBA9BX,EA8B6B,CAAA,CAAA,SA9B7B,CAAA;;;;;;;;;;;;;MAL4B,OAAA,eAAA,aAAA,CAAA,UAAA,CAAA,CAAA;IAAA,CAAA,gBAAA,CAAA,CAAA,CAAA;EAQjB,CAAA,gBAAA,CAIX,CAAA;CAAA,gBAAA,CAAA;;;;;;AAJ0B,cAyDf,iBAzDe,EAyDE,CAAA,CAAA,SAzDF,CAAA;EAAA,IAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;IAOf,OAAA,eAIX,aAAA,CAAA;EAAA,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0Fc,eAAA,QAAuB,CAAA,CAAE"}
+{"version":3,"file":"schema.d.ts","names":[],"sources":["../../src/lib/schema.ts"],"mappings":";;;;;;AAgBA;;;;;;;;;;cAAa,uBAAqB,CAAA,CAAA;;;;;;cAiDrB,qBAAmB,CAAA,CAAA;;;;cAKnB,0BAAwB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;;;AAtDH;AAiDlC;AAEE,cAYW,qBAZX,EAYgC,CAAA,CAAA,SAZhC,CAAA;;;;WAF8B,eAAA,YAAA,CAAA;EAAA,SAAA,eAAA,WAAA,YAAA,CAAA,CAAA;EAKnB,eAAA,eAGX,YAAA,CAAA;EAAA,mBAAA,eAAA,YAAA,CAAA;aAHmC,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,mBAAA,CAAA,cAAA,CAAA,UAAA,CAAA,CAAA,CAAA,CAAA;;;;;;AAAA;AASrC;;;cA4Ba,qBAAmB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;cA0BnB,oBAAkB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;SAtDG,eAAA,YAAA,CAAA;EAAA,YAAA,eAAA,YAAA,CAAA;EA4BrB,WAAA,eAuBV,YAAA,CAAA;EAAA,QAAA,eAAA,YAAA,CAAA;;;;;;;;;;;;;cAKU,sBAAoB,CAAA,CAAA;;;;;;;;;;;;cA6EpB,mBAAiB,CAAA,CAAA;;;;;;;;;cAQjB,iBAAe,CAAA,CAAA;;;;cAOf,oBAAkB,CAAA,CAAA;;IAxHC,OAAA,eAAA,aAAA,CAAA;EAAA,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EA0BnB,SAAA,eAAgE,YAAA,YAAA,aAAA,CAAA;IAAA,IAAA,aAAA;IAA9C,MAAA,aAAA;;;;;;;;;;;cAqGlB,sBAAoB,CAAA,CAAA;;;;;;;cAapB,oBAAkB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;AAlHA,cAgJlB,iBAhJkB,EAgJD,CAAA,CAAA,SAhJC,CAAA;MAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;IAAA,OAAA,eAAA,aAAA,CAAA;EAElB,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EAEX,OAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;MAF+B,GAAA,eAAA,YAAA,YAAA,aAAA,CAAA,CAAA;MAAA,GAAA,eAAA,YAAA,CAAA;QA6EpB,IAAA,eAKX,YAAA,CAAA;MAAA,CAAA,gBAAA,CAAA,CAAA;;;;;;;;;;;;;;AAL4B;AAQ9B;;iBA4IgB,eAAA,QAAuB,CAAA,CAAE"}

package/dist/lib/schema.js

@@ -55,6 +55,51 @@ const computeSettingsSchema = z.strictObject({
 const serviceToggleSchema = z.strictObject({ enabled: z.boolean().optional() });
 /** A service toggle as written in a policy: `boolean` or `{ enabled?: boolean }`. */
 const serviceToggleInputSchema = z.union([z.boolean(), serviceToggleSchema]);
+/**
+* Reusable Data API runtime settings (camelCase mirror of the Neon API `DataAPISettings`).
+* `strictObject` so a typo / snake_case key fails loudly instead of being silently dropped.
+*/
+const dataApiSettingsSchema = z.strictObject({
+	dbAggregatesEnabled: z.boolean().optional(),
+	dbAnonRole: z.string().optional(),
+	dbExtraSearchPath: z.string().optional(),
+	dbMaxRows: z.number().int().optional(),
+	dbSchemas: z.array(z.string()).optional(),
+	jwtRoleClaimKey: z.string().optional(),
+	jwtCacheMaxLifetime: z.number().int().optional(),
+	openapiMode: z.union([z.literal("ignore-privileges"), z.literal("disabled")]).optional(),
+	serverCorsAllowedOrigins: z.string().optional(),
+	serverTimingEnabled: z.boolean().optional()
+});
+/** Names of the external-IdP-only fields, forbidden when `authProvider` is `"neon"`. */
+const DATA_API_EXTERNAL_ONLY_KEYS = [
+	"jwksUrl",
+	"providerName",
+	"jwtAudience"
+];
+/**
+* Object form of the `dataApi` toggle. A single `strictObject` plus a `superRefine` (rather
+* than a discriminated union) so the `"neon"` default works without the discriminator being
+* present, and so the "external-only field with authProvider neon" error points at the exact
+* offending key — mirroring the `?: never` type-level guard at runtime.
+*/
+const dataApiConfigSchema = z.strictObject({
+	enabled: z.boolean().optional(),
+	authProvider: z.union([z.literal("neon"), z.literal("external")]).optional(),
+	jwksUrl: z.string().optional(),
+	providerName: z.string().optional(),
+	jwtAudience: z.string().optional(),
+	settings: dataApiSettingsSchema.optional()
+}).superRefine((cfg, ctx) => {
+	if ((cfg.authProvider ?? "neon") !== "neon") return;
+	for (const key of DATA_API_EXTERNAL_ONLY_KEYS) if (cfg[key] !== void 0) ctx.addIssue({
+		code: "custom",
+		path: [key],
+		message: `${key} is only allowed with authProvider: "external" — Neon supplies it for authProvider: "neon".`
+	});
+});
+/** A `dataApi` toggle as written in a policy: `boolean` or {@link dataApiConfigSchema}. */
+const dataApiInputSchema = z.union([z.boolean(), dataApiConfigSchema]);
 const postgresConfigSchema = z.strictObject({ computeSettings: computeSettingsSchema.optional() });
 /**
 * Branch-unique function slug. Mirrors the Neon Functions API path-segment rule
@@ -67,11 +112,27 @@ const functionSlugSchema = z.string().regex(/^[a-z0-9]{1,20}$/, "function slug m
 /** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */
 const bucketNameSchema = z.string().min(1).max(255);
 /**
-* Per-function environment map. Every value must be a defined string: a `process.env.X`
-* that is unset surfaces as `undefined` and is rejected here (rather than silently
-* shipping `undefined` into the deployment).
+* A single function environment-variable value. Must be a defined string: a `process.env.X`
+* that is unset evaluates to `undefined`, and the bare `z.string()` message for that case
+* (`Invalid input: expected string, received undefined`) gives no hint that an env var is the
+* culprit. The custom `error` replaces *only* the `undefined` case with a message that names
+* the offending function + env key (read from the issue path) and how to fix it; any other
+* wrong type keeps zod's default (`expected string, received number`, …).
 */
-const functionEnvSchema = z.record(z.string(), z.string());
+const functionEnvValueSchema = z.string({ error: (issue) => {
+	if (issue.input !== void 0) return void 0;
+	const path = issue.path ?? [];
+	const key = path.length > 0 ? String(path[path.length - 1]) : void 0;
+	const functionsIndex = path.indexOf("functions");
+	const slug = functionsIndex >= 0 && functionsIndex + 1 < path.length ? String(path[functionsIndex + 1]) : void 0;
+	return `${slug !== void 0 && key !== void 0 ? `Environment variable "${key}" for function "${slug}"` : key !== void 0 ? `Environment variable "${key}"` : "An environment variable"} is undefined — its value (typically a \`process.env.*\`) is unset. Set it (e.g. add it to your .env) or provide a fallback like \`process.env.X ?? ""\`.`;
+} });
+/**
+* Per-function environment map. Every value must be a defined string (see
+* {@link functionEnvValueSchema}): a `process.env.X` that is unset surfaces as `undefined` and
+* is rejected here (rather than silently shipping `undefined` into the deployment).
+*/
+const functionEnvSchema = z.record(z.string(), functionEnvValueSchema);
 /**
 * TCP port for a function's local dev server. Excludes 0 (which means "any port" to the OS
 * — `neon dev` expresses "pick one for me" by omitting `port`, not by passing 0).
@@ -137,10 +198,36 @@ const branchTuningSchema = z.strictObject({
 */
 const configInputSchema = z.strictObject({
 	auth: serviceToggleInputSchema.optional(),
-	dataApi: serviceToggleInputSchema.optional(),
+	dataApi: dataApiInputSchema.optional(),
 	preview: previewInputSchema.optional(),
 	branch: z.custom((value) => typeof value === "function", { message: "branch must be a function: `branch: (branch) => ({ … })`" }).optional()
+}).superRefine((cfg, ctx) => {
+	if (!isToggleEnabledValue(cfg.dataApi)) return;
+	if (dataApiAuthProviderValue(cfg.dataApi) !== "neon") return;
+	if (!isToggleEnabledValue(cfg.auth)) ctx.addIssue({
+		code: "custom",
+		path: ["auth"],
+		message: "dataApi with authProvider \"neon\" requires Neon Auth — set `auth: true` (or `auth: { enabled: true }`), or use `dataApi.authProvider: \"external\"` with your own `jwksUrl`."
+	});
 });
+/**
+* Whether a parsed `auth` / `dataApi` toggle value is enabled: a present object (or `true`)
+* is on unless `enabled` is explicitly `false`. Mirrors `isServiceEnabled` in
+* `define-config.ts`, operating on the already-validated runtime value.
+*/
+function isToggleEnabledValue(value) {
+	if (value === void 0 || value === null) return false;
+	if (typeof value === "boolean") return value;
+	if (typeof value === "object") return value.enabled !== false;
+	return false;
+}
+/** Read the (defaulted) `authProvider` from a parsed `dataApi` value. */
+function dataApiAuthProviderValue(value) {
+	if (value !== null && typeof value === "object") {
+		if (value.authProvider === "external") return "external";
+	}
+	return "neon";
+}
 function validateParentReference(args) {
 	const { ctx, path, parent } = args;
 	if (parent === void 0) return;
@@ -192,6 +279,6 @@ function normaliseIssueMessage(issue) {
 	return issue.message;
 }
 //#endregion
-export { branchTuningSchema, bucketDefSchema, computeSettingsSchema, configInputSchema, formatZodIssues, functionDefSchema, functionTuningSchema, postgresConfigSchema, previewInputSchema, serviceToggleInputSchema, serviceToggleSchema };
+export { branchTuningSchema, bucketDefSchema, computeSettingsSchema, configInputSchema, dataApiConfigSchema, dataApiInputSchema, dataApiSettingsSchema, formatZodIssues, functionDefSchema, functionTuningSchema, postgresConfigSchema, previewInputSchema, serviceToggleInputSchema, serviceToggleSchema };
 
 //# sourceMappingURL=schema.js.map

package/dist/lib/schema.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.js","names":[],"sources":["../../src/lib/schema.ts"],"sourcesContent":["import { z } from \"zod\";\nimport { parseBranchTtl, parseSuspendTimeout } from \"./duration.js\";\nimport { isWildcardPattern, validatePattern } from \"./patterns.js\";\n\n/**\n * Zod schema for {@link import(\"./types.js\").ComputeSettings}.\n *\n * - CU values must be one of: 0.25, 0.5, 1, 2, 4, 8\n * - `suspendTimeout` can be:\n *   - `false` (never suspend)\n *   - duration string like \"5m\", \"1h\" (must be 60s-604800s when parsed)\n *   - number in seconds (60-604800, or -1/0 for special values)\n *   - `undefined` (use platform default)\n *\n * Cross-field invariants (min <= max) are enforced via `superRefine`.\n */\nexport const computeSettingsSchema = z\n\t.strictObject({\n\t\tautoscalingLimitMinCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tautoscalingLimitMaxCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tsuspendTimeout: z\n\t\t\t.union([z.literal(false), z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return; // undefined is valid (use platform default)\n\t\t\t\tconst result = parseSuspendTimeout(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({\n\t\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\t\tmessage: result.error,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}),\n\t})\n\t.superRefine((settings, ctx) => {\n\t\tconst { autoscalingLimitMinCu: min, autoscalingLimitMaxCu: max } =\n\t\t\tsettings;\n\t\tif (min !== undefined && max !== undefined && min > max) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"autoscalingLimitMinCu\"],\n\t\t\t\tmessage: `autoscalingLimitMinCu (${min}) must be <= autoscalingLimitMaxCu (${max})`,\n\t\t\t});\n\t\t}\n\t});\n\n/** Object form of a service toggle (`{ enabled?: boolean }`). */\nexport const serviceToggleSchema = z.strictObject({\n\tenabled: z.boolean().optional(),\n});\n\n/** A service toggle as written in a policy: `boolean` or `{ enabled?: boolean }`. */\nexport const serviceToggleInputSchema = z.union([\n\tz.boolean(),\n\tserviceToggleSchema,\n]);\n\nexport const postgresConfigSchema = z.strictObject({\n\tcomputeSettings: computeSettingsSchema.optional(),\n});\n\n/**\n * Branch-unique function slug. Mirrors the Neon Functions API path-segment rule\n * (`platform/internal/platform/functions/name.go`): 1–20 lowercase letters and digits.\n * Used as the **key schema** of the `preview.functions` record, so a bad slug fails\n * validation with a path pointing at the offending key and duplicate slugs are impossible\n * by construction (object keys are unique).\n */\nconst functionSlugSchema = z\n\t.string()\n\t.regex(\n\t\t/^[a-z0-9]{1,20}$/,\n\t\t\"function slug must be 1-20 lowercase letters and digits (no hyphens or other characters)\",\n\t);\n\n/** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */\nconst bucketNameSchema = z.string().min(1).max(255);\n\n/**\n * Per-function environment map. Every value must be a defined string: a `process.env.X`\n * that is unset surfaces as `undefined` and is rejected here (rather than silently\n * shipping `undefined` into the deployment).\n */\nconst functionEnvSchema = z.record(z.string(), z.string());\n\n/**\n * TCP port for a function's local dev server. Excludes 0 (which means \"any port\" to the OS\n * — `neon dev` expresses \"pick one for me\" by omitting `port`, not by passing 0).\n */\nconst devPortSchema = z.number().int().min(1).max(65535);\n\n/**\n * Local-dev settings for a function (`neon dev` only; never affects deploy). `port` is bound\n * exactly when set (and `neon dev` fails if it is taken), or a free port is found when omitted.\n */\nconst functionDevConfigSchema = z.strictObject({\n\tport: devPortSchema.optional(),\n});\n\nconst runtimeSchema = z.literal(\"nodejs24\");\n\n/**\n * Static definition of a function (existence). The slug is the record key (validated by\n * {@link functionSlugSchema}), so it is not a field here. Deploy tuning (`runtime`) lives\n * in the `branch` closure, not here.\n */\nexport const functionDefSchema = z.strictObject({\n\tname: z.string().min(1).max(255),\n\tsource: z.string().min(1),\n\tenv: functionEnvSchema.optional(),\n\tdev: functionDevConfigSchema.optional(),\n});\n\n/** Static definition of a bucket (existence). Name is the record key. */\nexport const bucketDefSchema = z.strictObject({\n\taccess: z\n\t\t.union([z.literal(\"private\"), z.literal(\"public_read\")])\n\t\t.optional(),\n});\n\n/** Static, beta Preview feature set: AI Gateway toggle + functions/buckets records. */\nexport const previewInputSchema = z.strictObject({\n\taiGateway: serviceToggleInputSchema.optional(),\n\tfunctions: z.record(functionSlugSchema, functionDefSchema).optional(),\n\tbuckets: z.record(bucketNameSchema, bucketDefSchema).optional(),\n});\n\n/** Per-function deploy tuning returned by the `branch` closure. */\nexport const functionTuningSchema = z.strictObject({\n\truntime: runtimeSchema.optional(),\n});\n\n/** Per-branch Preview tuning. Keys must be slugs declared in the static `preview`. */\nconst previewTuningSchema = z.strictObject({\n\tfunctions: z.record(functionSlugSchema, functionTuningSchema).optional(),\n});\n\n/**\n * The object returned by the `branch` closure. Validated on every `resolveConfig` call so\n * tuning errors point at the concrete branch target that triggered them.\n */\nexport const branchTuningSchema = z\n\t.strictObject({\n\t\tparent: z.string().optional(),\n\t\tprotected: z.boolean().optional(),\n\t\tttl: z\n\t\t\t.union([z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return;\n\t\t\t\tconst result = parseBranchTtl(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({ code: \"custom\", message: result.error });\n\t\t\t\t}\n\t\t\t}),\n\t\tpostgres: postgresConfigSchema.optional(),\n\t\tpreview: previewTuningSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tvalidateParentReference({\n\t\t\tctx,\n\t\t\tpath: [\"parent\"],\n\t\t\tparent: cfg.parent,\n\t\t});\n\t});\n\n/**\n * The top-level object accepted by `defineConfig`. The `branch` closure is validated\n * structurally as a function here; its returned tuning is validated per-evaluation by\n * {@link branchTuningSchema} inside `resolveConfig`.\n */\nexport const configInputSchema = z.strictObject({\n\tauth: serviceToggleInputSchema.optional(),\n\tdataApi: serviceToggleInputSchema.optional(),\n\tpreview: previewInputSchema.optional(),\n\tbranch: z\n\t\t.custom<(...args: unknown[]) => unknown>(\n\t\t\t(value) => typeof value === \"function\",\n\t\t\t{\n\t\t\t\tmessage:\n\t\t\t\t\t\"branch must be a function: `branch: (branch) => ({ … })`\",\n\t\t\t},\n\t\t)\n\t\t.optional(),\n});\n\nfunction validateParentReference(args: {\n\tctx: z.RefinementCtx;\n\tpath: (string | number)[];\n\tparent: string | undefined;\n}): void {\n\tconst { ctx, path, parent } = args;\n\tif (parent === undefined) return;\n\n\tconst patternCheck = validatePattern(parent);\n\tif (\"error\" in patternCheck) {\n\t\tctx.addIssue({ code: \"custom\", path, message: patternCheck.error });\n\t} else if (isWildcardPattern(parent)) {\n\t\tctx.addIssue({\n\t\t\tcode: \"custom\",\n\t\t\tpath,\n\t\t\tmessage: `parent must be a concrete branch name (no wildcards), got \"${parent}\"`,\n\t\t});\n\t}\n}\n\n/**\n * Convert the structured {@link z.ZodError} produced by `configSchema.safeParse` into the\n * `string[]` shape used by {@link import(\"./errors.js\").ConfigValidationError}.\n *\n * Issue paths are rendered as dot-separated property accesses (`postgres.computeSettings`)\n * and unknown-key issues from `strictObject` are normalised so the message contains the\n * substring \"unknown key\" — keeping pre-zod assertions in test suites and downstream tools\n * stable.\n */\nexport function formatZodIssues(error: z.ZodError): string[] {\n\treturn error.issues.map((issue) => {\n\t\tconst path = renderPath(issue.path);\n\t\tconst message = normaliseIssueMessage(issue);\n\t\treturn path ? `${path}: ${message}` : message;\n\t});\n}\n\nfunction renderPath(path: ReadonlyArray<PropertyKey>): string {\n\tlet out = \"\";\n\tfor (const segment of path) {\n\t\tif (typeof segment === \"number\") out += `[${segment}]`;\n\t\telse if (out === \"\") out += String(segment);\n\t\telse out += `.${String(segment)}`;\n\t}\n\treturn out;\n}\n\nfunction normaliseIssueMessage(issue: z.core.$ZodIssue): string {\n\tif (issue.code === \"unrecognized_keys\") {\n\t\tconst keys = issue.keys ?? [];\n\t\tconst formatted = keys.map((k) => JSON.stringify(k)).join(\", \");\n\t\treturn `unknown key${keys.length === 1 ? \"\" : \"s\"}: ${formatted}`;\n\t}\n\tif (issue.code === \"invalid_key\") {\n\t\t// A record *key* that fails its key schema (e.g. a bad function slug) surfaces in\n\t\t// zod as a single `invalid_key` issue whose own `message` is the generic, useless\n\t\t// \"Invalid key in record\". The actual reason — the function-slug regex rule, say —\n\t\t// lives in the nested key-schema `issues`. Hoist those so the user sees *why* the\n\t\t// key was rejected (the offending key itself is already in the issue `path`).\n\t\tconst reasons = issue.issues\n\t\t\t.map((nested) => nested.message)\n\t\t\t.filter((message) => message.length > 0);\n\t\tif (reasons.length > 0) return reasons.join(\"; \");\n\t}\n\treturn issue.message;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAgBA,MAAa,wBAAwB,EACnC,aAAa;CACb,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,gBAAgB,EACd,MAAM;EAAC,EAAE,QAAQ,KAAK;EAAG,EAAE,OAAO;EAAG,EAAE,OAAO;CAAC,CAAC,CAAC,CACjD,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,oBAAoB,KAAK;EACxC,IAAI,WAAW,QACd,IAAI,SAAS;GACZ,MAAM;GACN,SAAS,OAAO;EACjB,CAAC;CAEH,CAAC;AACH,CAAC,CAAC,CACD,aAAa,UAAU,QAAQ;CAC/B,MAAM,EAAE,uBAAuB,KAAK,uBAAuB,QAC1D;CACD,IAAI,QAAQ,KAAA,KAAa,QAAQ,KAAA,KAAa,MAAM,KACnD,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,uBAAuB;EAC9B,SAAS,0BAA0B,IAAI,sCAAsC,IAAI;CAClF,CAAC;AAEH,CAAC;;AAGF,MAAa,sBAAsB,EAAE,aAAa,EACjD,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS,EAC/B,CAAC;;AAGD,MAAa,2BAA2B,EAAE,MAAM,CAC/C,EAAE,QAAQ,GACV,mBACD,CAAC;AAED,MAAa,uBAAuB,EAAE,aAAa,EAClD,iBAAiB,sBAAsB,SAAS,EACjD,CAAC;;;;;;;;AASD,MAAM,qBAAqB,EACzB,OAAO,CAAC,CACR,MACA,oBACA,0FACD;;AAGD,MAAM,mBAAmB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;;;;;;AAOlD,MAAM,oBAAoB,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;;;;;AAMzD,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK;;;;;AAMvD,MAAM,0BAA0B,EAAE,aAAa,EAC9C,MAAM,cAAc,SAAS,EAC9B,CAAC;AAED,MAAM,gBAAgB,EAAE,QAAQ,UAAU;;;;;;AAO1C,MAAa,oBAAoB,EAAE,aAAa;CAC/C,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;CAC/B,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;CACxB,KAAK,kBAAkB,SAAS;CAChC,KAAK,wBAAwB,SAAS;AACvC,CAAC;;AAGD,MAAa,kBAAkB,EAAE,aAAa,EAC7C,QAAQ,EACN,MAAM,CAAC,EAAE,QAAQ,SAAS,GAAG,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,CACvD,SAAS,EACZ,CAAC;;AAGD,MAAa,qBAAqB,EAAE,aAAa;CAChD,WAAW,yBAAyB,SAAS;CAC7C,WAAW,EAAE,OAAO,oBAAoB,iBAAiB,CAAC,CAAC,SAAS;CACpE,SAAS,EAAE,OAAO,kBAAkB,eAAe,CAAC,CAAC,SAAS;AAC/D,CAAC;;AAGD,MAAa,uBAAuB,EAAE,aAAa,EAClD,SAAS,cAAc,SAAS,EACjC,CAAC;;AAGD,MAAM,sBAAsB,EAAE,aAAa,EAC1C,WAAW,EAAE,OAAO,oBAAoB,oBAAoB,CAAC,CAAC,SAAS,EACxE,CAAC;;;;;AAMD,MAAa,qBAAqB,EAChC,aAAa;CACb,QAAQ,EAAE,OAAO,CAAC,CAAC,SAAS;CAC5B,WAAW,EAAE,QAAQ,CAAC,CAAC,SAAS;CAChC,KAAK,EACH,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAC/B,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,eAAe,KAAK;EACnC,IAAI,WAAW,QACd,IAAI,SAAS;GAAE,MAAM;GAAU,SAAS,OAAO;EAAM,CAAC;CAExD,CAAC;CACF,UAAU,qBAAqB,SAAS;CACxC,SAAS,oBAAoB,SAAS;AACvC,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAC1B,wBAAwB;EACvB;EACA,MAAM,CAAC,QAAQ;EACf,QAAQ,IAAI;CACb,CAAC;AACF,CAAC;;;;;;AAOF,MAAa,oBAAoB,EAAE,aAAa;CAC/C,MAAM,yBAAyB,SAAS;CACxC,SAAS,yBAAyB,SAAS;CAC3C,SAAS,mBAAmB,SAAS;CACrC,QAAQ,EACN,QACC,UAAU,OAAO,UAAU,YAC5B,EACC,SACC,2DACF,CACD,CAAC,CACA,SAAS;AACZ,CAAC;AAED,SAAS,wBAAwB,MAIxB;CACR,MAAM,EAAE,KAAK,MAAM,WAAW;CAC9B,IAAI,WAAW,KAAA,GAAW;CAE1B,MAAM,eAAe,gBAAgB,MAAM;CAC3C,IAAI,WAAW,cACd,IAAI,SAAS;EAAE,MAAM;EAAU;EAAM,SAAS,aAAa;CAAM,CAAC;MAC5D,IAAI,kBAAkB,MAAM,GAClC,IAAI,SAAS;EACZ,MAAM;EACN;EACA,SAAS,8DAA8D,OAAO;CAC/E,CAAC;AAEH;;;;;;;;;;AAWA,SAAgB,gBAAgB,OAA6B;CAC5D,OAAO,MAAM,OAAO,KAAK,UAAU;EAClC,MAAM,OAAO,WAAW,MAAM,IAAI;EAClC,MAAM,UAAU,sBAAsB,KAAK;EAC3C,OAAO,OAAO,GAAG,KAAK,IAAI,YAAY;CACvC,CAAC;AACF;AAEA,SAAS,WAAW,MAA0C;CAC7D,IAAI,MAAM;CACV,KAAK,MAAM,WAAW,MACrB,IAAI,OAAO,YAAY,UAAU,OAAO,IAAI,QAAQ;MAC/C,IAAI,QAAQ,IAAI,OAAO,OAAO,OAAO;MACrC,OAAO,IAAI,OAAO,OAAO;CAE/B,OAAO;AACR;AAEA,SAAS,sBAAsB,OAAiC;CAC/D,IAAI,MAAM,SAAS,qBAAqB;EACvC,MAAM,OAAO,MAAM,QAAQ,CAAC;EAC5B,MAAM,YAAY,KAAK,KAAK,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;EAC9D,OAAO,cAAc,KAAK,WAAW,IAAI,KAAK,IAAI,IAAI;CACvD;CACA,IAAI,MAAM,SAAS,eAAe;EAMjC,MAAM,UAAU,MAAM,OACpB,KAAK,WAAW,OAAO,OAAO,CAAC,CAC/B,QAAQ,YAAY,QAAQ,SAAS,CAAC;EACxC,IAAI,QAAQ,SAAS,GAAG,OAAO,QAAQ,KAAK,IAAI;CACjD;CACA,OAAO,MAAM;AACd"}
+{"version":3,"file":"schema.js","names":[],"sources":["../../src/lib/schema.ts"],"sourcesContent":["import { z } from \"zod\";\nimport { parseBranchTtl, parseSuspendTimeout } from \"./duration.js\";\nimport { isWildcardPattern, validatePattern } from \"./patterns.js\";\n\n/**\n * Zod schema for {@link import(\"./types.js\").ComputeSettings}.\n *\n * - CU values must be one of: 0.25, 0.5, 1, 2, 4, 8\n * - `suspendTimeout` can be:\n *   - `false` (never suspend)\n *   - duration string like \"5m\", \"1h\" (must be 60s-604800s when parsed)\n *   - number in seconds (60-604800, or -1/0 for special values)\n *   - `undefined` (use platform default)\n *\n * Cross-field invariants (min <= max) are enforced via `superRefine`.\n */\nexport const computeSettingsSchema = z\n\t.strictObject({\n\t\tautoscalingLimitMinCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tautoscalingLimitMaxCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tsuspendTimeout: z\n\t\t\t.union([z.literal(false), z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return; // undefined is valid (use platform default)\n\t\t\t\tconst result = parseSuspendTimeout(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({\n\t\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\t\tmessage: result.error,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}),\n\t})\n\t.superRefine((settings, ctx) => {\n\t\tconst { autoscalingLimitMinCu: min, autoscalingLimitMaxCu: max } =\n\t\t\tsettings;\n\t\tif (min !== undefined && max !== undefined && min > max) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"autoscalingLimitMinCu\"],\n\t\t\t\tmessage: `autoscalingLimitMinCu (${min}) must be <= autoscalingLimitMaxCu (${max})`,\n\t\t\t});\n\t\t}\n\t});\n\n/** Object form of a service toggle (`{ enabled?: boolean }`). */\nexport const serviceToggleSchema = z.strictObject({\n\tenabled: z.boolean().optional(),\n});\n\n/** A service toggle as written in a policy: `boolean` or `{ enabled?: boolean }`. */\nexport const serviceToggleInputSchema = z.union([\n\tz.boolean(),\n\tserviceToggleSchema,\n]);\n\n/**\n * Reusable Data API runtime settings (camelCase mirror of the Neon API `DataAPISettings`).\n * `strictObject` so a typo / snake_case key fails loudly instead of being silently dropped.\n */\nexport const dataApiSettingsSchema = z.strictObject({\n\tdbAggregatesEnabled: z.boolean().optional(),\n\tdbAnonRole: z.string().optional(),\n\tdbExtraSearchPath: z.string().optional(),\n\tdbMaxRows: z.number().int().optional(),\n\tdbSchemas: z.array(z.string()).optional(),\n\tjwtRoleClaimKey: z.string().optional(),\n\tjwtCacheMaxLifetime: z.number().int().optional(),\n\topenapiMode: z\n\t\t.union([z.literal(\"ignore-privileges\"), z.literal(\"disabled\")])\n\t\t.optional(),\n\tserverCorsAllowedOrigins: z.string().optional(),\n\tserverTimingEnabled: z.boolean().optional(),\n});\n\n/** Names of the external-IdP-only fields, forbidden when `authProvider` is `\"neon\"`. */\nconst DATA_API_EXTERNAL_ONLY_KEYS = [\n\t\"jwksUrl\",\n\t\"providerName\",\n\t\"jwtAudience\",\n] as const;\n\n/**\n * Object form of the `dataApi` toggle. A single `strictObject` plus a `superRefine` (rather\n * than a discriminated union) so the `\"neon\"` default works without the discriminator being\n * present, and so the \"external-only field with authProvider neon\" error points at the exact\n * offending key — mirroring the `?: never` type-level guard at runtime.\n */\nexport const dataApiConfigSchema = z\n\t.strictObject({\n\t\tenabled: z.boolean().optional(),\n\t\tauthProvider: z\n\t\t\t.union([z.literal(\"neon\"), z.literal(\"external\")])\n\t\t\t.optional(),\n\t\tjwksUrl: z.string().optional(),\n\t\tproviderName: z.string().optional(),\n\t\tjwtAudience: z.string().optional(),\n\t\tsettings: dataApiSettingsSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tconst provider = cfg.authProvider ?? \"neon\";\n\t\tif (provider !== \"neon\") return;\n\t\tfor (const key of DATA_API_EXTERNAL_ONLY_KEYS) {\n\t\t\tif (cfg[key] !== undefined) {\n\t\t\t\tctx.addIssue({\n\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\tpath: [key],\n\t\t\t\t\tmessage: `${key} is only allowed with authProvider: \"external\" — Neon supplies it for authProvider: \"neon\".`,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t});\n\n/** A `dataApi` toggle as written in a policy: `boolean` or {@link dataApiConfigSchema}. */\nexport const dataApiInputSchema = z.union([z.boolean(), dataApiConfigSchema]);\n\nexport const postgresConfigSchema = z.strictObject({\n\tcomputeSettings: computeSettingsSchema.optional(),\n});\n\n/**\n * Branch-unique function slug. Mirrors the Neon Functions API path-segment rule\n * (`platform/internal/platform/functions/name.go`): 1–20 lowercase letters and digits.\n * Used as the **key schema** of the `preview.functions` record, so a bad slug fails\n * validation with a path pointing at the offending key and duplicate slugs are impossible\n * by construction (object keys are unique).\n */\nconst functionSlugSchema = z\n\t.string()\n\t.regex(\n\t\t/^[a-z0-9]{1,20}$/,\n\t\t\"function slug must be 1-20 lowercase letters and digits (no hyphens or other characters)\",\n\t);\n\n/** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */\nconst bucketNameSchema = z.string().min(1).max(255);\n\n/**\n * A single function environment-variable value. Must be a defined string: a `process.env.X`\n * that is unset evaluates to `undefined`, and the bare `z.string()` message for that case\n * (`Invalid input: expected string, received undefined`) gives no hint that an env var is the\n * culprit. The custom `error` replaces *only* the `undefined` case with a message that names\n * the offending function + env key (read from the issue path) and how to fix it; any other\n * wrong type keeps zod's default (`expected string, received number`, …).\n */\nconst functionEnvValueSchema = z.string({\n\terror: (issue) => {\n\t\tif (issue.input !== undefined) return undefined;\n\t\tconst path = issue.path ?? [];\n\t\tconst key = path.length > 0 ? String(path[path.length - 1]) : undefined;\n\t\tconst functionsIndex = path.indexOf(\"functions\");\n\t\tconst slug =\n\t\t\tfunctionsIndex >= 0 && functionsIndex + 1 < path.length\n\t\t\t\t? String(path[functionsIndex + 1])\n\t\t\t\t: undefined;\n\t\tconst subject =\n\t\t\tslug !== undefined && key !== undefined\n\t\t\t\t? `Environment variable \"${key}\" for function \"${slug}\"`\n\t\t\t\t: key !== undefined\n\t\t\t\t\t? `Environment variable \"${key}\"`\n\t\t\t\t\t: \"An environment variable\";\n\t\treturn `${subject} is undefined — its value (typically a \\`process.env.*\\`) is unset. Set it (e.g. add it to your .env) or provide a fallback like \\`process.env.X ?? \"\"\\`.`;\n\t},\n});\n\n/**\n * Per-function environment map. Every value must be a defined string (see\n * {@link functionEnvValueSchema}): a `process.env.X` that is unset surfaces as `undefined` and\n * is rejected here (rather than silently shipping `undefined` into the deployment).\n */\nconst functionEnvSchema = z.record(z.string(), functionEnvValueSchema);\n\n/**\n * TCP port for a function's local dev server. Excludes 0 (which means \"any port\" to the OS\n * — `neon dev` expresses \"pick one for me\" by omitting `port`, not by passing 0).\n */\nconst devPortSchema = z.number().int().min(1).max(65535);\n\n/**\n * Local-dev settings for a function (`neon dev` only; never affects deploy). `port` is bound\n * exactly when set (and `neon dev` fails if it is taken), or a free port is found when omitted.\n */\nconst functionDevConfigSchema = z.strictObject({\n\tport: devPortSchema.optional(),\n});\n\nconst runtimeSchema = z.literal(\"nodejs24\");\n\n/**\n * Static definition of a function (existence). The slug is the record key (validated by\n * {@link functionSlugSchema}), so it is not a field here. Deploy tuning (`runtime`) lives\n * in the `branch` closure, not here.\n */\nexport const functionDefSchema = z.strictObject({\n\tname: z.string().min(1).max(255),\n\tsource: z.string().min(1),\n\tenv: functionEnvSchema.optional(),\n\tdev: functionDevConfigSchema.optional(),\n});\n\n/** Static definition of a bucket (existence). Name is the record key. */\nexport const bucketDefSchema = z.strictObject({\n\taccess: z\n\t\t.union([z.literal(\"private\"), z.literal(\"public_read\")])\n\t\t.optional(),\n});\n\n/** Static, beta Preview feature set: AI Gateway toggle + functions/buckets records. */\nexport const previewInputSchema = z.strictObject({\n\taiGateway: serviceToggleInputSchema.optional(),\n\tfunctions: z.record(functionSlugSchema, functionDefSchema).optional(),\n\tbuckets: z.record(bucketNameSchema, bucketDefSchema).optional(),\n});\n\n/** Per-function deploy tuning returned by the `branch` closure. */\nexport const functionTuningSchema = z.strictObject({\n\truntime: runtimeSchema.optional(),\n});\n\n/** Per-branch Preview tuning. Keys must be slugs declared in the static `preview`. */\nconst previewTuningSchema = z.strictObject({\n\tfunctions: z.record(functionSlugSchema, functionTuningSchema).optional(),\n});\n\n/**\n * The object returned by the `branch` closure. Validated on every `resolveConfig` call so\n * tuning errors point at the concrete branch target that triggered them.\n */\nexport const branchTuningSchema = z\n\t.strictObject({\n\t\tparent: z.string().optional(),\n\t\tprotected: z.boolean().optional(),\n\t\tttl: z\n\t\t\t.union([z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return;\n\t\t\t\tconst result = parseBranchTtl(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({ code: \"custom\", message: result.error });\n\t\t\t\t}\n\t\t\t}),\n\t\tpostgres: postgresConfigSchema.optional(),\n\t\tpreview: previewTuningSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tvalidateParentReference({\n\t\t\tctx,\n\t\t\tpath: [\"parent\"],\n\t\t\tparent: cfg.parent,\n\t\t});\n\t});\n\n/**\n * The top-level object accepted by `defineConfig`. The `branch` closure is validated\n * structurally as a function here; its returned tuning is validated per-evaluation by\n * {@link branchTuningSchema} inside `resolveConfig`.\n */\nexport const configInputSchema = z\n\t.strictObject({\n\t\tauth: serviceToggleInputSchema.optional(),\n\t\tdataApi: dataApiInputSchema.optional(),\n\t\tpreview: previewInputSchema.optional(),\n\t\tbranch: z\n\t\t\t.custom<(...args: unknown[]) => unknown>(\n\t\t\t\t(value) => typeof value === \"function\",\n\t\t\t\t{\n\t\t\t\t\tmessage:\n\t\t\t\t\t\t\"branch must be a function: `branch: (branch) => ({ … })`\",\n\t\t\t\t},\n\t\t\t)\n\t\t\t.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\t// A Data API verified by Neon Auth (`authProvider: \"neon\"`, the default) needs Neon\n\t\t// Auth enabled on the same branch so the tokens it verifies actually exist. Enforce\n\t\t// the same invariant the `defineConfig` type-level check expresses, at runtime.\n\t\tif (!isToggleEnabledValue(cfg.dataApi)) return;\n\t\tif (dataApiAuthProviderValue(cfg.dataApi) !== \"neon\") return;\n\t\tif (!isToggleEnabledValue(cfg.auth)) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"auth\"],\n\t\t\t\tmessage:\n\t\t\t\t\t'dataApi with authProvider \"neon\" requires Neon Auth — set `auth: true` (or `auth: { enabled: true }`), or use `dataApi.authProvider: \"external\"` with your own `jwksUrl`.',\n\t\t\t});\n\t\t}\n\t});\n\n/**\n * Whether a parsed `auth` / `dataApi` toggle value is enabled: a present object (or `true`)\n * is on unless `enabled` is explicitly `false`. Mirrors `isServiceEnabled` in\n * `define-config.ts`, operating on the already-validated runtime value.\n */\nfunction isToggleEnabledValue(value: unknown): boolean {\n\tif (value === undefined || value === null) return false;\n\tif (typeof value === \"boolean\") return value;\n\tif (typeof value === \"object\") {\n\t\treturn (value as { enabled?: unknown }).enabled !== false;\n\t}\n\treturn false;\n}\n\n/** Read the (defaulted) `authProvider` from a parsed `dataApi` value. */\nfunction dataApiAuthProviderValue(value: unknown): \"neon\" | \"external\" {\n\tif (value !== null && typeof value === \"object\") {\n\t\tconst provider = (value as { authProvider?: unknown }).authProvider;\n\t\tif (provider === \"external\") return \"external\";\n\t}\n\treturn \"neon\";\n}\n\nfunction validateParentReference(args: {\n\tctx: z.RefinementCtx;\n\tpath: (string | number)[];\n\tparent: string | undefined;\n}): void {\n\tconst { ctx, path, parent } = args;\n\tif (parent === undefined) return;\n\n\tconst patternCheck = validatePattern(parent);\n\tif (\"error\" in patternCheck) {\n\t\tctx.addIssue({ code: \"custom\", path, message: patternCheck.error });\n\t} else if (isWildcardPattern(parent)) {\n\t\tctx.addIssue({\n\t\t\tcode: \"custom\",\n\t\t\tpath,\n\t\t\tmessage: `parent must be a concrete branch name (no wildcards), got \"${parent}\"`,\n\t\t});\n\t}\n}\n\n/**\n * Convert the structured {@link z.ZodError} produced by `configSchema.safeParse` into the\n * `string[]` shape used by {@link import(\"./errors.js\").ConfigValidationError}.\n *\n * Issue paths are rendered as dot-separated property accesses (`postgres.computeSettings`)\n * and unknown-key issues from `strictObject` are normalised so the message contains the\n * substring \"unknown key\" — keeping pre-zod assertions in test suites and downstream tools\n * stable.\n */\nexport function formatZodIssues(error: z.ZodError): string[] {\n\treturn error.issues.map((issue) => {\n\t\tconst path = renderPath(issue.path);\n\t\tconst message = normaliseIssueMessage(issue);\n\t\treturn path ? `${path}: ${message}` : message;\n\t});\n}\n\nfunction renderPath(path: ReadonlyArray<PropertyKey>): string {\n\tlet out = \"\";\n\tfor (const segment of path) {\n\t\tif (typeof segment === \"number\") out += `[${segment}]`;\n\t\telse if (out === \"\") out += String(segment);\n\t\telse out += `.${String(segment)}`;\n\t}\n\treturn out;\n}\n\nfunction normaliseIssueMessage(issue: z.core.$ZodIssue): string {\n\tif (issue.code === \"unrecognized_keys\") {\n\t\tconst keys = issue.keys ?? [];\n\t\tconst formatted = keys.map((k) => JSON.stringify(k)).join(\", \");\n\t\treturn `unknown key${keys.length === 1 ? \"\" : \"s\"}: ${formatted}`;\n\t}\n\tif (issue.code === \"invalid_key\") {\n\t\t// A record *key* that fails its key schema (e.g. a bad function slug) surfaces in\n\t\t// zod as a single `invalid_key` issue whose own `message` is the generic, useless\n\t\t// \"Invalid key in record\". The actual reason — the function-slug regex rule, say —\n\t\t// lives in the nested key-schema `issues`. Hoist those so the user sees *why* the\n\t\t// key was rejected (the offending key itself is already in the issue `path`).\n\t\tconst reasons = issue.issues\n\t\t\t.map((nested) => nested.message)\n\t\t\t.filter((message) => message.length > 0);\n\t\tif (reasons.length > 0) return reasons.join(\"; \");\n\t}\n\treturn issue.message;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAgBA,MAAa,wBAAwB,EACnC,aAAa;CACb,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,gBAAgB,EACd,MAAM;EAAC,EAAE,QAAQ,KAAK;EAAG,EAAE,OAAO;EAAG,EAAE,OAAO;CAAC,CAAC,CAAC,CACjD,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,oBAAoB,KAAK;EACxC,IAAI,WAAW,QACd,IAAI,SAAS;GACZ,MAAM;GACN,SAAS,OAAO;EACjB,CAAC;CAEH,CAAC;AACH,CAAC,CAAC,CACD,aAAa,UAAU,QAAQ;CAC/B,MAAM,EAAE,uBAAuB,KAAK,uBAAuB,QAC1D;CACD,IAAI,QAAQ,KAAA,KAAa,QAAQ,KAAA,KAAa,MAAM,KACnD,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,uBAAuB;EAC9B,SAAS,0BAA0B,IAAI,sCAAsC,IAAI;CAClF,CAAC;AAEH,CAAC;;AAGF,MAAa,sBAAsB,EAAE,aAAa,EACjD,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS,EAC/B,CAAC;;AAGD,MAAa,2BAA2B,EAAE,MAAM,CAC/C,EAAE,QAAQ,GACV,mBACD,CAAC;;;;;AAMD,MAAa,wBAAwB,EAAE,aAAa;CACnD,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC1C,YAAY,EAAE,OAAO,CAAC,CAAC,SAAS;CAChC,mBAAmB,EAAE,OAAO,CAAC,CAAC,SAAS;CACvC,WAAW,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CACrC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS;CACxC,iBAAiB,EAAE,OAAO,CAAC,CAAC,SAAS;CACrC,qBAAqB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CAC/C,aAAa,EACX,MAAM,CAAC,EAAE,QAAQ,mBAAmB,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CAC9D,SAAS;CACX,0BAA0B,EAAE,OAAO,CAAC,CAAC,SAAS;CAC9C,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;AAC3C,CAAC;;AAGD,MAAM,8BAA8B;CACnC;CACA;CACA;AACD;;;;;;;AAQA,MAAa,sBAAsB,EACjC,aAAa;CACb,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC9B,cAAc,EACZ,MAAM,CAAC,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CACjD,SAAS;CACX,SAAS,EAAE,OAAO,CAAC,CAAC,SAAS;CAC7B,cAAc,EAAE,OAAO,CAAC,CAAC,SAAS;CAClC,aAAa,EAAE,OAAO,CAAC,CAAC,SAAS;CACjC,UAAU,sBAAsB,SAAS;AAC1C,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAE1B,KADiB,IAAI,gBAAgB,YACpB,QAAQ;CACzB,KAAK,MAAM,OAAO,6BACjB,IAAI,IAAI,SAAS,KAAA,GAChB,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,GAAG;EACV,SAAS,GAAG,IAAI;CACjB,CAAC;AAGJ,CAAC;;AAGF,MAAa,qBAAqB,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,mBAAmB,CAAC;AAE5E,MAAa,uBAAuB,EAAE,aAAa,EAClD,iBAAiB,sBAAsB,SAAS,EACjD,CAAC;;;;;;;;AASD,MAAM,qBAAqB,EACzB,OAAO,CAAC,CACR,MACA,oBACA,0FACD;;AAGD,MAAM,mBAAmB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;;;;;;;;;AAUlD,MAAM,yBAAyB,EAAE,OAAO,EACvC,QAAQ,UAAU;CACjB,IAAI,MAAM,UAAU,KAAA,GAAW,OAAO,KAAA;CACtC,MAAM,OAAO,MAAM,QAAQ,CAAC;CAC5B,MAAM,MAAM,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,IAAI,KAAA;CAC9D,MAAM,iBAAiB,KAAK,QAAQ,WAAW;CAC/C,MAAM,OACL,kBAAkB,KAAK,iBAAiB,IAAI,KAAK,SAC9C,OAAO,KAAK,iBAAiB,EAAE,IAC/B,KAAA;CAOJ,OAAO,GALN,SAAS,KAAA,KAAa,QAAQ,KAAA,IAC3B,yBAAyB,IAAI,kBAAkB,KAAK,KACpD,QAAQ,KAAA,IACP,yBAAyB,IAAI,KAC7B,0BACa;AACnB,EACD,CAAC;;;;;;AAOD,MAAM,oBAAoB,EAAE,OAAO,EAAE,OAAO,GAAG,sBAAsB;;;;;AAMrE,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK;;;;;AAMvD,MAAM,0BAA0B,EAAE,aAAa,EAC9C,MAAM,cAAc,SAAS,EAC9B,CAAC;AAED,MAAM,gBAAgB,EAAE,QAAQ,UAAU;;;;;;AAO1C,MAAa,oBAAoB,EAAE,aAAa;CAC/C,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;CAC/B,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;CACxB,KAAK,kBAAkB,SAAS;CAChC,KAAK,wBAAwB,SAAS;AACvC,CAAC;;AAGD,MAAa,kBAAkB,EAAE,aAAa,EAC7C,QAAQ,EACN,MAAM,CAAC,EAAE,QAAQ,SAAS,GAAG,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,CACvD,SAAS,EACZ,CAAC;;AAGD,MAAa,qBAAqB,EAAE,aAAa;CAChD,WAAW,yBAAyB,SAAS;CAC7C,WAAW,EAAE,OAAO,oBAAoB,iBAAiB,CAAC,CAAC,SAAS;CACpE,SAAS,EAAE,OAAO,kBAAkB,eAAe,CAAC,CAAC,SAAS;AAC/D,CAAC;;AAGD,MAAa,uBAAuB,EAAE,aAAa,EAClD,SAAS,cAAc,SAAS,EACjC,CAAC;;AAGD,MAAM,sBAAsB,EAAE,aAAa,EAC1C,WAAW,EAAE,OAAO,oBAAoB,oBAAoB,CAAC,CAAC,SAAS,EACxE,CAAC;;;;;AAMD,MAAa,qBAAqB,EAChC,aAAa;CACb,QAAQ,EAAE,OAAO,CAAC,CAAC,SAAS;CAC5B,WAAW,EAAE,QAAQ,CAAC,CAAC,SAAS;CAChC,KAAK,EACH,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAC/B,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,eAAe,KAAK;EACnC,IAAI,WAAW,QACd,IAAI,SAAS;GAAE,MAAM;GAAU,SAAS,OAAO;EAAM,CAAC;CAExD,CAAC;CACF,UAAU,qBAAqB,SAAS;CACxC,SAAS,oBAAoB,SAAS;AACvC,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAC1B,wBAAwB;EACvB;EACA,MAAM,CAAC,QAAQ;EACf,QAAQ,IAAI;CACb,CAAC;AACF,CAAC;;;;;;AAOF,MAAa,oBAAoB,EAC/B,aAAa;CACb,MAAM,yBAAyB,SAAS;CACxC,SAAS,mBAAmB,SAAS;CACrC,SAAS,mBAAmB,SAAS;CACrC,QAAQ,EACN,QACC,UAAU,OAAO,UAAU,YAC5B,EACC,SACC,2DACF,CACD,CAAC,CACA,SAAS;AACZ,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAI1B,IAAI,CAAC,qBAAqB,IAAI,OAAO,GAAG;CACxC,IAAI,yBAAyB,IAAI,OAAO,MAAM,QAAQ;CACtD,IAAI,CAAC,qBAAqB,IAAI,IAAI,GACjC,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,MAAM;EACb,SACC;CACF,CAAC;AAEH,CAAC;;;;;;AAOF,SAAS,qBAAqB,OAAyB;CACtD,IAAI,UAAU,KAAA,KAAa,UAAU,MAAM,OAAO;CAClD,IAAI,OAAO,UAAU,WAAW,OAAO;CACvC,IAAI,OAAO,UAAU,UACpB,OAAQ,MAAgC,YAAY;CAErD,OAAO;AACR;;AAGA,SAAS,yBAAyB,OAAqC;CACtE,IAAI,UAAU,QAAQ,OAAO,UAAU;MACpB,MAAqC,iBACtC,YAAY,OAAO;CAAA;CAErC,OAAO;AACR;AAEA,SAAS,wBAAwB,MAIxB;CACR,MAAM,EAAE,KAAK,MAAM,WAAW;CAC9B,IAAI,WAAW,KAAA,GAAW;CAE1B,MAAM,eAAe,gBAAgB,MAAM;CAC3C,IAAI,WAAW,cACd,IAAI,SAAS;EAAE,MAAM;EAAU;EAAM,SAAS,aAAa;CAAM,CAAC;MAC5D,IAAI,kBAAkB,MAAM,GAClC,IAAI,SAAS;EACZ,MAAM;EACN;EACA,SAAS,8DAA8D,OAAO;CAC/E,CAAC;AAEH;;;;;;;;;;AAWA,SAAgB,gBAAgB,OAA6B;CAC5D,OAAO,MAAM,OAAO,KAAK,UAAU;EAClC,MAAM,OAAO,WAAW,MAAM,IAAI;EAClC,MAAM,UAAU,sBAAsB,KAAK;EAC3C,OAAO,OAAO,GAAG,KAAK,IAAI,YAAY;CACvC,CAAC;AACF;AAEA,SAAS,WAAW,MAA0C;CAC7D,IAAI,MAAM;CACV,KAAK,MAAM,WAAW,MACrB,IAAI,OAAO,YAAY,UAAU,OAAO,IAAI,QAAQ;MAC/C,IAAI,QAAQ,IAAI,OAAO,OAAO,OAAO;MACrC,OAAO,IAAI,OAAO,OAAO;CAE/B,OAAO;AACR;AAEA,SAAS,sBAAsB,OAAiC;CAC/D,IAAI,MAAM,SAAS,qBAAqB;EACvC,MAAM,OAAO,MAAM,QAAQ,CAAC;EAC5B,MAAM,YAAY,KAAK,KAAK,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;EAC9D,OAAO,cAAc,KAAK,WAAW,IAAI,KAAK,IAAI,IAAI;CACvD;CACA,IAAI,MAAM,SAAS,eAAe;EAMjC,MAAM,UAAU,MAAM,OACpB,KAAK,WAAW,OAAO,OAAO,CAAC,CAC/B,QAAQ,YAAY,QAAQ,SAAS,CAAC;EACxC,IAAI,QAAQ,SAAS,GAAG,OAAO,QAAQ,KAAK,IAAI;CACjD;CACA,OAAO,MAAM;AACd"}

package/dist/lib/types.d.ts

@@ -85,7 +85,7 @@ interface ComputeSettings {
 }
 /**
  * Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the
- * `branch` argument passed to your `defineConfig((branch) => …)` callback. It describes
+ * `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes
  * **which** branch this invocation decides for; it is not a live branch handle and must not
  * be mutated. Switch on its fields and return the desired {@link BranchConfig}.
  */
@@ -125,9 +125,118 @@ interface ServiceToggle {
  * the type level — that's what makes `NeonEnv<typeof config>` exact.
  */
 type ServiceToggleInput = boolean | ServiceToggle;
+/**
+ * Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /
+ * `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables
+ * distribution so a union/`undefined` is judged as a single unit:
+ *
+ * - `false` / `{ enabled: false }` / `undefined` → `false`
+ * - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`
+ *   (a present toggle defaults to enabled)
+ * - the bare `boolean | … | undefined` (no literal info) → `false`
+ *
+ * Shared by the {@link Config} static cross-field checks and the `@neondatabase/env`
+ * `NeonEnv` namespace derivation, so both read "is this service on?" identically.
+ */
+type ServiceEnabled<T> = [T] extends [false] ? false : [T] extends [{
+  enabled: false;
+}] ? false : [T] extends [undefined] ? false : [T] extends [true] ? true : [T] extends [{
+  enabled: true;
+}] ? true : [T] extends [object] ? true : false;
 interface PostgresConfig {
   computeSettings?: ComputeSettings;
 }
+/**
+ * Authentication providers a Data API integration can verify JWTs against, as written in
+ * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
+ * at the API boundary):
+ *
+ * - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
+ *   JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
+ *   fields are forbidden (a type error) on this variant — and the policy must also enable
+ *   top-level `auth` (Neon Auth) so the tokens exist.
+ * - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
+ *   provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
+ */
+declare const DATA_API_AUTH_PROVIDERS: readonly ["neon", "external"];
+type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];
+/**
+ * Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,
+ * camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep
+ * the Neon defaults shown below. These are the **only** Data API fields that can change on
+ * an already-enabled integration — drift here is reconciled as an *update* (requires
+ * `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.
+ */
+interface DataApiSettings {
+  /** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */
+  dbAggregatesEnabled?: boolean;
+  /** Database role used for anonymous requests (`db_anon_role`). Default `"anonymous"`. */
+  dbAnonRole?: string;
+  /** Extra schemas appended to the search path (`db_extra_search_path`). */
+  dbExtraSearchPath?: string;
+  /** Maximum rows returned in a single request (`db_max_rows`). */
+  dbMaxRows?: number;
+  /** Schemas exposed via the API (`db_schemas`). Default `["public"]`. */
+  dbSchemas?: string[];
+  /** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `".role"`. */
+  jwtRoleClaimKey?: string;
+  /** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */
+  jwtCacheMaxLifetime?: number;
+  /** OpenAPI spec mode (`openapi_mode`). Default `"disabled"`. */
+  openapiMode?: "ignore-privileges" | "disabled";
+  /** CORS allowed origins (`server_cors_allowed_origins`). */
+  serverCorsAllowedOrigins?: string;
+  /** Emit server-timing headers (`server_timing_enabled`). */
+  serverTimingEnabled?: boolean;
+}
+/** Fields shared by every {@link DataApiConfig} variant. */
+interface DataApiConfigBase {
+  /** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */
+  enabled?: boolean;
+  /** Reusable runtime settings. Drift here is reconciled as an update. */
+  settings?: DataApiSettings;
+}
+/**
+ * Data API verified by **Neon Auth** (`authProvider: "neon"`, the default). The external
+ * IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any
+ * of them is a type error directing you to `authProvider: "external"`.
+ */
+interface DataApiNeonAuthConfig extends DataApiConfigBase {
+  authProvider?: "neon";
+  /** Forbidden with `authProvider: "neon"` — Neon provides the JWKS URL. */
+  jwksUrl?: never;
+  /** Forbidden with `authProvider: "neon"` — the provider is Neon Auth. */
+  providerName?: never;
+  /** Forbidden with `authProvider: "neon"` — Neon manages the audience. */
+  jwtAudience?: never;
+}
+/**
+ * Data API verified by an **external** IdP (`authProvider: "external"`). You provide the
+ * JWKS URL (and optionally a provider label / expected audience).
+ */
+interface DataApiExternalAuthConfig extends DataApiConfigBase {
+  authProvider: "external";
+  /** URL that publishes the IdP's JWKS (JSON Web Key Set). */
+  jwksUrl?: string;
+  /** Human label for the IdP (e.g. "Clerk", "Stytch", "Auth0"). */
+  providerName?: string;
+  /**
+   * Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;
+   * tokens with no `aud` claim are still accepted.
+   */
+  jwtAudience?: string;
+}
+/**
+ * Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:
+ * the `"neon"` variant forbids the external-IdP fields, the `"external"` variant allows them.
+ */
+type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;
+/**
+ * How the Data API is toggled in a policy: a bare boolean (like the other service toggles)
+ * or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it
+ * with Neon defaults; `false` / `{ enabled: false }` opt out.
+ */
+type DataApiInput = boolean | DataApiConfig;
 /**
  * Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.
  * Only `nodejs24` exists today; kept as a union so adding runtimes later is a
@@ -315,10 +424,15 @@ type BranchTuningFn<Preview extends PreviewInput | undefined = PreviewInput | un
  * literals; the defaults make the bare `Config` a usable "any policy" type for runtime
  * function signatures.
  */
-interface Config<Auth extends ServiceToggleInput | undefined = ServiceToggleInput | undefined, DataApi extends ServiceToggleInput | undefined = ServiceToggleInput | undefined, Preview extends PreviewInput | undefined = PreviewInput | undefined> {
+interface Config<Auth extends ServiceToggleInput | undefined = ServiceToggleInput | undefined, DataApi extends DataApiInput | undefined = DataApiInput | undefined, Preview extends PreviewInput | undefined = PreviewInput | undefined> {
   /** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */
   auth?: Auth;
-  /** Neon Data API integration toggle (GA). Static — drives `NeonEnv.dataApi`. */
+  /**
+   * Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or
+   * a {@link DataApiConfig} object selecting the auth provider (`"neon"` / `"external"`) and
+   * runtime {@link DataApiSettings}. With `authProvider: "neon"` the policy must also enable
+   * top-level `auth`.
+   */
   dataApi?: DataApi;
   /** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */
   preview?: Preview;
@@ -356,6 +470,19 @@ interface ResolvedPreviewConfig {
   buckets: ResolvedBucketConfig[];
   aiGatewayEnabled: boolean;
 }
+/**
+ * Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the
+ * policy enables `dataApi`. `authProvider` always resolves (defaults to `"neon"`); the
+ * external-IdP wiring is present only for `"external"`; `settings` carries the camelCase
+ * runtime settings (reconciled as an update when they drift).
+ */
+interface ResolvedDataApiConfig {
+  authProvider: DataApiAuthProvider;
+  jwksUrl?: string;
+  providerName?: string;
+  jwtAudience?: string;
+  settings?: DataApiSettings;
+}
 interface ResolvedBranchConfig {
   parent?: string;
   ttlSeconds?: number;
@@ -363,6 +490,11 @@ interface ResolvedBranchConfig {
   postgres?: PostgresConfig;
   authEnabled: boolean;
   dataApiEnabled: boolean;
+  /**
+   * Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the
+   * create-time auth wiring and the updatable {@link DataApiSettings}.
+   */
+  dataApi?: ResolvedDataApiConfig;
   preview?: ResolvedPreviewConfig;
 }
 /**
@@ -410,5 +542,5 @@ interface PushResult {
   conflicts: ConflictReport[];
 }
 //#endregion
-export { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceToggle, ServiceToggleInput };
+export { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DATA_API_AUTH_PROVIDERS, DataApiAuthProvider, DataApiConfig, DataApiExternalAuthConfig, DataApiInput, DataApiNeonAuthConfig, DataApiSettings, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedDataApiConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceEnabled, ServiceToggle, ServiceToggleInput };
 //# sourceMappingURL=types.d.ts.map

package/dist/lib/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/lib/types.ts"],"mappings":";;AAIA;AAGA;AAeA;AAQK,KA1BO,WAAA,GA0BP,IAAA,GAAwB,GAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA;AAAA;AAyBxB,KAhDO,YAAA,GAgDM,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA;;;;;;AAEc;AAUhC;;;;;;AAiCuC;AAStB,KAvFL,cAAA,GAuFiB,GAAA,MAAA,GAvFY,YAuFZ,EAAA;AAqB7B;AAgBA;AAEA;AASA;AAMA;AAuBA;KA5JK,wBAAA,GA4JuB,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA;;;AA6BJ;AAexB;AAWA;AAGA;AAOA,KA5MK,aAAA,GA4MqB,IAAA,GAKhB,IAAA,GAAA,KAAA,GAAA,IAAiB,GAAA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,KAAA;AAS3B;;;;;;KAlNK,aAwNM,CAAA,oBAxN4B,cAwN5B,CAAA,GAvNR,WAuNQ,GAAA,CAtNP,cAsNO,GAtNU,WAsNV,CAAA,OAAA,CAAA,CAAA,GAAA,MAAA;AAAM;AASjB;AAUA;;;;;AACa,UAhOI,eAAA,CAgOJ;EAAO;AASpB;;;;uBA4BY,CAAA,EA/Pa,WA+Pb;;;AACY;AACvB;;uBAGoC,CAAA,EA9PZ,WA8PY;;;;AAI1B;AAOX;;;;;;;;AAE0C;AAe1C;;;;;;;gBAO4C,CAAA,EAAA,KAAA,GA5QlB,aA4QkB,CA5QJ,wBA4QI,CAAA;;;;;;AASpB;AAOxB;AAAuC,UAnRtB,YAAA,CAmRsB;;MAK7B,EAAA,MAAA;;EAKc,EAAA,CAAA,EAAA,MAAA;EAIP;EAUA,MAAA,EAAA,OAAA;EAAqB;UAC1B,CAAA,EAAA,MAAA;;EACkB,SAAA,CAAA,EAAA,OAAA;EAIb;EAAoB,WAAA,CAAA,EAAA,OAAA;;WAO1B,CAAA,EAAA,MAAA;AAAqB;AAMhC;AAkBA;AAYA;;AAUU,UAjVO,aAAA,CAiVP;;EACgB,OAAA,CAAA,EAAA,OAAA;;;;;;;;;;;;;KAlUd,kBAAA,aAA+B;UAE1B,cAAA;oBACE;;;;;;;KAQP,eAAA;;;;;UAMK,iBAAA;;;;;;;;;;;;;;;;;;;;;;UAuBA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;QAwBV;;;;;QAKA;;;;;;;;;;;;;;KAeK,eAAA;;;;;;KAWA,uBAAA;;KAGA,iBAAA;;;;;;UAOK,SAAA;;;;;WAKP;;;;;;;;UASO,YAAA;;cAEJ;;cAEA,eAAe;;YAEjB,eAAe;;;;;;;;UAST,cAAA;;YAEN;;;;;;;UAQM;cACJ,QAAQ,OAAO,MAAM;;;;;;;;UASjB;;;;;;;;;;;;;;;;;;;;;;;;;QAyBV,cAAc;;;aAGT;YACD,cAAc;;;KAIpB,gCAAgC,4BACpC;;IAGG,cAAc;;;;;KAON,+BACK,2BAA2B,qCAC/B,iBAAiB,aAAa,gBAAgB;;;;;;;;;;;;;;UAe1C,oBACH,iCACV,gDAEa,iCACb,gDAEa,2BAA2B;;SAGpC;;YAEG;;YAEA;;WAED,eAAe;;;;;;UAOR,sBAAA;;;;OAIX;WACI;;;;;QAKH;;;UAIU,oBAAA;;UAER;;;;;;;UAQQ,qBAAA;aACL;WACF;;;UAIO,oBAAA;;;;aAIL;;;YAGD;;;;;UAMM,aAAA;;;;;;;;YAQN;;;;;;;;;UAUM,cAAA;;;;;;;;;;;UAYA,UAAA;;;;;;;;;;WAUP;aACE"}
+{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/lib/types.ts"],"mappings":";;AAIA;AAGA;AAeA;AAQK,KA1BO,WAAA,GA0BP,IAAA,GAAwB,GAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA,GAAA,CAAA;AAAA;AAyBxB,KAhDO,YAAA,GAgDM,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA,GAAA;;;;;;AAEc;AAUhC;;;;;;AAiCuC;AAStB,KAvFL,cAAA,GAuFiB,GAAA,MAAA,GAvFY,YAuFZ,EAAA;AAqB7B;AAgBA;AAeA;;;;KAnIK,wBAAA,GAuIA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA,GAAA,KAAA,GAAA,IAAA,GAAA,IAAA;;;;AAMI;AAIT;AAgBA;AACA,KAjJK,aAAA,GAiJO,IAAA,GAAmB,IAAA,GAAA,KAAW,GAAA,IAAA,GAAA,IAAA,GAAA,IAAuB,GAAA,KAAA,GAAA,KAAA;AASjE;AAqBC;AAeD;AAcA;AAiBA;;KArNK,aAqNuB,CAAA,oBArNW,cAqNX,CAAA,GApNzB,WAoNyB,GAAA,CAnNxB,cAmNwB,GAnNP,WAmNO,CAAA,OAAA,CAAA,CAAA,GAAA,MAAA;;AAAiD;AAO7E;AAOA;AAMA;AAuBA;;AAwBO,UA5QU,eAAA,CA4QV;;AAKiB;AAexB;AAWA;AAGA;EAOiB,qBAAS,CAAA,EA/SD,WAoTf;EASO;;;;;uBAMS,CAAA,EA7TD,WA6TC;;AAAT;AASjB;AAUA;;;;;;AACoB;AASpB;;;;;;;AA6BwB;AACvB;;gBAGoC,CAAA,EAAA,KAAA,GAtWX,aAsWW,CAtWG,wBAsWH,CAAA;;;;AAI1B;AAOX;;;AAC4C,UAzW3B,YAAA,CAyW2B;;MACe,EAAA,MAAA;;KAA7B,EAAA,MAAA;EAAY;EAezB,MAAA,EAAA,OAAM;EAAA;UACT,CAAA,EAAA,MAAA;;WAGG,CAAA,EAAA,OAAA;;aACA,CAAA,EAAA,OAAA;;WAGT,CAAA,EAAA,MAAA;;;;;AAWgB;AAOP,UA9XA,aAAA,CA8XsB;EAAA;SAIjC,CAAA,EAAA,OAAA;;;AAMkB;AAIxB;AAUA;;;;AAE8B;AAU9B;;;AAKY,KAvZA,kBAAA,GAuZA,OAAA,GAvZ+B,aAuZ/B;AAAe;AAG3B;;;;;AAYgC;AAMhC;AAkBA;AAYA;;;;AAW0B,KAtcd,cAscc,CAAA,CAAA,CAAA,GAAA,CAtcO,CAscP,CAAA,SAAA,CAAA,KAAA,CAAA,GAAA,KAAA,GAAA,CApctB,CAocsB,CAAA,SAAA,CAAA;;cAlcrB,kCAEC,4BAEC;;aAEC;UAIS,cAAA;oBACE;;;;;;;;;;;;;;cAeN;KACD,mBAAA,WAA8B;;;;;;;;UASzB,eAAA;;;;;;;;;;;;;;;;;;;;;;;UAwBP,iBAAA;;;;aAIE;;;;;;;UAQK,qBAAA,SAA8B;;;;;;;;;;;;;UAc9B,yBAAA,SAAkC;;;;;;;;;;;;;;;;KAiBvC,aAAA,GAAgB,wBAAwB;;;;;;KAOxC,YAAA,aAAyB;;;;;;KAOzB,eAAA;;;;;UAMK,iBAAA;;;;;;;;;;;;;;;;;;;;;;UAuBA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;QAwBV;;;;;QAKA;;;;;;;;;;;;;;KAeK,eAAA;;;;;;KAWA,uBAAA;;KAGA,iBAAA;;;;;;UAOK,SAAA;;;;;WAKP;;;;;;;;UASO,YAAA;;cAEJ;;cAEA,eAAe;;YAEjB,eAAe;;;;;;;;UAST,cAAA;;YAEN;;;;;;;UAQM;cACJ,QAAQ,OAAO,MAAM;;;;;;;;UASjB;;;;;;;;;;;;;;;;;;;;;;;;;QAyBV,cAAc;;;aAGT;YACD,cAAc;;;KAIpB,gCAAgC,4BACpC;;IAGG,cAAc;;;;;KAON,+BACK,2BAA2B,qCAC/B,iBAAiB,aAAa,gBAAgB;;;;;;;;;;;;;;UAe1C,oBACH,iCACV,gDAEa,2BAA2B,0CAC3B,2BAA2B;;SAGpC;;;;;;;YAOG;;YAEA;;WAED,eAAe;;;;;;UAOR,sBAAA;;;;OAIX;WACI;;;;;QAKH;;;UAIU,oBAAA;;UAER;;;;;;;UAQQ,qBAAA;aACL;WACF;;;;;;;;;UAUO,qBAAA;gBACF;;;;aAIH;;UAGK,oBAAA;;;;aAIL;;;;;;;YAOD;YACA;;;;;UAMM,aAAA;;;;;;;;YAQN;;;;;;;;;UAUM,cAAA;;;;;;;;;;;UAYA,UAAA;;;;;;;;;;WAUP;aACE"}

package/dist/lib/types.js

@@ -1 +1,18 @@
-export {};
+//#region src/lib/types.ts
+/**
+* Authentication providers a Data API integration can verify JWTs against, as written in
+* `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`
+* at the API boundary):
+*
+* - `"neon"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the
+*   JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`
+*   fields are forbidden (a type error) on this variant — and the policy must also enable
+*   top-level `auth` (Neon Auth) so the tokens exist.
+* - `"external"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You
+*   provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).
+*/
+const DATA_API_AUTH_PROVIDERS = ["neon", "external"];
+//#endregion
+export { DATA_API_AUTH_PROVIDERS };
+
+//# sourceMappingURL=types.js.map

package/dist/lib/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","names":[],"sources":["../../src/lib/types.ts"],"sourcesContent":["/**\n * Valid Neon Compute Unit values.\n * Most plans support 0.25, 0.5, 1, 2, 4, 8. Higher values may be available on Business plans.\n */\nexport type ComputeUnit = 0.25 | 0.5 | 1 | 2 | 4 | 8;\n\n/** Time units accepted in a {@link DurationString}: seconds, minutes, hours, days, weeks. */\nexport type DurationUnit = \"s\" | \"m\" | \"h\" | \"d\" | \"w\";\n\n/**\n * A Neon duration string: a positive integer **followed by a unit** — `s` (seconds),\n * `m` (minutes), `h` (hours), `d` (days), or `w` (weeks). Used by\n * {@link ComputeSettings.suspendTimeout} and {@link BranchTuning.ttl}.\n *\n * A **unit is required**: a bare numeric string like `\"7\"` is rejected at the type level. To\n * express a raw number of seconds, pass a `number` (`300`) — not a string (`\"300\"`). This\n * removes the old ambiguity where `\"7\"` silently meant 7 *seconds* instead of, say, `\"7d\"`.\n *\n * @example \"5m\"  // 5 minutes\n * @example \"1h\"  // 1 hour\n * @example \"7d\"  // 7 days\n */\nexport type DurationString = `${number}${DurationUnit}`;\n\n/**\n * Autocomplete suggestions for {@link ComputeSettings.suspendTimeout}. Every value sits inside\n * the Neon API's allowed scale-to-zero band: **60s–604800s** (1 minute – 1 week). This is *not*\n * a closed set — the field also accepts any other {@link DurationString} or a `number` of\n * seconds; out-of-range values type-check but are rejected at apply time.\n */\ntype SuspendTimeoutSuggestion =\n\t| \"1m\"\n\t| \"5m\"\n\t| \"15m\"\n\t| \"30m\"\n\t| \"1h\"\n\t| \"6h\"\n\t| \"12h\"\n\t| \"1d\"\n\t| \"7d\";\n\n/**\n * Autocomplete suggestions for {@link BranchTuning.ttl}. Every value sits within the Neon API's\n * branch-expiration limit (**max 30 days** from creation; the Console's own presets are 1h / 1d\n * / 7d). This is *not* a closed set — the field also accepts any other {@link DurationString} or\n * a `number` of seconds; values over 30 days are rejected at apply time.\n */\ntype TtlSuggestion = \"1h\" | \"6h\" | \"12h\" | \"1d\" | \"3d\" | \"7d\" | \"14d\" | \"30d\";\n\n/**\n * Compose a field's duration type: its curated autocomplete `Suggestions` plus the open\n * `DurationString` template (so any `<integer><unit>` string still type-checks) and a `number`\n * of seconds. Intersecting the template arm with `NonNullable<unknown>` stops TypeScript from\n * collapsing the literal suggestions into the template, which is what preserves the autocomplete.\n */\ntype DurationField<Suggestions extends DurationString> =\n\t| Suggestions\n\t| (DurationString & NonNullable<unknown>)\n\t| number;\n\n/**\n * Compute settings applied to the read/write endpoint of a branch.\n *\n * Mirrors the subset of {@link https://api-docs.neon.tech/reference/getting-started-with-neon-api Neon endpoint}\n * fields that we expose as IaC primitives. Anything left undefined falls back to the project's\n * `default_endpoint_settings` (which themselves fall back to Neon platform defaults).\n */\nexport interface ComputeSettings {\n\t/**\n\t * Minimum number of Compute Units. Set to 0.25 for true scale-to-zero.\n\t * @example 0.25  // scale-to-zero\n\t * @example 1     // always-on with 1 CU minimum\n\t */\n\tautoscalingLimitMinCu?: ComputeUnit;\n\t/**\n\t * Maximum number of Compute Units for autoscaling.\n\t * @example 2\n\t * @example 8\n\t */\n\tautoscalingLimitMaxCu?: ComputeUnit;\n\t/**\n\t * How long an idle compute waits before suspending (Neon's scale-to-zero). Accepts a\n\t * {@link DurationString} (autocompletes common values), a number of seconds, or `false`.\n\t *\n\t * - `false` — never suspend (always-on compute)\n\t * - {@link DurationString} — e.g. `\"5m\"`; autocompletes the in-range values `\"1m\"`, `\"5m\"`,\n\t *   `\"15m\"`, `\"30m\"`, `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`, `\"7d\"`, and accepts any other\n\t *   `<integer><unit>` (units: `s`, `m`, `h`, `d`, `w`). A **unit is required** — for raw\n\t *   seconds pass a `number`, not a string.\n\t * - `number` — custom timeout in **seconds**, must be in `60`–`604800` (1 minute to 1 week)\n\t * - `undefined` — use the Neon platform default (currently 300s / 5 minutes)\n\t *\n\t * Whichever form you use, the resolved timeout must fall in `60`–`604800` seconds (the Neon\n\t * API limit); the suggestions are all within that band, anything else is checked at apply.\n\t *\n\t * @example false  // never suspend (always-on)\n\t * @example \"5m\"   // suspend after 5 minutes idle\n\t * @example \"1h\"   // suspend after 1 hour idle\n\t * @example 300    // 5 minutes, expressed in seconds\n\t */\n\tsuspendTimeout?: false | DurationField<SuspendTimeoutSuggestion>;\n}\n\n/**\n * Read-only descriptor of the branch a {@link Config} policy is being evaluated for — the\n * `branch` argument passed to your `defineConfig({ branch: (branch) => … })` closure. It describes\n * **which** branch this invocation decides for; it is not a live branch handle and must not\n * be mutated. Switch on its fields and return the desired {@link BranchConfig}.\n */\nexport interface BranchTarget {\n\t/** Branch name being evaluated. For `branch dev`, this is the generated branch name. */\n\tname: string;\n\t/** Neon branch id when the branch already exists. Undefined during pre-create eval. */\n\tid?: string;\n\t/** Whether this branch already exists on Neon. */\n\texists: boolean;\n\t/** Parent branch id from Neon when known. */\n\tparentId?: string;\n\t/** Whether Neon marks this branch as the project default. */\n\tisDefault?: boolean;\n\t/** Whether Neon currently marks this branch protected. */\n\tisProtected?: boolean;\n\t/** Current expiration timestamp from Neon, when set. */\n\texpiresAt?: string;\n}\n\n/**\n * Object form of a branch-scoped service toggle. `{}` or `{ enabled: true }` enables it;\n * `{ enabled: false }` opts out. Used as the object half of {@link ServiceToggleInput}.\n */\nexport interface ServiceToggle {\n\t/** Defaults to `true` when the service namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n}\n\n/**\n * How a branch-scoped service (Neon Auth, Data API, AI Gateway) is toggled in a policy.\n *\n * - `true` / `{}` / `{ enabled: true }` — enabled.\n * - `false` / `{ enabled: false }` — disabled.\n * - omitted (`undefined`) — not part of the policy at all.\n *\n * These toggles are **static** (they live in the top-level `defineConfig({ … })` object,\n * not in the per-branch `branch` closure) so the secret set they imply can be derived at\n * the type level — that's what makes `NeonEnv<typeof config>` exact.\n */\nexport type ServiceToggleInput = boolean | ServiceToggle;\n\n/**\n * Resolve a **static** service toggle (`true` / `false` / `{ enabled?: boolean }` / object /\n * `undefined`) to a type-level boolean. The tuple wrapping (`[T] extends […]`) disables\n * distribution so a union/`undefined` is judged as a single unit:\n *\n * - `false` / `{ enabled: false }` / `undefined` → `false`\n * - `true` / `{ enabled: true }` / any other object (`{}`, `{ enabled?: boolean }`) → `true`\n *   (a present toggle defaults to enabled)\n * - the bare `boolean | … | undefined` (no literal info) → `false`\n *\n * Shared by the {@link Config} static cross-field checks and the `@neondatabase/env`\n * `NeonEnv` namespace derivation, so both read \"is this service on?\" identically.\n */\nexport type ServiceEnabled<T> = [T] extends [false]\n\t? false\n\t: [T] extends [{ enabled: false }]\n\t\t? false\n\t\t: [T] extends [undefined]\n\t\t\t? false\n\t\t\t: [T] extends [true]\n\t\t\t\t? true\n\t\t\t\t: [T] extends [{ enabled: true }]\n\t\t\t\t\t? true\n\t\t\t\t\t: [T] extends [object]\n\t\t\t\t\t\t? true\n\t\t\t\t\t\t: false;\n\nexport interface PostgresConfig {\n\tcomputeSettings?: ComputeSettings;\n}\n\n/**\n * Authentication providers a Data API integration can verify JWTs against, as written in\n * `neon.ts`. Friendly authoring values (mapped to the Neon API's `neon_auth` / `external`\n * at the API boundary):\n *\n * - `\"neon\"` — verify tokens minted by **Neon Auth** on the same branch. Neon supplies the\n *   JWKS URL / provider wiring for you, so the `jwksUrl` / `providerName` / `jwtAudience`\n *   fields are forbidden (a type error) on this variant — and the policy must also enable\n *   top-level `auth` (Neon Auth) so the tokens exist.\n * - `\"external\"` — verify tokens from a third-party IdP (Clerk, Stytch, Auth0, …). You\n *   provide `jwksUrl` (and optionally `providerName` / `jwtAudience`).\n */\nexport const DATA_API_AUTH_PROVIDERS = [\"neon\", \"external\"] as const;\nexport type DataApiAuthProvider = (typeof DATA_API_AUTH_PROVIDERS)[number];\n\n/**\n * Reusable runtime settings for a Data API integration (the Neon API `DataAPISettings`,\n * camelCased to match the rest of `neon.ts`). Every field is optional; omitted fields keep\n * the Neon defaults shown below. These are the **only** Data API fields that can change on\n * an already-enabled integration — drift here is reconciled as an *update* (requires\n * `updateExisting` / `--update-existing`); the create-only auth wiring above cannot.\n */\nexport interface DataApiSettings {\n\t/** Enable the aggregates feature (`db_aggregates_enabled`). Default `true`. */\n\tdbAggregatesEnabled?: boolean;\n\t/** Database role used for anonymous requests (`db_anon_role`). Default `\"anonymous\"`. */\n\tdbAnonRole?: string;\n\t/** Extra schemas appended to the search path (`db_extra_search_path`). */\n\tdbExtraSearchPath?: string;\n\t/** Maximum rows returned in a single request (`db_max_rows`). */\n\tdbMaxRows?: number;\n\t/** Schemas exposed via the API (`db_schemas`). Default `[\"public\"]`. */\n\tdbSchemas?: string[];\n\t/** JWT claim key used for role extraction (`jwt_role_claim_key`). Default `\".role\"`. */\n\tjwtRoleClaimKey?: string;\n\t/** Maximum lifetime of the JWT cache, in seconds (`jwt_cache_max_lifetime`). */\n\tjwtCacheMaxLifetime?: number;\n\t/** OpenAPI spec mode (`openapi_mode`). Default `\"disabled\"`. */\n\topenapiMode?: \"ignore-privileges\" | \"disabled\";\n\t/** CORS allowed origins (`server_cors_allowed_origins`). */\n\tserverCorsAllowedOrigins?: string;\n\t/** Emit server-timing headers (`server_timing_enabled`). */\n\tserverTimingEnabled?: boolean;\n}\n\n/** Fields shared by every {@link DataApiConfig} variant. */\ninterface DataApiConfigBase {\n\t/** Defaults to `true` when the `dataApi` namespace is present. Set `false` to opt out. */\n\tenabled?: boolean;\n\t/** Reusable runtime settings. Drift here is reconciled as an update. */\n\tsettings?: DataApiSettings;\n}\n\n/**\n * Data API verified by **Neon Auth** (`authProvider: \"neon\"`, the default). The external\n * IdP fields are statically forbidden (`?: never`) because Neon supplies them; declaring any\n * of them is a type error directing you to `authProvider: \"external\"`.\n */\nexport interface DataApiNeonAuthConfig extends DataApiConfigBase {\n\tauthProvider?: \"neon\";\n\t/** Forbidden with `authProvider: \"neon\"` — Neon provides the JWKS URL. */\n\tjwksUrl?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — the provider is Neon Auth. */\n\tproviderName?: never;\n\t/** Forbidden with `authProvider: \"neon\"` — Neon manages the audience. */\n\tjwtAudience?: never;\n}\n\n/**\n * Data API verified by an **external** IdP (`authProvider: \"external\"`). You provide the\n * JWKS URL (and optionally a provider label / expected audience).\n */\nexport interface DataApiExternalAuthConfig extends DataApiConfigBase {\n\tauthProvider: \"external\";\n\t/** URL that publishes the IdP's JWKS (JSON Web Key Set). */\n\tjwksUrl?: string;\n\t/** Human label for the IdP (e.g. \"Clerk\", \"Stytch\", \"Auth0\"). */\n\tproviderName?: string;\n\t/**\n\t * Expected `aud` claim. ⚠️ This only **rejects** tokens carrying a *different* audience;\n\t * tokens with no `aud` claim are still accepted.\n\t */\n\tjwtAudience?: string;\n}\n\n/**\n * Object form of the `dataApi` toggle. A discriminated union on {@link DataApiAuthProvider}:\n * the `\"neon\"` variant forbids the external-IdP fields, the `\"external\"` variant allows them.\n */\nexport type DataApiConfig = DataApiNeonAuthConfig | DataApiExternalAuthConfig;\n\n/**\n * How the Data API is toggled in a policy: a bare boolean (like the other service toggles)\n * or the richer {@link DataApiConfig} object. `true` / `{}` / `{ enabled: true }` enable it\n * with Neon defaults; `false` / `{ enabled: false }` opt out.\n */\nexport type DataApiInput = boolean | DataApiConfig;\n\n/**\n * Supported function runtimes. Mirrors the Neon Functions deploy API `runtime` enum.\n * Only `nodejs24` exists today; kept as a union so adding runtimes later is a\n * non-breaking, type-checked change.\n */\nexport type FunctionRuntime = \"nodejs24\";\n\n/**\n * Local-development settings for a function, used by `neon dev` when it serves every\n * function declared in `neon.ts` (i.e. invoked with no `--source`). Never affects deploy.\n */\nexport interface FunctionDevConfig {\n\t/**\n\t * Port the local server binds. Bound exactly (and `neon dev` fails loudly if it is taken)\n\t * when set; a free port is found automatically when omitted.\n\t */\n\tport?: number;\n}\n\n/**\n * Static definition of a Neon Function (Preview feature). Declares that the function\n * **exists** on every branch; its branch-unique slug is the **record key** in\n * {@link PreviewInput.functions} (not a field here), so slugs are statically enumerable,\n * cannot duplicate, and the `branch` closure can only tune slugs that are declared here.\n *\n * A function is invoked like a Cloudflare/Vercel handler — its source module\n * `export default { fetch }` or `export async function handler(req): Response`. The\n * `source` path is bundled (esbuild) and uploaded as a deployment; the newest deployment\n * becomes active.\n *\n * Runtime tuning is **not** here — it varies per branch and lives in the `branch` closure\n * (see {@link FunctionTuning}). Memory is fixed by the platform policy for now and is not\n * user-configurable.\n */\nexport interface FunctionDef {\n\t/** Free-form display name. @example \"Hello World\" */\n\tname: string;\n\t/**\n\t * Path to the function's entry module, **relative to `neon.ts`** (or absolute). The\n\t * module's default export (`{ fetch }`) or `handler` export is the function entry. This\n\t * path is resolved against the loaded `neon.ts` location and bundled with esbuild at\n\t * deploy time.\n\t *\n\t * We require a string path rather than an imported handler because a JS function value\n\t * carries no reference back to its source file, so esbuild has nothing to bundle from.\n\t * @example \"./functions/hello-world.ts\"\n\t */\n\tsource: string;\n\t/**\n\t * Environment variables injected into the deployed function, keyed by the var name the\n\t * function reads at runtime. The **keys** are static (preserved at the type level so\n\t * `parseEnv(config, \"<slug>\").function.<key>` is typed); the **values** are arbitrary\n\t * strings evaluated when `neon.ts` is loaded (typically `process.env.X`) and uploaded\n\t * at `config apply`. Every value must be a defined string — a `process.env.X` that is\n\t * `undefined` (unset) errors at validation time rather than silently shipping\n\t * `undefined`.\n\t * @example { resendApiKey: process.env.RESEND_API_KEY ?? \"\" }\n\t */\n\tenv?: Record<string, string>;\n\t/**\n\t * Local-development settings used by `neon dev` when serving every function from\n\t * `neon.ts`. Ignored at deploy time. See {@link FunctionDevConfig}.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/**\n * A single capability a branch-scoped service credential may exercise (Preview). A\n * credential is granted a set of these and may only perform the listed actions. Mirrors\n * the Neon API `CredentialScope` enum (`x-stability-level: beta`):\n *\n * - `storage:read` / `storage:write` — object-storage (bucket) access via the S3 key.\n * - `ai_gateway:invoke` — call the AI Gateway with the bearer `api_token`.\n * - `functions:invoke` — invoke Neon Functions with the bearer `api_token`.\n *\n * The set a policy needs is derived from its enabled Preview features (see\n * {@link deriveCredentialScopes}); it is never authored by hand.\n */\nexport type CredentialScope =\n\t| \"storage:read\"\n\t| \"storage:write\"\n\t| \"ai_gateway:invoke\"\n\t| \"functions:invoke\";\n\n/**\n * Who a credential acts as. `user` is the developer/app principal minted for local dev and\n * app bootstrap (`fetchEnv` / `env pull`); `function` is a deployed-function principal\n * (carries a `function_id`). The env tooling only mints `user` credentials today.\n */\nexport type CredentialPrincipalType = \"user\" | \"function\";\n\n/** Anonymous-access level for a branchable object-storage bucket. */\nexport type BucketAccessLevel = \"private\" | \"public_read\";\n\n/**\n * Static definition of a branchable object-storage bucket (Preview feature). The bucket's\n * name is the **record key** in {@link PreviewInput.buckets}, so names are statically\n * enumerable and cannot duplicate.\n */\nexport interface BucketDef {\n\t/**\n\t * Anonymous access level. `private` (default) requires authenticated reads/writes;\n\t * `public_read` allows anonymous GetObject/HeadObject.\n\t */\n\taccess?: BucketAccessLevel;\n}\n\n/**\n * Static, branch-scoped **Preview** features. Grouped under `preview` to signal they are\n * backed by Neon `x-stability-level: beta` endpoints and may change before GA. Everything\n * here is existential (it determines what exists on the branch); per-branch tuning lives in\n * the `branch` closure.\n */\nexport interface PreviewInput {\n\t/** Enable/disable the AI Gateway on the branch (toggle, like auth / dataApi). */\n\taiGateway?: ServiceToggleInput;\n\t/** Functions to deploy, keyed by branch-unique slug (`^[a-z0-9]{1,20}$`). */\n\tfunctions?: Record<string, FunctionDef>;\n\t/** Object-storage buckets to create, keyed by bucket name. */\n\tbuckets?: Record<string, BucketDef>;\n}\n\n/**\n * Per-branch deploy tuning for a single function. Returned (per slug) by the `branch`\n * closure. Deliberately **cannot** change the function's existence, source, name, env\n * **keys**, or memory — only runtime selection is currently configurable — so the static\n * secret/function set stays sound.\n */\nexport interface FunctionTuning {\n\t/** Runtime to execute the function with. Defaults to `\"nodejs24\"`. */\n\truntime?: FunctionRuntime;\n}\n\n/**\n * Per-branch tuning of Preview features. Only existing function slugs (those declared in\n * the static {@link PreviewInput.functions}) may be tuned — `Slug` is constrained to the\n * declared keys by {@link BranchTuningFn}.\n */\nexport interface PreviewTuning<Slug extends string = string> {\n\tfunctions?: Partial<Record<Slug, FunctionTuning>>;\n}\n\n/**\n * The per-branch tuning object returned by the `branch` closure. It can adjust branch\n * lifecycle (`parent`, `ttl`, `protected`), Postgres compute settings, and per-function\n * deploy tuning — but **cannot** add/remove services or functions. That guarantee is what\n * keeps the static secret set (and therefore `NeonEnv`) exact.\n */\nexport interface BranchTuning<Slug extends string = string> {\n\t/** Parent branch name used when creating a new branch. Not a Postgres setting. */\n\tparent?: string;\n\t/**\n\t * Branch time-to-live: how long after creation the branch should auto-expire. Applied\n\t * when creating a new branch and reconciled on existing branches (when `updateExisting`\n\t * is set). Accepts a {@link DurationString} (autocompletes common values) or a number of\n\t * seconds. Omit to keep the branch indefinitely.\n\t *\n\t * - {@link DurationString} — e.g. `\"7d\"`; autocompletes `\"1h\"`, `\"6h\"`, `\"12h\"`, `\"1d\"`,\n\t *   `\"3d\"`, `\"7d\"`, `\"14d\"`, `\"30d\"`, and accepts any other `<integer><unit>` (units: `s`,\n\t *   `m`, `h`, `d`, `w` — e.g. `\"12h\"`, `\"2w\"`). A **unit is required** — `\"7\"` is rejected;\n\t *   for raw seconds pass a `number`.\n\t * - `number` — custom TTL in **seconds** (e.g. `3600`)\n\t * - `undefined` — no expiry; the branch persists until explicitly deleted\n\t *\n\t * The Neon API caps branch expiration at **30 days** from creation, so the resolved TTL must\n\t * be `> 0` and `<= 30d`; the suggestions stay within that limit and anything longer is\n\t * rejected at apply.\n\t *\n\t * @example \"1d\"   // ephemeral preview branch: expires a day after creation\n\t * @example \"7d\"   // one-week TTL\n\t * @example \"30d\"  // the maximum the API allows\n\t * @example 3600   // 1 hour, expressed in seconds\n\t */\n\tttl?: DurationField<TtlSuggestion>;\n\t/** Whether the selected branch should be protected. Undefined means \"leave as-is\". */\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tpreview?: PreviewTuning<Slug>;\n}\n\n/** Extract the declared function slugs from a {@link PreviewInput} for closure typing. */\ntype FunctionSlugsOf<Preview extends PreviewInput | undefined> =\n\tPreview extends {\n\t\tfunctions: infer F;\n\t}\n\t\t? Extract<keyof F, string>\n\t\t: string;\n\n/**\n * Signature of the `branch` closure. Generic over the static {@link PreviewInput} so the\n * `preview.functions` keys it may tune are constrained to the slugs actually declared.\n */\nexport type BranchTuningFn<\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> = (branch: BranchTarget) => BranchTuning<FunctionSlugsOf<Preview>>;\n\n/**\n * A validated Neon branch policy — the value `defineConfig({ … })` returns and `neon.ts`\n * default-exports.\n *\n * Split into a **static** existential set (top-level `auth` / `dataApi` GA toggles plus the\n * beta `preview` block) and a **dynamic** per-branch `branch` closure for tuning. The\n * static half is what makes the secret set — and therefore `NeonEnv<typeof config>` and\n * `parseEnv` — exact; the closure can tune but never change what exists.\n *\n * Generic over the three static fields so the type system can read the exact toggle/slug\n * literals; the defaults make the bare `Config` a usable \"any policy\" type for runtime\n * function signatures.\n */\nexport interface Config<\n\tAuth extends ServiceToggleInput | undefined =\n\t\t| ServiceToggleInput\n\t\t| undefined,\n\tDataApi extends DataApiInput | undefined = DataApiInput | undefined,\n\tPreview extends PreviewInput | undefined = PreviewInput | undefined,\n> {\n\t/** Neon Auth integration toggle (GA). Static — drives `NeonEnv.auth`. */\n\tauth?: Auth;\n\t/**\n\t * Neon Data API integration (GA). Static — drives `NeonEnv.dataApi`. A boolean/toggle, or\n\t * a {@link DataApiConfig} object selecting the auth provider (`\"neon\"` / `\"external\"`) and\n\t * runtime {@link DataApiSettings}. With `authProvider: \"neon\"` the policy must also enable\n\t * top-level `auth`.\n\t */\n\tdataApi?: DataApi;\n\t/** Beta (Preview) feature set: AI Gateway, functions, buckets. Static. */\n\tpreview?: Preview;\n\t/** Per-branch tuning closure. Cannot change the static existential set. */\n\tbranch?: BranchTuningFn<Preview>;\n}\n\n/**\n * A function with all deploy defaults applied. `resolveConfig` fills in `runtime` so\n * downstream diff/apply never has to re-derive it.\n */\nexport interface ResolvedFunctionConfig {\n\tslug: string;\n\tname: string;\n\tsource: string;\n\tenv: Record<string, string>;\n\truntime: FunctionRuntime;\n\t/**\n\t * Local-development settings, passed through untouched from {@link FunctionDef.dev}\n\t * (no defaults applied). Only consumed by `neon dev`; deploy ignores it.\n\t */\n\tdev?: FunctionDevConfig;\n}\n\n/** A bucket with its access level defaulted to `private`. */\nexport interface ResolvedBucketConfig {\n\tname: string;\n\taccess: BucketAccessLevel;\n}\n\n/**\n * Normalized {@link PreviewInput}. Only present on {@link ResolvedBranchConfig} when the\n * policy returned a `preview` block. `aiGatewayEnabled` follows the same\n * \"present-and-not-`false`\" semantics as `authEnabled` / `dataApiEnabled`.\n */\nexport interface ResolvedPreviewConfig {\n\tfunctions: ResolvedFunctionConfig[];\n\tbuckets: ResolvedBucketConfig[];\n\taiGatewayEnabled: boolean;\n}\n\n/**\n * Normalized Data API integration. Present on {@link ResolvedBranchConfig} only when the\n * policy enables `dataApi`. `authProvider` always resolves (defaults to `\"neon\"`); the\n * external-IdP wiring is present only for `\"external\"`; `settings` carries the camelCase\n * runtime settings (reconciled as an update when they drift).\n */\nexport interface ResolvedDataApiConfig {\n\tauthProvider: DataApiAuthProvider;\n\tjwksUrl?: string;\n\tproviderName?: string;\n\tjwtAudience?: string;\n\tsettings?: DataApiSettings;\n}\n\nexport interface ResolvedBranchConfig {\n\tparent?: string;\n\tttlSeconds?: number;\n\tprotected?: boolean;\n\tpostgres?: PostgresConfig;\n\tauthEnabled: boolean;\n\tdataApiEnabled: boolean;\n\t/**\n\t * Resolved Data API integration. Present iff {@link dataApiEnabled} is `true`. Carries the\n\t * create-time auth wiring and the updatable {@link DataApiSettings}.\n\t */\n\tdataApi?: ResolvedDataApiConfig;\n\tpreview?: ResolvedPreviewConfig;\n}\n\n/**\n * One concrete change `pushConfig` made (or, in dry-run, would make) on the remote.\n */\nexport interface AppliedChange {\n\t/**\n\t * `service` covers branch-scoped integrations driven by the branch policy (e.g.\n\t * Neon Auth, Data API).\n\t */\n\tkind: \"branch\" | \"service\";\n\taction: \"create\" | \"update\" | \"noop\";\n\tidentifier: string;\n\tdetails?: Record<string, unknown>;\n}\n\n/**\n * A diff entry that conflicts with the desired config. `pushConfig` throws\n * {@link PushConflictError} on the first call when conflicts exist; pass\n * `updateExisting: true` to apply mutable drift (settings, `protected`, TTL, project\n * rename). Immutable fields (region, Postgres major version) are always conflicts —\n * recreate the project to change them.\n */\nexport interface ConflictReport {\n\tkind: \"branch\";\n\tidentifier: string;\n\tfield: string;\n\tcurrent: unknown;\n\tdesired: unknown;\n\treason: string;\n}\n\n/**\n * Result of a `pushConfig` invocation.\n */\nexport interface PushResult {\n\tprojectId: string;\n\torgId?: string;\n\tbranchId: string;\n\tbranchName: string;\n\t/**\n\t * `true` when `pushConfig` was called with `{ dryRun: true }`. `applied` then records\n\t * what **would** be applied on a real push; no API mutations were performed.\n\t */\n\tdryRun: boolean;\n\tapplied: AppliedChange[];\n\tconflicts: ConflictReport[];\n}\n"],"mappings":";;;;;;;;;;;;;AA+LA,MAAa,0BAA0B,CAAC,QAAQ,UAAU"}

package/dist/v1.d.ts

@@ -1,6 +1,6 @@
-import { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceToggle, ServiceToggleInput } from "./lib/types.js";
+import { AppliedChange, BranchTarget, BranchTuning, BranchTuningFn, BucketAccessLevel, BucketDef, ComputeSettings, ComputeUnit, Config, ConflictReport, CredentialPrincipalType, CredentialScope, DATA_API_AUTH_PROVIDERS, DataApiAuthProvider, DataApiConfig, DataApiExternalAuthConfig, DataApiInput, DataApiNeonAuthConfig, DataApiSettings, DurationString, DurationUnit, FunctionDef, FunctionDevConfig, FunctionRuntime, FunctionTuning, PostgresConfig, PreviewInput, PreviewTuning, PushResult, ResolvedBranchConfig, ResolvedBucketConfig, ResolvedDataApiConfig, ResolvedFunctionConfig, ResolvedPreviewConfig, ServiceEnabled, ServiceToggle, ServiceToggleInput } from "./lib/types.js";
 import { ConfigLoadError, ConfigValidationError, ErrorCode, MissingContextError, PlatformError, PushAbortedError, PushConflictError, isPlatformError } from "./lib/errors.js";
-import { CreateBranchInput, CreateBucketInput, CreateCredentialInput, CreateProjectInput, DeployFunctionInput, GetConnectionUriInput, NeonApi, NeonAuthSnapshot, NeonBranchSnapshot, NeonBranchStorageSnapshot, NeonBucketSnapshot, NeonCredentialMeta, NeonCredentialSecret, NeonDataApiSnapshot, NeonDatabaseSnapshot, NeonEndpointSnapshot, NeonFunctionDeploymentSnapshot, NeonFunctionSnapshot, NeonProjectSnapshot, NeonRoleSnapshot, UpdateBranchInput } from "./lib/neon-api.js";
+import { CreateBranchInput, CreateBucketInput, CreateCredentialInput, CreateProjectInput, DeployFunctionInput, EnableDataApiInput, GetConnectionUriInput, NeonApi, NeonAuthSnapshot, NeonBranchSnapshot, NeonBranchStorageSnapshot, NeonBucketSnapshot, NeonCredentialMeta, NeonCredentialSecret, NeonDataApiSnapshot, NeonDatabaseSnapshot, NeonEndpointSnapshot, NeonFunctionDeploymentSnapshot, NeonFunctionSnapshot, NeonProjectSnapshot, NeonRoleSnapshot, UpdateBranchInput } from "./lib/neon-api.js";
 import { createNeonApiFromOptions, resolveApiKey } from "./lib/auth.js";
 import { CredentialFeatureFlags, credentialScopesSatisfied, deriveCredentialScopes } from "./lib/credentials.js";
 import { defineConfig, resolveConfig } from "./lib/define-config.js";
@@ -55,6 +55,22 @@ declare const schemas: {
     }, zod_v4_core0.$strict>]>>;
     dataApi: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodBoolean, zod0.ZodObject<{
       enabled: zod0.ZodOptional<zod0.ZodBoolean>;
+      authProvider: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"neon">, zod0.ZodLiteral<"external">]>>;
+      jwksUrl: zod0.ZodOptional<zod0.ZodString>;
+      providerName: zod0.ZodOptional<zod0.ZodString>;
+      jwtAudience: zod0.ZodOptional<zod0.ZodString>;
+      settings: zod0.ZodOptional<zod0.ZodObject<{
+        dbAggregatesEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+        dbAnonRole: zod0.ZodOptional<zod0.ZodString>;
+        dbExtraSearchPath: zod0.ZodOptional<zod0.ZodString>;
+        dbMaxRows: zod0.ZodOptional<zod0.ZodNumber>;
+        dbSchemas: zod0.ZodOptional<zod0.ZodArray<zod0.ZodString>>;
+        jwtRoleClaimKey: zod0.ZodOptional<zod0.ZodString>;
+        jwtCacheMaxLifetime: zod0.ZodOptional<zod0.ZodNumber>;
+        openapiMode: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"ignore-privileges">, zod0.ZodLiteral<"disabled">]>>;
+        serverCorsAllowedOrigins: zod0.ZodOptional<zod0.ZodString>;
+        serverTimingEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+      }, zod_v4_core0.$strict>>;
     }, zod_v4_core0.$strict>]>>;
     preview: zod0.ZodOptional<zod0.ZodObject<{
       aiGateway: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodBoolean, zod0.ZodObject<{
@@ -99,6 +115,56 @@ declare const schemas: {
     autoscalingLimitMaxCu: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<0.25>, zod0.ZodLiteral<0.5>, zod0.ZodLiteral<1>, zod0.ZodLiteral<2>, zod0.ZodLiteral<4>, zod0.ZodLiteral<8>]>>;
     suspendTimeout: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<false>, zod0.ZodString, zod0.ZodNumber]>>;
   }, zod_v4_core0.$strict>;
+  readonly dataApi: zod0.ZodObject<{
+    enabled: zod0.ZodOptional<zod0.ZodBoolean>;
+    authProvider: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"neon">, zod0.ZodLiteral<"external">]>>;
+    jwksUrl: zod0.ZodOptional<zod0.ZodString>;
+    providerName: zod0.ZodOptional<zod0.ZodString>;
+    jwtAudience: zod0.ZodOptional<zod0.ZodString>;
+    settings: zod0.ZodOptional<zod0.ZodObject<{
+      dbAggregatesEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+      dbAnonRole: zod0.ZodOptional<zod0.ZodString>;
+      dbExtraSearchPath: zod0.ZodOptional<zod0.ZodString>;
+      dbMaxRows: zod0.ZodOptional<zod0.ZodNumber>;
+      dbSchemas: zod0.ZodOptional<zod0.ZodArray<zod0.ZodString>>;
+      jwtRoleClaimKey: zod0.ZodOptional<zod0.ZodString>;
+      jwtCacheMaxLifetime: zod0.ZodOptional<zod0.ZodNumber>;
+      openapiMode: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"ignore-privileges">, zod0.ZodLiteral<"disabled">]>>;
+      serverCorsAllowedOrigins: zod0.ZodOptional<zod0.ZodString>;
+      serverTimingEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+    }, zod_v4_core0.$strict>>;
+  }, zod_v4_core0.$strict>;
+  readonly dataApiInput: zod0.ZodUnion<readonly [zod0.ZodBoolean, zod0.ZodObject<{
+    enabled: zod0.ZodOptional<zod0.ZodBoolean>;
+    authProvider: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"neon">, zod0.ZodLiteral<"external">]>>;
+    jwksUrl: zod0.ZodOptional<zod0.ZodString>;
+    providerName: zod0.ZodOptional<zod0.ZodString>;
+    jwtAudience: zod0.ZodOptional<zod0.ZodString>;
+    settings: zod0.ZodOptional<zod0.ZodObject<{
+      dbAggregatesEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+      dbAnonRole: zod0.ZodOptional<zod0.ZodString>;
+      dbExtraSearchPath: zod0.ZodOptional<zod0.ZodString>;
+      dbMaxRows: zod0.ZodOptional<zod0.ZodNumber>;
+      dbSchemas: zod0.ZodOptional<zod0.ZodArray<zod0.ZodString>>;
+      jwtRoleClaimKey: zod0.ZodOptional<zod0.ZodString>;
+      jwtCacheMaxLifetime: zod0.ZodOptional<zod0.ZodNumber>;
+      openapiMode: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"ignore-privileges">, zod0.ZodLiteral<"disabled">]>>;
+      serverCorsAllowedOrigins: zod0.ZodOptional<zod0.ZodString>;
+      serverTimingEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+    }, zod_v4_core0.$strict>>;
+  }, zod_v4_core0.$strict>]>;
+  readonly dataApiSettings: zod0.ZodObject<{
+    dbAggregatesEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+    dbAnonRole: zod0.ZodOptional<zod0.ZodString>;
+    dbExtraSearchPath: zod0.ZodOptional<zod0.ZodString>;
+    dbMaxRows: zod0.ZodOptional<zod0.ZodNumber>;
+    dbSchemas: zod0.ZodOptional<zod0.ZodArray<zod0.ZodString>>;
+    jwtRoleClaimKey: zod0.ZodOptional<zod0.ZodString>;
+    jwtCacheMaxLifetime: zod0.ZodOptional<zod0.ZodNumber>;
+    openapiMode: zod0.ZodOptional<zod0.ZodUnion<readonly [zod0.ZodLiteral<"ignore-privileges">, zod0.ZodLiteral<"disabled">]>>;
+    serverCorsAllowedOrigins: zod0.ZodOptional<zod0.ZodString>;
+    serverTimingEnabled: zod0.ZodOptional<zod0.ZodBoolean>;
+  }, zod_v4_core0.$strict>;
   readonly function: zod0.ZodObject<{
     name: zod0.ZodString;
     source: zod0.ZodString;
@@ -141,5 +207,5 @@ declare const schemas: {
   }, zod_v4_core0.$strict>]>;
 };
 //#endregion
-export { type AppliedChange, type BranchTarget, type BranchTuning, type BranchTuningFn, type BucketAccessLevel, type BucketDef, type ComputeSettings, type ComputeUnit, type Config, ConfigLoadError, ConfigValidationError, type ConflictReport, type CreateBranchInput, type CreateBucketInput, type CreateCredentialInput, type CreateProjectInput, type CredentialFeatureFlags, type CredentialPrincipalType, type CredentialScope, type DeployFunctionInput, type DiffOptions, type DiffResult, type DurationString, type DurationUnit, ErrorCode, type FunctionDef, type FunctionDevConfig, type FunctionRuntime, type FunctionTuning, type GetConnectionUriInput, type LoadConfigOptions, MissingContextError, type NeonApi, type NeonAuthSnapshot, type NeonBranchSnapshot, type NeonBranchStorageSnapshot, type NeonBucketSnapshot, type NeonCredentialMeta, type NeonCredentialSecret, type NeonDataApiSnapshot, type NeonDatabaseSnapshot, type NeonEndpointSnapshot, type NeonFunctionDeploymentSnapshot, type NeonFunctionSnapshot, type NeonProjectSnapshot, type NeonRoleSnapshot, type PlanStep, PlatformError, type PostgresConfig, type PreviewInput, type PreviewTuning, PushAbortedError, PushConflictError, type PushResult, type RemotePreviewState, type RemoteServiceState, type RemoteState, type ResolvedBranchConfig, type ResolvedBucketConfig, type ResolvedFunctionConfig, type ResolvedPreviewConfig, type ServiceToggle, type ServiceToggleInput, type UpdateBranchInput, createNeonApiFromOptions, createRealNeonApi, credentialScopesSatisfied, defineConfig, deriveCredentialScopes, diffConfig, errors, isPlatformError, loadConfigFromFile, resolveApiKey, resolveConfig, schemas };
+export { type AppliedChange, type BranchTarget, type BranchTuning, type BranchTuningFn, type BucketAccessLevel, type BucketDef, type ComputeSettings, type ComputeUnit, type Config, ConfigLoadError, ConfigValidationError, type ConflictReport, type CreateBranchInput, type CreateBucketInput, type CreateCredentialInput, type CreateProjectInput, type CredentialFeatureFlags, type CredentialPrincipalType, type CredentialScope, DATA_API_AUTH_PROVIDERS, type DataApiAuthProvider, type DataApiConfig, type DataApiExternalAuthConfig, type DataApiInput, type DataApiNeonAuthConfig, type DataApiSettings, type DeployFunctionInput, type DiffOptions, type DiffResult, type DurationString, type DurationUnit, type EnableDataApiInput, ErrorCode, type FunctionDef, type FunctionDevConfig, type FunctionRuntime, type FunctionTuning, type GetConnectionUriInput, type LoadConfigOptions, MissingContextError, type NeonApi, type NeonAuthSnapshot, type NeonBranchSnapshot, type NeonBranchStorageSnapshot, type NeonBucketSnapshot, type NeonCredentialMeta, type NeonCredentialSecret, type NeonDataApiSnapshot, type NeonDatabaseSnapshot, type NeonEndpointSnapshot, type NeonFunctionDeploymentSnapshot, type NeonFunctionSnapshot, type NeonProjectSnapshot, type NeonRoleSnapshot, type PlanStep, PlatformError, type PostgresConfig, type PreviewInput, type PreviewTuning, PushAbortedError, PushConflictError, type PushResult, type RemotePreviewState, type RemoteServiceState, type RemoteState, type ResolvedBranchConfig, type ResolvedBucketConfig, type ResolvedDataApiConfig, type ResolvedFunctionConfig, type ResolvedPreviewConfig, type ServiceEnabled, type ServiceToggle, type ServiceToggleInput, type UpdateBranchInput, createNeonApiFromOptions, createRealNeonApi, credentialScopesSatisfied, defineConfig, deriveCredentialScopes, diffConfig, errors, isPlatformError, loadConfigFromFile, resolveApiKey, resolveConfig, schemas };
 //# sourceMappingURL=v1.d.ts.map