Interface DreamDbConfig

pg pool/client options passed straight through to new pg.Pool(...). Dream knows nothing about these fields — pg's own types carry the documentation. Unset ⇒ pg applies its own defaults (backward compatible).

Omitted from the passthrough:

• user / password / database / host / port / ssl: Dream manages these (per-connection name, TLS directive) — hard invariants.
• connectionString: pg's ConnectionParameters re-parses the URL and lets its fields take precedence, bypassing Dream's per-connection database name and TLS directive. Parse DATABASE_URL into the discrete host/port/user/password/name/ssl fields in conf/dream.ts instead.
• min: node-pg's pg-pool does not honor it (silent no-op).
• types / Client / Promise / log / stream: programmatic, not credential config (types is already wired via Dream's parsers).

When another database adapter is added, a parallel mysql?: ... key (or similar) will appear here — this key is intentionally pg-specific.

TLS configuration passed straight through to pg.Pool's ssl field. Takes precedence over the deprecated useSsl when provided.

Set rejectUnauthorized: true (Node's own default) for verified TLS against the system CA store — the right choice for managed providers that present a public-CA-signed certificate (Supabase, Neon, Render, Azure Database for PostgreSQL on Flexible Server, etc.).

For providers that present a private-CA certificate (AWS RDS, GCP Cloud SQL), add a ca bundle: ssl: { rejectUnauthorized: true, ca: readFileSync('rds-ca.pem') }.

For providers that present a self-signed certificate (Heroku Hobby, some local docker images), set rejectUnauthorized: false — encrypted but unauthenticated.

Set false to disable TLS entirely. Omitting ssl (and useSsl) throws at app.set('db', ...) time so the safety question is a deliberate decision at the call site rather than a silent default.