@neondatabase/config 0.7.1 → 0.8.0

package/dist/lib/define-config.d.ts

@@ -1,4 +1,4 @@
-import { BranchTarget, BranchTuningFn, Config, DataApiInput, PreviewInput, ResolvedBranchConfig, ServiceEnabled, ServiceToggleInput } from "./types.js";
+import { BranchTarget, BranchTuningFn, BucketDef, Config, DataApiInput, FunctionDef, PreviewInput, ResolvedBranchConfig, ServiceEnabled, ServiceToggleInput } from "./types.js";
 
 //#region src/lib/define-config.d.ts
 
@@ -10,21 +10,61 @@ import { BranchTarget, BranchTuningFn, Config, DataApiInput, PreviewInput, Resol
 type DataApiUsesNeonAuth<DataApi> = ServiceEnabled<DataApi> extends true ? [DataApi] extends [{
   authProvider: "external";
 }] ? false : true : false;
-/** An `auth` toggle value that is statically guaranteed enabled (`true` / `{}` / `{ enabled: true }`). */
-type EnabledAuthToggle = true | {
-  enabled?: true;
-};
 /**
- * Static cross-field guard for {@link defineConfig}. When the policy enables a Neon-Auth
- * Data API (`authProvider: "neon"`, the default) but does **not** enable top-level `auth`,
- * this resolves to `{ auth: EnabledAuthToggle }` — intersected into the parameter type, it
- * makes `auth` required and rejects `auth: false` / a missing `auth`, surfacing the rule at
- * author time. Otherwise it is `unknown` (a no-op intersection). The runtime `superRefine`
- * in {@link configInputSchema} enforces the same invariant for non-typed callers.
+ * Human-readable hint surfaced as the **expected type** of `dataApi` when a Neon-Auth Data
+ * API is declared without Neon Auth enabled (see {@link DataApiField}). TypeScript prints the
+ * offending value against this string literal — `Type 'true' is not assignable to type
+ * '…requires `auth: true`…'` — which points straight at the fix, instead of the opaque
+ * `Type 'true' is not assignable to type 'never'` an intersection guard produces.
+ *
+ * It documents **both** fixes: enabling Neon Auth (`auth: true`), and running the Data API
+ * *without* Neon Auth by verifying a third-party IdP (`authProvider: 'external'` + `jwksUrl`).
+ */
+type NeonAuthRequiredHint = "`dataApi` with Neon Auth (the default `authProvider: 'neon'`) requires Neon Auth, so add `auth: true`. To enable the Data API WITHOUT Neon Auth, verify a third-party IdP instead: `dataApi: { authProvider: 'external', jwksUrl: 'https://your-idp/.well-known/jwks.json' }`";
+/**
+ * Static cross-field guard for {@link defineConfig}, expressed as the **type of the `dataApi`
+ * field** rather than an intersected requirement on `auth`.
+ *
+ * - A Neon-Auth Data API (`authProvider: "neon"`, the default) with top-level `auth` enabled,
+ *   or any external Data API: the field keeps its normal `DataApi & DataApiInput` type (the
+ *   `& DataApiInput` preserves member autocomplete; the `const DataApi` still types the
+ *   returned {@link Config}).
+ * - A Neon-Auth Data API **without** `auth` enabled: the field's expected type collapses to
+ *   the {@link NeonAuthRequiredHint} message, so the author sees the rule (and the two fixes)
+ *   right on the `dataApi` value.
+ *
+ * The runtime `superRefine` in {@link configInputSchema} enforces the same invariant for
+ * non-typed (plain-JS) callers, so the behavior is identical — only the type-level message
+ * changes.
+ */
+type DataApiField<Auth, DataApi> = DataApiUsesNeonAuth<DataApi> extends true ? ServiceEnabled<Auth> extends true ? DataApi & DataApiInput : NeonAuthRequiredHint : DataApi & DataApiInput;
+/**
+ * Autocomplete bridge for the nested `preview.functions` / `preview.buckets` slug objects.
+ *
+ * {@link PreviewInput} types those records with a string index signature
+ * (`Record<string, FunctionDef>` / `Record<string, BucketDef>`). When `defineConfig` infers
+ * `const Preview`, every authored slug becomes a **named** property on the inferred literal
+ * (e.g. `{ hello: { name; source } }`), and a named property **shadows** the index signature
+ * when the editor computes the contextual type of that slug's value — so the rest of
+ * {@link FunctionDef} / {@link BucketDef} (`env`, `dev`, `access`, …) never surfaces as
+ * completions inside `hello: { … }` / `uploads: { … }`.
+ *
+ * Re-declaring each inferred slug's value as `FunctionDef` / `BucketDef` (a *named* member, via
+ * a mapped type over the already-inferred keys) puts those members back onto the contextual
+ * type without going through an index signature, which restores autocomplete. Intersected with
+ * `Preview & PreviewInput` it neither widens what is accepted (the values were already
+ * `FunctionDef` / `BucketDef`) nor perturbs the inferred `const Preview` — so slug inference for
+ * `BranchTuningFn<Preview>` and the returned {@link Config} is unchanged.
  */
-type RequiresNeonAuth<Auth, DataApi> = DataApiUsesNeonAuth<DataApi> extends true ? ServiceEnabled<Auth> extends true ? unknown : {
-  auth: EnabledAuthToggle;
-} : unknown;
+type PreviewAutocomplete<Preview> = (Preview extends {
+  functions: infer F;
+} ? {
+  functions: { [Slug in keyof F]: FunctionDef };
+} : unknown) & (Preview extends {
+  buckets: infer B;
+} ? {
+  buckets: { [Name in keyof B]: BucketDef };
+} : unknown);
 /**
  * Validate and freeze a Neon Platform branch policy.
  *
@@ -60,10 +100,10 @@ type RequiresNeonAuth<Auth, DataApi> = DataApiUsesNeonAuth<DataApi> extends true
  */
 declare function defineConfig<const Auth extends ServiceToggleInput | undefined = undefined, const DataApi extends DataApiInput | undefined = undefined, const Preview extends PreviewInput | undefined = undefined>(input: {
   auth?: Auth & ServiceToggleInput;
-  dataApi?: DataApi & DataApiInput;
-  preview?: Preview & PreviewInput;
+  dataApi?: DataApiField<Auth, DataApi>;
+  preview?: Preview & PreviewInput & PreviewAutocomplete<Preview>;
   branch?: BranchTuningFn<Preview>;
-} & RequiresNeonAuth<Auth, DataApi>): Config<Auth, DataApi, Preview>;
+}): Config<Auth, DataApi, Preview>;
 /**
  * Evaluate a branch policy for a specific branch target and return a normalized config.
  *
@@ -79,5 +119,5 @@ declare function resolveConfig(config: Config, branch: BranchTarget): ResolvedBr
  */
 declare function normalizeRegion(region: string): string;
 //#endregion
-export { defineConfig, normalizeRegion, resolveConfig };
+export { DataApiField, NeonAuthRequiredHint, defineConfig, normalizeRegion, resolveConfig };
 //# sourceMappingURL=define-config.d.ts.map

package/dist/lib/define-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"define-config.d.ts","names":[],"sources":["../../src/lib/define-config.ts"],"mappings":";;;;;;AAuBoB;;;KAYf,mBAA+B,CAAA,OAAA,CAAA,GAAA,cAAA,CAAe,OAAf,CAAA,SAAA,IAAA,GAAA,CAChC,OADgC,CAAA,SAAA,CAAA;cAChC,EAAA,UAAA;AAAO,CAAA,CAAA,GAAA,KAAA,GAAA,IAAA,GAAA,KAAA;AAAA;AAMW,KAAjB,iBAAA,GAUgB,IAAA,GAAA;EAAA,OAAA,CAAA,EAAA,IAAA;;;;;;AAGQ;AAoC7B;;;KAvCK,gBAyCkB,CAAA,IAAA,EAAA,OAAA,CAAA,GAzCgB,mBAyChB,CAzCoC,OAyCpC,CAAA,SAAA,IAAA,GAxCpB,cAwCoB,CAxCL,IAwCK,CAAA,SAAA,IAAA,GAAA,OAAA,GAAA;MACA,EAvCX,iBAuCW;WASd;;;;;;;;;;;;;;;AAKA;AA4BT;;;;;AAGuB;AAgKvB;;;;;;;;;;;;iBAhNgB,gCACI,kEACG,4DACA;SASd,OAAO;YACJ,UAAU;YACV,UAAU;WACX,eAAe;IACrB,iBAAiB,MAAM,WACzB,OAAO,MAAM,SAAS;;;;;;;;iBA4BT,aAAA,SACP,gBACA,eACN;;;;;;iBAgKa,eAAA"}
+{"version":3,"file":"define-config.d.ts","names":[],"sources":["../../src/lib/define-config.ts"],"mappings":";;;;;;AAwBoB;;;KAYf,mBAA+B,CAAA,OAAA,CAAA,GAAA,cAAA,CAAe,OAAf,CAAA,SAAA,IAAA,GAAA,CAChC,OADgC,CAAA,SAAA,CAAA;cAChC,EAAA,UAAA;AAAO,CAAA,CAAA,GAAA,KAAA,GAAA,IAAA,GAAA,KAAA;AAiBX;AAqBA;;;;;;;;;AAKI,KA1BQ,oBAAA,GA0BR,+QAAA;;AAAsB;AAAC;;;;;;;;AAwBkB;AAoC7C;;;;;AAWQ,KA5EI,YA4EJ,CAAA,IAAA,EAAA,OAAA,CAAA,GA3EP,mBA2EO,CA3Ea,OA2Eb,CAAA,SAAA,IAAA,GA1EJ,cA0EI,CA1EW,IA0EX,CAAA,SAAA,IAAA,GAzEH,OAyEG,GAzEO,YAyEP,GAxEH,oBAwEG,GAvEJ,OAuEI,GAvEM,YAuEN;;;;;;;;;;;;;;;AAUE;AA4BV;;;KAzFK,mBA2FI,CAAA,OAAA,CAAA,GAAA,CA3F4B,OA2F5B,SAAA;WACN,EAAA,KAAA,EAAA;AAAoB,CAAA,GAAA;EAgKP,SAAA,EAAA,iBA3PiB,IAAI;gBAEnC;;;4BAC8B,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoCpB,gCACI,kEACG,4DACA;SAQf,OAAO;YAIJ,aAAa,MAAM;YAInB,UAAU,eAAe,oBAAoB;WAC9C,eAAe;IACrB,OAAO,MAAM,SAAS;;;;;;;;iBA4BV,aAAA,SACP,gBACA,eACN;;;;;;iBAgKa,eAAA"}

package/dist/lib/define-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"define-config.js","names":[],"sources":["../../src/lib/define-config.ts"],"sourcesContent":["import { parseBranchTtl } from \"./duration.js\";\nimport { ConfigValidationError } from \"./errors.js\";\nimport {\n\tbranchTuningSchema,\n\tconfigInputSchema,\n\tformatZodIssues,\n} from \"./schema.js\";\nimport type {\n\tBranchTarget,\n\tBranchTuning,\n\tBranchTuningFn,\n\tConfig,\n\tDataApiInput,\n\tDataApiSettings,\n\tFunctionDef,\n\tFunctionTuning,\n\tPreviewInput,\n\tResolvedBranchConfig,\n\tResolvedDataApiConfig,\n\tResolvedFunctionConfig,\n\tResolvedPreviewConfig,\n\tServiceEnabled,\n\tServiceToggleInput,\n} from \"./types.js\";\n\n/** Default deploy parameters applied to functions that omit them in `neon.ts`. */\nconst DEFAULT_FUNCTION_RUNTIME = \"nodejs24\" as const;\n\nconst REGION_PREFIX = /^(aws|azure|gcp)-/;\n\n/**\n * Whether a `dataApi` toggle is **enabled and verified by Neon Auth** at the type level: it is\n * on (see {@link ServiceEnabled}) and not the explicit `authProvider: \"external\"` variant\n * (so the default / `\"neon\"` provider). This is the case that requires top-level Neon Auth.\n */\ntype DataApiUsesNeonAuth<DataApi> = ServiceEnabled<DataApi> extends true\n\t? [DataApi] extends [{ authProvider: \"external\" }]\n\t\t? false\n\t\t: true\n\t: false;\n\n/** An `auth` toggle value that is statically guaranteed enabled (`true` / `{}` / `{ enabled: true }`). */\ntype EnabledAuthToggle = true | { enabled?: true };\n\n/**\n * Static cross-field guard for {@link defineConfig}. When the policy enables a Neon-Auth\n * Data API (`authProvider: \"neon\"`, the default) but does **not** enable top-level `auth`,\n * this resolves to `{ auth: EnabledAuthToggle }` — intersected into the parameter type, it\n * makes `auth` required and rejects `auth: false` / a missing `auth`, surfacing the rule at\n * author time. Otherwise it is `unknown` (a no-op intersection). The runtime `superRefine`\n * in {@link configInputSchema} enforces the same invariant for non-typed callers.\n */\ntype RequiresNeonAuth<Auth, DataApi> = DataApiUsesNeonAuth<DataApi> extends true\n\t? ServiceEnabled<Auth> extends true\n\t\t? unknown\n\t\t: { auth: EnabledAuthToggle }\n\t: unknown;\n\n/**\n * Validate and freeze a Neon Platform branch policy.\n *\n * Used at the top of `neon.ts`:\n * ```ts\n * import { defineConfig } from \"@neondatabase/config/v1\";\n *\n * export default defineConfig({\n *   auth: true,\n *   preview: {\n *     functions: {\n *       hello: { name: \"Hello\", source: \"./functions/hello.ts\", dev: { port: 8787 } },\n *     },\n *   },\n *   branch: (branch) => ({ protected: branch.name === \"main\" }),\n * });\n * ```\n *\n * The policy is split into a **static** existential set (top-level `auth` / `dataApi`\n * toggles and the beta `preview` block) and a **dynamic** per-branch `branch` closure. The\n * static half determines which secrets exist — so `NeonEnv<typeof config>` and `parseEnv`\n * are exact — while the closure can only *tune* a branch (lifecycle, compute, per-function\n * deploy settings), never change what exists.\n *\n * The `branch` callback receives a read-only {@link BranchTarget} descriptor of the branch\n * being decided for (not a live handle); switch on its facts (`branch.name`,\n * `branch.isDefault`, `branch.exists`, …) and **return** the desired tuning. It runs in two\n * modes: against an existing branch (fields populated from Neon) and during pre-create\n * evaluation (`exists: false`, `id` undefined).\n *\n * Pure: no I/O, no side effects. The static parts are validated here; the closure's output\n * is validated every time it is evaluated so errors point at the concrete branch target.\n */\nexport function defineConfig<\n\tconst Auth extends ServiceToggleInput | undefined = undefined,\n\tconst DataApi extends DataApiInput | undefined = undefined,\n\tconst Preview extends PreviewInput | undefined = undefined,\n>(\n\tinput: {\n\t\t// Each field is intersected with its concrete interface (not just typed as the bare\n\t\t// generic). The generic alone — e.g. `preview?: Preview` — gives editors no members to\n\t\t// complete against in the object-literal position (they see `{} | undefined`), so you\n\t\t// lose hints for `aiGateway` / `functions` / `buckets`. `& PreviewInput` restores the\n\t\t// full shape for autocomplete while still inferring the `const` literal that types the\n\t\t// `branch` closure's slugs (BranchTuningFn<Preview>) and the returned Config.\n\t\tauth?: Auth & ServiceToggleInput;\n\t\tdataApi?: DataApi & DataApiInput;\n\t\tpreview?: Preview & PreviewInput;\n\t\tbranch?: BranchTuningFn<Preview>;\n\t} & RequiresNeonAuth<Auth, DataApi>,\n): Config<Auth, DataApi, Preview> {\n\tif (typeof input === \"function\") {\n\t\tthrow new ConfigValidationError([\n\t\t\t\"defineConfig now expects an object, not a function: `export default defineConfig({ auth: true, preview: { … }, branch: (branch) => ({ … }) })`.\",\n\t\t\t\"The static services/preview set moved to the top level; per-branch logic moved into the `branch` closure.\",\n\t\t]);\n\t}\n\tif (input === null || typeof input !== \"object\") {\n\t\tthrow new ConfigValidationError([\n\t\t\t\"defineConfig expects a configuration object: `export default defineConfig({ … })`.\",\n\t\t]);\n\t}\n\n\tconst parsed = configInputSchema.safeParse(input);\n\tif (!parsed.success) {\n\t\tthrow new ConfigValidationError(formatZodIssues(parsed.error));\n\t}\n\n\treturn Object.freeze({ ...input }) as Config<Auth, DataApi, Preview>;\n}\n\n/**\n * Evaluate a branch policy for a specific branch target and return a normalized config.\n *\n * Merges the static existential set (services + preview functions/buckets) with the\n * per-branch tuning returned by the `branch` closure into the same {@link\n * ResolvedBranchConfig} the rest of the runtime (diff / push / fetchEnv) consumes.\n */\nexport function resolveConfig(\n\tconfig: Config,\n\tbranch: BranchTarget,\n): ResolvedBranchConfig {\n\tconst tuning = evaluateBranchTuning(config.branch, branch);\n\n\tconst resolved: ResolvedBranchConfig = {\n\t\tauthEnabled: isServiceEnabled(config.auth),\n\t\tdataApiEnabled: isDataApiEnabled(config.dataApi),\n\t};\n\tconst dataApi = resolveDataApi(config.dataApi);\n\tif (dataApi) resolved.dataApi = dataApi;\n\tif (tuning.parent !== undefined) resolved.parent = tuning.parent;\n\tif (tuning.ttl !== undefined) {\n\t\t// `branchTuningSchema` already validated `ttl` with the same `parseBranchTtl`, so\n\t\t// this only converts the validated value to seconds — it cannot fail here.\n\t\tconst parsedTtl = parseBranchTtl(tuning.ttl);\n\t\tif (!(\"error\" in parsedTtl)) resolved.ttlSeconds = parsedTtl.seconds;\n\t}\n\tif (tuning.protected !== undefined) resolved.protected = tuning.protected;\n\tif (tuning.postgres?.computeSettings) {\n\t\tresolved.postgres = {\n\t\t\tcomputeSettings: { ...tuning.postgres.computeSettings },\n\t\t};\n\t}\n\n\tconst preview = resolvePreviewConfig(config.preview, tuning);\n\tif (preview) resolved.preview = preview;\n\n\treturn resolved;\n}\n\n/**\n * Run the `branch` closure (when present) for the target and validate its output. The\n * closure is optional — a fully static policy resolves with empty tuning.\n */\nfunction evaluateBranchTuning(\n\tbranchFn: BranchTuningFn | undefined,\n\ttarget: BranchTarget,\n): BranchTuning {\n\tif (!branchFn) return {};\n\tlet raw: unknown;\n\ttry {\n\t\traw = branchFn(Object.freeze({ ...target }));\n\t} catch (cause) {\n\t\tthrow new ConfigValidationError([\n\t\t\t`Branch policy threw while evaluating branch \"${target.name}\".`,\n\t\t\t(cause as Error)?.message ?? String(cause),\n\t\t]);\n\t}\n\tconst parsed = branchTuningSchema.safeParse(raw ?? {});\n\tif (!parsed.success) {\n\t\tthrow new ConfigValidationError(formatZodIssues(parsed.error));\n\t}\n\treturn parsed.data as BranchTuning;\n}\n\nfunction isServiceEnabled(toggle: ServiceToggleInput | undefined): boolean {\n\tif (toggle === undefined) return false;\n\tif (typeof toggle === \"boolean\") return toggle;\n\treturn toggle.enabled !== false;\n}\n\n/** Whether a {@link DataApiInput} is enabled (present object/`true` unless `enabled: false`). */\nfunction isDataApiEnabled(input: DataApiInput | undefined): boolean {\n\tif (input === undefined) return false;\n\tif (typeof input === \"boolean\") return input;\n\treturn input.enabled !== false;\n}\n\n/**\n * Normalize a {@link DataApiInput} into a {@link ResolvedDataApiConfig}, or `undefined` when\n * the Data API is not enabled. `authProvider` defaults to `\"neon\"`; the external-IdP wiring\n * is carried through only for the `\"external\"` provider; `settings` is copied with its\n * `undefined` entries dropped so diffing only considers fields the policy actually set.\n */\nfunction resolveDataApi(\n\tinput: DataApiInput | undefined,\n): ResolvedDataApiConfig | undefined {\n\tif (!isDataApiEnabled(input)) return undefined;\n\tif (typeof input !== \"object\") {\n\t\t// Bare `true`: enabled with Neon Auth and all-default settings.\n\t\treturn { authProvider: \"neon\" };\n\t}\n\tconst authProvider = input.authProvider ?? \"neon\";\n\tconst resolved: ResolvedDataApiConfig = { authProvider };\n\tif (authProvider === \"external\") {\n\t\tif (input.jwksUrl !== undefined) resolved.jwksUrl = input.jwksUrl;\n\t\tif (input.providerName !== undefined)\n\t\t\tresolved.providerName = input.providerName;\n\t\tif (input.jwtAudience !== undefined)\n\t\t\tresolved.jwtAudience = input.jwtAudience;\n\t}\n\tconst settings = normalizeDataApiSettings(input.settings);\n\tif (settings) resolved.settings = settings;\n\treturn resolved;\n}\n\n/** Copy a {@link DataApiSettings}, dropping `undefined` entries; `undefined` when empty. */\nfunction normalizeDataApiSettings(\n\tsettings: DataApiSettings | undefined,\n): DataApiSettings | undefined {\n\tif (!settings) return undefined;\n\tconst out: DataApiSettings = {};\n\tfor (const [key, value] of Object.entries(settings)) {\n\t\tif (value !== undefined) {\n\t\t\t(out as Record<string, unknown>)[key] = value;\n\t\t}\n\t}\n\treturn Object.keys(out).length > 0 ? out : undefined;\n}\n\n/**\n * Normalize the static {@link PreviewInput} (merged with per-branch function tuning) into a\n * {@link ResolvedPreviewConfig}. Returns `undefined` when the policy declares no `preview`\n * block so the field can be omitted entirely. Function slugs / bucket names come from the\n * record keys.\n */\nfunction resolvePreviewConfig(\n\tpreview: PreviewInput | undefined,\n\ttuning: BranchTuning,\n): ResolvedPreviewConfig | undefined {\n\tif (!preview) return undefined;\n\tconst fnTuning = tuning.preview?.functions ?? {};\n\tconst functions: ResolvedFunctionConfig[] = Object.entries(\n\t\tpreview.functions ?? {},\n\t).map(([slug, def]) =>\n\t\tresolveFunctionConfig(slug, def, fnTuning[slug] ?? {}),\n\t);\n\tconst buckets = Object.entries(preview.buckets ?? {}).map(\n\t\t([name, def]) => ({\n\t\t\tname,\n\t\t\taccess: def.access ?? \"private\",\n\t\t}),\n\t);\n\treturn {\n\t\tfunctions,\n\t\tbuckets,\n\t\taiGatewayEnabled: isServiceEnabled(preview.aiGateway),\n\t};\n}\n\nfunction resolveFunctionConfig(\n\tslug: string,\n\tdef: FunctionDef,\n\ttuning: FunctionTuning,\n): ResolvedFunctionConfig {\n\treturn {\n\t\tslug,\n\t\tname: def.name,\n\t\tsource: def.source,\n\t\tenv: { ...(def.env ?? {}) },\n\t\truntime: tuning.runtime ?? DEFAULT_FUNCTION_RUNTIME,\n\t\t// Passed through untouched (no defaults); only `neon dev` reads it.\n\t\t...(def.dev ? { dev: def.dev } : {}),\n\t};\n}\n\n/**\n * Normalize a region identifier to Neon's `<cloud>-<region>` format. When the user writes\n * `us-east-1` we assume `aws-us-east-1`. Pure helper used by both the validator and the\n * NeonApi adapter.\n */\nexport function normalizeRegion(region: string): string {\n\tif (REGION_PREFIX.test(region)) return region;\n\treturn `aws-${region}`;\n}\n"],"mappings":";;;;;AA0BA,MAAM,2BAA2B;AAEjC,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+DtB,SAAgB,aAKf,OAYiC;CACjC,IAAI,OAAO,UAAU,YACpB,MAAM,IAAI,sBAAsB,CAC/B,mJACA,2GACD,CAAC;CAEF,IAAI,UAAU,QAAQ,OAAO,UAAU,UACtC,MAAM,IAAI,sBAAsB,CAC/B,oFACD,CAAC;CAGF,MAAM,SAAS,kBAAkB,UAAU,KAAK;CAChD,IAAI,CAAC,OAAO,SACX,MAAM,IAAI,sBAAsB,gBAAgB,OAAO,KAAK,CAAC;CAG9D,OAAO,OAAO,OAAO,EAAE,GAAG,MAAM,CAAC;AAClC;;;;;;;;AASA,SAAgB,cACf,QACA,QACuB;CACvB,MAAM,SAAS,qBAAqB,OAAO,QAAQ,MAAM;CAEzD,MAAM,WAAiC;EACtC,aAAa,iBAAiB,OAAO,IAAI;EACzC,gBAAgB,iBAAiB,OAAO,OAAO;CAChD;CACA,MAAM,UAAU,eAAe,OAAO,OAAO;CAC7C,IAAI,SAAS,SAAS,UAAU;CAChC,IAAI,OAAO,WAAW,KAAA,GAAW,SAAS,SAAS,OAAO;CAC1D,IAAI,OAAO,QAAQ,KAAA,GAAW;EAG7B,MAAM,YAAY,eAAe,OAAO,GAAG;EAC3C,IAAI,EAAE,WAAW,YAAY,SAAS,aAAa,UAAU;CAC9D;CACA,IAAI,OAAO,cAAc,KAAA,GAAW,SAAS,YAAY,OAAO;CAChE,IAAI,OAAO,UAAU,iBACpB,SAAS,WAAW,EACnB,iBAAiB,EAAE,GAAG,OAAO,SAAS,gBAAgB,EACvD;CAGD,MAAM,UAAU,qBAAqB,OAAO,SAAS,MAAM;CAC3D,IAAI,SAAS,SAAS,UAAU;CAEhC,OAAO;AACR;;;;;AAMA,SAAS,qBACR,UACA,QACe;CACf,IAAI,CAAC,UAAU,OAAO,CAAC;CACvB,IAAI;CACJ,IAAI;EACH,MAAM,SAAS,OAAO,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC;CAC5C,SAAS,OAAO;EACf,MAAM,IAAI,sBAAsB,CAC/B,gDAAgD,OAAO,KAAK,KAC3D,OAAiB,WAAW,OAAO,KAAK,CAC1C,CAAC;CACF;CACA,MAAM,SAAS,mBAAmB,UAAU,OAAO,CAAC,CAAC;CACrD,IAAI,CAAC,OAAO,SACX,MAAM,IAAI,sBAAsB,gBAAgB,OAAO,KAAK,CAAC;CAE9D,OAAO,OAAO;AACf;AAEA,SAAS,iBAAiB,QAAiD;CAC1E,IAAI,WAAW,KAAA,GAAW,OAAO;CACjC,IAAI,OAAO,WAAW,WAAW,OAAO;CACxC,OAAO,OAAO,YAAY;AAC3B;;AAGA,SAAS,iBAAiB,OAA0C;CACnE,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,IAAI,OAAO,UAAU,WAAW,OAAO;CACvC,OAAO,MAAM,YAAY;AAC1B;;;;;;;AAQA,SAAS,eACR,OACoC;CACpC,IAAI,CAAC,iBAAiB,KAAK,GAAG,OAAO,KAAA;CACrC,IAAI,OAAO,UAAU,UAEpB,OAAO,EAAE,cAAc,OAAO;CAE/B,MAAM,eAAe,MAAM,gBAAgB;CAC3C,MAAM,WAAkC,EAAE,aAAa;CACvD,IAAI,iBAAiB,YAAY;EAChC,IAAI,MAAM,YAAY,KAAA,GAAW,SAAS,UAAU,MAAM;EAC1D,IAAI,MAAM,iBAAiB,KAAA,GAC1B,SAAS,eAAe,MAAM;EAC/B,IAAI,MAAM,gBAAgB,KAAA,GACzB,SAAS,cAAc,MAAM;CAC/B;CACA,MAAM,WAAW,yBAAyB,MAAM,QAAQ;CACxD,IAAI,UAAU,SAAS,WAAW;CAClC,OAAO;AACR;;AAGA,SAAS,yBACR,UAC8B;CAC9B,IAAI,CAAC,UAAU,OAAO,KAAA;CACtB,MAAM,MAAuB,CAAC;CAC9B,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,GACjD,IAAI,UAAU,KAAA,GACb,IAAiC,OAAO;CAG1C,OAAO,OAAO,KAAK,GAAG,CAAC,CAAC,SAAS,IAAI,MAAM,KAAA;AAC5C;;;;;;;AAQA,SAAS,qBACR,SACA,QACoC;CACpC,IAAI,CAAC,SAAS,OAAO,KAAA;CACrB,MAAM,WAAW,OAAO,SAAS,aAAa,CAAC;CAY/C,OAAO;EACN,WAZ2C,OAAO,QAClD,QAAQ,aAAa,CAAC,CACvB,CAAC,CAAC,KAAK,CAAC,MAAM,SACb,sBAAsB,MAAM,KAAK,SAAS,SAAS,CAAC,CAAC,CAS7C;EACR,SARe,OAAO,QAAQ,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,KACpD,CAAC,MAAM,UAAU;GACjB;GACA,QAAQ,IAAI,UAAU;EACvB,EAIM;EACN,kBAAkB,iBAAiB,QAAQ,SAAS;CACrD;AACD;AAEA,SAAS,sBACR,MACA,KACA,QACyB;CACzB,OAAO;EACN;EACA,MAAM,IAAI;EACV,QAAQ,IAAI;EACZ,KAAK,EAAE,GAAI,IAAI,OAAO,CAAC,EAAG;EAC1B,SAAS,OAAO,WAAW;EAE3B,GAAI,IAAI,MAAM,EAAE,KAAK,IAAI,IAAI,IAAI,CAAC;CACnC;AACD;;;;;;AAOA,SAAgB,gBAAgB,QAAwB;CACvD,IAAI,cAAc,KAAK,MAAM,GAAG,OAAO;CACvC,OAAO,OAAO;AACf"}
+{"version":3,"file":"define-config.js","names":[],"sources":["../../src/lib/define-config.ts"],"sourcesContent":["import { parseBranchTtl } from \"./duration.js\";\nimport { ConfigValidationError } from \"./errors.js\";\nimport {\n\tbranchTuningSchema,\n\tconfigInputSchema,\n\tformatZodIssues,\n} from \"./schema.js\";\nimport type {\n\tBranchTarget,\n\tBranchTuning,\n\tBranchTuningFn,\n\tBucketDef,\n\tConfig,\n\tDataApiInput,\n\tDataApiSettings,\n\tFunctionDef,\n\tFunctionTuning,\n\tPreviewInput,\n\tResolvedBranchConfig,\n\tResolvedDataApiConfig,\n\tResolvedFunctionConfig,\n\tResolvedPreviewConfig,\n\tServiceEnabled,\n\tServiceToggleInput,\n} from \"./types.js\";\n\n/** Default deploy parameters applied to functions that omit them in `neon.ts`. */\nconst DEFAULT_FUNCTION_RUNTIME = \"nodejs24\" as const;\n\nconst REGION_PREFIX = /^(aws|azure|gcp)-/;\n\n/**\n * Whether a `dataApi` toggle is **enabled and verified by Neon Auth** at the type level: it is\n * on (see {@link ServiceEnabled}) and not the explicit `authProvider: \"external\"` variant\n * (so the default / `\"neon\"` provider). This is the case that requires top-level Neon Auth.\n */\ntype DataApiUsesNeonAuth<DataApi> = ServiceEnabled<DataApi> extends true\n\t? [DataApi] extends [{ authProvider: \"external\" }]\n\t\t? false\n\t\t: true\n\t: false;\n\n/**\n * Human-readable hint surfaced as the **expected type** of `dataApi` when a Neon-Auth Data\n * API is declared without Neon Auth enabled (see {@link DataApiField}). TypeScript prints the\n * offending value against this string literal — `Type 'true' is not assignable to type\n * '…requires `auth: true`…'` — which points straight at the fix, instead of the opaque\n * `Type 'true' is not assignable to type 'never'` an intersection guard produces.\n *\n * It documents **both** fixes: enabling Neon Auth (`auth: true`), and running the Data API\n * *without* Neon Auth by verifying a third-party IdP (`authProvider: 'external'` + `jwksUrl`).\n */\n// Exported (type-only) for the type tests in `define-config.test-d.ts`; intentionally not\n// re-exported from `v1.ts` / `index.ts`, so it stays an internal implementation detail.\nexport type NeonAuthRequiredHint =\n\t\"`dataApi` with Neon Auth (the default `authProvider: 'neon'`) requires Neon Auth, so add `auth: true`. To enable the Data API WITHOUT Neon Auth, verify a third-party IdP instead: `dataApi: { authProvider: 'external', jwksUrl: 'https://your-idp/.well-known/jwks.json' }`\";\n\n/**\n * Static cross-field guard for {@link defineConfig}, expressed as the **type of the `dataApi`\n * field** rather than an intersected requirement on `auth`.\n *\n * - A Neon-Auth Data API (`authProvider: \"neon\"`, the default) with top-level `auth` enabled,\n *   or any external Data API: the field keeps its normal `DataApi & DataApiInput` type (the\n *   `& DataApiInput` preserves member autocomplete; the `const DataApi` still types the\n *   returned {@link Config}).\n * - A Neon-Auth Data API **without** `auth` enabled: the field's expected type collapses to\n *   the {@link NeonAuthRequiredHint} message, so the author sees the rule (and the two fixes)\n *   right on the `dataApi` value.\n *\n * The runtime `superRefine` in {@link configInputSchema} enforces the same invariant for\n * non-typed (plain-JS) callers, so the behavior is identical — only the type-level message\n * changes.\n */\n// Exported (type-only) for the type tests in `define-config.test-d.ts`; intentionally not\n// re-exported from `v1.ts` / `index.ts`, so it stays an internal implementation detail.\nexport type DataApiField<Auth, DataApi> =\n\tDataApiUsesNeonAuth<DataApi> extends true\n\t\t? ServiceEnabled<Auth> extends true\n\t\t\t? DataApi & DataApiInput\n\t\t\t: NeonAuthRequiredHint\n\t\t: DataApi & DataApiInput;\n\n/**\n * Autocomplete bridge for the nested `preview.functions` / `preview.buckets` slug objects.\n *\n * {@link PreviewInput} types those records with a string index signature\n * (`Record<string, FunctionDef>` / `Record<string, BucketDef>`). When `defineConfig` infers\n * `const Preview`, every authored slug becomes a **named** property on the inferred literal\n * (e.g. `{ hello: { name; source } }`), and a named property **shadows** the index signature\n * when the editor computes the contextual type of that slug's value — so the rest of\n * {@link FunctionDef} / {@link BucketDef} (`env`, `dev`, `access`, …) never surfaces as\n * completions inside `hello: { … }` / `uploads: { … }`.\n *\n * Re-declaring each inferred slug's value as `FunctionDef` / `BucketDef` (a *named* member, via\n * a mapped type over the already-inferred keys) puts those members back onto the contextual\n * type without going through an index signature, which restores autocomplete. Intersected with\n * `Preview & PreviewInput` it neither widens what is accepted (the values were already\n * `FunctionDef` / `BucketDef`) nor perturbs the inferred `const Preview` — so slug inference for\n * `BranchTuningFn<Preview>` and the returned {@link Config} is unchanged.\n */\ntype PreviewAutocomplete<Preview> = (Preview extends { functions: infer F }\n\t? { functions: { [Slug in keyof F]: FunctionDef } }\n\t: unknown) &\n\t(Preview extends { buckets: infer B }\n\t\t? { buckets: { [Name in keyof B]: BucketDef } }\n\t\t: unknown);\n\n/**\n * Validate and freeze a Neon Platform branch policy.\n *\n * Used at the top of `neon.ts`:\n * ```ts\n * import { defineConfig } from \"@neondatabase/config/v1\";\n *\n * export default defineConfig({\n *   auth: true,\n *   preview: {\n *     functions: {\n *       hello: { name: \"Hello\", source: \"./functions/hello.ts\", dev: { port: 8787 } },\n *     },\n *   },\n *   branch: (branch) => ({ protected: branch.name === \"main\" }),\n * });\n * ```\n *\n * The policy is split into a **static** existential set (top-level `auth` / `dataApi`\n * toggles and the beta `preview` block) and a **dynamic** per-branch `branch` closure. The\n * static half determines which secrets exist — so `NeonEnv<typeof config>` and `parseEnv`\n * are exact — while the closure can only *tune* a branch (lifecycle, compute, per-function\n * deploy settings), never change what exists.\n *\n * The `branch` callback receives a read-only {@link BranchTarget} descriptor of the branch\n * being decided for (not a live handle); switch on its facts (`branch.name`,\n * `branch.isDefault`, `branch.exists`, …) and **return** the desired tuning. It runs in two\n * modes: against an existing branch (fields populated from Neon) and during pre-create\n * evaluation (`exists: false`, `id` undefined).\n *\n * Pure: no I/O, no side effects. The static parts are validated here; the closure's output\n * is validated every time it is evaluated so errors point at the concrete branch target.\n */\nexport function defineConfig<\n\tconst Auth extends ServiceToggleInput | undefined = undefined,\n\tconst DataApi extends DataApiInput | undefined = undefined,\n\tconst Preview extends PreviewInput | undefined = undefined,\n>(input: {\n\t// Each field is intersected with its concrete interface (not just typed as the bare\n\t// generic). The generic alone — e.g. `preview?: Preview` — gives editors no members to\n\t// complete against in the object-literal position (they see `{} | undefined`), so you\n\t// lose hints for `aiGateway` / `functions` / `buckets`. `& PreviewInput` restores the\n\t// full shape for autocomplete while still inferring the `const` literal that types the\n\t// `branch` closure's slugs (BranchTuningFn<Preview>) and the returned Config.\n\tauth?: Auth & ServiceToggleInput;\n\t// The `dataApi` field carries the Neon-Auth cross-field guard at the type level (see\n\t// `DataApiField`): a Neon-Auth Data API without `auth` enabled surfaces a readable hint\n\t// as the field's expected type instead of collapsing the value to `never`.\n\tdataApi?: DataApiField<Auth, DataApi>;\n\t// `& PreviewInput` restores top-level member hints (aiGateway/functions/buckets);\n\t// `& PreviewAutocomplete<Preview>` restores hints *inside* each function/bucket slug\n\t// object (see `PreviewAutocomplete`), which the bare index signature otherwise hides.\n\tpreview?: Preview & PreviewInput & PreviewAutocomplete<Preview>;\n\tbranch?: BranchTuningFn<Preview>;\n}): Config<Auth, DataApi, Preview> {\n\tif (typeof input === \"function\") {\n\t\tthrow new ConfigValidationError([\n\t\t\t\"defineConfig now expects an object, not a function: `export default defineConfig({ auth: true, preview: { … }, branch: (branch) => ({ … }) })`.\",\n\t\t\t\"The static services/preview set moved to the top level; per-branch logic moved into the `branch` closure.\",\n\t\t]);\n\t}\n\tif (input === null || typeof input !== \"object\") {\n\t\tthrow new ConfigValidationError([\n\t\t\t\"defineConfig expects a configuration object: `export default defineConfig({ … })`.\",\n\t\t]);\n\t}\n\n\tconst parsed = configInputSchema.safeParse(input);\n\tif (!parsed.success) {\n\t\tthrow new ConfigValidationError(formatZodIssues(parsed.error));\n\t}\n\n\treturn Object.freeze({ ...input }) as Config<Auth, DataApi, Preview>;\n}\n\n/**\n * Evaluate a branch policy for a specific branch target and return a normalized config.\n *\n * Merges the static existential set (services + preview functions/buckets) with the\n * per-branch tuning returned by the `branch` closure into the same {@link\n * ResolvedBranchConfig} the rest of the runtime (diff / push / fetchEnv) consumes.\n */\nexport function resolveConfig(\n\tconfig: Config,\n\tbranch: BranchTarget,\n): ResolvedBranchConfig {\n\tconst tuning = evaluateBranchTuning(config.branch, branch);\n\n\tconst resolved: ResolvedBranchConfig = {\n\t\tauthEnabled: isServiceEnabled(config.auth),\n\t\tdataApiEnabled: isDataApiEnabled(config.dataApi),\n\t};\n\tconst dataApi = resolveDataApi(config.dataApi);\n\tif (dataApi) resolved.dataApi = dataApi;\n\tif (tuning.parent !== undefined) resolved.parent = tuning.parent;\n\tif (tuning.ttl !== undefined) {\n\t\t// `branchTuningSchema` already validated `ttl` with the same `parseBranchTtl`, so\n\t\t// this only converts the validated value to seconds — it cannot fail here.\n\t\tconst parsedTtl = parseBranchTtl(tuning.ttl);\n\t\tif (!(\"error\" in parsedTtl)) resolved.ttlSeconds = parsedTtl.seconds;\n\t}\n\tif (tuning.protected !== undefined) resolved.protected = tuning.protected;\n\tif (tuning.postgres?.computeSettings) {\n\t\tresolved.postgres = {\n\t\t\tcomputeSettings: { ...tuning.postgres.computeSettings },\n\t\t};\n\t}\n\n\tconst preview = resolvePreviewConfig(config.preview, tuning);\n\tif (preview) resolved.preview = preview;\n\n\treturn resolved;\n}\n\n/**\n * Run the `branch` closure (when present) for the target and validate its output. The\n * closure is optional — a fully static policy resolves with empty tuning.\n */\nfunction evaluateBranchTuning(\n\tbranchFn: BranchTuningFn | undefined,\n\ttarget: BranchTarget,\n): BranchTuning {\n\tif (!branchFn) return {};\n\tlet raw: unknown;\n\ttry {\n\t\traw = branchFn(Object.freeze({ ...target }));\n\t} catch (cause) {\n\t\tthrow new ConfigValidationError([\n\t\t\t`Branch policy threw while evaluating branch \"${target.name}\".`,\n\t\t\t(cause as Error)?.message ?? String(cause),\n\t\t]);\n\t}\n\tconst parsed = branchTuningSchema.safeParse(raw ?? {});\n\tif (!parsed.success) {\n\t\tthrow new ConfigValidationError(formatZodIssues(parsed.error));\n\t}\n\treturn parsed.data as BranchTuning;\n}\n\nfunction isServiceEnabled(toggle: ServiceToggleInput | undefined): boolean {\n\tif (toggle === undefined) return false;\n\tif (typeof toggle === \"boolean\") return toggle;\n\treturn toggle.enabled !== false;\n}\n\n/** Whether a {@link DataApiInput} is enabled (present object/`true` unless `enabled: false`). */\nfunction isDataApiEnabled(input: DataApiInput | undefined): boolean {\n\tif (input === undefined) return false;\n\tif (typeof input === \"boolean\") return input;\n\treturn input.enabled !== false;\n}\n\n/**\n * Normalize a {@link DataApiInput} into a {@link ResolvedDataApiConfig}, or `undefined` when\n * the Data API is not enabled. `authProvider` defaults to `\"neon\"`; the external-IdP wiring\n * is carried through only for the `\"external\"` provider; `settings` is copied with its\n * `undefined` entries dropped so diffing only considers fields the policy actually set.\n */\nfunction resolveDataApi(\n\tinput: DataApiInput | undefined,\n): ResolvedDataApiConfig | undefined {\n\tif (!isDataApiEnabled(input)) return undefined;\n\tif (typeof input !== \"object\") {\n\t\t// Bare `true`: enabled with Neon Auth and all-default settings.\n\t\treturn { authProvider: \"neon\" };\n\t}\n\tconst authProvider = input.authProvider ?? \"neon\";\n\tconst resolved: ResolvedDataApiConfig = { authProvider };\n\tif (authProvider === \"external\") {\n\t\tif (input.jwksUrl !== undefined) resolved.jwksUrl = input.jwksUrl;\n\t\tif (input.providerName !== undefined)\n\t\t\tresolved.providerName = input.providerName;\n\t\tif (input.jwtAudience !== undefined)\n\t\t\tresolved.jwtAudience = input.jwtAudience;\n\t}\n\tconst settings = normalizeDataApiSettings(input.settings);\n\tif (settings) resolved.settings = settings;\n\treturn resolved;\n}\n\n/** Copy a {@link DataApiSettings}, dropping `undefined` entries; `undefined` when empty. */\nfunction normalizeDataApiSettings(\n\tsettings: DataApiSettings | undefined,\n): DataApiSettings | undefined {\n\tif (!settings) return undefined;\n\tconst out: DataApiSettings = {};\n\tfor (const [key, value] of Object.entries(settings)) {\n\t\tif (value !== undefined) {\n\t\t\t(out as Record<string, unknown>)[key] = value;\n\t\t}\n\t}\n\treturn Object.keys(out).length > 0 ? out : undefined;\n}\n\n/**\n * Normalize the static {@link PreviewInput} (merged with per-branch function tuning) into a\n * {@link ResolvedPreviewConfig}. Returns `undefined` when the policy declares no `preview`\n * block so the field can be omitted entirely. Function slugs / bucket names come from the\n * record keys.\n */\nfunction resolvePreviewConfig(\n\tpreview: PreviewInput | undefined,\n\ttuning: BranchTuning,\n): ResolvedPreviewConfig | undefined {\n\tif (!preview) return undefined;\n\tconst fnTuning = tuning.preview?.functions ?? {};\n\tconst functions: ResolvedFunctionConfig[] = Object.entries(\n\t\tpreview.functions ?? {},\n\t).map(([slug, def]) =>\n\t\tresolveFunctionConfig(slug, def, fnTuning[slug] ?? {}),\n\t);\n\tconst buckets = Object.entries(preview.buckets ?? {}).map(\n\t\t([name, def]) => ({\n\t\t\tname,\n\t\t\taccess: def.access ?? \"private\",\n\t\t}),\n\t);\n\treturn {\n\t\tfunctions,\n\t\tbuckets,\n\t\taiGatewayEnabled: isServiceEnabled(preview.aiGateway),\n\t};\n}\n\nfunction resolveFunctionConfig(\n\tslug: string,\n\tdef: FunctionDef,\n\ttuning: FunctionTuning,\n): ResolvedFunctionConfig {\n\treturn {\n\t\tslug,\n\t\tname: def.name,\n\t\tsource: def.source,\n\t\tenv: { ...(def.env ?? {}) },\n\t\truntime: tuning.runtime ?? DEFAULT_FUNCTION_RUNTIME,\n\t\t// Passed through untouched (no defaults); only `neon dev` reads it.\n\t\t...(def.dev ? { dev: def.dev } : {}),\n\t};\n}\n\n/**\n * Normalize a region identifier to Neon's `<cloud>-<region>` format. When the user writes\n * `us-east-1` we assume `aws-us-east-1`. Pure helper used by both the validator and the\n * NeonApi adapter.\n */\nexport function normalizeRegion(region: string): string {\n\tif (REGION_PREFIX.test(region)) return region;\n\treturn `aws-${region}`;\n}\n"],"mappings":";;;;;AA2BA,MAAM,2BAA2B;AAEjC,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+GtB,SAAgB,aAId,OAiBiC;CAClC,IAAI,OAAO,UAAU,YACpB,MAAM,IAAI,sBAAsB,CAC/B,mJACA,2GACD,CAAC;CAEF,IAAI,UAAU,QAAQ,OAAO,UAAU,UACtC,MAAM,IAAI,sBAAsB,CAC/B,oFACD,CAAC;CAGF,MAAM,SAAS,kBAAkB,UAAU,KAAK;CAChD,IAAI,CAAC,OAAO,SACX,MAAM,IAAI,sBAAsB,gBAAgB,OAAO,KAAK,CAAC;CAG9D,OAAO,OAAO,OAAO,EAAE,GAAG,MAAM,CAAC;AAClC;;;;;;;;AASA,SAAgB,cACf,QACA,QACuB;CACvB,MAAM,SAAS,qBAAqB,OAAO,QAAQ,MAAM;CAEzD,MAAM,WAAiC;EACtC,aAAa,iBAAiB,OAAO,IAAI;EACzC,gBAAgB,iBAAiB,OAAO,OAAO;CAChD;CACA,MAAM,UAAU,eAAe,OAAO,OAAO;CAC7C,IAAI,SAAS,SAAS,UAAU;CAChC,IAAI,OAAO,WAAW,KAAA,GAAW,SAAS,SAAS,OAAO;CAC1D,IAAI,OAAO,QAAQ,KAAA,GAAW;EAG7B,MAAM,YAAY,eAAe,OAAO,GAAG;EAC3C,IAAI,EAAE,WAAW,YAAY,SAAS,aAAa,UAAU;CAC9D;CACA,IAAI,OAAO,cAAc,KAAA,GAAW,SAAS,YAAY,OAAO;CAChE,IAAI,OAAO,UAAU,iBACpB,SAAS,WAAW,EACnB,iBAAiB,EAAE,GAAG,OAAO,SAAS,gBAAgB,EACvD;CAGD,MAAM,UAAU,qBAAqB,OAAO,SAAS,MAAM;CAC3D,IAAI,SAAS,SAAS,UAAU;CAEhC,OAAO;AACR;;;;;AAMA,SAAS,qBACR,UACA,QACe;CACf,IAAI,CAAC,UAAU,OAAO,CAAC;CACvB,IAAI;CACJ,IAAI;EACH,MAAM,SAAS,OAAO,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC;CAC5C,SAAS,OAAO;EACf,MAAM,IAAI,sBAAsB,CAC/B,gDAAgD,OAAO,KAAK,KAC3D,OAAiB,WAAW,OAAO,KAAK,CAC1C,CAAC;CACF;CACA,MAAM,SAAS,mBAAmB,UAAU,OAAO,CAAC,CAAC;CACrD,IAAI,CAAC,OAAO,SACX,MAAM,IAAI,sBAAsB,gBAAgB,OAAO,KAAK,CAAC;CAE9D,OAAO,OAAO;AACf;AAEA,SAAS,iBAAiB,QAAiD;CAC1E,IAAI,WAAW,KAAA,GAAW,OAAO;CACjC,IAAI,OAAO,WAAW,WAAW,OAAO;CACxC,OAAO,OAAO,YAAY;AAC3B;;AAGA,SAAS,iBAAiB,OAA0C;CACnE,IAAI,UAAU,KAAA,GAAW,OAAO;CAChC,IAAI,OAAO,UAAU,WAAW,OAAO;CACvC,OAAO,MAAM,YAAY;AAC1B;;;;;;;AAQA,SAAS,eACR,OACoC;CACpC,IAAI,CAAC,iBAAiB,KAAK,GAAG,OAAO,KAAA;CACrC,IAAI,OAAO,UAAU,UAEpB,OAAO,EAAE,cAAc,OAAO;CAE/B,MAAM,eAAe,MAAM,gBAAgB;CAC3C,MAAM,WAAkC,EAAE,aAAa;CACvD,IAAI,iBAAiB,YAAY;EAChC,IAAI,MAAM,YAAY,KAAA,GAAW,SAAS,UAAU,MAAM;EAC1D,IAAI,MAAM,iBAAiB,KAAA,GAC1B,SAAS,eAAe,MAAM;EAC/B,IAAI,MAAM,gBAAgB,KAAA,GACzB,SAAS,cAAc,MAAM;CAC/B;CACA,MAAM,WAAW,yBAAyB,MAAM,QAAQ;CACxD,IAAI,UAAU,SAAS,WAAW;CAClC,OAAO;AACR;;AAGA,SAAS,yBACR,UAC8B;CAC9B,IAAI,CAAC,UAAU,OAAO,KAAA;CACtB,MAAM,MAAuB,CAAC;CAC9B,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,GACjD,IAAI,UAAU,KAAA,GACb,IAAiC,OAAO;CAG1C,OAAO,OAAO,KAAK,GAAG,CAAC,CAAC,SAAS,IAAI,MAAM,KAAA;AAC5C;;;;;;;AAQA,SAAS,qBACR,SACA,QACoC;CACpC,IAAI,CAAC,SAAS,OAAO,KAAA;CACrB,MAAM,WAAW,OAAO,SAAS,aAAa,CAAC;CAY/C,OAAO;EACN,WAZ2C,OAAO,QAClD,QAAQ,aAAa,CAAC,CACvB,CAAC,CAAC,KAAK,CAAC,MAAM,SACb,sBAAsB,MAAM,KAAK,SAAS,SAAS,CAAC,CAAC,CAS7C;EACR,SARe,OAAO,QAAQ,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,KACpD,CAAC,MAAM,UAAU;GACjB;GACA,QAAQ,IAAI,UAAU;EACvB,EAIM;EACN,kBAAkB,iBAAiB,QAAQ,SAAS;CACrD;AACD;AAEA,SAAS,sBACR,MACA,KACA,QACyB;CACzB,OAAO;EACN;EACA,MAAM,IAAI;EACV,QAAQ,IAAI;EACZ,KAAK,EAAE,GAAI,IAAI,OAAO,CAAC,EAAG;EAC1B,SAAS,OAAO,WAAW;EAE3B,GAAI,IAAI,MAAM,EAAE,KAAK,IAAI,IAAI,IAAI,CAAC;CACnC;AACD;;;;;;AAOA,SAAgB,gBAAgB,QAAwB;CACvD,IAAI,cAAc,KAAK,MAAM,GAAG,OAAO;CACvC,OAAO,OAAO;AACf"}

package/dist/lib/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","names":[],"sources":["../../src/lib/schema.ts"],"mappings":";;;;;;AAgBA;;;;;;;;;;cAAa,uBAAqB,CAAA,CAAA;;;;;;cAiDrB,qBAAmB,CAAA,CAAA;;;;cAKnB,0BAAwB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;;;AAtDH;AAiDlC;AAEE,cAYW,qBAZX,EAYgC,CAAA,CAAA,SAZhC,CAAA;;;;WAF8B,eAAA,YAAA,CAAA;EAAA,SAAA,eAAA,WAAA,YAAA,CAAA,CAAA;EAKnB,eAAA,eAGX,YAAA,CAAA;EAAA,mBAAA,eAAA,YAAA,CAAA;aAHmC,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,mBAAA,CAAA,cAAA,CAAA,UAAA,CAAA,CAAA,CAAA,CAAA;;;;;;AAAA;AASrC;;;cA4Ba,qBAAmB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;cA0BnB,oBAAkB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;SAtDG,eAAA,YAAA,CAAA;EAAA,YAAA,eAAA,YAAA,CAAA;EA4BrB,WAAA,eAuBV,YAAA,CAAA;EAAA,QAAA,eAAA,YAAA,CAAA;;;;;;;;;;;;;cAKU,sBAAoB,CAAA,CAAA;;;;;;;;;;;;cAiDpB,mBAAiB,CAAA,CAAA;;;;;;;;;cAQjB,iBAAe,CAAA,CAAA;;;;cAOf,oBAAkB,CAAA,CAAA;;IA5FC,OAAA,eAAA,aAAA,CAAA;EAAA,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EA0BnB,SAAA,eAAgE,YAAA,YAAA,aAAA,CAAA;IAAA,IAAA,aAAA;IAA9C,MAAA,aAAA;;;;;;;;;;;cAyElB,sBAAoB,CAAA,CAAA;;;;;;;cAapB,oBAAkB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;AAtFA,cAoHlB,iBApHkB,EAoHD,CAAA,CAAA,SApHC,CAAA;MAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;IAAA,OAAA,eAAA,aAAA,CAAA;EAElB,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EAEX,OAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;MAF+B,GAAA,eAAA,YAAA,YAAA,aAAA,CAAA,CAAA;MAAA,GAAA,eAAA,YAAA,CAAA;QAiDpB,IAAA,eAKX,YAAA,CAAA;MAAA,CAAA,gBAAA,CAAA,CAAA;;;;;;;;;;;;;;AAL4B;AAQ9B;;iBA4IgB,eAAA,QAAuB,CAAA,CAAE"}
+{"version":3,"file":"schema.d.ts","names":[],"sources":["../../src/lib/schema.ts"],"mappings":";;;;;;AAgBA;;;;;;;;;;cAAa,uBAAqB,CAAA,CAAA;;;;;;cAiDrB,qBAAmB,CAAA,CAAA;;;;cAKnB,0BAAwB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;;;AAtDH;AAiDlC;AAEE,cAYW,qBAZX,EAYgC,CAAA,CAAA,SAZhC,CAAA;;;;WAF8B,eAAA,YAAA,CAAA;EAAA,SAAA,eAAA,WAAA,YAAA,CAAA,CAAA;EAKnB,eAAA,eAGX,YAAA,CAAA;EAAA,mBAAA,eAAA,YAAA,CAAA;aAHmC,eAAA,WAAA,CAAA,SAAA,aAAA,CAAA,mBAAA,CAAA,cAAA,CAAA,UAAA,CAAA,CAAA,CAAA,CAAA;;;;;;AAAA;AASrC;;;cA4Ba,qBAAmB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;cA0BnB,oBAAkB,CAAA,CAAA,mBAAA,CAAA,CAAA,YAAA,CAAA,CAAA;;;SAtDG,eAAA,YAAA,CAAA;EAAA,YAAA,eAAA,YAAA,CAAA;EA4BrB,WAAA,eAuBV,YAAA,CAAA;EAAA,QAAA,eAAA,YAAA,CAAA;;;;;;;;;;;;;cAKU,sBAAoB,CAAA,CAAA;;;;;;;;;;;;cA6EpB,mBAAiB,CAAA,CAAA;;;;;;;;;cAQjB,iBAAe,CAAA,CAAA;;;;cAOf,oBAAkB,CAAA,CAAA;;IAxHC,OAAA,eAAA,aAAA,CAAA;EAAA,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EA0BnB,SAAA,eAAgE,YAAA,YAAA,aAAA,CAAA;IAAA,IAAA,aAAA;IAA9C,MAAA,aAAA;;;;;;;;;;;cAqGlB,sBAAoB,CAAA,CAAA;;;;;;;cAapB,oBAAkB,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;AAlHA,cAgJlB,iBAhJkB,EAgJD,CAAA,CAAA,SAhJC,CAAA;MAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;IAAA,OAAA,eAAA,aAAA,CAAA;EAElB,CAAA,gBAAA,CAAA,CAAA,CAAA,CAAA;EAEX,OAAA,eAAA,WAAA,CAAA,SAAA,aAAA,aAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;MAF+B,GAAA,eAAA,YAAA,YAAA,aAAA,CAAA,CAAA;MAAA,GAAA,eAAA,YAAA,CAAA;QA6EpB,IAAA,eAKX,YAAA,CAAA;MAAA,CAAA,gBAAA,CAAA,CAAA;;;;;;;;;;;;;;AAL4B;AAQ9B;;iBA4IgB,eAAA,QAAuB,CAAA,CAAE"}

package/dist/lib/schema.js

@@ -112,11 +112,27 @@ const functionSlugSchema = z.string().regex(/^[a-z0-9]{1,20}$/, "function slug m
 /** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */
 const bucketNameSchema = z.string().min(1).max(255);
 /**
-* Per-function environment map. Every value must be a defined string: a `process.env.X`
-* that is unset surfaces as `undefined` and is rejected here (rather than silently
-* shipping `undefined` into the deployment).
+* A single function environment-variable value. Must be a defined string: a `process.env.X`
+* that is unset evaluates to `undefined`, and the bare `z.string()` message for that case
+* (`Invalid input: expected string, received undefined`) gives no hint that an env var is the
+* culprit. The custom `error` replaces *only* the `undefined` case with a message that names
+* the offending function + env key (read from the issue path) and how to fix it; any other
+* wrong type keeps zod's default (`expected string, received number`, …).
 */
-const functionEnvSchema = z.record(z.string(), z.string());
+const functionEnvValueSchema = z.string({ error: (issue) => {
+	if (issue.input !== void 0) return void 0;
+	const path = issue.path ?? [];
+	const key = path.length > 0 ? String(path[path.length - 1]) : void 0;
+	const functionsIndex = path.indexOf("functions");
+	const slug = functionsIndex >= 0 && functionsIndex + 1 < path.length ? String(path[functionsIndex + 1]) : void 0;
+	return `${slug !== void 0 && key !== void 0 ? `Environment variable "${key}" for function "${slug}"` : key !== void 0 ? `Environment variable "${key}"` : "An environment variable"} is undefined — its value (typically a \`process.env.*\`) is unset. Set it (e.g. add it to your .env) or provide a fallback like \`process.env.X ?? ""\`.`;
+} });
+/**
+* Per-function environment map. Every value must be a defined string (see
+* {@link functionEnvValueSchema}): a `process.env.X` that is unset surfaces as `undefined` and
+* is rejected here (rather than silently shipping `undefined` into the deployment).
+*/
+const functionEnvSchema = z.record(z.string(), functionEnvValueSchema);
 /**
 * TCP port for a function's local dev server. Excludes 0 (which means "any port" to the OS
 * — `neon dev` expresses "pick one for me" by omitting `port`, not by passing 0).

package/dist/lib/schema.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.js","names":[],"sources":["../../src/lib/schema.ts"],"sourcesContent":["import { z } from \"zod\";\nimport { parseBranchTtl, parseSuspendTimeout } from \"./duration.js\";\nimport { isWildcardPattern, validatePattern } from \"./patterns.js\";\n\n/**\n * Zod schema for {@link import(\"./types.js\").ComputeSettings}.\n *\n * - CU values must be one of: 0.25, 0.5, 1, 2, 4, 8\n * - `suspendTimeout` can be:\n *   - `false` (never suspend)\n *   - duration string like \"5m\", \"1h\" (must be 60s-604800s when parsed)\n *   - number in seconds (60-604800, or -1/0 for special values)\n *   - `undefined` (use platform default)\n *\n * Cross-field invariants (min <= max) are enforced via `superRefine`.\n */\nexport const computeSettingsSchema = z\n\t.strictObject({\n\t\tautoscalingLimitMinCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tautoscalingLimitMaxCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tsuspendTimeout: z\n\t\t\t.union([z.literal(false), z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return; // undefined is valid (use platform default)\n\t\t\t\tconst result = parseSuspendTimeout(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({\n\t\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\t\tmessage: result.error,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}),\n\t})\n\t.superRefine((settings, ctx) => {\n\t\tconst { autoscalingLimitMinCu: min, autoscalingLimitMaxCu: max } =\n\t\t\tsettings;\n\t\tif (min !== undefined && max !== undefined && min > max) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"autoscalingLimitMinCu\"],\n\t\t\t\tmessage: `autoscalingLimitMinCu (${min}) must be <= autoscalingLimitMaxCu (${max})`,\n\t\t\t});\n\t\t}\n\t});\n\n/** Object form of a service toggle (`{ enabled?: boolean }`). */\nexport const serviceToggleSchema = z.strictObject({\n\tenabled: z.boolean().optional(),\n});\n\n/** A service toggle as written in a policy: `boolean` or `{ enabled?: boolean }`. */\nexport const serviceToggleInputSchema = z.union([\n\tz.boolean(),\n\tserviceToggleSchema,\n]);\n\n/**\n * Reusable Data API runtime settings (camelCase mirror of the Neon API `DataAPISettings`).\n * `strictObject` so a typo / snake_case key fails loudly instead of being silently dropped.\n */\nexport const dataApiSettingsSchema = z.strictObject({\n\tdbAggregatesEnabled: z.boolean().optional(),\n\tdbAnonRole: z.string().optional(),\n\tdbExtraSearchPath: z.string().optional(),\n\tdbMaxRows: z.number().int().optional(),\n\tdbSchemas: z.array(z.string()).optional(),\n\tjwtRoleClaimKey: z.string().optional(),\n\tjwtCacheMaxLifetime: z.number().int().optional(),\n\topenapiMode: z\n\t\t.union([z.literal(\"ignore-privileges\"), z.literal(\"disabled\")])\n\t\t.optional(),\n\tserverCorsAllowedOrigins: z.string().optional(),\n\tserverTimingEnabled: z.boolean().optional(),\n});\n\n/** Names of the external-IdP-only fields, forbidden when `authProvider` is `\"neon\"`. */\nconst DATA_API_EXTERNAL_ONLY_KEYS = [\n\t\"jwksUrl\",\n\t\"providerName\",\n\t\"jwtAudience\",\n] as const;\n\n/**\n * Object form of the `dataApi` toggle. A single `strictObject` plus a `superRefine` (rather\n * than a discriminated union) so the `\"neon\"` default works without the discriminator being\n * present, and so the \"external-only field with authProvider neon\" error points at the exact\n * offending key — mirroring the `?: never` type-level guard at runtime.\n */\nexport const dataApiConfigSchema = z\n\t.strictObject({\n\t\tenabled: z.boolean().optional(),\n\t\tauthProvider: z\n\t\t\t.union([z.literal(\"neon\"), z.literal(\"external\")])\n\t\t\t.optional(),\n\t\tjwksUrl: z.string().optional(),\n\t\tproviderName: z.string().optional(),\n\t\tjwtAudience: z.string().optional(),\n\t\tsettings: dataApiSettingsSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tconst provider = cfg.authProvider ?? \"neon\";\n\t\tif (provider !== \"neon\") return;\n\t\tfor (const key of DATA_API_EXTERNAL_ONLY_KEYS) {\n\t\t\tif (cfg[key] !== undefined) {\n\t\t\t\tctx.addIssue({\n\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\tpath: [key],\n\t\t\t\t\tmessage: `${key} is only allowed with authProvider: \"external\" — Neon supplies it for authProvider: \"neon\".`,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t});\n\n/** A `dataApi` toggle as written in a policy: `boolean` or {@link dataApiConfigSchema}. */\nexport const dataApiInputSchema = z.union([z.boolean(), dataApiConfigSchema]);\n\nexport const postgresConfigSchema = z.strictObject({\n\tcomputeSettings: computeSettingsSchema.optional(),\n});\n\n/**\n * Branch-unique function slug. Mirrors the Neon Functions API path-segment rule\n * (`platform/internal/platform/functions/name.go`): 1–20 lowercase letters and digits.\n * Used as the **key schema** of the `preview.functions` record, so a bad slug fails\n * validation with a path pointing at the offending key and duplicate slugs are impossible\n * by construction (object keys are unique).\n */\nconst functionSlugSchema = z\n\t.string()\n\t.regex(\n\t\t/^[a-z0-9]{1,20}$/,\n\t\t\"function slug must be 1-20 lowercase letters and digits (no hyphens or other characters)\",\n\t);\n\n/** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */\nconst bucketNameSchema = z.string().min(1).max(255);\n\n/**\n * Per-function environment map. Every value must be a defined string: a `process.env.X`\n * that is unset surfaces as `undefined` and is rejected here (rather than silently\n * shipping `undefined` into the deployment).\n */\nconst functionEnvSchema = z.record(z.string(), z.string());\n\n/**\n * TCP port for a function's local dev server. Excludes 0 (which means \"any port\" to the OS\n * — `neon dev` expresses \"pick one for me\" by omitting `port`, not by passing 0).\n */\nconst devPortSchema = z.number().int().min(1).max(65535);\n\n/**\n * Local-dev settings for a function (`neon dev` only; never affects deploy). `port` is bound\n * exactly when set (and `neon dev` fails if it is taken), or a free port is found when omitted.\n */\nconst functionDevConfigSchema = z.strictObject({\n\tport: devPortSchema.optional(),\n});\n\nconst runtimeSchema = z.literal(\"nodejs24\");\n\n/**\n * Static definition of a function (existence). The slug is the record key (validated by\n * {@link functionSlugSchema}), so it is not a field here. Deploy tuning (`runtime`) lives\n * in the `branch` closure, not here.\n */\nexport const functionDefSchema = z.strictObject({\n\tname: z.string().min(1).max(255),\n\tsource: z.string().min(1),\n\tenv: functionEnvSchema.optional(),\n\tdev: functionDevConfigSchema.optional(),\n});\n\n/** Static definition of a bucket (existence). Name is the record key. */\nexport const bucketDefSchema = z.strictObject({\n\taccess: z\n\t\t.union([z.literal(\"private\"), z.literal(\"public_read\")])\n\t\t.optional(),\n});\n\n/** Static, beta Preview feature set: AI Gateway toggle + functions/buckets records. */\nexport const previewInputSchema = z.strictObject({\n\taiGateway: serviceToggleInputSchema.optional(),\n\tfunctions: z.record(functionSlugSchema, functionDefSchema).optional(),\n\tbuckets: z.record(bucketNameSchema, bucketDefSchema).optional(),\n});\n\n/** Per-function deploy tuning returned by the `branch` closure. */\nexport const functionTuningSchema = z.strictObject({\n\truntime: runtimeSchema.optional(),\n});\n\n/** Per-branch Preview tuning. Keys must be slugs declared in the static `preview`. */\nconst previewTuningSchema = z.strictObject({\n\tfunctions: z.record(functionSlugSchema, functionTuningSchema).optional(),\n});\n\n/**\n * The object returned by the `branch` closure. Validated on every `resolveConfig` call so\n * tuning errors point at the concrete branch target that triggered them.\n */\nexport const branchTuningSchema = z\n\t.strictObject({\n\t\tparent: z.string().optional(),\n\t\tprotected: z.boolean().optional(),\n\t\tttl: z\n\t\t\t.union([z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return;\n\t\t\t\tconst result = parseBranchTtl(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({ code: \"custom\", message: result.error });\n\t\t\t\t}\n\t\t\t}),\n\t\tpostgres: postgresConfigSchema.optional(),\n\t\tpreview: previewTuningSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tvalidateParentReference({\n\t\t\tctx,\n\t\t\tpath: [\"parent\"],\n\t\t\tparent: cfg.parent,\n\t\t});\n\t});\n\n/**\n * The top-level object accepted by `defineConfig`. The `branch` closure is validated\n * structurally as a function here; its returned tuning is validated per-evaluation by\n * {@link branchTuningSchema} inside `resolveConfig`.\n */\nexport const configInputSchema = z\n\t.strictObject({\n\t\tauth: serviceToggleInputSchema.optional(),\n\t\tdataApi: dataApiInputSchema.optional(),\n\t\tpreview: previewInputSchema.optional(),\n\t\tbranch: z\n\t\t\t.custom<(...args: unknown[]) => unknown>(\n\t\t\t\t(value) => typeof value === \"function\",\n\t\t\t\t{\n\t\t\t\t\tmessage:\n\t\t\t\t\t\t\"branch must be a function: `branch: (branch) => ({ … })`\",\n\t\t\t\t},\n\t\t\t)\n\t\t\t.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\t// A Data API verified by Neon Auth (`authProvider: \"neon\"`, the default) needs Neon\n\t\t// Auth enabled on the same branch so the tokens it verifies actually exist. Enforce\n\t\t// the same invariant the `defineConfig` type-level check expresses, at runtime.\n\t\tif (!isToggleEnabledValue(cfg.dataApi)) return;\n\t\tif (dataApiAuthProviderValue(cfg.dataApi) !== \"neon\") return;\n\t\tif (!isToggleEnabledValue(cfg.auth)) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"auth\"],\n\t\t\t\tmessage:\n\t\t\t\t\t'dataApi with authProvider \"neon\" requires Neon Auth — set `auth: true` (or `auth: { enabled: true }`), or use `dataApi.authProvider: \"external\"` with your own `jwksUrl`.',\n\t\t\t});\n\t\t}\n\t});\n\n/**\n * Whether a parsed `auth` / `dataApi` toggle value is enabled: a present object (or `true`)\n * is on unless `enabled` is explicitly `false`. Mirrors `isServiceEnabled` in\n * `define-config.ts`, operating on the already-validated runtime value.\n */\nfunction isToggleEnabledValue(value: unknown): boolean {\n\tif (value === undefined || value === null) return false;\n\tif (typeof value === \"boolean\") return value;\n\tif (typeof value === \"object\") {\n\t\treturn (value as { enabled?: unknown }).enabled !== false;\n\t}\n\treturn false;\n}\n\n/** Read the (defaulted) `authProvider` from a parsed `dataApi` value. */\nfunction dataApiAuthProviderValue(value: unknown): \"neon\" | \"external\" {\n\tif (value !== null && typeof value === \"object\") {\n\t\tconst provider = (value as { authProvider?: unknown }).authProvider;\n\t\tif (provider === \"external\") return \"external\";\n\t}\n\treturn \"neon\";\n}\n\nfunction validateParentReference(args: {\n\tctx: z.RefinementCtx;\n\tpath: (string | number)[];\n\tparent: string | undefined;\n}): void {\n\tconst { ctx, path, parent } = args;\n\tif (parent === undefined) return;\n\n\tconst patternCheck = validatePattern(parent);\n\tif (\"error\" in patternCheck) {\n\t\tctx.addIssue({ code: \"custom\", path, message: patternCheck.error });\n\t} else if (isWildcardPattern(parent)) {\n\t\tctx.addIssue({\n\t\t\tcode: \"custom\",\n\t\t\tpath,\n\t\t\tmessage: `parent must be a concrete branch name (no wildcards), got \"${parent}\"`,\n\t\t});\n\t}\n}\n\n/**\n * Convert the structured {@link z.ZodError} produced by `configSchema.safeParse` into the\n * `string[]` shape used by {@link import(\"./errors.js\").ConfigValidationError}.\n *\n * Issue paths are rendered as dot-separated property accesses (`postgres.computeSettings`)\n * and unknown-key issues from `strictObject` are normalised so the message contains the\n * substring \"unknown key\" — keeping pre-zod assertions in test suites and downstream tools\n * stable.\n */\nexport function formatZodIssues(error: z.ZodError): string[] {\n\treturn error.issues.map((issue) => {\n\t\tconst path = renderPath(issue.path);\n\t\tconst message = normaliseIssueMessage(issue);\n\t\treturn path ? `${path}: ${message}` : message;\n\t});\n}\n\nfunction renderPath(path: ReadonlyArray<PropertyKey>): string {\n\tlet out = \"\";\n\tfor (const segment of path) {\n\t\tif (typeof segment === \"number\") out += `[${segment}]`;\n\t\telse if (out === \"\") out += String(segment);\n\t\telse out += `.${String(segment)}`;\n\t}\n\treturn out;\n}\n\nfunction normaliseIssueMessage(issue: z.core.$ZodIssue): string {\n\tif (issue.code === \"unrecognized_keys\") {\n\t\tconst keys = issue.keys ?? [];\n\t\tconst formatted = keys.map((k) => JSON.stringify(k)).join(\", \");\n\t\treturn `unknown key${keys.length === 1 ? \"\" : \"s\"}: ${formatted}`;\n\t}\n\tif (issue.code === \"invalid_key\") {\n\t\t// A record *key* that fails its key schema (e.g. a bad function slug) surfaces in\n\t\t// zod as a single `invalid_key` issue whose own `message` is the generic, useless\n\t\t// \"Invalid key in record\". The actual reason — the function-slug regex rule, say —\n\t\t// lives in the nested key-schema `issues`. Hoist those so the user sees *why* the\n\t\t// key was rejected (the offending key itself is already in the issue `path`).\n\t\tconst reasons = issue.issues\n\t\t\t.map((nested) => nested.message)\n\t\t\t.filter((message) => message.length > 0);\n\t\tif (reasons.length > 0) return reasons.join(\"; \");\n\t}\n\treturn issue.message;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAgBA,MAAa,wBAAwB,EACnC,aAAa;CACb,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,gBAAgB,EACd,MAAM;EAAC,EAAE,QAAQ,KAAK;EAAG,EAAE,OAAO;EAAG,EAAE,OAAO;CAAC,CAAC,CAAC,CACjD,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,oBAAoB,KAAK;EACxC,IAAI,WAAW,QACd,IAAI,SAAS;GACZ,MAAM;GACN,SAAS,OAAO;EACjB,CAAC;CAEH,CAAC;AACH,CAAC,CAAC,CACD,aAAa,UAAU,QAAQ;CAC/B,MAAM,EAAE,uBAAuB,KAAK,uBAAuB,QAC1D;CACD,IAAI,QAAQ,KAAA,KAAa,QAAQ,KAAA,KAAa,MAAM,KACnD,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,uBAAuB;EAC9B,SAAS,0BAA0B,IAAI,sCAAsC,IAAI;CAClF,CAAC;AAEH,CAAC;;AAGF,MAAa,sBAAsB,EAAE,aAAa,EACjD,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS,EAC/B,CAAC;;AAGD,MAAa,2BAA2B,EAAE,MAAM,CAC/C,EAAE,QAAQ,GACV,mBACD,CAAC;;;;;AAMD,MAAa,wBAAwB,EAAE,aAAa;CACnD,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC1C,YAAY,EAAE,OAAO,CAAC,CAAC,SAAS;CAChC,mBAAmB,EAAE,OAAO,CAAC,CAAC,SAAS;CACvC,WAAW,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CACrC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS;CACxC,iBAAiB,EAAE,OAAO,CAAC,CAAC,SAAS;CACrC,qBAAqB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CAC/C,aAAa,EACX,MAAM,CAAC,EAAE,QAAQ,mBAAmB,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CAC9D,SAAS;CACX,0BAA0B,EAAE,OAAO,CAAC,CAAC,SAAS;CAC9C,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;AAC3C,CAAC;;AAGD,MAAM,8BAA8B;CACnC;CACA;CACA;AACD;;;;;;;AAQA,MAAa,sBAAsB,EACjC,aAAa;CACb,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC9B,cAAc,EACZ,MAAM,CAAC,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CACjD,SAAS;CACX,SAAS,EAAE,OAAO,CAAC,CAAC,SAAS;CAC7B,cAAc,EAAE,OAAO,CAAC,CAAC,SAAS;CAClC,aAAa,EAAE,OAAO,CAAC,CAAC,SAAS;CACjC,UAAU,sBAAsB,SAAS;AAC1C,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAE1B,KADiB,IAAI,gBAAgB,YACpB,QAAQ;CACzB,KAAK,MAAM,OAAO,6BACjB,IAAI,IAAI,SAAS,KAAA,GAChB,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,GAAG;EACV,SAAS,GAAG,IAAI;CACjB,CAAC;AAGJ,CAAC;;AAGF,MAAa,qBAAqB,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,mBAAmB,CAAC;AAE5E,MAAa,uBAAuB,EAAE,aAAa,EAClD,iBAAiB,sBAAsB,SAAS,EACjD,CAAC;;;;;;;;AASD,MAAM,qBAAqB,EACzB,OAAO,CAAC,CACR,MACA,oBACA,0FACD;;AAGD,MAAM,mBAAmB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;;;;;;AAOlD,MAAM,oBAAoB,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;;;;;AAMzD,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK;;;;;AAMvD,MAAM,0BAA0B,EAAE,aAAa,EAC9C,MAAM,cAAc,SAAS,EAC9B,CAAC;AAED,MAAM,gBAAgB,EAAE,QAAQ,UAAU;;;;;;AAO1C,MAAa,oBAAoB,EAAE,aAAa;CAC/C,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;CAC/B,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;CACxB,KAAK,kBAAkB,SAAS;CAChC,KAAK,wBAAwB,SAAS;AACvC,CAAC;;AAGD,MAAa,kBAAkB,EAAE,aAAa,EAC7C,QAAQ,EACN,MAAM,CAAC,EAAE,QAAQ,SAAS,GAAG,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,CACvD,SAAS,EACZ,CAAC;;AAGD,MAAa,qBAAqB,EAAE,aAAa;CAChD,WAAW,yBAAyB,SAAS;CAC7C,WAAW,EAAE,OAAO,oBAAoB,iBAAiB,CAAC,CAAC,SAAS;CACpE,SAAS,EAAE,OAAO,kBAAkB,eAAe,CAAC,CAAC,SAAS;AAC/D,CAAC;;AAGD,MAAa,uBAAuB,EAAE,aAAa,EAClD,SAAS,cAAc,SAAS,EACjC,CAAC;;AAGD,MAAM,sBAAsB,EAAE,aAAa,EAC1C,WAAW,EAAE,OAAO,oBAAoB,oBAAoB,CAAC,CAAC,SAAS,EACxE,CAAC;;;;;AAMD,MAAa,qBAAqB,EAChC,aAAa;CACb,QAAQ,EAAE,OAAO,CAAC,CAAC,SAAS;CAC5B,WAAW,EAAE,QAAQ,CAAC,CAAC,SAAS;CAChC,KAAK,EACH,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAC/B,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,eAAe,KAAK;EACnC,IAAI,WAAW,QACd,IAAI,SAAS;GAAE,MAAM;GAAU,SAAS,OAAO;EAAM,CAAC;CAExD,CAAC;CACF,UAAU,qBAAqB,SAAS;CACxC,SAAS,oBAAoB,SAAS;AACvC,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAC1B,wBAAwB;EACvB;EACA,MAAM,CAAC,QAAQ;EACf,QAAQ,IAAI;CACb,CAAC;AACF,CAAC;;;;;;AAOF,MAAa,oBAAoB,EAC/B,aAAa;CACb,MAAM,yBAAyB,SAAS;CACxC,SAAS,mBAAmB,SAAS;CACrC,SAAS,mBAAmB,SAAS;CACrC,QAAQ,EACN,QACC,UAAU,OAAO,UAAU,YAC5B,EACC,SACC,2DACF,CACD,CAAC,CACA,SAAS;AACZ,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAI1B,IAAI,CAAC,qBAAqB,IAAI,OAAO,GAAG;CACxC,IAAI,yBAAyB,IAAI,OAAO,MAAM,QAAQ;CACtD,IAAI,CAAC,qBAAqB,IAAI,IAAI,GACjC,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,MAAM;EACb,SACC;CACF,CAAC;AAEH,CAAC;;;;;;AAOF,SAAS,qBAAqB,OAAyB;CACtD,IAAI,UAAU,KAAA,KAAa,UAAU,MAAM,OAAO;CAClD,IAAI,OAAO,UAAU,WAAW,OAAO;CACvC,IAAI,OAAO,UAAU,UACpB,OAAQ,MAAgC,YAAY;CAErD,OAAO;AACR;;AAGA,SAAS,yBAAyB,OAAqC;CACtE,IAAI,UAAU,QAAQ,OAAO,UAAU;MACpB,MAAqC,iBACtC,YAAY,OAAO;CAAA;CAErC,OAAO;AACR;AAEA,SAAS,wBAAwB,MAIxB;CACR,MAAM,EAAE,KAAK,MAAM,WAAW;CAC9B,IAAI,WAAW,KAAA,GAAW;CAE1B,MAAM,eAAe,gBAAgB,MAAM;CAC3C,IAAI,WAAW,cACd,IAAI,SAAS;EAAE,MAAM;EAAU;EAAM,SAAS,aAAa;CAAM,CAAC;MAC5D,IAAI,kBAAkB,MAAM,GAClC,IAAI,SAAS;EACZ,MAAM;EACN;EACA,SAAS,8DAA8D,OAAO;CAC/E,CAAC;AAEH;;;;;;;;;;AAWA,SAAgB,gBAAgB,OAA6B;CAC5D,OAAO,MAAM,OAAO,KAAK,UAAU;EAClC,MAAM,OAAO,WAAW,MAAM,IAAI;EAClC,MAAM,UAAU,sBAAsB,KAAK;EAC3C,OAAO,OAAO,GAAG,KAAK,IAAI,YAAY;CACvC,CAAC;AACF;AAEA,SAAS,WAAW,MAA0C;CAC7D,IAAI,MAAM;CACV,KAAK,MAAM,WAAW,MACrB,IAAI,OAAO,YAAY,UAAU,OAAO,IAAI,QAAQ;MAC/C,IAAI,QAAQ,IAAI,OAAO,OAAO,OAAO;MACrC,OAAO,IAAI,OAAO,OAAO;CAE/B,OAAO;AACR;AAEA,SAAS,sBAAsB,OAAiC;CAC/D,IAAI,MAAM,SAAS,qBAAqB;EACvC,MAAM,OAAO,MAAM,QAAQ,CAAC;EAC5B,MAAM,YAAY,KAAK,KAAK,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;EAC9D,OAAO,cAAc,KAAK,WAAW,IAAI,KAAK,IAAI,IAAI;CACvD;CACA,IAAI,MAAM,SAAS,eAAe;EAMjC,MAAM,UAAU,MAAM,OACpB,KAAK,WAAW,OAAO,OAAO,CAAC,CAC/B,QAAQ,YAAY,QAAQ,SAAS,CAAC;EACxC,IAAI,QAAQ,SAAS,GAAG,OAAO,QAAQ,KAAK,IAAI;CACjD;CACA,OAAO,MAAM;AACd"}
+{"version":3,"file":"schema.js","names":[],"sources":["../../src/lib/schema.ts"],"sourcesContent":["import { z } from \"zod\";\nimport { parseBranchTtl, parseSuspendTimeout } from \"./duration.js\";\nimport { isWildcardPattern, validatePattern } from \"./patterns.js\";\n\n/**\n * Zod schema for {@link import(\"./types.js\").ComputeSettings}.\n *\n * - CU values must be one of: 0.25, 0.5, 1, 2, 4, 8\n * - `suspendTimeout` can be:\n *   - `false` (never suspend)\n *   - duration string like \"5m\", \"1h\" (must be 60s-604800s when parsed)\n *   - number in seconds (60-604800, or -1/0 for special values)\n *   - `undefined` (use platform default)\n *\n * Cross-field invariants (min <= max) are enforced via `superRefine`.\n */\nexport const computeSettingsSchema = z\n\t.strictObject({\n\t\tautoscalingLimitMinCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tautoscalingLimitMaxCu: z\n\t\t\t.union([\n\t\t\t\tz.literal(0.25),\n\t\t\t\tz.literal(0.5),\n\t\t\t\tz.literal(1),\n\t\t\t\tz.literal(2),\n\t\t\t\tz.literal(4),\n\t\t\t\tz.literal(8),\n\t\t\t])\n\t\t\t.optional(),\n\t\tsuspendTimeout: z\n\t\t\t.union([z.literal(false), z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return; // undefined is valid (use platform default)\n\t\t\t\tconst result = parseSuspendTimeout(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({\n\t\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\t\tmessage: result.error,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}),\n\t})\n\t.superRefine((settings, ctx) => {\n\t\tconst { autoscalingLimitMinCu: min, autoscalingLimitMaxCu: max } =\n\t\t\tsettings;\n\t\tif (min !== undefined && max !== undefined && min > max) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"autoscalingLimitMinCu\"],\n\t\t\t\tmessage: `autoscalingLimitMinCu (${min}) must be <= autoscalingLimitMaxCu (${max})`,\n\t\t\t});\n\t\t}\n\t});\n\n/** Object form of a service toggle (`{ enabled?: boolean }`). */\nexport const serviceToggleSchema = z.strictObject({\n\tenabled: z.boolean().optional(),\n});\n\n/** A service toggle as written in a policy: `boolean` or `{ enabled?: boolean }`. */\nexport const serviceToggleInputSchema = z.union([\n\tz.boolean(),\n\tserviceToggleSchema,\n]);\n\n/**\n * Reusable Data API runtime settings (camelCase mirror of the Neon API `DataAPISettings`).\n * `strictObject` so a typo / snake_case key fails loudly instead of being silently dropped.\n */\nexport const dataApiSettingsSchema = z.strictObject({\n\tdbAggregatesEnabled: z.boolean().optional(),\n\tdbAnonRole: z.string().optional(),\n\tdbExtraSearchPath: z.string().optional(),\n\tdbMaxRows: z.number().int().optional(),\n\tdbSchemas: z.array(z.string()).optional(),\n\tjwtRoleClaimKey: z.string().optional(),\n\tjwtCacheMaxLifetime: z.number().int().optional(),\n\topenapiMode: z\n\t\t.union([z.literal(\"ignore-privileges\"), z.literal(\"disabled\")])\n\t\t.optional(),\n\tserverCorsAllowedOrigins: z.string().optional(),\n\tserverTimingEnabled: z.boolean().optional(),\n});\n\n/** Names of the external-IdP-only fields, forbidden when `authProvider` is `\"neon\"`. */\nconst DATA_API_EXTERNAL_ONLY_KEYS = [\n\t\"jwksUrl\",\n\t\"providerName\",\n\t\"jwtAudience\",\n] as const;\n\n/**\n * Object form of the `dataApi` toggle. A single `strictObject` plus a `superRefine` (rather\n * than a discriminated union) so the `\"neon\"` default works without the discriminator being\n * present, and so the \"external-only field with authProvider neon\" error points at the exact\n * offending key — mirroring the `?: never` type-level guard at runtime.\n */\nexport const dataApiConfigSchema = z\n\t.strictObject({\n\t\tenabled: z.boolean().optional(),\n\t\tauthProvider: z\n\t\t\t.union([z.literal(\"neon\"), z.literal(\"external\")])\n\t\t\t.optional(),\n\t\tjwksUrl: z.string().optional(),\n\t\tproviderName: z.string().optional(),\n\t\tjwtAudience: z.string().optional(),\n\t\tsettings: dataApiSettingsSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tconst provider = cfg.authProvider ?? \"neon\";\n\t\tif (provider !== \"neon\") return;\n\t\tfor (const key of DATA_API_EXTERNAL_ONLY_KEYS) {\n\t\t\tif (cfg[key] !== undefined) {\n\t\t\t\tctx.addIssue({\n\t\t\t\t\tcode: \"custom\",\n\t\t\t\t\tpath: [key],\n\t\t\t\t\tmessage: `${key} is only allowed with authProvider: \"external\" — Neon supplies it for authProvider: \"neon\".`,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t});\n\n/** A `dataApi` toggle as written in a policy: `boolean` or {@link dataApiConfigSchema}. */\nexport const dataApiInputSchema = z.union([z.boolean(), dataApiConfigSchema]);\n\nexport const postgresConfigSchema = z.strictObject({\n\tcomputeSettings: computeSettingsSchema.optional(),\n});\n\n/**\n * Branch-unique function slug. Mirrors the Neon Functions API path-segment rule\n * (`platform/internal/platform/functions/name.go`): 1–20 lowercase letters and digits.\n * Used as the **key schema** of the `preview.functions` record, so a bad slug fails\n * validation with a path pointing at the offending key and duplicate slugs are impossible\n * by construction (object keys are unique).\n */\nconst functionSlugSchema = z\n\t.string()\n\t.regex(\n\t\t/^[a-z0-9]{1,20}$/,\n\t\t\"function slug must be 1-20 lowercase letters and digits (no hyphens or other characters)\",\n\t);\n\n/** Bucket name: 1–255 chars. Used as the key schema of the `preview.buckets` record. */\nconst bucketNameSchema = z.string().min(1).max(255);\n\n/**\n * A single function environment-variable value. Must be a defined string: a `process.env.X`\n * that is unset evaluates to `undefined`, and the bare `z.string()` message for that case\n * (`Invalid input: expected string, received undefined`) gives no hint that an env var is the\n * culprit. The custom `error` replaces *only* the `undefined` case with a message that names\n * the offending function + env key (read from the issue path) and how to fix it; any other\n * wrong type keeps zod's default (`expected string, received number`, …).\n */\nconst functionEnvValueSchema = z.string({\n\terror: (issue) => {\n\t\tif (issue.input !== undefined) return undefined;\n\t\tconst path = issue.path ?? [];\n\t\tconst key = path.length > 0 ? String(path[path.length - 1]) : undefined;\n\t\tconst functionsIndex = path.indexOf(\"functions\");\n\t\tconst slug =\n\t\t\tfunctionsIndex >= 0 && functionsIndex + 1 < path.length\n\t\t\t\t? String(path[functionsIndex + 1])\n\t\t\t\t: undefined;\n\t\tconst subject =\n\t\t\tslug !== undefined && key !== undefined\n\t\t\t\t? `Environment variable \"${key}\" for function \"${slug}\"`\n\t\t\t\t: key !== undefined\n\t\t\t\t\t? `Environment variable \"${key}\"`\n\t\t\t\t\t: \"An environment variable\";\n\t\treturn `${subject} is undefined — its value (typically a \\`process.env.*\\`) is unset. Set it (e.g. add it to your .env) or provide a fallback like \\`process.env.X ?? \"\"\\`.`;\n\t},\n});\n\n/**\n * Per-function environment map. Every value must be a defined string (see\n * {@link functionEnvValueSchema}): a `process.env.X` that is unset surfaces as `undefined` and\n * is rejected here (rather than silently shipping `undefined` into the deployment).\n */\nconst functionEnvSchema = z.record(z.string(), functionEnvValueSchema);\n\n/**\n * TCP port for a function's local dev server. Excludes 0 (which means \"any port\" to the OS\n * — `neon dev` expresses \"pick one for me\" by omitting `port`, not by passing 0).\n */\nconst devPortSchema = z.number().int().min(1).max(65535);\n\n/**\n * Local-dev settings for a function (`neon dev` only; never affects deploy). `port` is bound\n * exactly when set (and `neon dev` fails if it is taken), or a free port is found when omitted.\n */\nconst functionDevConfigSchema = z.strictObject({\n\tport: devPortSchema.optional(),\n});\n\nconst runtimeSchema = z.literal(\"nodejs24\");\n\n/**\n * Static definition of a function (existence). The slug is the record key (validated by\n * {@link functionSlugSchema}), so it is not a field here. Deploy tuning (`runtime`) lives\n * in the `branch` closure, not here.\n */\nexport const functionDefSchema = z.strictObject({\n\tname: z.string().min(1).max(255),\n\tsource: z.string().min(1),\n\tenv: functionEnvSchema.optional(),\n\tdev: functionDevConfigSchema.optional(),\n});\n\n/** Static definition of a bucket (existence). Name is the record key. */\nexport const bucketDefSchema = z.strictObject({\n\taccess: z\n\t\t.union([z.literal(\"private\"), z.literal(\"public_read\")])\n\t\t.optional(),\n});\n\n/** Static, beta Preview feature set: AI Gateway toggle + functions/buckets records. */\nexport const previewInputSchema = z.strictObject({\n\taiGateway: serviceToggleInputSchema.optional(),\n\tfunctions: z.record(functionSlugSchema, functionDefSchema).optional(),\n\tbuckets: z.record(bucketNameSchema, bucketDefSchema).optional(),\n});\n\n/** Per-function deploy tuning returned by the `branch` closure. */\nexport const functionTuningSchema = z.strictObject({\n\truntime: runtimeSchema.optional(),\n});\n\n/** Per-branch Preview tuning. Keys must be slugs declared in the static `preview`. */\nconst previewTuningSchema = z.strictObject({\n\tfunctions: z.record(functionSlugSchema, functionTuningSchema).optional(),\n});\n\n/**\n * The object returned by the `branch` closure. Validated on every `resolveConfig` call so\n * tuning errors point at the concrete branch target that triggered them.\n */\nexport const branchTuningSchema = z\n\t.strictObject({\n\t\tparent: z.string().optional(),\n\t\tprotected: z.boolean().optional(),\n\t\tttl: z\n\t\t\t.union([z.string(), z.number()])\n\t\t\t.optional()\n\t\t\t.superRefine((value, ctx) => {\n\t\t\t\tif (value === undefined) return;\n\t\t\t\tconst result = parseBranchTtl(value);\n\t\t\t\tif (\"error\" in result) {\n\t\t\t\t\tctx.addIssue({ code: \"custom\", message: result.error });\n\t\t\t\t}\n\t\t\t}),\n\t\tpostgres: postgresConfigSchema.optional(),\n\t\tpreview: previewTuningSchema.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\tvalidateParentReference({\n\t\t\tctx,\n\t\t\tpath: [\"parent\"],\n\t\t\tparent: cfg.parent,\n\t\t});\n\t});\n\n/**\n * The top-level object accepted by `defineConfig`. The `branch` closure is validated\n * structurally as a function here; its returned tuning is validated per-evaluation by\n * {@link branchTuningSchema} inside `resolveConfig`.\n */\nexport const configInputSchema = z\n\t.strictObject({\n\t\tauth: serviceToggleInputSchema.optional(),\n\t\tdataApi: dataApiInputSchema.optional(),\n\t\tpreview: previewInputSchema.optional(),\n\t\tbranch: z\n\t\t\t.custom<(...args: unknown[]) => unknown>(\n\t\t\t\t(value) => typeof value === \"function\",\n\t\t\t\t{\n\t\t\t\t\tmessage:\n\t\t\t\t\t\t\"branch must be a function: `branch: (branch) => ({ … })`\",\n\t\t\t\t},\n\t\t\t)\n\t\t\t.optional(),\n\t})\n\t.superRefine((cfg, ctx) => {\n\t\t// A Data API verified by Neon Auth (`authProvider: \"neon\"`, the default) needs Neon\n\t\t// Auth enabled on the same branch so the tokens it verifies actually exist. Enforce\n\t\t// the same invariant the `defineConfig` type-level check expresses, at runtime.\n\t\tif (!isToggleEnabledValue(cfg.dataApi)) return;\n\t\tif (dataApiAuthProviderValue(cfg.dataApi) !== \"neon\") return;\n\t\tif (!isToggleEnabledValue(cfg.auth)) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tpath: [\"auth\"],\n\t\t\t\tmessage:\n\t\t\t\t\t'dataApi with authProvider \"neon\" requires Neon Auth — set `auth: true` (or `auth: { enabled: true }`), or use `dataApi.authProvider: \"external\"` with your own `jwksUrl`.',\n\t\t\t});\n\t\t}\n\t});\n\n/**\n * Whether a parsed `auth` / `dataApi` toggle value is enabled: a present object (or `true`)\n * is on unless `enabled` is explicitly `false`. Mirrors `isServiceEnabled` in\n * `define-config.ts`, operating on the already-validated runtime value.\n */\nfunction isToggleEnabledValue(value: unknown): boolean {\n\tif (value === undefined || value === null) return false;\n\tif (typeof value === \"boolean\") return value;\n\tif (typeof value === \"object\") {\n\t\treturn (value as { enabled?: unknown }).enabled !== false;\n\t}\n\treturn false;\n}\n\n/** Read the (defaulted) `authProvider` from a parsed `dataApi` value. */\nfunction dataApiAuthProviderValue(value: unknown): \"neon\" | \"external\" {\n\tif (value !== null && typeof value === \"object\") {\n\t\tconst provider = (value as { authProvider?: unknown }).authProvider;\n\t\tif (provider === \"external\") return \"external\";\n\t}\n\treturn \"neon\";\n}\n\nfunction validateParentReference(args: {\n\tctx: z.RefinementCtx;\n\tpath: (string | number)[];\n\tparent: string | undefined;\n}): void {\n\tconst { ctx, path, parent } = args;\n\tif (parent === undefined) return;\n\n\tconst patternCheck = validatePattern(parent);\n\tif (\"error\" in patternCheck) {\n\t\tctx.addIssue({ code: \"custom\", path, message: patternCheck.error });\n\t} else if (isWildcardPattern(parent)) {\n\t\tctx.addIssue({\n\t\t\tcode: \"custom\",\n\t\t\tpath,\n\t\t\tmessage: `parent must be a concrete branch name (no wildcards), got \"${parent}\"`,\n\t\t});\n\t}\n}\n\n/**\n * Convert the structured {@link z.ZodError} produced by `configSchema.safeParse` into the\n * `string[]` shape used by {@link import(\"./errors.js\").ConfigValidationError}.\n *\n * Issue paths are rendered as dot-separated property accesses (`postgres.computeSettings`)\n * and unknown-key issues from `strictObject` are normalised so the message contains the\n * substring \"unknown key\" — keeping pre-zod assertions in test suites and downstream tools\n * stable.\n */\nexport function formatZodIssues(error: z.ZodError): string[] {\n\treturn error.issues.map((issue) => {\n\t\tconst path = renderPath(issue.path);\n\t\tconst message = normaliseIssueMessage(issue);\n\t\treturn path ? `${path}: ${message}` : message;\n\t});\n}\n\nfunction renderPath(path: ReadonlyArray<PropertyKey>): string {\n\tlet out = \"\";\n\tfor (const segment of path) {\n\t\tif (typeof segment === \"number\") out += `[${segment}]`;\n\t\telse if (out === \"\") out += String(segment);\n\t\telse out += `.${String(segment)}`;\n\t}\n\treturn out;\n}\n\nfunction normaliseIssueMessage(issue: z.core.$ZodIssue): string {\n\tif (issue.code === \"unrecognized_keys\") {\n\t\tconst keys = issue.keys ?? [];\n\t\tconst formatted = keys.map((k) => JSON.stringify(k)).join(\", \");\n\t\treturn `unknown key${keys.length === 1 ? \"\" : \"s\"}: ${formatted}`;\n\t}\n\tif (issue.code === \"invalid_key\") {\n\t\t// A record *key* that fails its key schema (e.g. a bad function slug) surfaces in\n\t\t// zod as a single `invalid_key` issue whose own `message` is the generic, useless\n\t\t// \"Invalid key in record\". The actual reason — the function-slug regex rule, say —\n\t\t// lives in the nested key-schema `issues`. Hoist those so the user sees *why* the\n\t\t// key was rejected (the offending key itself is already in the issue `path`).\n\t\tconst reasons = issue.issues\n\t\t\t.map((nested) => nested.message)\n\t\t\t.filter((message) => message.length > 0);\n\t\tif (reasons.length > 0) return reasons.join(\"; \");\n\t}\n\treturn issue.message;\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAgBA,MAAa,wBAAwB,EACnC,aAAa;CACb,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,uBAAuB,EACrB,MAAM;EACN,EAAE,QAAQ,GAAI;EACd,EAAE,QAAQ,EAAG;EACb,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;EACX,EAAE,QAAQ,CAAC;CACZ,CAAC,CAAC,CACD,SAAS;CACX,gBAAgB,EACd,MAAM;EAAC,EAAE,QAAQ,KAAK;EAAG,EAAE,OAAO;EAAG,EAAE,OAAO;CAAC,CAAC,CAAC,CACjD,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,oBAAoB,KAAK;EACxC,IAAI,WAAW,QACd,IAAI,SAAS;GACZ,MAAM;GACN,SAAS,OAAO;EACjB,CAAC;CAEH,CAAC;AACH,CAAC,CAAC,CACD,aAAa,UAAU,QAAQ;CAC/B,MAAM,EAAE,uBAAuB,KAAK,uBAAuB,QAC1D;CACD,IAAI,QAAQ,KAAA,KAAa,QAAQ,KAAA,KAAa,MAAM,KACnD,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,uBAAuB;EAC9B,SAAS,0BAA0B,IAAI,sCAAsC,IAAI;CAClF,CAAC;AAEH,CAAC;;AAGF,MAAa,sBAAsB,EAAE,aAAa,EACjD,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS,EAC/B,CAAC;;AAGD,MAAa,2BAA2B,EAAE,MAAM,CAC/C,EAAE,QAAQ,GACV,mBACD,CAAC;;;;;AAMD,MAAa,wBAAwB,EAAE,aAAa;CACnD,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC1C,YAAY,EAAE,OAAO,CAAC,CAAC,SAAS;CAChC,mBAAmB,EAAE,OAAO,CAAC,CAAC,SAAS;CACvC,WAAW,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CACrC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS;CACxC,iBAAiB,EAAE,OAAO,CAAC,CAAC,SAAS;CACrC,qBAAqB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;CAC/C,aAAa,EACX,MAAM,CAAC,EAAE,QAAQ,mBAAmB,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CAC9D,SAAS;CACX,0BAA0B,EAAE,OAAO,CAAC,CAAC,SAAS;CAC9C,qBAAqB,EAAE,QAAQ,CAAC,CAAC,SAAS;AAC3C,CAAC;;AAGD,MAAM,8BAA8B;CACnC;CACA;CACA;AACD;;;;;;;AAQA,MAAa,sBAAsB,EACjC,aAAa;CACb,SAAS,EAAE,QAAQ,CAAC,CAAC,SAAS;CAC9B,cAAc,EACZ,MAAM,CAAC,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,UAAU,CAAC,CAAC,CAAC,CACjD,SAAS;CACX,SAAS,EAAE,OAAO,CAAC,CAAC,SAAS;CAC7B,cAAc,EAAE,OAAO,CAAC,CAAC,SAAS;CAClC,aAAa,EAAE,OAAO,CAAC,CAAC,SAAS;CACjC,UAAU,sBAAsB,SAAS;AAC1C,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAE1B,KADiB,IAAI,gBAAgB,YACpB,QAAQ;CACzB,KAAK,MAAM,OAAO,6BACjB,IAAI,IAAI,SAAS,KAAA,GAChB,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,GAAG;EACV,SAAS,GAAG,IAAI;CACjB,CAAC;AAGJ,CAAC;;AAGF,MAAa,qBAAqB,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,mBAAmB,CAAC;AAE5E,MAAa,uBAAuB,EAAE,aAAa,EAClD,iBAAiB,sBAAsB,SAAS,EACjD,CAAC;;;;;;;;AASD,MAAM,qBAAqB,EACzB,OAAO,CAAC,CACR,MACA,oBACA,0FACD;;AAGD,MAAM,mBAAmB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;;;;;;;;;AAUlD,MAAM,yBAAyB,EAAE,OAAO,EACvC,QAAQ,UAAU;CACjB,IAAI,MAAM,UAAU,KAAA,GAAW,OAAO,KAAA;CACtC,MAAM,OAAO,MAAM,QAAQ,CAAC;CAC5B,MAAM,MAAM,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,IAAI,KAAA;CAC9D,MAAM,iBAAiB,KAAK,QAAQ,WAAW;CAC/C,MAAM,OACL,kBAAkB,KAAK,iBAAiB,IAAI,KAAK,SAC9C,OAAO,KAAK,iBAAiB,EAAE,IAC/B,KAAA;CAOJ,OAAO,GALN,SAAS,KAAA,KAAa,QAAQ,KAAA,IAC3B,yBAAyB,IAAI,kBAAkB,KAAK,KACpD,QAAQ,KAAA,IACP,yBAAyB,IAAI,KAC7B,0BACa;AACnB,EACD,CAAC;;;;;;AAOD,MAAM,oBAAoB,EAAE,OAAO,EAAE,OAAO,GAAG,sBAAsB;;;;;AAMrE,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK;;;;;AAMvD,MAAM,0BAA0B,EAAE,aAAa,EAC9C,MAAM,cAAc,SAAS,EAC9B,CAAC;AAED,MAAM,gBAAgB,EAAE,QAAQ,UAAU;;;;;;AAO1C,MAAa,oBAAoB,EAAE,aAAa;CAC/C,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG;CAC/B,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;CACxB,KAAK,kBAAkB,SAAS;CAChC,KAAK,wBAAwB,SAAS;AACvC,CAAC;;AAGD,MAAa,kBAAkB,EAAE,aAAa,EAC7C,QAAQ,EACN,MAAM,CAAC,EAAE,QAAQ,SAAS,GAAG,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,CACvD,SAAS,EACZ,CAAC;;AAGD,MAAa,qBAAqB,EAAE,aAAa;CAChD,WAAW,yBAAyB,SAAS;CAC7C,WAAW,EAAE,OAAO,oBAAoB,iBAAiB,CAAC,CAAC,SAAS;CACpE,SAAS,EAAE,OAAO,kBAAkB,eAAe,CAAC,CAAC,SAAS;AAC/D,CAAC;;AAGD,MAAa,uBAAuB,EAAE,aAAa,EAClD,SAAS,cAAc,SAAS,EACjC,CAAC;;AAGD,MAAM,sBAAsB,EAAE,aAAa,EAC1C,WAAW,EAAE,OAAO,oBAAoB,oBAAoB,CAAC,CAAC,SAAS,EACxE,CAAC;;;;;AAMD,MAAa,qBAAqB,EAChC,aAAa;CACb,QAAQ,EAAE,OAAO,CAAC,CAAC,SAAS;CAC5B,WAAW,EAAE,QAAQ,CAAC,CAAC,SAAS;CAChC,KAAK,EACH,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAC/B,SAAS,CAAC,CACV,aAAa,OAAO,QAAQ;EAC5B,IAAI,UAAU,KAAA,GAAW;EACzB,MAAM,SAAS,eAAe,KAAK;EACnC,IAAI,WAAW,QACd,IAAI,SAAS;GAAE,MAAM;GAAU,SAAS,OAAO;EAAM,CAAC;CAExD,CAAC;CACF,UAAU,qBAAqB,SAAS;CACxC,SAAS,oBAAoB,SAAS;AACvC,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAC1B,wBAAwB;EACvB;EACA,MAAM,CAAC,QAAQ;EACf,QAAQ,IAAI;CACb,CAAC;AACF,CAAC;;;;;;AAOF,MAAa,oBAAoB,EAC/B,aAAa;CACb,MAAM,yBAAyB,SAAS;CACxC,SAAS,mBAAmB,SAAS;CACrC,SAAS,mBAAmB,SAAS;CACrC,QAAQ,EACN,QACC,UAAU,OAAO,UAAU,YAC5B,EACC,SACC,2DACF,CACD,CAAC,CACA,SAAS;AACZ,CAAC,CAAC,CACD,aAAa,KAAK,QAAQ;CAI1B,IAAI,CAAC,qBAAqB,IAAI,OAAO,GAAG;CACxC,IAAI,yBAAyB,IAAI,OAAO,MAAM,QAAQ;CACtD,IAAI,CAAC,qBAAqB,IAAI,IAAI,GACjC,IAAI,SAAS;EACZ,MAAM;EACN,MAAM,CAAC,MAAM;EACb,SACC;CACF,CAAC;AAEH,CAAC;;;;;;AAOF,SAAS,qBAAqB,OAAyB;CACtD,IAAI,UAAU,KAAA,KAAa,UAAU,MAAM,OAAO;CAClD,IAAI,OAAO,UAAU,WAAW,OAAO;CACvC,IAAI,OAAO,UAAU,UACpB,OAAQ,MAAgC,YAAY;CAErD,OAAO;AACR;;AAGA,SAAS,yBAAyB,OAAqC;CACtE,IAAI,UAAU,QAAQ,OAAO,UAAU;MACpB,MAAqC,iBACtC,YAAY,OAAO;CAAA;CAErC,OAAO;AACR;AAEA,SAAS,wBAAwB,MAIxB;CACR,MAAM,EAAE,KAAK,MAAM,WAAW;CAC9B,IAAI,WAAW,KAAA,GAAW;CAE1B,MAAM,eAAe,gBAAgB,MAAM;CAC3C,IAAI,WAAW,cACd,IAAI,SAAS;EAAE,MAAM;EAAU;EAAM,SAAS,aAAa;CAAM,CAAC;MAC5D,IAAI,kBAAkB,MAAM,GAClC,IAAI,SAAS;EACZ,MAAM;EACN;EACA,SAAS,8DAA8D,OAAO;CAC/E,CAAC;AAEH;;;;;;;;;;AAWA,SAAgB,gBAAgB,OAA6B;CAC5D,OAAO,MAAM,OAAO,KAAK,UAAU;EAClC,MAAM,OAAO,WAAW,MAAM,IAAI;EAClC,MAAM,UAAU,sBAAsB,KAAK;EAC3C,OAAO,OAAO,GAAG,KAAK,IAAI,YAAY;CACvC,CAAC;AACF;AAEA,SAAS,WAAW,MAA0C;CAC7D,IAAI,MAAM;CACV,KAAK,MAAM,WAAW,MACrB,IAAI,OAAO,YAAY,UAAU,OAAO,IAAI,QAAQ;MAC/C,IAAI,QAAQ,IAAI,OAAO,OAAO,OAAO;MACrC,OAAO,IAAI,OAAO,OAAO;CAE/B,OAAO;AACR;AAEA,SAAS,sBAAsB,OAAiC;CAC/D,IAAI,MAAM,SAAS,qBAAqB;EACvC,MAAM,OAAO,MAAM,QAAQ,CAAC;EAC5B,MAAM,YAAY,KAAK,KAAK,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;EAC9D,OAAO,cAAc,KAAK,WAAW,IAAI,KAAK,IAAI,IAAI;CACvD;CACA,IAAI,MAAM,SAAS,eAAe;EAMjC,MAAM,UAAU,MAAM,OACpB,KAAK,WAAW,OAAO,OAAO,CAAC,CAC/B,QAAQ,YAAY,QAAQ,SAAS,CAAC;EACxC,IAAI,QAAQ,SAAS,GAAG,OAAO,QAAQ,KAAK,IAAI;CACjD;CACA,OAAO,MAAM;AACd"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@neondatabase/config",
-  "version": "0.7.1",
+  "version": "0.8.0",
   "description": "Config-as-Code for the Neon Platform. Define a `neon.ts` policy and inspect/diff/deploy it against the Neon API as plain TypeScript functions.",
   "keywords": [
     "neon",
@@ -62,6 +62,7 @@
     "build": "tsc --noEmit && tsdown",
     "test": "vitest --passWithNoTests",
     "test:ci": "vitest run --passWithNoTests",
+    "test:types": "vitest run --typecheck.enabled --typecheck.only",
     "test:e2e": "vitest run --config vitest.e2e.config.ts",
     "tsc": "tsc"
   }