fix: require server env vars

apps/freya-backend/src/auth/index.test.ts

@@ -1,83 +0,0 @@
-import { afterEach, describe, expect, test } from "bun:test"
-
-import type { Database } from "../db/index.ts"
-
-import { DEFAULT_ENABLED_SOURCE_IDS } from "../sources/default-sources.ts"
-import { createAuth } from "./index.ts"
-
-interface UserSourceInsertRow {
-	sourceId: string
-}
-
-interface RecordingDb {
-	db: Database
-	rows: () => UserSourceInsertRow[] | undefined
-}
-
-const originalBetterAuthSecret = process.env.BETTER_AUTH_SECRET
-
-function createRecordingDb(): RecordingDb {
-	let insertedRows: UserSourceInsertRow[] | undefined
-
-	const db = {
-		insert() {
-			return {
-				values(rows: UserSourceInsertRow[]) {
-					insertedRows = rows
-
-					return {
-						async onConflictDoNothing() {},
-					}
-				},
-			}
-		},
-	} as unknown as Database
-
-	return {
-		db,
-		rows: () => insertedRows,
-	}
-}
-
-afterEach(() => {
-	if (originalBetterAuthSecret === undefined) {
-		delete process.env.BETTER_AUTH_SECRET
-		return
-	}
-
-	process.env.BETTER_AUTH_SECRET = originalBetterAuthSecret
-})
-
-describe("createAuth", () => {
-	test("inserts default sources after Better Auth creates a user", async () => {
-		process.env.BETTER_AUTH_SECRET = "test-secret"
-		const recording = createRecordingDb()
-		const auth = createAuth(recording.db)
-		const afterCreateUser = auth.options.databaseHooks?.user?.create?.after
-
-		if (!afterCreateUser) {
-			throw new Error("Expected a user create after hook")
-		}
-
-		const now = new Date()
-		await afterCreateUser(
-			{
-				id: "user-1",
-				name: "Test User",
-				email: "test@example.com",
-				emailVerified: false,
-				image: null,
-				createdAt: now,
-				updatedAt: now,
-			},
-			null,
-		)
-
-		const rows = recording.rows()
-		if (!rows) {
-			throw new Error("Expected the auth hook to insert default sources")
-		}
-
-		expect(rows.map((row) => row.sourceId)).toEqual([...DEFAULT_ENABLED_SOURCE_IDS])
-	})
-})

apps/freya-backend/src/auth/index.ts

@@ -5,7 +5,6 @@ import { admin } from "better-auth/plugins"
 import type { Database } from "../db/index.ts"
 
 import * as schema from "../db/schema.ts"
-import { insertDefaultUserSources } from "../sources/default-sources.ts"
 
 export function createAuth(db: Database) {
 	if (!process.env.BETTER_AUTH_SECRET) {
@@ -23,15 +22,6 @@ export function createAuth(db: Database) {
 		emailAndPassword: {
 			enabled: true,
 		},
-		databaseHooks: {
-			user: {
-				create: {
-					async after(user, _context) {
-						await insertDefaultUserSources(db, user.id)
-					},
-				},
-			},
-		},
 		plugins: [admin()],
 	})
 }

apps/freya-backend/src/google-maps/provider.test.ts

@@ -30,7 +30,7 @@ describe("GoogleMapsSourceProvider", () => {
 
 	test("throws when service API key is empty", () => {
 		expect(() => new GoogleMapsSourceProvider({ apiKey: "" })).toThrow(
-			"Google Maps MCP API key must be configured",
+			"Google Maps API key must be configured",
 		)
 	})
 

apps/freya-backend/src/google-maps/provider.ts

@@ -15,7 +15,7 @@ export class GoogleMapsSourceProvider implements FeedSourceProvider {
 
 	constructor(options: GoogleMapsSourceProviderOptions) {
 		if (!nonEmptyString(options.apiKey)) {
-			throw new Error("Google Maps MCP API key must be configured")
+			throw new Error("Google Maps API key must be configured")
 		}
 
 		this.apiKey = options.apiKey

apps/freya-backend/src/lib/env.test.ts

@@ -0,0 +1,98 @@
+import { describe, expect, test } from "bun:test"
+
+import { ensureEnv } from "./env.ts"
+
+describe("ensureEnv", () => {
+	test("returns trimmed required env values", () => {
+		const env = ensureEnv({
+			BETTER_AUTH_SECRET: " auth-secret ",
+			CREDENTIAL_ENCRYPTION_KEY: " credential-key ",
+			DATABASE_URL: " postgres://example ",
+			EXA_API_KEY: " exa-key ",
+			GOOGLE_MAPS_API_KEY: " google-maps-key ",
+			OPENROUTER_API_KEY: " openrouter-key ",
+			OPENROUTER_MODEL: " model-name ",
+			TFL_API_KEY: " tfl-key ",
+			WEATHERKIT_KEY_ID: " weather-key-id ",
+			WEATHERKIT_PRIVATE_KEY: " weather-private-key ",
+			WEATHERKIT_SERVICE_ID: " weather-service-id ",
+			WEATHERKIT_TEAM_ID: " weather-team-id ",
+		})
+
+		expect(env).toEqual({
+			betterAuthSecret: "auth-secret",
+			credentialEncryptionKey: "credential-key",
+			databaseUrl: "postgres://example",
+			exaApiKey: "exa-key",
+			googleMapsApiKey: "google-maps-key",
+			openrouterApiKey: "openrouter-key",
+			openrouterModel: "model-name",
+			tflApiKey: "tfl-key",
+			weatherkitKeyId: "weather-key-id",
+			weatherkitPrivateKey: "weather-private-key",
+			weatherkitServiceId: "weather-service-id",
+			weatherkitTeamId: "weather-team-id",
+		})
+	})
+
+	test("does not allow the old Google Maps MCP fallback key", () => {
+		expect(() =>
+			ensureEnv({
+				BETTER_AUTH_SECRET: "auth-secret",
+				CREDENTIAL_ENCRYPTION_KEY: "credential-key",
+				DATABASE_URL: "postgres://example",
+				EXA_API_KEY: "exa-key",
+				GOOGLE_MAPS_MCP_API_KEY: "google-maps-mcp-key",
+				OPENROUTER_API_KEY: "openrouter-key",
+				TFL_API_KEY: "tfl-key",
+				WEATHERKIT_KEY_ID: "weather-key-id",
+				WEATHERKIT_PRIVATE_KEY: "weather-private-key",
+				WEATHERKIT_SERVICE_ID: "weather-service-id",
+				WEATHERKIT_TEAM_ID: "weather-team-id",
+			}),
+		).toThrow("Missing required environment variables: GOOGLE_MAPS_API_KEY")
+	})
+
+	test("allows openrouter model to be omitted", () => {
+		const env = ensureEnv({
+			BETTER_AUTH_SECRET: "auth-secret",
+			CREDENTIAL_ENCRYPTION_KEY: "credential-key",
+			DATABASE_URL: "postgres://example",
+			EXA_API_KEY: "exa-key",
+			GOOGLE_MAPS_API_KEY: "google-maps-key",
+			OPENROUTER_API_KEY: "openrouter-key",
+			TFL_API_KEY: "tfl-key",
+			WEATHERKIT_KEY_ID: "weather-key-id",
+			WEATHERKIT_PRIVATE_KEY: "weather-private-key",
+			WEATHERKIT_SERVICE_ID: "weather-service-id",
+			WEATHERKIT_TEAM_ID: "weather-team-id",
+		})
+
+		expect(env.googleMapsApiKey).toBe("google-maps-key")
+		expect(env.openrouterModel).toBeUndefined()
+	})
+
+	test("throws with all missing required env names", () => {
+		expect(() => ensureEnv({})).toThrow(
+			"Missing required environment variables: BETTER_AUTH_SECRET, CREDENTIAL_ENCRYPTION_KEY, DATABASE_URL, EXA_API_KEY, OPENROUTER_API_KEY, TFL_API_KEY, WEATHERKIT_PRIVATE_KEY, WEATHERKIT_KEY_ID, WEATHERKIT_TEAM_ID, WEATHERKIT_SERVICE_ID, GOOGLE_MAPS_API_KEY",
+		)
+	})
+
+	test("treats whitespace-only values as missing", () => {
+		expect(() =>
+			ensureEnv({
+				BETTER_AUTH_SECRET: "auth-secret",
+				CREDENTIAL_ENCRYPTION_KEY: "credential-key",
+				DATABASE_URL: "postgres://example",
+				EXA_API_KEY: " ",
+				GOOGLE_MAPS_API_KEY: "google-maps-key",
+				OPENROUTER_API_KEY: "openrouter-key",
+				TFL_API_KEY: "tfl-key",
+				WEATHERKIT_KEY_ID: "weather-key-id",
+				WEATHERKIT_PRIVATE_KEY: "weather-private-key",
+				WEATHERKIT_SERVICE_ID: "weather-service-id",
+				WEATHERKIT_TEAM_ID: "weather-team-id",
+			}),
+		).toThrow("Missing required environment variables: EXA_API_KEY")
+	})
+})

apps/freya-backend/src/lib/env.ts

@@ -0,0 +1,69 @@
+export interface ServerEnv {
+	betterAuthSecret: string
+	credentialEncryptionKey: string
+	databaseUrl: string
+	exaApiKey: string
+	googleMapsApiKey: string
+	openrouterApiKey: string
+	openrouterModel: string | undefined
+	tflApiKey: string
+	weatherkitKeyId: string
+	weatherkitPrivateKey: string
+	weatherkitServiceId: string
+	weatherkitTeamId: string
+}
+
+export function ensureEnv(env: Record<string, string | undefined>): ServerEnv {
+	const missing: string[] = []
+
+	const betterAuthSecret = readRequiredEnv(env, "BETTER_AUTH_SECRET", missing)
+	const credentialEncryptionKey = readRequiredEnv(env, "CREDENTIAL_ENCRYPTION_KEY", missing)
+	const databaseUrl = readRequiredEnv(env, "DATABASE_URL", missing)
+	const exaApiKey = readRequiredEnv(env, "EXA_API_KEY", missing)
+	const openrouterApiKey = readRequiredEnv(env, "OPENROUTER_API_KEY", missing)
+	const tflApiKey = readRequiredEnv(env, "TFL_API_KEY", missing)
+	const weatherkitPrivateKey = readRequiredEnv(env, "WEATHERKIT_PRIVATE_KEY", missing)
+	const weatherkitKeyId = readRequiredEnv(env, "WEATHERKIT_KEY_ID", missing)
+	const weatherkitTeamId = readRequiredEnv(env, "WEATHERKIT_TEAM_ID", missing)
+	const weatherkitServiceId = readRequiredEnv(env, "WEATHERKIT_SERVICE_ID", missing)
+	const googleMapsApiKey = readRequiredEnv(env, "GOOGLE_MAPS_API_KEY", missing)
+
+	if (missing.length > 0) {
+		throw new Error(`Missing required environment variables: ${missing.join(", ")}`)
+	}
+
+	return {
+		betterAuthSecret,
+		credentialEncryptionKey,
+		databaseUrl,
+		exaApiKey,
+		googleMapsApiKey,
+		openrouterApiKey,
+		openrouterModel: readOptionalEnv(env, "OPENROUTER_MODEL"),
+		tflApiKey,
+		weatherkitKeyId,
+		weatherkitPrivateKey,
+		weatherkitServiceId,
+		weatherkitTeamId,
+	}
+}
+
+function readRequiredEnv(
+	env: Record<string, string | undefined>,
+	name: string,
+	missing: string[],
+): string {
+	const value = readOptionalEnv(env, name)
+	if (!value) {
+		missing.push(name)
+	}
+	return value ?? ""
+}
+
+function readOptionalEnv(
+	env: Record<string, string | undefined>,
+	name: string,
+): string | undefined {
+	const value = env[name]?.trim()
+	return value ? value : undefined
+}

apps/freya-backend/src/location/provider.ts

@@ -3,7 +3,7 @@ import { LocationSource } from "@freya/source-location"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
 
 export class LocationSourceProvider implements FeedSourceProvider {
-	readonly sourceId = LocationSource.id
+	readonly sourceId = "freya.location"
 
 	async feedSourceForUser(
 		_userId: string,

apps/freya-backend/src/server.ts

@@ -13,6 +13,7 @@ import { createFeedEnhancer } from "./enhancement/enhance-feed.ts"
 import { createLlmClient } from "./enhancement/llm-client.ts"
 import { GoogleMapsSourceProvider } from "./google-maps/provider.ts"
 import { CredentialEncryptor } from "./lib/crypto.ts"
+import { ensureEnv } from "./lib/env.ts"
 import { registerLocationHttpHandlers } from "./location/http.ts"
 import { LocationSourceProvider } from "./location/provider.ts"
 import { ReminderSourceProvider } from "./reminders/provider.ts"
@@ -23,36 +24,19 @@ import { WeatherSourceProvider } from "./weather/provider.ts"
 import { WebSearchSourceProvider } from "./web-search/provider.ts"
 
 function main() {
-	const { db, close: closeDb } = createDatabase(process.env.DATABASE_URL!)
+	const env = ensureEnv(process.env)
+
+	const { db, close: closeDb } = createDatabase(env.databaseUrl)
 	const auth = createAuth(db)
 
-	const openrouterApiKey = process.env.OPENROUTER_API_KEY
-	const feedEnhancer = openrouterApiKey
-		? createFeedEnhancer({
+	const feedEnhancer = createFeedEnhancer({
 		client: createLlmClient({
-					apiKey: openrouterApiKey,
-					model: process.env.OPENROUTER_MODEL || undefined,
+			apiKey: env.openrouterApiKey,
+			model: env.openrouterModel,
 		}),
 	})
-		: null
-	if (!feedEnhancer) {
-		console.warn("[enhancement] OPENROUTER_API_KEY not set — feed enhancement disabled")
-	}
 
-	const credentialEncryptionKey = process.env.CREDENTIAL_ENCRYPTION_KEY
-	const credentialEncryptor = credentialEncryptionKey
-		? new CredentialEncryptor(credentialEncryptionKey)
-		: null
-	if (!credentialEncryptor) {
-		console.warn(
-			"[credentials] CREDENTIAL_ENCRYPTION_KEY not set — per-user credential storage disabled",
-		)
-	}
-
-	const googleMapsApiKey = process.env.GOOGLE_MAPS_API_KEY ?? process.env.GOOGLE_MAPS_MCP_API_KEY
-	if (!googleMapsApiKey) {
-		throw new Error("GOOGLE_MAPS_API_KEY or GOOGLE_MAPS_MCP_API_KEY must be set")
-	}
+	const credentialEncryptor = new CredentialEncryptor(env.credentialEncryptionKey)
 
 	const sessionManager = new UserSessionManager({
 		db,
@@ -62,16 +46,16 @@ function main() {
 			new ReminderSourceProvider({ db }),
 			new WeatherSourceProvider({
 				credentials: {
-					privateKey: process.env.WEATHERKIT_PRIVATE_KEY!,
-					keyId: process.env.WEATHERKIT_KEY_ID!,
-					teamId: process.env.WEATHERKIT_TEAM_ID!,
-					serviceId: process.env.WEATHERKIT_SERVICE_ID!,
+					privateKey: env.weatherkitPrivateKey,
+					keyId: env.weatherkitKeyId,
+					teamId: env.weatherkitTeamId,
+					serviceId: env.weatherkitServiceId,
 				},
 			}),
-			new TflSourceProvider({ apiKey: process.env.TFL_API_KEY! }),
-			new WebSearchSourceProvider({ apiKey: process.env.EXA_API_KEY }),
+			new TflSourceProvider({ apiKey: env.tflApiKey }),
+			new WebSearchSourceProvider({ apiKey: env.exaApiKey }),
 			new GoogleMapsSourceProvider({
-				apiKey: googleMapsApiKey,
+				apiKey: env.googleMapsApiKey,
 			}),
 		],
 		feedEnhancer,

apps/freya-backend/src/sources/default-sources.test.ts

@@ -1,85 +0,0 @@
-import { LocationSource } from "@freya/source-location"
-import { WebSearchSource } from "@freya/source-web-search"
-import { describe, expect, test } from "bun:test"
-
-import type { Database } from "../db/index.ts"
-
-import { userSources } from "../db/schema.ts"
-import { DEFAULT_ENABLED_SOURCE_IDS, insertDefaultUserSources } from "./default-sources.ts"
-
-interface UserSourceInsertRow {
-	userId: string
-	sourceId: string
-	enabled: boolean
-	config: unknown
-	createdAt: Date
-	updatedAt: Date
-}
-
-interface RecordingDb {
-	db: Database
-	table: () => unknown
-	rows: () => UserSourceInsertRow[] | undefined
-	conflictTarget: () => readonly unknown[] | undefined
-}
-
-function createRecordingDb(): RecordingDb {
-	let insertedTable: unknown
-	let insertedRows: UserSourceInsertRow[] | undefined
-	let target: readonly unknown[] | undefined
-
-	const db = {
-		insert(table: unknown) {
-			insertedTable = table
-
-			return {
-				values(rows: UserSourceInsertRow[]) {
-					insertedRows = rows
-
-					return {
-						async onConflictDoNothing(options: { target: readonly unknown[] }) {
-							target = options.target
-						},
-					}
-				},
-			}
-		},
-	} as unknown as Database
-
-	return {
-		db,
-		table: () => insertedTable,
-		rows: () => insertedRows,
-		conflictTarget: () => target,
-	}
-}
-
-describe("default user sources", () => {
-	test("defines location and web search as default enabled sources", () => {
-		expect(DEFAULT_ENABLED_SOURCE_IDS).toEqual([LocationSource.id, WebSearchSource.id])
-	})
-
-	test("inserts default enabled source rows for a user", async () => {
-		const recording = createRecordingDb()
-
-		await insertDefaultUserSources(recording.db, "user-1")
-
-		const rows = recording.rows()
-		if (!rows) {
-			throw new Error("Expected default source rows to be inserted")
-		}
-
-		expect(recording.table()).toBe(userSources)
-		expect(rows).toHaveLength(2)
-		expect(rows.map((row) => row.sourceId)).toEqual([...DEFAULT_ENABLED_SOURCE_IDS])
-		expect(recording.conflictTarget()).toEqual([userSources.userId, userSources.sourceId])
-
-		for (const row of rows) {
-			expect(row.userId).toBe("user-1")
-			expect(row.enabled).toBe(true)
-			expect(row.config).toEqual({})
-			expect(row.createdAt).toBeInstanceOf(Date)
-			expect(row.updatedAt).toBe(row.createdAt)
-		}
-	})
-})

apps/freya-backend/src/sources/default-sources.ts

@@ -1,30 +0,0 @@
-import { LocationSource } from "@freya/source-location"
-import { WebSearchSource } from "@freya/source-web-search"
-
-import type { Database } from "../db/index.ts"
-
-import { userSources } from "../db/schema.ts"
-
-export const DEFAULT_ENABLED_SOURCE_IDS = [LocationSource.id, WebSearchSource.id] as const
-
-export type DefaultEnabledSourceId = (typeof DEFAULT_ENABLED_SOURCE_IDS)[number]
-
-export async function insertDefaultUserSources(db: Database, userId: string): Promise<void> {
-	const now = new Date()
-
-	await db
-		.insert(userSources)
-		.values(
-			DEFAULT_ENABLED_SOURCE_IDS.map((sourceId) => ({
-				userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				createdAt: now,
-				updatedAt: now,
-			})),
-		)
-		.onConflictDoNothing({
-			target: [userSources.userId, userSources.sourceId],
-		})
-}

apps/freya-backend/src/web-search/provider.ts

@@ -7,7 +7,7 @@ export type WebSearchSourceProviderOptions =
 	| { apiKey?: never; client: WebSearchClient }
 
 export class WebSearchSourceProvider implements FeedSourceProvider {
-	readonly sourceId = WebSearchSource.id
+	readonly sourceId = "freya.web-search"
 
 	private readonly apiKey: string | undefined
 	private readonly client: WebSearchClient | undefined

packages/freya-source-location/src/location-source.test.ts

@@ -18,7 +18,7 @@ describe("LocationSource", () => {
 	describe("FeedSource interface", () => {
 		test("has correct id", () => {
 			const source = new LocationSource()
-			expect(source.id).toBe(LocationSource.id)
+			expect(source.id).toBe("freya.location")
 		})
 
 		test("fetchItems always returns empty array", async () => {

packages/freya-source-location/src/location-source.ts

@@ -5,6 +5,8 @@ import { type } from "arktype"
 
 import { Location, type LocationSourceOptions } from "./types.ts"
 
+export const LocationKey: ContextKey<Location> = contextKey("freya.location", "location")
+
 /**
  * A FeedSource that provides location context.
  *
@@ -14,9 +16,7 @@ import { Location, type LocationSourceOptions } from "./types.ts"
  * Does not produce feed items - always returns empty array from `fetchItems`.
  */
 export class LocationSource implements FeedSource {
-	static readonly id = "freya.location"
-
-	readonly id = LocationSource.id
+	readonly id = "freya.location"
 
 	private readonly historySize: number
 	private locations: Location[] = []
@@ -97,5 +97,3 @@ export class LocationSource implements FeedSource {
 		return []
 	}
 }
-
-export const LocationKey: ContextKey<Location> = contextKey(LocationSource.id, "location")

packages/freya-source-web-search/src/web-search-source.test.ts

@@ -37,7 +37,7 @@ describe("WebSearchSource", () => {
 	test("has correct id", () => {
 		const source = new WebSearchSource({ client: new RecordingSearchClient() })
 
-		expect(source.id).toBe(WebSearchSource.id)
+		expect(source.id).toBe("freya.web-search")
 	})
 
 	test("does not provide context or feed items", async () => {

packages/freya-source-web-search/src/web-search-source.ts

@@ -41,9 +41,7 @@ const SearchInput = type({
  * action and receive structured web results.
  */
 export class WebSearchSource implements FeedSource {
-	static readonly id = "freya.web-search"
-
-	readonly id = WebSearchSource.id
+	readonly id = "freya.web-search"
 
 	private readonly client: WebSearchClient