feat: migrate LLM provider to Cloudflare Workers AI

Replace OpenRouter SDK with direct Cloudflare Workers AI
REST API calls. Same model (glm-4.7-flash), validated with
arktype. Env vars: CF_ACCOUNT_ID, WORKERS_AI_API_KEY.

Co-authored-by: Ona <no-reply@ona.com>

.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-	"js/ts.experimental.useTsgo": true
-}

apps/admin-dashboard/package.json

@@ -34,7 +34,7 @@
 		"@types/react": "^19.2.5",
 		"@types/react-dom": "^19.2.3",
 		"@vitejs/plugin-react": "^5.1.1",
-		"typescript": "^6",
+		"typescript": "~5.9.3",
 		"vite": "^7.2.4"
 	}
 }

apps/admin-dashboard/src/components/source-config-panel.tsx

@@ -20,7 +20,13 @@ import {
 import { Separator } from "@/components/ui/separator"
 import { Switch } from "@/components/ui/switch"
 import { Tooltip, TooltipContent, TooltipTrigger } from "@/components/ui/tooltip"
-import { fetchSourceConfig, pushLocation, replaceSource, updateProviderConfig } from "@/lib/api"
+import {
+	fetchSourceConfig,
+	pushLocation,
+	replaceSource,
+	updateProviderConfig,
+	updateSourceCredentials,
+} from "@/lib/api"
 
 interface SourceConfigPanelProps {
 	source: SourceDefinition
@@ -74,24 +80,23 @@ export function SourceConfigPanel({ source, onUpdate }: SourceConfigPanelProps)
 
 	const saveMutation = useMutation({
 		mutationFn: async () => {
+			const promises: Promise<void>[] = [
+				replaceSource(source.id, { enabled, config: getUserConfig() }),
+			]
+
 			const credentialFields = getCredentialFields()
 			const hasCredentials = Object.values(credentialFields).some(
 				(v) => typeof v === "string" && v.length > 0,
 			)
+			if (hasCredentials) {
+				if (source.perUserCredentials) {
+					promises.push(updateSourceCredentials(source.id, credentialFields))
+				} else {
+					promises.push(updateProviderConfig(source.id, { credentials: credentialFields }))
+				}
+			}
 
-			const body: Parameters<typeof replaceSource>[1] = {
+			await Promise.all(promises)
-				enabled,
-				config: getUserConfig(),
-			}
-			if (hasCredentials && source.perUserCredentials) {
-				body.credentials = credentialFields
-			}
-			await replaceSource(source.id, body)
-
-			// For non-per-user credentials (provider-level), still use the admin endpoint.
-			if (hasCredentials && !source.perUserCredentials) {
-				await updateProviderConfig(source.id, { credentials: credentialFields })
-			}
 		},
 		onSuccess() {
 			setDirty({})

apps/admin-dashboard/src/lib/api.ts

@@ -114,7 +114,7 @@ const sourceDefinitions: SourceDefinition[] = [
 			timeZone: {
 				type: "string",
 				label: "Timezone",
-				description: 'IANA timezone for determining "today" (e.g. Europe/London). Defaults to UTC.',
+				description: "IANA timezone for determining \"today\" (e.g. Europe/London). Defaults to UTC.",
 			},
 		},
 	},
@@ -174,7 +174,7 @@ export async function fetchConfigs(): Promise<SourceConfig[]> {
 
 export async function replaceSource(
 	sourceId: string,
-	body: { enabled: boolean; config: unknown; credentials?: Record<string, unknown> },
+	body: { enabled: boolean; config: unknown },
 ): Promise<void> {
 	const res = await fetch(`${serverBase()}/sources/${sourceId}`, {
 		method: "PUT",

apps/admin-dashboard/tsconfig.app.json

@@ -3,11 +3,12 @@
 		"tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
 		"target": "ES2022",
 		"useDefineForClassFields": true,
-		"lib": ["ES2022", "DOM"],
+		"lib": ["ES2022", "DOM", "DOM.Iterable"],
 		"module": "ESNext",
 		"types": ["vite/client"],
 		"skipLibCheck": true,
 
+		/* Bundler mode */
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
@@ -15,12 +16,14 @@
 		"noEmit": true,
 		"jsx": "react-jsx",
 
+		/* Linting */
 		"strict": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,
 		"erasableSyntaxOnly": true,
 		"noFallthroughCasesInSwitch": true,
 		"noUncheckedSideEffectImports": true,
+		"baseUrl": ".",
 		"paths": {
 			"@/*": ["./src/*"]
 		}

apps/admin-dashboard/tsconfig.json

@@ -2,6 +2,7 @@
 	"files": [],
 	"references": [{ "path": "./tsconfig.app.json" }, { "path": "./tsconfig.node.json" }],
 	"compilerOptions": {
+		"baseUrl": ".",
 		"paths": {
 			"@/*": ["./src/*"]
 		}

apps/admin-dashboard/tsconfig.node.json

@@ -7,12 +7,14 @@
 		"types": ["node"],
 		"skipLibCheck": true,
 
+		/* Bundler mode */
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
 		"moduleDetection": "force",
 		"noEmit": true,
 
+		/* Linting */
 		"strict": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,

apps/aelis-backend/.env.example

@@ -10,10 +10,11 @@ CREDENTIAL_ENCRYPTION_KEY=
 # Base URL of the backend
 BETTER_AUTH_URL=http://localhost:3000
 
-# OpenRouter (LLM feed enhancement)
+# Cloudflare Workers AI (LLM feed enhancement)
-OPENROUTER_API_KEY=
+CF_ACCOUNT_ID=
-# Optional: override the default model (default: openai/gpt-4.1-mini)
+WORKERS_AI_API_KEY=
-# OPENROUTER_MODEL=openai/gpt-4.1-mini
+# Optional: override the default model (default: @cf/zai-org/glm-4.7-flash)
+# WORKERS_AI_MODEL=@cf/zai-org/glm-4.7-flash
 
 # Apple WeatherKit credentials
 WEATHERKIT_PRIVATE_KEY=

apps/aelis-backend/package.json

@@ -21,7 +21,6 @@
 		"@aelis/source-location": "workspace:*",
 		"@aelis/source-tfl": "workspace:*",
 		"@aelis/source-weatherkit": "workspace:*",
-		"@openrouter/sdk": "^0.9.11",
 		"arktype": "^2.1.29",
 		"better-auth": "^1",
 		"drizzle-orm": "^0.45.1",

apps/aelis-backend/src/db/index.ts

@@ -1,12 +1,9 @@
-import type { PgDatabase } from "drizzle-orm/pg-core"
-
 import { SQL } from "bun"
-import { drizzle, type BunSQLQueryResultHKT } from "drizzle-orm/bun-sql"
+import { drizzle, type BunSQLDatabase } from "drizzle-orm/bun-sql"
 
 import * as schema from "./schema.ts"
 
-/** Covers both the top-level drizzle instance and transaction handles. */
+export type Database = BunSQLDatabase<typeof schema>
-export type Database = PgDatabase<BunSQLQueryResultHKT, typeof schema>
 
 export interface DatabaseConnection {
 	db: Database

apps/aelis-backend/src/enhancement/llm-client.ts

@@ -1,13 +1,14 @@
-import { OpenRouter } from "@openrouter/sdk"
+import { type } from "arktype"
 
 import type { EnhancementResult } from "./schema.ts"
 
 import { enhancementResultJsonSchema, parseEnhancementResult } from "./schema.ts"
 
-const DEFAULT_MODEL = "z-ai/glm-4.7-flash"
+const DEFAULT_MODEL = "@cf/zai-org/glm-4.7-flash"
 const DEFAULT_TIMEOUT_MS = 30_000
 
 export interface LlmClientConfig {
+	accountId: string
 	apiKey: string
 	model?: string
 	timeoutMs?: number
@@ -22,43 +23,77 @@ export interface LlmClient {
 	enhance(request: LlmClientRequest): Promise<EnhancementResult | null>
 }
 
+const CloudflareApiResponse = type({
+	result: {
+		choices: type({
+			message: {
+				content: "string",
+				"role?": "string",
+			},
+		}).array(),
+	},
+	success: "boolean",
+	"errors?": type({ message: "string" }).array(),
+})
+
 /**
- * Creates a reusable LLM client backed by OpenRouter.
+ * Creates a reusable LLM client backed by Cloudflare Workers AI.
- * The OpenRouter SDK instance is created once and reused across calls.
+ * Uses the REST API with structured JSON output.
  */
 export function createLlmClient(config: LlmClientConfig): LlmClient {
-	const client = new OpenRouter({
-		apiKey: config.apiKey,
-		timeoutMs: config.timeoutMs ?? DEFAULT_TIMEOUT_MS,
-	})
 	const model = config.model ?? DEFAULT_MODEL
+	const timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS
+	const baseUrl = `https://api.cloudflare.com/client/v4/accounts/${config.accountId}/ai/run/${model}`
 
 	return {
 		async enhance(request) {
-			const response = await client.chat.send({
+			try {
-				chatGenerationParams: {
+				const res = await fetch(baseUrl, {
-					model,
+					method: "POST",
+					headers: {
+						Authorization: `Bearer ${config.apiKey}`,
+						"Content-Type": "application/json",
+					},
+					body: JSON.stringify({
 						messages: [
-						{ role: "system" as const, content: request.systemPrompt },
+							{ role: "system", content: request.systemPrompt },
-						{ role: "user" as const, content: request.userMessage },
+							{ role: "user", content: request.userMessage },
 						],
-					responseFormat: {
+						response_format: {
-						type: "json_schema" as const,
+							type: "json_schema",
-						jsonSchema: {
+							json_schema: {
 								name: "enhancement_result",
 								strict: false,
 								schema: enhancementResultJsonSchema,
 							},
 						},
-					reasoning: { effort: "none" },
 						stream: false,
-				},
+					}),
+					// @ts-expect-error — bun-types AbortSignal conflicts with ESNext lib in tsc; works at runtime and in VSCode
+					signal: AbortSignal.timeout(timeoutMs),
 				})
 
-			const message = response.choices?.[0]?.message
+				if (!res.ok) {
-			const content = message?.content ?? message?.reasoning
+					const body = await res.text()
-			if (typeof content !== "string") {
+					console.warn(`[enhancement] Cloudflare API error ${res.status}: ${body}`)
-				console.warn("[enhancement] LLM returned no content in response")
+					return null
+				}
+
+				const json: unknown = await res.json()
+				const parsed = CloudflareApiResponse(json)
+				if (parsed instanceof type.errors) {
+					console.warn("[enhancement] Unexpected API response shape:", parsed.summary)
+					return null
+				}
+
+				if (!parsed.success) {
+					console.warn("[enhancement] Cloudflare API errors:", parsed.errors)
+					return null
+				}
+
+				const content = parsed.result.choices[0]?.message.content
+				if (content === undefined) {
+					console.warn("[enhancement] LLM returned no choices in response")
 					return null
 				}
 
@@ -68,6 +103,14 @@ export function createLlmClient(config: LlmClientConfig): LlmClient {
 				}
 
 				return result
+			} catch (error) {
+				if (error instanceof DOMException && error.name === "TimeoutError") {
+					console.warn("[enhancement] LLM request timed out")
+				} else {
+					console.warn("[enhancement] LLM request failed:", error)
+				}
+				return null
+			}
 		},
 	}
 }

apps/aelis-backend/src/enhancement/schema.ts

@@ -15,8 +15,7 @@ export type SyntheticItem = typeof SyntheticItem.infer
 export type EnhancementResult = typeof EnhancementResult.infer
 
 /**
- * JSON Schema passed to OpenRouter's structured output.
+ * JSON Schema passed to Cloudflare Workers AI for structured output.
- * OpenRouter doesn't support arktype, so this is maintained separately.
  *
  * ⚠️  Must stay in sync with EnhancementResult above.
  * If you add/remove fields, update both schemas.

apps/aelis-backend/src/server.ts

@@ -23,17 +23,22 @@ function main() {
 	const { db, close: closeDb } = createDatabase(process.env.DATABASE_URL!)
 	const auth = createAuth(db)
 
-	const openrouterApiKey = process.env.OPENROUTER_API_KEY
+	const cfAccountId = process.env.CF_ACCOUNT_ID
-	const feedEnhancer = openrouterApiKey
+	const workersAiApiKey = process.env.WORKERS_AI_API_KEY
+	const feedEnhancer =
+		cfAccountId && workersAiApiKey
 			? createFeedEnhancer({
 					client: createLlmClient({
-					apiKey: openrouterApiKey,
+						accountId: cfAccountId,
-					model: process.env.OPENROUTER_MODEL || undefined,
+						apiKey: workersAiApiKey,
+						model: process.env.WORKERS_AI_MODEL || undefined,
 					}),
 				})
 			: null
 	if (!feedEnhancer) {
-		console.warn("[enhancement] OPENROUTER_API_KEY not set — feed enhancement disabled")
+		console.warn(
+			"[enhancement] CF_ACCOUNT_ID/WORKERS_AI_API_KEY not set — feed enhancement disabled",
+		)
 	}
 
 	const credentialEncryptionKey = process.env.CREDENTIAL_ENCRYPTION_KEY

apps/aelis-backend/src/session/user-session-manager.test.ts

@@ -81,27 +81,6 @@ mock.module("../sources/user-sources.ts", () => ({
 				updatedAt: now,
 			}
 		},
-		async findForUpdate(sourceId: string) {
-			// Delegates to find — row locking is a no-op in tests.
-			if (mockFindResult !== undefined) return mockFindResult
-			const now = new Date()
-			return {
-				id: crypto.randomUUID(),
-				userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}
-		},
-		async updateConfig(_sourceId: string, _update: { enabled?: boolean; config?: unknown }) {
-			// no-op for tests
-		},
-		async upsertConfig(_sourceId: string, _data: { enabled: boolean; config: unknown }) {
-			// no-op for tests
-		},
 		async updateCredentials(sourceId: string, credentials: Buffer) {
 			if (mockUpdateCredentialsError) {
 				throw mockUpdateCredentialsError
@@ -111,9 +90,7 @@ mock.module("../sources/user-sources.ts", () => ({
 	}),
 }))
 
-const fakeDb = {
+const fakeDb = {} as Database
-	transaction: <T>(fn: (tx: unknown) => Promise<T>) => fn(fakeDb),
-} as unknown as Database
 
 function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 	return {
@@ -847,121 +824,3 @@ describe("UserSessionManager.updateSourceCredentials", () => {
 		expect(factory).not.toHaveBeenCalled()
 	})
 })
-
-describe("UserSessionManager.saveSourceConfig", () => {
-	test("upserts config without credentials (existing behavior)", async () => {
-		setEnabledSources(["test"])
-		const factory = mock(async () => createStubSource("test"))
-		const provider: FeedSourceProvider = { sourceId: "test", feedSourceForUser: factory }
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [provider],
-			credentialEncryptor: testEncryptor,
-		})
-
-		// Create a session first so we can verify the source is refreshed
-		await manager.getOrCreate("user-1")
-
-		await manager.saveSourceConfig("user-1", "test", {
-			enabled: true,
-			config: { key: "value" },
-		})
-
-		// feedSourceForUser called once for session creation, once for upsert refresh
-		expect(factory).toHaveBeenCalledTimes(2)
-		// No credentials should have been persisted
-		expect(mockUpdateCredentialsCalls).toHaveLength(0)
-	})
-
-	test("upserts config with credentials — persists both and passes credentials to source", async () => {
-		setEnabledSources(["test"])
-		let receivedCredentials: unknown = null
-		const factory = mock(async (_userId: string, _config: unknown, creds: unknown) => {
-			receivedCredentials = creds
-			return createStubSource("test")
-		})
-		const provider: FeedSourceProvider = { sourceId: "test", feedSourceForUser: factory }
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [provider],
-			credentialEncryptor: testEncryptor,
-		})
-
-		// Create a session so the source refresh path runs
-		await manager.getOrCreate("user-1")
-
-		const creds = { username: "alice", password: "s3cret" }
-		await manager.saveSourceConfig("user-1", "test", {
-			enabled: true,
-			config: { serverUrl: "https://example.com" },
-			credentials: creds,
-		})
-
-		// Credentials were encrypted and persisted
-		expect(mockUpdateCredentialsCalls).toHaveLength(1)
-		const decrypted = JSON.parse(testEncryptor.decrypt(mockUpdateCredentialsCalls[0]!.credentials))
-		expect(decrypted).toEqual(creds)
-
-		// feedSourceForUser received the provided credentials (not null)
-		expect(receivedCredentials).toEqual(creds)
-	})
-
-	test("upserts config with credentials adds source to session when not already present", async () => {
-		// Start with no enabled sources so the session is empty
-		setEnabledSources([])
-		const factory = mock(async () => createStubSource("test"))
-		const provider: FeedSourceProvider = { sourceId: "test", feedSourceForUser: factory }
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [provider],
-			credentialEncryptor: testEncryptor,
-		})
-
-		const session = await manager.getOrCreate("user-1")
-		expect(session.hasSource("test")).toBe(false)
-
-		// Set mockFindResult to undefined so find() returns a row (simulating the row was just created by upsertConfig)
-		await manager.saveSourceConfig("user-1", "test", {
-			enabled: true,
-			config: {},
-			credentials: { token: "abc" },
-		})
-
-		// Source should now be in the session
-		expect(session.hasSource("test")).toBe(true)
-		expect(mockUpdateCredentialsCalls).toHaveLength(1)
-	})
-
-	test("throws CredentialStorageUnavailableError when credentials provided without encryptor", async () => {
-		setEnabledSources(["test"])
-		const provider = createStubProvider("test")
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [provider],
-			// No credentialEncryptor
-		})
-
-		await expect(
-			manager.saveSourceConfig("user-1", "test", {
-				enabled: true,
-				config: {},
-				credentials: { token: "abc" },
-			}),
-		).rejects.toBeInstanceOf(CredentialStorageUnavailableError)
-	})
-
-	test("throws SourceNotFoundError for unknown provider", async () => {
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [],
-			credentialEncryptor: testEncryptor,
-		})
-
-		await expect(
-			manager.saveSourceConfig("user-1", "unknown", {
-				enabled: true,
-				config: {},
-			}),
-		).rejects.toBeInstanceOf(SourceNotFoundError)
-	})
-})

apps/aelis-backend/src/session/user-session-manager.ts

@@ -126,10 +126,11 @@ export class UserSessionManager {
 			return
 		}
 
-		// Use a transaction with SELECT FOR UPDATE to prevent lost updates
+		// Fetch the existing row for config merging and credential access.
-		// when concurrent PATCH requests merge config against the same base.
+		// NOTE: find + updateConfig is not atomic. A concurrent update could
-		const { existingRow, mergedConfig } = await this.db.transaction(async (tx) => {
+		// read stale config. Use SELECT FOR UPDATE or atomic jsonb merge if
-			const existingRow = await sources(tx, userId).findForUpdate(sourceId)
+		// this becomes a problem.
+		const existingRow = await sources(this.db, userId).find(sourceId)
 
 		let mergedConfig: Record<string, unknown> | undefined
 		if (update.config !== undefined && provider.configSchema) {
@@ -143,14 +144,11 @@ export class UserSessionManager {
 		}
 
 		// Throws SourceNotFoundError if the row doesn't exist
-			await sources(tx, userId).updateConfig(sourceId, {
+		await sources(this.db, userId).updateConfig(sourceId, {
 			enabled: update.enabled,
 			config: mergedConfig,
 		})
 
-			return { existingRow, mergedConfig }
-		})
-
 		// Refresh the specific source in the active session instead of
 		// destroying the entire session.
 		const session = this.sessions.get(userId)
@@ -173,18 +171,13 @@ export class UserSessionManager {
 	 * inserts a new row if one doesn't exist and fully replaces config
 	 * (no merge).
 	 *
-	 * When `credentials` is provided, they are encrypted and persisted
-	 * alongside the config in the same flow, avoiding the race condition
-	 * of separate config + credential requests.
-	 *
 	 * @throws {SourceNotFoundError} if the sourceId has no registered provider
 	 * @throws {InvalidSourceConfigError} if config fails schema validation
-	 * @throws {CredentialStorageUnavailableError} if credentials are provided but no encryptor is configured
 	 */
-	async saveSourceConfig(
+	async upsertSourceConfig(
 		userId: string,
 		sourceId: string,
-		data: { enabled: boolean; config?: unknown; credentials?: unknown },
+		data: { enabled: boolean; config?: unknown },
 	): Promise<void> {
 		const provider = this.providers.get(sourceId)
 		if (!provider) {
@@ -198,42 +191,25 @@ export class UserSessionManager {
 			}
 		}
 
-		if (data.credentials !== undefined && !this.encryptor) {
-			throw new CredentialStorageUnavailableError()
-		}
-
 		const config = data.config ?? {}
 
-		// Run the upsert + credential update atomically so a failure in
+		// Fetch existing row before upsert to capture credentials for session refresh.
-		// either step doesn't leave the row in an inconsistent state.
+		// For new rows this will be undefined — credentials will be null.
-		const existingRow = await this.db.transaction(async (tx) => {
+		const existingRow = await sources(this.db, userId).find(sourceId)
-			const existing = await sources(tx, userId).find(sourceId)
 
-			await sources(tx, userId).upsertConfig(sourceId, {
+		await sources(this.db, userId).upsertConfig(sourceId, {
 			enabled: data.enabled,
 			config,
 		})
 
-			if (data.credentials !== undefined && this.encryptor) {
-				const encrypted = this.encryptor.encrypt(JSON.stringify(data.credentials))
-				await sources(tx, userId).updateCredentials(sourceId, encrypted)
-			}
-
-			return existing
-		})
-
 		const session = this.sessions.get(userId)
 		if (session) {
 			if (!data.enabled) {
 				session.removeSource(sourceId)
 			} else {
-				// Prefer the just-provided credentials over what was in the DB.
+				const credentials = existingRow?.credentials
-				let credentials: unknown = null
+					? this.decryptCredentials(existingRow.credentials)
-				if (data.credentials !== undefined) {
+					: null
-					credentials = data.credentials
-				} else if (existingRow?.credentials) {
-					credentials = this.decryptCredentials(existingRow.credentials)
-				}
 				const source = await provider.feedSourceForUser(userId, config, credentials)
 				if (session.hasSource(sourceId)) {
 					session.replaceSource(sourceId, source)

apps/aelis-backend/src/sources/http.test.ts

@@ -80,9 +80,6 @@ function createInMemoryStore() {
 				async find(sourceId: string) {
 					return rows.get(key(userId, sourceId))
 				},
-				async findForUpdate(sourceId: string) {
-					return rows.get(key(userId, sourceId))
-				},
 				async updateConfig(sourceId: string, update: { enabled?: boolean; config?: unknown }) {
 					const existing = rows.get(key(userId, sourceId))
 					if (!existing) {
@@ -128,9 +125,7 @@ mock.module("../sources/user-sources.ts", () => ({
 	},
 }))
 
-const fakeDb = {
+const fakeDb = {} as Database
-	transaction: <T>(fn: (tx: unknown) => Promise<T>) => fn(fakeDb),
-} as unknown as Database
 
 function createApp(providers: FeedSourceProvider[], userId?: string) {
 	const sessionManager = new UserSessionManager({ providers, db: fakeDb })
@@ -743,42 +738,6 @@ describe("PUT /api/sources/:sourceId", () => {
 
 		expect(res.status).toBe(204)
 	})
-
-	test("returns 204 when credentials are included alongside config", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createAppWithEncryptor(
-			[createStubProvider("aelis.weather", weatherConfig)],
-			MOCK_USER_ID,
-		)
-
-		const res = await put(app, "aelis.weather", {
-			enabled: true,
-			config: { units: "metric" },
-			credentials: { apiKey: "secret123" },
-		})
-
-		expect(res.status).toBe(204)
-		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
-		expect(row).toBeDefined()
-		expect(row!.enabled).toBe(true)
-		expect(row!.config).toEqual({ units: "metric" })
-	})
-
-	test("returns 503 when credentials are provided but no encryptor is configured", async () => {
-		activeStore = createInMemoryStore()
-		// createApp does NOT configure an encryptor
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await put(app, "aelis.weather", {
-			enabled: true,
-			config: { units: "metric" },
-			credentials: { apiKey: "secret123" },
-		})
-
-		expect(res.status).toBe(503)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("not configured")
-	})
 })
 
 describe("PUT /api/sources/:sourceId/credentials", () => {

apps/aelis-backend/src/sources/http.ts

@@ -34,13 +34,11 @@ const ReplaceSourceConfigRequestBody = type({
 	"+": "reject",
 	enabled: "boolean",
 	config: "unknown",
-	"credentials?": "unknown",
 })
 
 const ReplaceSourceConfigNoConfigRequestBody = type({
 	"+": "reject",
 	enabled: "boolean",
-	"credentials?": "unknown",
 })
 
 export function registerSourcesHttpHandlers(
@@ -163,15 +161,14 @@ async function handleReplaceSource(c: Context<Env>) {
 		return c.json({ error: parsed.summary }, 400)
 	}
 
-	const { enabled, credentials } = parsed
+	const { enabled } = parsed
 	const config = "config" in parsed ? parsed.config : undefined
 	const user = c.get("user")!
 
 	try {
-		await sessionManager.saveSourceConfig(user.id, sourceId, {
+		await sessionManager.upsertSourceConfig(user.id, sourceId, {
 			enabled,
 			config,
-			credentials,
 		})
 	} catch (err) {
 		if (err instanceof SourceNotFoundError) {
@@ -180,9 +177,6 @@ async function handleReplaceSource(c: Context<Env>) {
 		if (err instanceof InvalidSourceConfigError) {
 			return c.json({ error: err.message }, 400)
 		}
-		if (err instanceof CredentialStorageUnavailableError) {
-			return c.json({ error: err.message }, 503)
-		}
 		throw err
 	}
 

apps/aelis-backend/src/sources/user-sources.ts

@@ -26,18 +26,6 @@ export function sources(db: Database, userId: string) {
 			return rows[0]
 		},
 
-		/** Like find(), but acquires a row lock to prevent concurrent modifications. Must be called inside a transaction. */
-		async findForUpdate(sourceId: string) {
-			const rows = await db
-				.select()
-				.from(userSources)
-				.where(and(eq(userSources.userId, userId), eq(userSources.sourceId, sourceId)))
-				.limit(1)
-				.for("update")
-
-			return rows[0]
-		},
-
 		/** Enables a source for the user. Throws if the source row doesn't exist. */
 		async enableSource(sourceId: string) {
 			const rows = await db

apps/aelis-client/package.json

@@ -55,6 +55,6 @@
 		"eas-cli": "^18.0.1",
 		"eslint": "^9.25.0",
 		"eslint-config-expo": "~10.0.0",
-		"typescript": "^6"
+		"typescript": "~5.9.2"
 	}
 }

apps/waitlist-website/package.json

@@ -30,7 +30,7 @@
 		"@types/react": "^19.2.7",
 		"@types/react-dom": "^19.2.3",
 		"tailwindcss": "^4.1.13",
-		"typescript": "^6",
+		"typescript": "^5.9.2",
 		"vite": "^7.1.7",
 		"vite-tsconfig-paths": "^5.1.4"
 	}

apps/waitlist-website/tsconfig.json

@@ -1,16 +1,18 @@
 {
 	"include": ["**/*", "**/.server/**/*", "**/.client/**/*", ".react-router/types/**/*"],
 	"compilerOptions": {
-		"lib": ["DOM", "ES2022"],
+		"lib": ["DOM", "DOM.Iterable", "ES2022"],
 		"types": ["node", "vite/client"],
 		"target": "ES2022",
 		"module": "ES2022",
 		"moduleResolution": "bundler",
 		"jsx": "react-jsx",
 		"rootDirs": [".", "./.react-router/types"],
+		"baseUrl": ".",
 		"paths": {
 			"~/*": ["./app/*"]
 		},
+		"esModuleInterop": true,
 		"verbatimModuleSyntax": true,
 		"noEmit": true,
 		"resolveJsonModule": true,

bun.lock

@@ -7,13 +7,12 @@
       "devDependencies": {
         "@json-render/core": "^0.12.1",
         "@nym.sh/jrx": "^0.2.0",
-        "@types/bun": "latest",
+        "@types/bun": "^1.3.12",
-        "@typescript/native-preview": "^7.0.0-dev.20260412.1",
         "oxfmt": "^0.24.0",
         "oxlint": "^1.39.0",
       },
       "peerDependencies": {
-        "typescript": "^6",
+        "typescript": "^5",
       },
     },
     "apps/admin-dashboard": {
@@ -42,7 +41,7 @@
         "@types/react": "^19.2.5",
         "@types/react-dom": "^19.2.3",
         "@vitejs/plugin-react": "^5.1.1",
-        "typescript": "^6",
+        "typescript": "~5.9.3",
         "vite": "^7.2.4",
       },
     },
@@ -56,7 +55,6 @@
         "@aelis/source-location": "workspace:*",
         "@aelis/source-tfl": "workspace:*",
         "@aelis/source-weatherkit": "workspace:*",
-        "@openrouter/sdk": "^0.9.11",
         "arktype": "^2.1.29",
         "better-auth": "^1",
         "drizzle-orm": "^0.45.1",
@@ -112,7 +110,7 @@
         "eas-cli": "^18.0.1",
         "eslint": "^9.25.0",
         "eslint-config-expo": "~10.0.0",
-        "typescript": "^6",
+        "typescript": "~5.9.2",
       },
     },
     "apps/waitlist-website": {
@@ -139,7 +137,7 @@
         "@types/react": "^19.2.7",
         "@types/react-dom": "^19.2.3",
         "tailwindcss": "^4.1.13",
-        "typescript": "^6",
+        "typescript": "^5.9.2",
         "vite": "^7.1.7",
         "vite-tsconfig-paths": "^5.1.4",
       },
@@ -769,8 +767,6 @@
 
     "@open-draft/until": ["@open-draft/until@2.1.0", "", {}, "sha512-U69T3ItWHvLwGg5eJ0n3I62nWuE6ilHlmz7zM0npLBRvPRd7e6NYmg54vvRtP5mZG7kZqZCFVdsTWo7BPtBujg=="],
 
-    "@openrouter/sdk": ["@openrouter/sdk@0.9.11", "", { "dependencies": { "zod": "^3.25.0 || ^4.0.0" } }, "sha512-BgFu6NcIJO4a9aVjr04y3kZ8pyM71j15I+bzfVAGEvxnj+KQNIkBYQGgwrG3D+aT1QpDKLki8btcQmpaxUas6A=="],
-
     "@oxfmt/darwin-arm64": ["@oxfmt/darwin-arm64@0.24.0", "", { "os": "darwin", "cpu": "arm64" }, "sha512-aYXuGf/yq8nsyEcHindGhiz9I+GEqLkVq8CfPbd+6VE259CpPEH+CaGHEO1j6vIOmNr8KHRq+IAjeRO2uJpb8A=="],
 
     "@oxfmt/darwin-x64": ["@oxfmt/darwin-x64@0.24.0", "", { "os": "darwin", "cpu": "x64" }, "sha512-vs3b8Bs53hbiNvcNeBilzE/+IhDTWKjSBB3v/ztr664nZk65j0xr+5IHMBNz3CFppmX7o/aBta2PxY+t+4KoPg=="],
@@ -1373,7 +1369,7 @@
 
     "@types/babel__traverse": ["@types/babel__traverse@7.28.0", "", { "dependencies": { "@babel/types": "^7.28.2" } }, "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q=="],
 
-    "@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
+    "@types/bun": ["@types/bun@1.3.12", "", { "dependencies": { "bun-types": "1.3.12" } }, "sha512-DBv81elK+/VSwXHDlnH3Qduw+KxkTIWi7TXkAeh24zpi5l0B2kUg9Ga3tb4nJaPcOFswflgi/yAvMVBPrxMB+A=="],
 
     "@types/bunyan": ["@types/bunyan@1.8.11", "", { "dependencies": { "@types/node": "*" } }, "sha512-758fRH7umIMk5qt5ELmRMff4mLDlN+xyYzC+dkPTdKwbSkJFvz6xwyScrytPU0QIBbRRwbiE8/BIg8bpajerNQ=="],
 
@@ -1453,22 +1449,6 @@
 
     "@typescript-eslint/visitor-keys": ["@typescript-eslint/visitor-keys@8.57.0", "", { "dependencies": { "@typescript-eslint/types": "8.57.0", "eslint-visitor-keys": "^5.0.0" } }, "sha512-zm6xx8UT/Xy2oSr2ZXD0pZo7Jx2XsCoID2IUh9YSTFRu7z+WdwYTRk6LhUftm1crwqbuoF6I8zAFeCMw0YjwDg=="],
 
-    "@typescript/native-preview": ["@typescript/native-preview@7.0.0-dev.20260412.1", "", { "optionalDependencies": { "@typescript/native-preview-darwin-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-darwin-x64": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-arm": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-x64": "7.0.0-dev.20260412.1", "@typescript/native-preview-win32-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-win32-x64": "7.0.0-dev.20260412.1" }, "bin": { "tsgo": "bin/tsgo.js" } }, "sha512-tDw3XZt2BkjAlt/MJmnFGmbe9lgKmc5wezmrMoBIEvJcqz+/KVpVBVvjbkZoaiABnJmuG3G3b6IUFrEveTw6UQ=="],
-
-    "@typescript/native-preview-darwin-arm64": ["@typescript/native-preview-darwin-arm64@7.0.0-dev.20260412.1", "", { "os": "darwin", "cpu": "arm64" }, "sha512-sSkFG+hjtRWffg6FddF3dEkk7N3TRMEqfiUpixwcWhXgyocMdPw8wutTvQRBxQdgxeL9y01M2SO8A8YPPiEgVg=="],
-
-    "@typescript/native-preview-darwin-x64": ["@typescript/native-preview-darwin-x64@7.0.0-dev.20260412.1", "", { "os": "darwin", "cpu": "x64" }, "sha512-m2BTeaLkrHEEDg0D9snigddy01qTY+wgx+W+GpXAfx36PPvW4xWuGXNVWfSaB8bqAC9C8NeLnT/C9/G/rJ5v2w=="],
-
-    "@typescript/native-preview-linux-arm": ["@typescript/native-preview-linux-arm@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "arm" }, "sha512-wDLekbfsfmKMWORg7CTnEnpKj8oXpU/6AEBrtVN9CEUCiQAe6yH878nZHhJNzWQXHtrtFf3lY49Yplqmdxja3w=="],
-
-    "@typescript/native-preview-linux-arm64": ["@typescript/native-preview-linux-arm64@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-JAdsG6MlVV1hoAUKPy8zxAL7xLeNxz8JgCbLCJVqW8EyH29R9FD4cFTqr7CSIRTNUEDzDTrgnXUyoRtDe1gr+w=="],
-
-    "@typescript/native-preview-linux-x64": ["@typescript/native-preview-linux-x64@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "x64" }, "sha512-gYgppiQIqid3jZ7D8THh4k3Q+4bwidrQH6SL9Xgbk1qfP6/jwv8twuPqDOfZ+cK2OD55lQHp15fOh2lMNAC40Q=="],
-
-    "@typescript/native-preview-win32-arm64": ["@typescript/native-preview-win32-arm64@7.0.0-dev.20260412.1", "", { "os": "win32", "cpu": "arm64" }, "sha512-TOh7rH5H3jisHJqRXJSjmUGMzcbNBocS/hufhXPQIv+g3pdG5IKZoSnv3SV62I5d12FFDSS5KQon5MQPnOKAHg=="],
-
-    "@typescript/native-preview-win32-x64": ["@typescript/native-preview-win32-x64@7.0.0-dev.20260412.1", "", { "os": "win32", "cpu": "x64" }, "sha512-u+70wL89wspN1wKoX6FVNUATRGCG3BpleByP3H/UqOZvlwuMm8N7Gy8hEbM0U8bDyAuyP/daUfTBVkqXjjv9mA=="],
-
     "@ungap/structured-clone": ["@ungap/structured-clone@1.3.0", "", {}, "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g=="],
 
     "@unrs/resolver-binding-android-arm-eabi": ["@unrs/resolver-binding-android-arm-eabi@1.11.1", "", { "os": "android", "cpu": "arm" }, "sha512-ppLRUgHVaGRWUx0R0Ut06Mjo9gBaBkg3v/8AxusGLhsIotbBLuRk51rAzqLC8gq6NyyAojEXglNjzf6R948DNw=="],
@@ -1681,7 +1661,7 @@
 
     "buffer-from": ["buffer-from@1.1.2", "", {}, "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ=="],
 
-    "bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
+    "bun-types": ["bun-types@1.3.12", "", { "dependencies": { "@types/node": "*" } }, "sha512-HqOLj5PoFajAQciOMRiIZGNoKxDJSr6qigAttOX40vJuSp6DN/CxWp9s3C1Xwm4oH7ybueITwiaOcWXoYVoRkA=="],
 
     "bundle-name": ["bundle-name@4.1.0", "", { "dependencies": { "run-applescript": "^7.0.0" } }, "sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q=="],
 
@@ -3445,7 +3425,7 @@
 
     "typed-array-length": ["typed-array-length@1.0.7", "", { "dependencies": { "call-bind": "^1.0.7", "for-each": "^0.3.3", "gopd": "^1.0.1", "is-typed-array": "^1.1.13", "possible-typed-array-names": "^1.0.0", "reflect.getprototypeof": "^1.0.6" } }, "sha512-3KS2b+kL7fsuk/eJZ7EQdnEmQoaho/r6KUef7hxvltNA5DR8NAUM+8wJMbJyZ4G9/7i3v5zPBIMN5aybAh2/Jg=="],
 
-    "typescript": ["typescript@6.0.2", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ=="],
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
 
     "ua-parser-js": ["ua-parser-js@1.0.41", "", { "bin": { "ua-parser-js": "script/cli.js" } }, "sha512-LbBDqdIC5s8iROCUjMbW1f5dJQTEFB1+KO9ogbvlb3nm9n4YHa5p4KTvFPWvh2Hs8gZMBuiB1/8+pdfe/tDPug=="],
 
@@ -3921,6 +3901,8 @@
 
     "accepts/negotiator": ["negotiator@0.6.3", "", {}, "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="],
 
+    "aelis-client/@tanstack/react-query": ["@tanstack/react-query@5.90.21", "", { "dependencies": { "@tanstack/query-core": "5.90.20" }, "peerDependencies": { "react": "^18 || ^19" } }, "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg=="],
+
     "aelis-client/@types/react": ["@types/react@19.1.17", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-Qec1E3mhALmaspIrhWt9jkQMNdw6bReVu64mjvhbhq2NFPftLPVr+l1SZgmw/66WwBNpDh7ao5AT6gF5v41PFA=="],
 
     "aelis-client/react": ["react@19.1.0", "", {}, "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg=="],
@@ -3947,8 +3929,6 @@
 
     "body-parser/raw-body": ["raw-body@2.5.3", "", { "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.4.24", "unpipe": "~1.0.0" } }, "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA=="],
 
-    "bun-types/@types/node": ["@types/node@22.19.15", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-F0R/h2+dsy5wJAUe3tAU6oqa2qbWY5TpNfL/RGmo1y38hiyO1w3x2jPtt76wmuaJI4DQnOBu21cNXQ2STIUUWg=="],
-
     "c12/dotenv": ["dotenv@16.6.1", "", {}, "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow=="],
 
     "c12/jiti": ["jiti@2.6.1", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ=="],
@@ -4559,6 +4539,8 @@
 
     "@typescript-eslint/typescript-estree/minimatch/brace-expansion": ["brace-expansion@5.0.4", "", { "dependencies": { "balanced-match": "^4.0.2" } }, "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg=="],
 
+    "aelis-client/@tanstack/react-query/@tanstack/query-core": ["@tanstack/query-core@5.90.20", "", {}, "sha512-OMD2HLpNouXEfZJWcKeVKUgQ5n+n3A2JFmBaScpNDUqSrQSjiveC7dKMe53uJUg1nDG16ttFPz2xfilz6i2uVg=="],
+
     "aelis-client/react-dom/scheduler": ["scheduler@0.26.0", "", {}, "sha512-NlHwttCI/l5gCPR3D1nNXtWABUmBwvZpEQiD4IXSbIDq8BzLIK/7Ir5gTFSGZDUu37K5cMNp0hFtzO38sC7gWA=="],
 
     "better-opn/open/define-lazy-prop": ["define-lazy-prop@2.0.0", "", {}, "sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og=="],
@@ -4567,8 +4549,6 @@
 
     "body-parser/debug/ms": ["ms@2.0.0", "", {}, "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="],
 
-    "bun-types/@types/node/undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
-
     "chrome-launcher/@types/node/undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
 
     "chromium-edge-launcher/@types/node/undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],

package.json

@@ -16,12 +16,11 @@
 	"devDependencies": {
 		"@json-render/core": "^0.12.1",
 		"@nym.sh/jrx": "^0.2.0",
-		"@types/bun": "latest",
+		"@types/bun": "^1.3.12",
-		"@typescript/native-preview": "^7.0.0-dev.20260412.1",
 		"oxfmt": "^0.24.0",
 		"oxlint": "^1.39.0"
 	},
 	"peerDependencies": {
-		"typescript": "^6"
+		"typescript": "^5"
 	}
 }

tsconfig.json

@@ -1,5 +1,6 @@
 {
 	"compilerOptions": {
+		// Environment setup & latest features
 		"lib": ["ESNext"],
 		"target": "ESNext",
 		"module": "Preserve",
@@ -7,19 +8,20 @@
 		"jsx": "react-jsx",
 		"allowJs": true,
 
+		// Bundler mode
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
 		"noEmit": true,
 
-		"types": ["bun"],
+		// Best practices
-
 		"strict": true,
 		"skipLibCheck": true,
 		"noFallthroughCasesInSwitch": true,
 		"noUncheckedIndexedAccess": true,
 		"noImplicitOverride": true,
 
+		// Some stricter flags (disabled by default)
 		"noUnusedLocals": false,
 		"noUnusedParameters": false,
 		"noPropertyAccessFromIndexSignature": false