fix(backend): reject unknown fields in source config

Add "+": "reject" to all arktype schemas so undeclared
keys return 400. Sources without a configSchema now
reject the config field entirely at the HTTP layer.

Co-authored-by: Ona <no-reply@ona.com>

apps/aelis-backend/src/auth/index.ts

@@ -16,9 +16,6 @@ export function createAuth(db: Database) {
 			provider: "pg",
 			schema,
 		}),
-		advanced: {
-			disableCSRFCheck: process.env.NODE_ENV !== "production",
-		},
 		emailAndPassword: {
 			enabled: true,
 		},

apps/aelis-backend/src/enhancement/llm-client.ts

@@ -50,13 +50,11 @@ export function createLlmClient(config: LlmClientConfig): LlmClient {
 							schema: enhancementResultJsonSchema,
 						},
 					},
-					reasoning: { effort: "none" },
 					stream: false,
 				},
 			})
 
-			const message = response.choices?.[0]?.message
+			const content = response.choices?.[0]?.message?.content
-			const content = message?.content ?? message?.reasoning
 			if (typeof content !== "string") {
 				console.warn("[enhancement] LLM returned no content in response")
 				return null

apps/aelis-backend/src/server.ts

@@ -1,5 +1,4 @@
 import { Hono } from "hono"
-import { cors } from "hono/cors"
 
 import { registerAdminHttpHandlers } from "./admin/http.ts"
 import { createRequireAdmin } from "./auth/admin-middleware.ts"
@@ -51,34 +50,6 @@ function main() {
 
 	const app = new Hono()
 
-	const isDev = process.env.NODE_ENV !== "production"
-	const allowedOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()) ?? []
-
-	function resolveOrigin(origin: string): string | undefined {
-		if (isDev) return origin
-		return allowedOrigins.includes(origin) ? origin : undefined
-	}
-
-	app.use(
-		"/api/auth/*",
-		cors({
-			origin: resolveOrigin,
-			allowHeaders: ["Content-Type", "Authorization"],
-			allowMethods: ["POST", "GET", "OPTIONS"],
-			exposeHeaders: ["Content-Length"],
-			maxAge: 600,
-			credentials: true,
-		}),
-	)
-
-	app.use(
-		"*",
-		cors({
-			origin: resolveOrigin,
-			credentials: true,
-		}),
-	)
-
 	app.get("/health", (c) => c.json({ status: "ok" }))
 
 	const authSessionMiddleware = createRequireSession(auth)

apps/aelis-backend/src/session/user-session-manager.ts

@@ -38,27 +38,6 @@ export class UserSessionManager {
 		return this.providers.get(sourceId)
 	}
 
-	/**
-	 * Returns the user's config for a source, or defaults if no row exists.
-	 *
-	 * @throws {SourceNotFoundError} if the sourceId has no registered provider
-	 */
-	async fetchSourceConfig(
-		userId: string,
-		sourceId: string,
-	): Promise<{ enabled: boolean; config: unknown }> {
-		const provider = this.providers.get(sourceId)
-		if (!provider) {
-			throw new SourceNotFoundError(sourceId, userId)
-		}
-
-		const row = await sources(this.db, userId).find(sourceId)
-		return {
-			enabled: row?.enabled ?? false,
-			config: row?.config ?? {},
-		}
-	}
-
 	async getOrCreate(userId: string): Promise<UserSession> {
 		const existing = this.sessions.get(userId)
 		if (existing) return existing

apps/aelis-backend/src/sources/http.test.ts

@@ -138,10 +138,6 @@ function patch(app: Hono, sourceId: string, body: unknown) {
 	})
 }
 
-function get(app: Hono, sourceId: string) {
-	return app.request(`/api/sources/${sourceId}`, { method: "GET" })
-}
-
 function put(app: Hono, sourceId: string, body: unknown) {
 	return app.request(`/api/sources/${sourceId}`, {
 		method: "PUT",
@@ -154,72 +150,6 @@ function put(app: Hono, sourceId: string, body: unknown) {
 // Tests
 // ---------------------------------------------------------------------------
 
-describe("GET /api/sources/:sourceId", () => {
-	test("returns 401 without auth", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)])
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(401)
-	})
-
-	test("returns 404 for unknown source", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "unknown.source")
-
-		expect(res.status).toBe(404)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("not found")
-	})
-
-	test("returns enabled and config for existing source", async () => {
-		activeStore = createInMemoryStore()
-		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
-			enabled: true,
-			config: { units: "metric" },
-		})
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(true)
-		expect(body.config).toEqual({ units: "metric" })
-	})
-
-	test("returns defaults when user has no row for source", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(false)
-		expect(body.config).toEqual({})
-	})
-
-	test("returns disabled source", async () => {
-		activeStore = createInMemoryStore()
-		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
-			enabled: false,
-			config: { units: "imperial" },
-		})
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(false)
-		expect(body.config).toEqual({ units: "imperial" })
-	})
-})
-
 describe("PATCH /api/sources/:sourceId", () => {
 	test("returns 401 without auth", async () => {
 		activeStore = createInMemoryStore()

apps/aelis-backend/src/sources/http.ts

@@ -45,31 +45,10 @@ export function registerSourcesHttpHandlers(
 		await next()
 	})
 
-	app.get("/api/sources/:sourceId", inject, authSessionMiddleware, handleGetSource)
 	app.patch("/api/sources/:sourceId", inject, authSessionMiddleware, handleUpdateSource)
 	app.put("/api/sources/:sourceId", inject, authSessionMiddleware, handleReplaceSource)
 }
 
-async function handleGetSource(c: Context<Env>) {
-	const sourceId = c.req.param("sourceId")
-	if (!sourceId) {
-		return c.body(null, 404)
-	}
-
-	const sessionManager = c.get("sessionManager")
-	const user = c.get("user")!
-
-	try {
-		const result = await sessionManager.fetchSourceConfig(user.id, sourceId)
-		return c.json(result)
-	} catch (err) {
-		if (err instanceof SourceNotFoundError) {
-			return c.json({ error: err.message }, 404)
-		}
-		throw err
-	}
-}
-
 async function handleUpdateSource(c: Context<Env>) {
 	const sourceId = c.req.param("sourceId")
 	if (!sourceId) {