fix: add source to session on cred update

When updateSourceCredentials was called for a source not yet in the
active session (e.g. because credentials were missing at config time),
the source was never instantiated despite being enabled in the DB.

Now, if the source row is enabled but absent from the session, the
source is added instead of skipped.

Co-authored-by: Ona <no-reply@ona.com>

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+	"js/ts.experimental.useTsgo": true
+}

apps/admin-dashboard/package.json

@@ -34,7 +34,7 @@
 		"@types/react": "^19.2.5",
 		"@types/react-dom": "^19.2.3",
 		"@vitejs/plugin-react": "^5.1.1",
-		"typescript": "~5.9.3",
+		"typescript": "^6",
 		"vite": "^7.2.4"
 	}
 }

apps/admin-dashboard/src/components/source-config-panel.tsx

@@ -20,7 +20,13 @@ import {
 import { Separator } from "@/components/ui/separator"
 import { Switch } from "@/components/ui/switch"
 import { Tooltip, TooltipContent, TooltipTrigger } from "@/components/ui/tooltip"
-import { fetchSourceConfig, pushLocation, replaceSource, updateProviderConfig } from "@/lib/api"
+import {
+	fetchSourceConfig,
+	pushLocation,
+	replaceSource,
+	updateProviderConfig,
+	updateSourceCredentials,
+} from "@/lib/api"
 
 interface SourceConfigPanelProps {
 	source: SourceDefinition
@@ -83,7 +89,11 @@ export function SourceConfigPanel({ source, onUpdate }: SourceConfigPanelProps)
 				(v) => typeof v === "string" && v.length > 0,
 			)
 			if (hasCredentials) {
-				promises.push(updateProviderConfig(source.id, { credentials: credentialFields }))
+				if (source.perUserCredentials) {
+					promises.push(updateSourceCredentials(source.id, credentialFields))
+				} else {
+					promises.push(updateProviderConfig(source.id, { credentials: credentialFields }))
+				}
 			}
 
 			await Promise.all(promises)

apps/admin-dashboard/src/lib/api.ts

@@ -23,6 +23,8 @@ export interface SourceDefinition {
 	name: string
 	description: string
 	alwaysEnabled?: boolean
+	/** When true, secret fields are stored as per-user credentials via /api/sources/:id/credentials. */
+	perUserCredentials?: boolean
 	fields: Record<string, ConfigFieldDef>
 }
 
@@ -78,6 +80,44 @@ const sourceDefinitions: SourceDefinition[] = [
 			},
 		},
 	},
+	{
+		id: "aelis.caldav",
+		name: "CalDAV",
+		description: "Calendar events from any CalDAV server (Nextcloud, Radicale, Baikal, etc.).",
+		perUserCredentials: true,
+		fields: {
+			serverUrl: {
+				type: "string",
+				label: "Server URL",
+				required: true,
+				secret: false,
+				description: "CalDAV server URL (e.g. https://nextcloud.example.com/remote.php/dav)",
+			},
+			username: {
+				type: "string",
+				label: "Username",
+				required: true,
+				secret: false,
+			},
+			password: {
+				type: "string",
+				label: "Password",
+				required: true,
+				secret: true,
+			},
+			lookAheadDays: {
+				type: "number",
+				label: "Look-ahead Days",
+				defaultValue: 0,
+				description: "Number of additional days beyond today to fetch events for",
+			},
+			timeZone: {
+				type: "string",
+				label: "Timezone",
+				description: "IANA timezone for determining \"today\" (e.g. Europe/London). Defaults to UTC.",
+			},
+		},
+	},
 	{
 		id: "aelis.tfl",
 		name: "TfL",
@@ -164,6 +204,22 @@ export async function updateProviderConfig(
 	}
 }
 
+export async function updateSourceCredentials(
+	sourceId: string,
+	credentials: Record<string, unknown>,
+): Promise<void> {
+	const res = await fetch(`${serverBase()}/sources/${sourceId}/credentials`, {
+		method: "PUT",
+		headers: { "Content-Type": "application/json" },
+		credentials: "include",
+		body: JSON.stringify(credentials),
+	})
+	if (!res.ok) {
+		const data = (await res.json()) as { error?: string }
+		throw new Error(data.error ?? `Failed to update credentials: ${res.status}`)
+	}
+}
+
 export interface LocationInput {
 	lat: number
 	lng: number

apps/admin-dashboard/tsconfig.app.json

@@ -3,12 +3,11 @@
 		"tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
 		"target": "ES2022",
 		"useDefineForClassFields": true,
-		"lib": ["ES2022", "DOM", "DOM.Iterable"],
+		"lib": ["ES2022", "DOM"],
 		"module": "ESNext",
 		"types": ["vite/client"],
 		"skipLibCheck": true,
 
-		/* Bundler mode */
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
@@ -16,14 +15,12 @@
 		"noEmit": true,
 		"jsx": "react-jsx",
 
-		/* Linting */
 		"strict": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,
 		"erasableSyntaxOnly": true,
 		"noFallthroughCasesInSwitch": true,
 		"noUncheckedSideEffectImports": true,
-		"baseUrl": ".",
 		"paths": {
 			"@/*": ["./src/*"]
 		}

apps/admin-dashboard/tsconfig.json

@@ -2,7 +2,6 @@
 	"files": [],
 	"references": [{ "path": "./tsconfig.app.json" }, { "path": "./tsconfig.node.json" }],
 	"compilerOptions": {
-		"baseUrl": ".",
 		"paths": {
 			"@/*": ["./src/*"]
 		}

apps/admin-dashboard/tsconfig.node.json

@@ -7,14 +7,12 @@
 		"types": ["node"],
 		"skipLibCheck": true,
 
-		/* Bundler mode */
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
 		"moduleDetection": "force",
 		"noEmit": true,
 
-		/* Linting */
 		"strict": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,

apps/aelis-backend/.env.example

@@ -5,7 +5,7 @@ DATABASE_URL=postgresql://user:password@localhost:5432/aris
 BETTER_AUTH_SECRET=
 
 # Encryption key for source credentials at rest (32 bytes, generate with: openssl rand -base64 32)
-CREDENTIALS_ENCRYPTION_KEY=
+CREDENTIAL_ENCRYPTION_KEY=
 
 # Base URL of the backend
 BETTER_AUTH_URL=http://localhost:3000

apps/aelis-backend/src/caldav/provider.test.ts

@@ -0,0 +1,85 @@
+import { describe, expect, test } from "bun:test"
+
+import { CalDavSourceProvider } from "./provider.ts"
+
+describe("CalDavSourceProvider", () => {
+	const provider = new CalDavSourceProvider()
+
+	test("sourceId is aelis.caldav", () => {
+		expect(provider.sourceId).toBe("aelis.caldav")
+	})
+
+	test("throws when credentials are null", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		await expect(provider.feedSourceForUser("user-1", config, null)).rejects.toThrow(
+			"No CalDAV credentials configured",
+		)
+	})
+
+	test("throws when credentials are missing password", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		await expect(provider.feedSourceForUser("user-1", config, {})).rejects.toThrow(
+			"password must be a string",
+		)
+	})
+
+	test("throws when config is missing serverUrl", async () => {
+		const credentials = { password: "app-specific-password" }
+		await expect(
+			provider.feedSourceForUser("user-1", { username: "user@icloud.com" }, credentials),
+		).rejects.toThrow("Invalid CalDAV config")
+	})
+
+	test("throws when config is missing username", async () => {
+		const credentials = { password: "app-specific-password" }
+		await expect(
+			provider.feedSourceForUser("user-1", { serverUrl: "https://caldav.icloud.com" }, credentials),
+		).rejects.toThrow("Invalid CalDAV config")
+	})
+
+	test("throws when config has extra keys", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+			extra: true,
+		}
+		const credentials = { password: "app-specific-password" }
+		await expect(provider.feedSourceForUser("user-1", config, credentials)).rejects.toThrow(
+			"Invalid CalDAV config",
+		)
+	})
+
+	test("throws when credentials have extra keys", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		const credentials = { password: "app-specific-password", extra: true }
+		await expect(provider.feedSourceForUser("user-1", config, credentials)).rejects.toThrow(
+			"extra must be removed",
+		)
+	})
+
+	test("returns CalDavSource with valid config and credentials", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+			lookAheadDays: 3,
+			timeZone: "Europe/London",
+		}
+		const credentials = { password: "app-specific-password" }
+
+		const source = await provider.feedSourceForUser("user-1", config, credentials)
+		expect(source).toBeDefined()
+		expect(source.id).toBe("aelis.caldav")
+	})
+
+	test("returns CalDavSource with minimal config", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+		}
+		const credentials = { password: "app-specific-password" }
+
+		const source = await provider.feedSourceForUser("user-1", config, credentials)
+		expect(source).toBeDefined()
+		expect(source.id).toBe("aelis.caldav")
+	})
+})

apps/aelis-backend/src/caldav/provider.ts

@@ -0,0 +1,53 @@
+import { CalDavSource } from "@aelis/source-caldav"
+import { type } from "arktype"
+
+import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
+
+import { InvalidSourceCredentialsError } from "../sources/errors.ts"
+
+const caldavConfig = type({
+	"+": "reject",
+	serverUrl: "string",
+	username: "string",
+	"lookAheadDays?": "number",
+	"timeZone?": "string",
+})
+
+const caldavCredentials = type({
+	"+": "reject",
+	password: "string",
+})
+
+export class CalDavSourceProvider implements FeedSourceProvider {
+	readonly sourceId = "aelis.caldav"
+	readonly configSchema = caldavConfig
+
+	async feedSourceForUser(
+		_userId: string,
+		config: unknown,
+		credentials: unknown,
+	): Promise<CalDavSource> {
+		const parsed = caldavConfig(config)
+		if (parsed instanceof type.errors) {
+			throw new Error(`Invalid CalDAV config: ${parsed.summary}`)
+		}
+
+		if (!credentials) {
+			throw new InvalidSourceCredentialsError("aelis.caldav", "No CalDAV credentials configured")
+		}
+
+		const creds = caldavCredentials(credentials)
+		if (creds instanceof type.errors) {
+			throw new InvalidSourceCredentialsError("aelis.caldav", creds.summary)
+		}
+
+		return new CalDavSource({
+			serverUrl: parsed.serverUrl,
+			authMethod: "basic",
+			username: parsed.username,
+			password: creds.password,
+			lookAheadDays: parsed.lookAheadDays,
+			timeZone: parsed.timeZone,
+		})
+	}
+}

apps/aelis-backend/src/location/provider.ts

@@ -5,7 +5,11 @@ import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
 export class LocationSourceProvider implements FeedSourceProvider {
 	readonly sourceId = "aelis.location"
 
-	async feedSourceForUser(_userId: string, _config: unknown): Promise<LocationSource> {
+	async feedSourceForUser(
+		_userId: string,
+		_config: unknown,
+		_credentials: unknown,
+	): Promise<LocationSource> {
 		return new LocationSource()
 	}
 }

apps/aelis-backend/src/server.ts

@@ -6,10 +6,12 @@ import { createRequireAdmin } from "./auth/admin-middleware.ts"
 import { registerAuthHandlers } from "./auth/http.ts"
 import { createAuth } from "./auth/index.ts"
 import { createRequireSession } from "./auth/session-middleware.ts"
+import { CalDavSourceProvider } from "./caldav/provider.ts"
 import { createDatabase } from "./db/index.ts"
 import { registerFeedHttpHandlers } from "./engine/http.ts"
 import { createFeedEnhancer } from "./enhancement/enhance-feed.ts"
 import { createLlmClient } from "./enhancement/llm-client.ts"
+import { CredentialEncryptor } from "./lib/crypto.ts"
 import { registerLocationHttpHandlers } from "./location/http.ts"
 import { LocationSourceProvider } from "./location/provider.ts"
 import { UserSessionManager } from "./session/index.ts"
@@ -34,9 +36,20 @@ function main() {
 		console.warn("[enhancement] OPENROUTER_API_KEY not set — feed enhancement disabled")
 	}
 
+	const credentialEncryptionKey = process.env.CREDENTIAL_ENCRYPTION_KEY
+	const credentialEncryptor = credentialEncryptionKey
+		? new CredentialEncryptor(credentialEncryptionKey)
+		: null
+	if (!credentialEncryptor) {
+		console.warn(
+			"[credentials] CREDENTIAL_ENCRYPTION_KEY not set — per-user credential storage disabled",
+		)
+	}
+
 	const sessionManager = new UserSessionManager({
 		db,
 		providers: [
+			new CalDavSourceProvider(),
 			new LocationSourceProvider(),
 			new WeatherSourceProvider({
 				credentials: {
@@ -49,6 +62,7 @@ function main() {
 			new TflSourceProvider({ apiKey: process.env.TFL_API_KEY! }),
 		],
 		feedEnhancer,
+		credentialEncryptor,
 	})
 
 	const app = new Hono()

apps/aelis-backend/src/session/feed-source-provider.ts

@@ -8,5 +8,5 @@ export interface FeedSourceProvider {
 	readonly sourceId: string
 	/** Arktype schema for validating user-provided config. Omit if the source has no config. */
 	readonly configSchema?: ConfigSchema
-	feedSourceForUser(userId: string, config: unknown): Promise<FeedSource>
+	feedSourceForUser(userId: string, config: unknown, credentials: unknown): Promise<FeedSource>
 }

apps/aelis-backend/src/session/user-session-manager.test.ts

@@ -7,6 +7,12 @@ import { beforeEach, describe, expect, mock, spyOn, test } from "bun:test"
 import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
+import { CredentialEncryptor } from "../lib/crypto.ts"
+import {
+	CredentialStorageUnavailableError,
+	InvalidSourceCredentialsError,
+} from "../sources/errors.ts"
+import { SourceNotFoundError } from "../sources/errors.ts"
 import { UserSessionManager } from "./user-session-manager.ts"
 
 /**
@@ -38,6 +44,13 @@ function getEnabledSourceIds(userId: string): string[] {
  */
 let mockFindResult: unknown | undefined
 
+/**
+ * Spy for `updateCredentials` calls. Tests can inspect calls via
+ * `mockUpdateCredentialsCalls` or override behavior.
+ */
+const mockUpdateCredentialsCalls: Array<{ sourceId: string; credentials: Buffer }> = []
+let mockUpdateCredentialsError: Error | null = null
+
 // Mock the sources module so UserSessionManager's DB query returns controlled data.
 mock.module("../sources/user-sources.ts", () => ({
 	sources: (_db: Database, userId: string) => ({
@@ -68,6 +81,12 @@ mock.module("../sources/user-sources.ts", () => ({
 				updatedAt: now,
 			}
 		},
+		async updateCredentials(sourceId: string, credentials: Buffer) {
+			if (mockUpdateCredentialsError) {
+				throw mockUpdateCredentialsError
+			}
+			mockUpdateCredentialsCalls.push({ sourceId, credentials })
+		},
 	}),
 }))
 
@@ -93,8 +112,11 @@ function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 
 function createStubProvider(
 	sourceId: string,
-	factory: (userId: string, config: Record<string, unknown>) => Promise<FeedSource> = async () =>
-		createStubSource(sourceId),
+	factory: (
+		userId: string,
+		config: Record<string, unknown>,
+		credentials: unknown,
+	) => Promise<FeedSource> = async () => createStubSource(sourceId),
 ): FeedSourceProvider {
 	return { sourceId, feedSourceForUser: factory }
 }
@@ -116,6 +138,8 @@ const weatherProvider: FeedSourceProvider = {
 beforeEach(() => {
 	enabledByUser.clear()
 	mockFindResult = undefined
+	mockUpdateCredentialsCalls.length = 0
+	mockUpdateCredentialsError = null
 })
 
 describe("UserSessionManager", () => {
@@ -681,3 +705,147 @@ describe("UserSessionManager.replaceProvider", () => {
 		expect(feedAfter.items[0]!.data.version).toBe(1)
 	})
 })
+
+const TEST_ENCRYPTION_KEY = "/bv1nbzC4ozZkT/pcv5oQfl+JAMuMZDUSVDesG2dur8="
+const testEncryptor = new CredentialEncryptor(TEST_ENCRYPTION_KEY)
+
+describe("UserSessionManager.updateSourceCredentials", () => {
+	test("encrypts and persists credentials", async () => {
+		setEnabledSources(["test"])
+		const provider = createStubProvider("test")
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			credentialEncryptor: testEncryptor,
+		})
+
+		await manager.updateSourceCredentials("user-1", "test", { token: "secret-123" })
+
+		expect(mockUpdateCredentialsCalls).toHaveLength(1)
+		expect(mockUpdateCredentialsCalls[0]!.sourceId).toBe("test")
+
+		// Verify the persisted buffer decrypts to the original credentials
+		const decrypted = JSON.parse(testEncryptor.decrypt(mockUpdateCredentialsCalls[0]!.credentials))
+		expect(decrypted).toEqual({ token: "secret-123" })
+	})
+
+	test("throws CredentialStorageUnavailableError when encryptor is not configured", async () => {
+		setEnabledSources(["test"])
+		const provider = createStubProvider("test")
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			// no credentialEncryptor
+		})
+
+		await expect(
+			manager.updateSourceCredentials("user-1", "test", { token: "x" }),
+		).rejects.toBeInstanceOf(CredentialStorageUnavailableError)
+	})
+
+	test("throws SourceNotFoundError for unknown source", async () => {
+		setEnabledSources([])
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [],
+			credentialEncryptor: testEncryptor,
+		})
+
+		await expect(
+			manager.updateSourceCredentials("user-1", "unknown", { token: "x" }),
+		).rejects.toBeInstanceOf(SourceNotFoundError)
+	})
+
+	test("propagates InvalidSourceCredentialsError from provider", async () => {
+		setEnabledSources(["test"])
+		let callCount = 0
+		const provider: FeedSourceProvider = {
+			sourceId: "test",
+			async feedSourceForUser(_userId: string, _config: unknown, _credentials: unknown) {
+				callCount++
+				// Succeed on first call (session creation), throw on refresh
+				if (callCount > 1) {
+					throw new InvalidSourceCredentialsError("test", "bad credentials")
+				}
+				return createStubSource("test")
+			},
+		}
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			credentialEncryptor: testEncryptor,
+		})
+
+		// Create a session first so the refresh path is exercised
+		await manager.getOrCreate("user-1")
+
+		await expect(
+			manager.updateSourceCredentials("user-1", "test", { token: "bad" }),
+		).rejects.toBeInstanceOf(InvalidSourceCredentialsError)
+
+		// Credentials should still have been persisted before the provider threw
+		expect(mockUpdateCredentialsCalls).toHaveLength(1)
+	})
+
+	test("refreshes source in active session after credential update", async () => {
+		setEnabledSources(["test"])
+		let receivedCredentials: unknown = null
+		const provider = createStubProvider("test", async (_userId, _config, credentials) => {
+			receivedCredentials = credentials
+			return createStubSource("test")
+		})
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			credentialEncryptor: testEncryptor,
+		})
+
+		await manager.getOrCreate("user-1")
+		await manager.updateSourceCredentials("user-1", "test", { token: "refreshed" })
+
+		expect(receivedCredentials).toEqual({ token: "refreshed" })
+	})
+
+	test("adds source to session when source is enabled but not yet in session", async () => {
+		// Simulate a source that was never added to the session (e.g. credentials
+		// were missing at config time), but is enabled in the DB.
+		setEnabledSources([]) // no sources during session creation
+		const factory = mock(async () => createStubSource("test"))
+		const provider: FeedSourceProvider = { sourceId: "test", feedSourceForUser: factory }
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			credentialEncryptor: testEncryptor,
+		})
+
+		const session = await manager.getOrCreate("user-1")
+		// Source is NOT in the session
+		expect(session.hasSource("test")).toBe(false)
+
+		// mockFindResult returns an enabled row by default, so the source
+		// row exists and is enabled in the DB.
+		await manager.updateSourceCredentials("user-1", "test", { token: "new-token" })
+
+		// Source should now be added to the session
+		expect(session.hasSource("test")).toBe(true)
+		expect(factory).toHaveBeenCalledTimes(1)
+	})
+
+	test("persists credentials without session refresh when no active session", async () => {
+		setEnabledSources(["test"])
+		const factory = mock(async () => createStubSource("test"))
+		const provider: FeedSourceProvider = { sourceId: "test", feedSourceForUser: factory }
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [provider],
+			credentialEncryptor: testEncryptor,
+		})
+
+		// No session created — just update credentials
+		await manager.updateSourceCredentials("user-1", "test", { token: "stored" })
+
+		expect(mockUpdateCredentialsCalls).toHaveLength(1)
+		// feedSourceForUser should not have been called (no session to refresh)
+		expect(factory).not.toHaveBeenCalled()
+	})
+})

apps/aelis-backend/src/session/user-session-manager.ts

@@ -5,9 +5,14 @@ import merge from "lodash.merge"
 
 import type { Database } from "../db/index.ts"
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
+import type { CredentialEncryptor } from "../lib/crypto.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
-import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
+import {
+	CredentialStorageUnavailableError,
+	InvalidSourceConfigError,
+	SourceNotFoundError,
+} from "../sources/errors.ts"
 import { sources } from "../sources/user-sources.ts"
 import { UserSession } from "./user-session.ts"
 
@@ -15,6 +20,7 @@ export interface UserSessionManagerConfig {
 	db: Database
 	providers: FeedSourceProvider[]
 	feedEnhancer?: FeedEnhancer | null
+	credentialEncryptor?: CredentialEncryptor | null
 }
 
 export class UserSessionManager {
@@ -23,7 +29,7 @@ export class UserSessionManager {
 	private readonly db: Database
 	private readonly providers = new Map<string, FeedSourceProvider>()
 	private readonly feedEnhancer: FeedEnhancer | null
-	private readonly db: Database
+	private readonly encryptor: CredentialEncryptor | null
 
 	constructor(config: UserSessionManagerConfig) {
 		this.db = config.db
@@ -31,7 +37,7 @@ export class UserSessionManager {
 			this.providers.set(provider.sourceId, provider)
 		}
 		this.feedEnhancer = config.feedEnhancer ?? null
-		this.db = config.db
+		this.encryptor = config.credentialEncryptor ?? null
 	}
 
 	getProvider(sourceId: string): FeedSourceProvider | undefined {
@@ -120,14 +126,15 @@ export class UserSessionManager {
 			return
 		}
 
-		// When config is provided, fetch existing to deep-merge before validating.
+		// Fetch the existing row for config merging and credential access.
 		// NOTE: find + updateConfig is not atomic. A concurrent update could
 		// read stale config. Use SELECT FOR UPDATE or atomic jsonb merge if
 		// this becomes a problem.
+		const existingRow = await sources(this.db, userId).find(sourceId)
+
 		let mergedConfig: Record<string, unknown> | undefined
 		if (update.config !== undefined && provider.configSchema) {
-			const existing = await sources(this.db, userId).find(sourceId)
-			const existingConfig = (existing?.config ?? {}) as Record<string, unknown>
+			const existingConfig = (existingRow?.config ?? {}) as Record<string, unknown>
 			mergedConfig = merge({}, existingConfig, update.config)
 
 			const validated = provider.configSchema(mergedConfig)
@@ -149,7 +156,10 @@ export class UserSessionManager {
 			if (update.enabled === false) {
 				session.removeSource(sourceId)
 			} else {
-				const source = await provider.feedSourceForUser(userId, mergedConfig ?? {})
+				const credentials = existingRow?.credentials
+					? this.decryptCredentials(existingRow.credentials)
+					: null
+				const source = await provider.feedSourceForUser(userId, mergedConfig ?? {}, credentials)
 				session.replaceSource(sourceId, source)
 			}
 		}
@@ -182,6 +192,11 @@ export class UserSessionManager {
 		}
 
 		const config = data.config ?? {}
+
+		// Fetch existing row before upsert to capture credentials for session refresh.
+		// For new rows this will be undefined — credentials will be null.
+		const existingRow = await sources(this.db, userId).find(sourceId)
+
 		await sources(this.db, userId).upsertConfig(sourceId, {
 			enabled: data.enabled,
 			config,
@@ -192,7 +207,52 @@ export class UserSessionManager {
 			if (!data.enabled) {
 				session.removeSource(sourceId)
 			} else {
-				const source = await provider.feedSourceForUser(userId, config)
+				const credentials = existingRow?.credentials
+					? this.decryptCredentials(existingRow.credentials)
+					: null
+				const source = await provider.feedSourceForUser(userId, config, credentials)
+				if (session.hasSource(sourceId)) {
+					session.replaceSource(sourceId, source)
+				} else {
+					session.addSource(source)
+				}
+			}
+		}
+	}
+
+	/**
+	 * Validates, encrypts, and persists per-user credentials for a source,
+	 * then refreshes the active session.
+	 *
+	 * @throws {SourceNotFoundError} if the source row doesn't exist or has no registered provider
+	 * @throws {CredentialStorageUnavailableError} if no CredentialEncryptor is configured
+	 */
+	async updateSourceCredentials(
+		userId: string,
+		sourceId: string,
+		credentials: unknown,
+	): Promise<void> {
+		const provider = this.providers.get(sourceId)
+		if (!provider) {
+			throw new SourceNotFoundError(sourceId, userId)
+		}
+
+		if (!this.encryptor) {
+			throw new CredentialStorageUnavailableError()
+		}
+
+		const encrypted = this.encryptor.encrypt(JSON.stringify(credentials))
+		await sources(this.db, userId).updateCredentials(sourceId, encrypted)
+
+		// Refresh the source in the active session.
+		// If feedSourceForUser throws (e.g. provider rejects the credentials),
+		// the DB already has the new credentials but the session keeps the old
+		// source. The next session creation will pick up the persisted credentials.
+		const session = this.sessions.get(userId)
+		if (session) {
+			const row = await sources(this.db, userId).find(sourceId)
+			if (row?.enabled) {
+				const source = await provider.feedSourceForUser(userId, row.config ?? {}, credentials)
 				if (session.hasSource(sourceId)) {
 					session.replaceSource(sourceId, source)
 				} else {
@@ -254,7 +314,12 @@ export class UserSessionManager {
 			const row = await sources(this.db, session.userId).find(provider.sourceId)
 			if (!row?.enabled) return
 
-			const newSource = await provider.feedSourceForUser(session.userId, row.config ?? {})
+			const credentials = row.credentials ? this.decryptCredentials(row.credentials) : null
+			const newSource = await provider.feedSourceForUser(
+				session.userId,
+				row.config ?? {},
+				credentials,
+			)
 			session.replaceSource(provider.sourceId, newSource)
 		} catch (err) {
 			console.error(
@@ -271,7 +336,8 @@ export class UserSessionManager {
 		for (const row of enabledRows) {
 			const provider = this.providers.get(row.sourceId)
 			if (provider) {
-				promises.push(provider.feedSourceForUser(userId, row.config ?? {}))
+				const credentials = row.credentials ? this.decryptCredentials(row.credentials) : null
+				promises.push(provider.feedSourceForUser(userId, row.config ?? {}, credentials))
 			}
 		}
 
@@ -302,4 +368,19 @@ export class UserSessionManager {
 
 		return new UserSession(userId, feedSources, this.feedEnhancer)
 	}
+
+	/**
+	 * Decrypts a credentials buffer from the DB, returning parsed JSON or null.
+	 * Returns null (with a warning) if decryption or parsing fails — e.g. due to
+	 * key rotation, data corruption, or malformed JSON.
+	 */
+	private decryptCredentials(credentials: Buffer): unknown {
+		if (!this.encryptor) return null
+		try {
+			return JSON.parse(this.encryptor.decrypt(credentials))
+		} catch (err) {
+			console.warn("[UserSessionManager] Failed to decrypt credentials:", err)
+			return null
+		}
+	}
 }

apps/aelis-backend/src/sources/errors.ts

@@ -24,3 +24,26 @@ export class InvalidSourceConfigError extends Error {
 		this.sourceId = sourceId
 	}
 }
+
+/**
+ * Thrown by providers when credentials fail validation.
+ */
+export class InvalidSourceCredentialsError extends Error {
+	readonly sourceId: string
+
+	constructor(sourceId: string, summary: string) {
+		super(summary)
+		this.name = "InvalidSourceCredentialsError"
+		this.sourceId = sourceId
+	}
+}
+
+/**
+ * Thrown when credential storage is not configured (missing encryption key).
+ */
+export class CredentialStorageUnavailableError extends Error {
+	constructor() {
+		super("Credential storage is not configured")
+		this.name = "CredentialStorageUnavailableError"
+	}
+}

apps/aelis-backend/src/sources/http.test.ts

@@ -7,10 +7,11 @@ import type { Database } from "../db/index.ts"
 import type { ConfigSchema, FeedSourceProvider } from "../session/feed-source-provider.ts"
 
 import { mockAuthSessionMiddleware } from "../auth/session-middleware.ts"
+import { CredentialEncryptor } from "../lib/crypto.ts"
 import { UserSessionManager } from "../session/user-session-manager.ts"
 import { tflConfig } from "../tfl/provider.ts"
 import { weatherConfig } from "../weather/provider.ts"
-import { SourceNotFoundError } from "./errors.ts"
+import { InvalidSourceCredentialsError, SourceNotFoundError } from "./errors.ts"
 import { registerSourcesHttpHandlers } from "./http.ts"
 
 // ---------------------------------------------------------------------------
@@ -39,7 +40,7 @@ function createStubProvider(sourceId: string, configSchema?: ConfigSchema): Feed
 	return {
 		sourceId,
 		configSchema,
-		async feedSourceForUser() {
+		async feedSourceForUser(_userId: string, _config: unknown, _credentials: unknown) {
 			return createStubSource(sourceId)
 		},
 	}
@@ -105,6 +106,12 @@ function createInMemoryStore() {
 						})
 					}
 				},
+				async updateCredentials(sourceId: string, _credentials: Buffer) {
+					const existing = rows.get(key(userId, sourceId))
+					if (!existing) {
+						throw new SourceNotFoundError(sourceId, userId)
+					}
+				},
 			}
 		},
 	}
@@ -142,6 +149,30 @@ function get(app: Hono, sourceId: string) {
 	return app.request(`/api/sources/${sourceId}`, { method: "GET" })
 }
 
+const TEST_ENCRYPTION_KEY = "/bv1nbzC4ozZkT/pcv5oQfl+JAMuMZDUSVDesG2dur8="
+
+function createAppWithEncryptor(providers: FeedSourceProvider[], userId?: string) {
+	const sessionManager = new UserSessionManager({
+		providers,
+		db: fakeDb,
+		credentialEncryptor: new CredentialEncryptor(TEST_ENCRYPTION_KEY),
+	})
+	const app = new Hono()
+	registerSourcesHttpHandlers(app, {
+		sessionManager,
+		authSessionMiddleware: mockAuthSessionMiddleware(userId),
+	})
+	return { app, sessionManager }
+}
+
+function putCredentials(app: Hono, sourceId: string, body: unknown) {
+	return app.request(`/api/sources/${sourceId}/credentials`, {
+		method: "PUT",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	})
+}
+
 function put(app: Hono, sourceId: string, body: unknown) {
 	return app.request(`/api/sources/${sourceId}`, {
 		method: "PUT",
@@ -708,3 +739,86 @@ describe("PUT /api/sources/:sourceId", () => {
 		expect(res.status).toBe(204)
 	})
 })
+
+describe("PUT /api/sources/:sourceId/credentials", () => {
+	test("returns 401 without auth", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createAppWithEncryptor([createStubProvider("aelis.location")])
+
+		const res = await putCredentials(app, "aelis.location", { token: "x" })
+
+		expect(res.status).toBe(401)
+	})
+
+	test("returns 404 for unknown source", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createAppWithEncryptor([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await putCredentials(app, "unknown.source", { token: "x" })
+
+		expect(res.status).toBe(404)
+	})
+
+	test("returns 400 for invalid JSON", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createAppWithEncryptor([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await app.request("/api/sources/aelis.location/credentials", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: "not-json",
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBe("Invalid JSON")
+	})
+
+	test("returns 204 and persists credentials", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createAppWithEncryptor([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await putCredentials(app, "aelis.location", { token: "secret" })
+
+		expect(res.status).toBe(204)
+	})
+
+	test("returns 400 when provider throws InvalidSourceCredentialsError", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "test.creds")
+		let callCount = 0
+		const provider: FeedSourceProvider = {
+			sourceId: "test.creds",
+			async feedSourceForUser(_userId: string, _config: unknown, _credentials: unknown) {
+				callCount++
+				if (callCount > 1) {
+					throw new InvalidSourceCredentialsError("test.creds", "invalid token format")
+				}
+				return createStubSource("test.creds")
+			},
+		}
+		const { app, sessionManager } = createAppWithEncryptor([provider], MOCK_USER_ID)
+
+		await sessionManager.getOrCreate(MOCK_USER_ID)
+
+		const res = await putCredentials(app, "test.creds", { token: "bad" })
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("invalid token format")
+	})
+
+	test("returns 503 when credential encryption is not configured", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await putCredentials(app, "aelis.location", { token: "x" })
+
+		expect(res.status).toBe(503)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not configured")
+	})
+})

apps/aelis-backend/src/sources/http.ts

@@ -6,7 +6,12 @@ import { createMiddleware } from "hono/factory"
 import type { AuthSessionMiddleware } from "../auth/session-middleware.ts"
 import type { UserSessionManager } from "../session/index.ts"
 
-import { InvalidSourceConfigError, SourceNotFoundError } from "./errors.ts"
+import {
+	CredentialStorageUnavailableError,
+	InvalidSourceConfigError,
+	InvalidSourceCredentialsError,
+	SourceNotFoundError,
+} from "./errors.ts"
 
 type Env = {
 	Variables: {
@@ -48,6 +53,12 @@ export function registerSourcesHttpHandlers(
 	app.get("/api/sources/:sourceId", inject, authSessionMiddleware, handleGetSource)
 	app.patch("/api/sources/:sourceId", inject, authSessionMiddleware, handleUpdateSource)
 	app.put("/api/sources/:sourceId", inject, authSessionMiddleware, handleReplaceSource)
+	app.put(
+		"/api/sources/:sourceId/credentials",
+		inject,
+		authSessionMiddleware,
+		handleUpdateCredentials,
+	)
 }
 
 async function handleGetSource(c: Context<Env>) {
@@ -171,3 +182,43 @@ async function handleReplaceSource(c: Context<Env>) {
 
 	return c.body(null, 204)
 }
+
+async function handleUpdateCredentials(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+
+	const provider = sessionManager.getProvider(sourceId)
+	if (!provider) {
+		return c.json({ error: `Source "${sourceId}" not found` }, 404)
+	}
+
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	const user = c.get("user")!
+
+	try {
+		await sessionManager.updateSourceCredentials(user.id, sourceId, body)
+	} catch (err) {
+		if (err instanceof SourceNotFoundError) {
+			return c.json({ error: err.message }, 404)
+		}
+		if (err instanceof InvalidSourceCredentialsError) {
+			return c.json({ error: err.message }, 400)
+		}
+		if (err instanceof CredentialStorageUnavailableError) {
+			return c.json({ error: err.message }, 503)
+		}
+		throw err
+	}
+
+	return c.body(null, 204)
+}

apps/aelis-backend/src/tfl/provider.ts

@@ -23,7 +23,11 @@ export class TflSourceProvider implements FeedSourceProvider {
 		this.client = "client" in options ? options.client : undefined
 	}
 
-	async feedSourceForUser(_userId: string, config: unknown): Promise<TflSource> {
+	async feedSourceForUser(
+		_userId: string,
+		config: unknown,
+		_credentials: unknown,
+	): Promise<TflSource> {
 		const parsed = tflConfig(config)
 		if (parsed instanceof type.errors) {
 			throw new Error(`Invalid TFL config: ${parsed.summary}`)

apps/aelis-backend/src/weather/provider.ts

@@ -26,7 +26,11 @@ export class WeatherSourceProvider implements FeedSourceProvider {
 		this.client = options.client
 	}
 
-	async feedSourceForUser(_userId: string, config: unknown): Promise<WeatherSource> {
+	async feedSourceForUser(
+		_userId: string,
+		config: unknown,
+		_credentials: unknown,
+	): Promise<WeatherSource> {
 		const parsed = weatherConfig(config)
 		if (parsed instanceof type.errors) {
 			throw new Error(`Invalid weather config: ${parsed.summary}`)

apps/aelis-client/package.json

@@ -55,6 +55,6 @@
 		"eas-cli": "^18.0.1",
 		"eslint": "^9.25.0",
 		"eslint-config-expo": "~10.0.0",
-		"typescript": "~5.9.2"
+		"typescript": "^6"
 	}
 }

apps/waitlist-website/package.json

@@ -30,7 +30,7 @@
 		"@types/react": "^19.2.7",
 		"@types/react-dom": "^19.2.3",
 		"tailwindcss": "^4.1.13",
-		"typescript": "^5.9.2",
+		"typescript": "^6",
 		"vite": "^7.1.7",
 		"vite-tsconfig-paths": "^5.1.4"
 	}

apps/waitlist-website/tsconfig.json

@@ -1,18 +1,16 @@
 {
 	"include": ["**/*", "**/.server/**/*", "**/.client/**/*", ".react-router/types/**/*"],
 	"compilerOptions": {
-		"lib": ["DOM", "DOM.Iterable", "ES2022"],
+		"lib": ["DOM", "ES2022"],
 		"types": ["node", "vite/client"],
 		"target": "ES2022",
 		"module": "ES2022",
 		"moduleResolution": "bundler",
 		"jsx": "react-jsx",
 		"rootDirs": [".", "./.react-router/types"],
-		"baseUrl": ".",
 		"paths": {
 			"~/*": ["./app/*"]
 		},
-		"esModuleInterop": true,
 		"verbatimModuleSyntax": true,
 		"noEmit": true,
 		"resolveJsonModule": true,

bun.lock

@@ -8,11 +8,12 @@
         "@json-render/core": "^0.12.1",
         "@nym.sh/jrx": "^0.2.0",
         "@types/bun": "latest",
+        "@typescript/native-preview": "^7.0.0-dev.20260412.1",
         "oxfmt": "^0.24.0",
         "oxlint": "^1.39.0",
       },
       "peerDependencies": {
-        "typescript": "^5",
+        "typescript": "^6",
       },
     },
     "apps/admin-dashboard": {
@@ -41,7 +42,7 @@
         "@types/react": "^19.2.5",
         "@types/react-dom": "^19.2.3",
         "@vitejs/plugin-react": "^5.1.1",
-        "typescript": "~5.9.3",
+        "typescript": "^6",
         "vite": "^7.2.4",
       },
     },
@@ -111,7 +112,7 @@
         "eas-cli": "^18.0.1",
         "eslint": "^9.25.0",
         "eslint-config-expo": "~10.0.0",
-        "typescript": "~5.9.2",
+        "typescript": "^6",
       },
     },
     "apps/waitlist-website": {
@@ -138,7 +139,7 @@
         "@types/react": "^19.2.7",
         "@types/react-dom": "^19.2.3",
         "tailwindcss": "^4.1.13",
-        "typescript": "^5.9.2",
+        "typescript": "^6",
         "vite": "^7.1.7",
         "vite-tsconfig-paths": "^5.1.4",
       },
@@ -1452,6 +1453,22 @@
 
     "@typescript-eslint/visitor-keys": ["@typescript-eslint/visitor-keys@8.57.0", "", { "dependencies": { "@typescript-eslint/types": "8.57.0", "eslint-visitor-keys": "^5.0.0" } }, "sha512-zm6xx8UT/Xy2oSr2ZXD0pZo7Jx2XsCoID2IUh9YSTFRu7z+WdwYTRk6LhUftm1crwqbuoF6I8zAFeCMw0YjwDg=="],
 
+    "@typescript/native-preview": ["@typescript/native-preview@7.0.0-dev.20260412.1", "", { "optionalDependencies": { "@typescript/native-preview-darwin-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-darwin-x64": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-arm": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-linux-x64": "7.0.0-dev.20260412.1", "@typescript/native-preview-win32-arm64": "7.0.0-dev.20260412.1", "@typescript/native-preview-win32-x64": "7.0.0-dev.20260412.1" }, "bin": { "tsgo": "bin/tsgo.js" } }, "sha512-tDw3XZt2BkjAlt/MJmnFGmbe9lgKmc5wezmrMoBIEvJcqz+/KVpVBVvjbkZoaiABnJmuG3G3b6IUFrEveTw6UQ=="],
+
+    "@typescript/native-preview-darwin-arm64": ["@typescript/native-preview-darwin-arm64@7.0.0-dev.20260412.1", "", { "os": "darwin", "cpu": "arm64" }, "sha512-sSkFG+hjtRWffg6FddF3dEkk7N3TRMEqfiUpixwcWhXgyocMdPw8wutTvQRBxQdgxeL9y01M2SO8A8YPPiEgVg=="],
+
+    "@typescript/native-preview-darwin-x64": ["@typescript/native-preview-darwin-x64@7.0.0-dev.20260412.1", "", { "os": "darwin", "cpu": "x64" }, "sha512-m2BTeaLkrHEEDg0D9snigddy01qTY+wgx+W+GpXAfx36PPvW4xWuGXNVWfSaB8bqAC9C8NeLnT/C9/G/rJ5v2w=="],
+
+    "@typescript/native-preview-linux-arm": ["@typescript/native-preview-linux-arm@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "arm" }, "sha512-wDLekbfsfmKMWORg7CTnEnpKj8oXpU/6AEBrtVN9CEUCiQAe6yH878nZHhJNzWQXHtrtFf3lY49Yplqmdxja3w=="],
+
+    "@typescript/native-preview-linux-arm64": ["@typescript/native-preview-linux-arm64@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-JAdsG6MlVV1hoAUKPy8zxAL7xLeNxz8JgCbLCJVqW8EyH29R9FD4cFTqr7CSIRTNUEDzDTrgnXUyoRtDe1gr+w=="],
+
+    "@typescript/native-preview-linux-x64": ["@typescript/native-preview-linux-x64@7.0.0-dev.20260412.1", "", { "os": "linux", "cpu": "x64" }, "sha512-gYgppiQIqid3jZ7D8THh4k3Q+4bwidrQH6SL9Xgbk1qfP6/jwv8twuPqDOfZ+cK2OD55lQHp15fOh2lMNAC40Q=="],
+
+    "@typescript/native-preview-win32-arm64": ["@typescript/native-preview-win32-arm64@7.0.0-dev.20260412.1", "", { "os": "win32", "cpu": "arm64" }, "sha512-TOh7rH5H3jisHJqRXJSjmUGMzcbNBocS/hufhXPQIv+g3pdG5IKZoSnv3SV62I5d12FFDSS5KQon5MQPnOKAHg=="],
+
+    "@typescript/native-preview-win32-x64": ["@typescript/native-preview-win32-x64@7.0.0-dev.20260412.1", "", { "os": "win32", "cpu": "x64" }, "sha512-u+70wL89wspN1wKoX6FVNUATRGCG3BpleByP3H/UqOZvlwuMm8N7Gy8hEbM0U8bDyAuyP/daUfTBVkqXjjv9mA=="],
+
     "@ungap/structured-clone": ["@ungap/structured-clone@1.3.0", "", {}, "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g=="],
 
     "@unrs/resolver-binding-android-arm-eabi": ["@unrs/resolver-binding-android-arm-eabi@1.11.1", "", { "os": "android", "cpu": "arm" }, "sha512-ppLRUgHVaGRWUx0R0Ut06Mjo9gBaBkg3v/8AxusGLhsIotbBLuRk51rAzqLC8gq6NyyAojEXglNjzf6R948DNw=="],
@@ -3428,7 +3445,7 @@
 
     "typed-array-length": ["typed-array-length@1.0.7", "", { "dependencies": { "call-bind": "^1.0.7", "for-each": "^0.3.3", "gopd": "^1.0.1", "is-typed-array": "^1.1.13", "possible-typed-array-names": "^1.0.0", "reflect.getprototypeof": "^1.0.6" } }, "sha512-3KS2b+kL7fsuk/eJZ7EQdnEmQoaho/r6KUef7hxvltNA5DR8NAUM+8wJMbJyZ4G9/7i3v5zPBIMN5aybAh2/Jg=="],
 
-    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+    "typescript": ["typescript@6.0.2", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ=="],
 
     "ua-parser-js": ["ua-parser-js@1.0.41", "", { "bin": { "ua-parser-js": "script/cli.js" } }, "sha512-LbBDqdIC5s8iROCUjMbW1f5dJQTEFB1+KO9ogbvlb3nm9n4YHa5p4KTvFPWvh2Hs8gZMBuiB1/8+pdfe/tDPug=="],
 
@@ -3904,8 +3921,6 @@
 
     "accepts/negotiator": ["negotiator@0.6.3", "", {}, "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="],
 
-    "aelis-client/@tanstack/react-query": ["@tanstack/react-query@5.90.21", "", { "dependencies": { "@tanstack/query-core": "5.90.20" }, "peerDependencies": { "react": "^18 || ^19" } }, "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg=="],
-
     "aelis-client/@types/react": ["@types/react@19.1.17", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-Qec1E3mhALmaspIrhWt9jkQMNdw6bReVu64mjvhbhq2NFPftLPVr+l1SZgmw/66WwBNpDh7ao5AT6gF5v41PFA=="],
 
     "aelis-client/react": ["react@19.1.0", "", {}, "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg=="],
@@ -4544,8 +4559,6 @@
 
     "@typescript-eslint/typescript-estree/minimatch/brace-expansion": ["brace-expansion@5.0.4", "", { "dependencies": { "balanced-match": "^4.0.2" } }, "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg=="],
 
-    "aelis-client/@tanstack/react-query/@tanstack/query-core": ["@tanstack/query-core@5.90.20", "", {}, "sha512-OMD2HLpNouXEfZJWcKeVKUgQ5n+n3A2JFmBaScpNDUqSrQSjiveC7dKMe53uJUg1nDG16ttFPz2xfilz6i2uVg=="],
-
     "aelis-client/react-dom/scheduler": ["scheduler@0.26.0", "", {}, "sha512-NlHwttCI/l5gCPR3D1nNXtWABUmBwvZpEQiD4IXSbIDq8BzLIK/7Ir5gTFSGZDUu37K5cMNp0hFtzO38sC7gWA=="],
 
     "better-opn/open/define-lazy-prop": ["define-lazy-prop@2.0.0", "", {}, "sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og=="],

package.json

@@ -17,10 +17,11 @@
 		"@json-render/core": "^0.12.1",
 		"@nym.sh/jrx": "^0.2.0",
 		"@types/bun": "latest",
+		"@typescript/native-preview": "^7.0.0-dev.20260412.1",
 		"oxfmt": "^0.24.0",
 		"oxlint": "^1.39.0"
 	},
 	"peerDependencies": {
-		"typescript": "^5"
+		"typescript": "^6"
 	}
 }

tsconfig.json

@@ -1,6 +1,5 @@
 {
 	"compilerOptions": {
-		// Environment setup & latest features
 		"lib": ["ESNext"],
 		"target": "ESNext",
 		"module": "Preserve",
@@ -8,20 +7,19 @@
 		"jsx": "react-jsx",
 		"allowJs": true,
 
-		// Bundler mode
 		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"verbatimModuleSyntax": true,
 		"noEmit": true,
 
-		// Best practices
+		"types": ["bun"],
+
 		"strict": true,
 		"skipLibCheck": true,
 		"noFallthroughCasesInSwitch": true,
 		"noUncheckedIndexedAccess": true,
 		"noImplicitOverride": true,
 
-		// Some stricter flags (disabled by default)
 		"noUnusedLocals": false,
 		"noUnusedParameters": false,
 		"noPropertyAccessFromIndexSignature": false