fix(backend): reject unknown fields in source config

Add "+": "reject" to all arktype schemas so undeclared
keys return 400. Sources without a configSchema now
reject the config field entirely at the HTTP layer.

Co-authored-by: Ona <no-reply@ona.com>

apps/aelis-backend/package.json

@@ -25,9 +25,11 @@
 		"arktype": "^2.1.29",
 		"better-auth": "^1",
 		"drizzle-orm": "^0.45.1",
-		"hono": "^4"
+		"hono": "^4",
+		"lodash.merge": "^4.6.2"
 	},
 	"devDependencies": {
+		"@types/lodash.merge": "^4.6.9",
 		"drizzle-kit": "^0.31.9"
 	}
 }

apps/aelis-backend/src/admin/http.test.ts

@@ -0,0 +1,195 @@
+import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
+
+import { describe, expect, mock, test } from "bun:test"
+import { Hono } from "hono"
+
+import type { AdminMiddleware } from "../auth/admin-middleware.ts"
+import type { AuthSession, AuthUser } from "../auth/session.ts"
+import type { Database } from "../db/index.ts"
+import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
+
+import { UserSessionManager } from "../session/user-session-manager.ts"
+import { registerAdminHttpHandlers } from "./http.ts"
+
+let mockEnabledSourceIds: string[] = []
+
+mock.module("../sources/user-sources.ts", () => ({
+	sources: (_db: Database, _userId: string) => ({
+		async enabled() {
+			const now = new Date()
+			return mockEnabledSourceIds.map((sourceId) => ({
+				id: crypto.randomUUID(),
+				userId: _userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}))
+		},
+		async find(sourceId: string) {
+			const now = new Date()
+			return {
+				id: crypto.randomUUID(),
+				userId: _userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}
+		},
+	}),
+}))
+
+function createStubSource(id: string): FeedSource {
+	return {
+		id,
+		async listActions(): Promise<Record<string, ActionDefinition>> {
+			return {}
+		},
+		async executeAction(): Promise<unknown> {
+			return undefined
+		},
+		async fetchContext(): Promise<readonly ContextEntry[] | null> {
+			return null
+		},
+		async fetchItems(): Promise<FeedItem[]> {
+			return []
+		},
+	}
+}
+
+function createStubProvider(sourceId: string): FeedSourceProvider {
+	return {
+		sourceId,
+		async feedSourceForUser() {
+			return createStubSource(sourceId)
+		},
+	}
+}
+
+/** Passthrough admin middleware for testing (assumes admin). */
+function passthroughAdminMiddleware(): AdminMiddleware {
+	const now = new Date()
+	return async (c, next) => {
+		c.set("user", {
+			id: "admin-1",
+			name: "Admin",
+			email: "admin@test.com",
+			emailVerified: true,
+			image: null,
+			createdAt: now,
+			updatedAt: now,
+			role: "admin",
+			banned: false,
+			banReason: null,
+			banExpires: null,
+		} as AuthUser)
+		c.set("session", { id: "sess-1" } as AuthSession)
+		await next()
+	}
+}
+
+const fakeDb = {} as Database
+
+function createApp(providers: FeedSourceProvider[]) {
+	mockEnabledSourceIds = providers.map((p) => p.sourceId)
+	const sessionManager = new UserSessionManager({ db: fakeDb, providers })
+	const app = new Hono()
+	registerAdminHttpHandlers(app, {
+		sessionManager,
+		adminMiddleware: passthroughAdminMiddleware(),
+		db: fakeDb,
+	})
+	return { app, sessionManager }
+}
+
+const validWeatherConfig = {
+	credentials: {
+		privateKey: "pk-123",
+		keyId: "key-456",
+		teamId: "team-789",
+		serviceId: "svc-abc",
+	},
+}
+
+describe("PUT /api/admin/:sourceId/config", () => {
+	test("returns 404 for unknown provider", async () => {
+		const { app } = createApp([createStubProvider("aelis.location")])
+
+		const res = await app.request("/api/admin/aelis.nonexistent/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ key: "value" }),
+		})
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 404 for provider without runtime config support", async () => {
+		const { app } = createApp([createStubProvider("aelis.location")])
+
+		const res = await app.request("/api/admin/aelis.location/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ key: "value" }),
+		})
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 400 for invalid JSON body", async () => {
+		const { app } = createApp([createStubProvider("aelis.weather")])
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: "not json",
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("Invalid JSON")
+	})
+
+	test("returns 400 when weather config fails validation", async () => {
+		const { app } = createApp([createStubProvider("aelis.weather")])
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ credentials: { privateKey: 123 } }),
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBeDefined()
+	})
+
+	test("returns 204 and applies valid weather config", async () => {
+		const { app, sessionManager } = createApp([createStubProvider("aelis.weather")])
+
+		const originalProvider = sessionManager.getProvider("aelis.weather")
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify(validWeatherConfig),
+		})
+
+		expect(res.status).toBe(204)
+
+		// Provider was replaced with a new instance
+		const provider = sessionManager.getProvider("aelis.weather")
+		expect(provider).toBeDefined()
+		expect(provider!.sourceId).toBe("aelis.weather")
+		expect(provider).not.toBe(originalProvider)
+	})
+})

apps/aelis-backend/src/admin/http.ts

@@ -0,0 +1,86 @@
+import type { Context, Hono } from "hono"
+
+import { type } from "arktype"
+import { createMiddleware } from "hono/factory"
+
+import type { AdminMiddleware } from "../auth/admin-middleware.ts"
+import type { Database } from "../db/index.ts"
+import type { UserSessionManager } from "../session/index.ts"
+
+import { WeatherSourceProvider } from "../weather/provider.ts"
+
+type Env = {
+	Variables: {
+		sessionManager: UserSessionManager
+		db: Database
+	}
+}
+
+interface AdminHttpHandlersDeps {
+	sessionManager: UserSessionManager
+	adminMiddleware: AdminMiddleware
+	db: Database
+}
+
+export function registerAdminHttpHandlers(
+	app: Hono,
+	{ sessionManager, adminMiddleware, db }: AdminHttpHandlersDeps,
+) {
+	const inject = createMiddleware<Env>(async (c, next) => {
+		c.set("sessionManager", sessionManager)
+		c.set("db", db)
+		await next()
+	})
+
+	app.put("/api/admin/:sourceId/config", inject, adminMiddleware, handleUpdateProviderConfig)
+}
+
+const WeatherKitSourceProviderConfig = type({
+	credentials: {
+		privateKey: "string",
+		keyId: "string",
+		teamId: "string",
+		serviceId: "string",
+	},
+})
+
+async function handleUpdateProviderConfig(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	switch (sourceId) {
+		case "aelis.weather": {
+			const parsed = WeatherKitSourceProviderConfig(body)
+			if (parsed instanceof type.errors) {
+				return c.json({ error: parsed.summary }, 400)
+			}
+
+			const updated = new WeatherSourceProvider({
+				credentials: parsed.credentials,
+			})
+
+			try {
+				await sessionManager.replaceProvider(updated)
+			} catch (err) {
+				console.error(`[admin] replaceProvider("${sourceId}") failed:`, err)
+				return c.json({ error: "Failed to apply config" }, 500)
+			}
+
+			return c.body(null, 204)
+		}
+
+		default:
+			return c.json({ error: `Provider "${sourceId}" not found` }, 404)
+	}
+}

apps/aelis-backend/src/auth/admin-middleware.test.ts

@@ -0,0 +1,95 @@
+import { Hono } from "hono"
+import { describe, expect, test } from "bun:test"
+
+import type { Auth } from "./index.ts"
+import type { AuthSession, AuthUser } from "./session.ts"
+
+import { createRequireAdmin } from "./admin-middleware.ts"
+
+function makeUser(role: string | null): AuthUser {
+	const now = new Date()
+	return {
+		id: "user-1",
+		name: "Test User",
+		email: "test@example.com",
+		emailVerified: true,
+		image: null,
+		createdAt: now,
+		updatedAt: now,
+		role,
+		banned: false,
+		banReason: null,
+		banExpires: null,
+	}
+}
+
+function makeSession(): AuthSession {
+	const now = new Date()
+	return {
+		id: "sess-1",
+		userId: "user-1",
+		token: "tok-1",
+		expiresAt: new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000),
+		ipAddress: "127.0.0.1",
+		userAgent: "test",
+		createdAt: now,
+		updatedAt: now,
+	}
+}
+
+function mockAuth(sessionResult: { user: AuthUser; session: AuthSession } | null): Auth {
+	return {
+		api: {
+			getSession: async () => sessionResult,
+		},
+	} as unknown as Auth
+}
+
+function createApp(auth: Auth) {
+	const app = new Hono()
+	const middleware = createRequireAdmin(auth)
+	app.get("/api/admin/test", middleware, (c) => c.json({ ok: true }))
+	return app
+}
+
+describe("createRequireAdmin", () => {
+	test("returns 401 when no session", async () => {
+		const app = createApp(mockAuth(null))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(401)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBe("Unauthorized")
+	})
+
+	test("returns 403 when user is not admin", async () => {
+		const app = createApp(mockAuth({ user: makeUser("user"), session: makeSession() }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(403)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBe("Forbidden")
+	})
+
+	test("returns 403 when role is null", async () => {
+		const app = createApp(mockAuth({ user: makeUser(null), session: makeSession() }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(403)
+	})
+
+	test("allows admin users through and sets context", async () => {
+		const user = makeUser("admin")
+		const session = makeSession()
+		const app = createApp(mockAuth({ user, session }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(200)
+		const body = (await res.json()) as { ok: boolean }
+		expect(body.ok).toBe(true)
+	})
+})

apps/aelis-backend/src/auth/admin-middleware.ts

@@ -0,0 +1,28 @@
+import type { Context, MiddlewareHandler, Next } from "hono"
+
+import type { Auth } from "./index.ts"
+import type { AuthSessionEnv } from "./session-middleware.ts"
+
+export type AdminMiddleware = MiddlewareHandler<AuthSessionEnv>
+
+/**
+ * Creates a middleware that requires a valid session with admin role.
+ * Returns 401 if not authenticated, 403 if not admin.
+ */
+export function createRequireAdmin(auth: Auth): AdminMiddleware {
+	return async (c: Context, next: Next): Promise<Response | void> => {
+		const session = await auth.api.getSession({ headers: c.req.raw.headers })
+
+		if (!session) {
+			return c.json({ error: "Unauthorized" }, 401)
+		}
+
+		if (session.user.role !== "admin") {
+			return c.json({ error: "Forbidden" }, 403)
+		}
+
+		c.set("user", session.user)
+		c.set("session", session.session)
+		await next()
+	}
+}

apps/aelis-backend/src/engine/http.test.ts

@@ -1,9 +1,11 @@
 import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
 
 import { contextKey } from "@aelis/core"
-import { describe, expect, spyOn, test } from "bun:test"
+import { describe, expect, mock, spyOn, test } from "bun:test"
 import { Hono } from "hono"
 
+import type { Database } from "../db/index.ts"
+
 import { mockAuthSessionMiddleware } from "../auth/session-middleware.ts"
 import { UserSessionManager } from "../session/index.ts"
 import { registerFeedHttpHandlers } from "./http.ts"
@@ -50,9 +52,45 @@ function buildTestApp(sessionManager: UserSessionManager, userId?: string) {
 	return app
 }
 
+let mockEnabledSourceIds: string[] = []
+
+mock.module("../sources/user-sources.ts", () => ({
+	sources: (_db: Database, _userId: string) => ({
+		async enabled() {
+			const now = new Date()
+			return mockEnabledSourceIds.map((sourceId) => ({
+				id: crypto.randomUUID(),
+				userId: _userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}))
+		},
+		async find(sourceId: string) {
+			const now = new Date()
+			return {
+				id: crypto.randomUUID(),
+				userId: _userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}
+		},
+	}),
+}))
+
+const fakeDb = {} as Database
+
 describe("GET /api/feed", () => {
 	test("returns 401 without auth", async () => {
-		const manager = new UserSessionManager({ providers: [] })
+		mockEnabledSourceIds = []
+		const manager = new UserSessionManager({ db: fakeDb, providers: [] })
 		const app = buildTestApp(manager)
 
 		const res = await app.request("/api/feed")
@@ -71,7 +109,9 @@ describe("GET /api/feed", () => {
 				data: { value: 42 },
 			},
 		]
+		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "test",
@@ -111,7 +151,9 @@ describe("GET /api/feed", () => {
 				data: { fresh: true },
 			},
 		]
+		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "test",
@@ -150,7 +192,9 @@ describe("GET /api/feed", () => {
 				throw new Error("connection timeout")
 			},
 		}
+		mockEnabledSourceIds = ["failing"]
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "failing",
@@ -173,7 +217,9 @@ describe("GET /api/feed", () => {
 	})
 
 	test("returns 503 when all providers fail", async () => {
+		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "test",
@@ -206,7 +252,9 @@ describe("GET /api/context", () => {
 	const mockUserId = "k7Gx2mPqRvNwYs9TdLfA4bHcJeUo1iZn"
 
 	async function buildContextApp(userId?: string) {
+		mockEnabledSourceIds = ["weather"]
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "weather",
@@ -222,7 +270,8 @@ describe("GET /api/context", () => {
 	}
 
 	test("returns 401 without auth", async () => {
-		const manager = new UserSessionManager({ providers: [] })
+		mockEnabledSourceIds = []
+		const manager = new UserSessionManager({ db: fakeDb, providers: [] })
 		const app = buildTestApp(manager)
 
 		const res = await app.request('/api/context?key=["aelis.weather","weather"]')

apps/aelis-backend/src/location/provider.ts

@@ -1,26 +1,11 @@
 import { LocationSource } from "@aelis/source-location"
 
-import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
 
-import { SourceDisabledError } from "../sources/errors.ts"
-import { sources } from "../sources/user-sources.ts"
-
 export class LocationSourceProvider implements FeedSourceProvider {
 	readonly sourceId = "aelis.location"
-	private readonly db: Database
-
-	constructor(db: Database) {
-		this.db = db
-	}
-
-	async feedSourceForUser(userId: string): Promise<LocationSource> {
-		const row = await sources(this.db, userId).find("aelis.location")
-
-		if (!row || !row.enabled) {
-			throw new SourceDisabledError("aelis.location", userId)
-		}
 
+	async feedSourceForUser(_userId: string, _config: unknown): Promise<LocationSource> {
 		return new LocationSource()
 	}
 }

apps/aelis-backend/src/server.ts

@@ -1,5 +1,7 @@
 import { Hono } from "hono"
 
+import { registerAdminHttpHandlers } from "./admin/http.ts"
+import { createRequireAdmin } from "./auth/admin-middleware.ts"
 import { registerAuthHandlers } from "./auth/http.ts"
 import { createAuth } from "./auth/index.ts"
 import { createRequireSession } from "./auth/session-middleware.ts"
@@ -10,6 +12,7 @@ import { createLlmClient } from "./enhancement/llm-client.ts"
 import { registerLocationHttpHandlers } from "./location/http.ts"
 import { LocationSourceProvider } from "./location/provider.ts"
 import { UserSessionManager } from "./session/index.ts"
+import { registerSourcesHttpHandlers } from "./sources/http.ts"
 import { WeatherSourceProvider } from "./weather/provider.ts"
 
 function main() {
@@ -30,10 +33,10 @@ function main() {
 	}
 
 	const sessionManager = new UserSessionManager({
+		db,
 		providers: [
-			new LocationSourceProvider(db),
+			new LocationSourceProvider(),
 			new WeatherSourceProvider({
-				db,
 				credentials: {
 					privateKey: process.env.WEATHERKIT_PRIVATE_KEY!,
 					keyId: process.env.WEATHERKIT_KEY_ID!,
@@ -50,6 +53,7 @@ function main() {
 	app.get("/health", (c) => c.json({ status: "ok" }))
 
 	const authSessionMiddleware = createRequireSession(auth)
+	const adminMiddleware = createRequireAdmin(auth)
 
 	registerAuthHandlers(app, auth)
 
@@ -58,6 +62,8 @@ function main() {
 		authSessionMiddleware,
 	})
 	registerLocationHttpHandlers(app, { sessionManager, authSessionMiddleware })
+	registerSourcesHttpHandlers(app, { sessionManager, authSessionMiddleware })
+	registerAdminHttpHandlers(app, { sessionManager, adminMiddleware, db })
 
 	process.on("SIGTERM", async () => {
 		await closeDb()

apps/aelis-backend/src/session/feed-source-provider.ts

@@ -1,7 +1,12 @@
 import type { FeedSource } from "@aelis/core"
+import type { type } from "arktype"
+
+export type ConfigSchema = ReturnType<typeof type>
 
 export interface FeedSourceProvider {
 	/** The source ID this provider is responsible for (e.g., "aelis.location"). */
 	readonly sourceId: string
-	feedSourceForUser(userId: string): Promise<FeedSource>
+	/** Arktype schema for validating user-provided config. Omit if the source has no config. */
+	readonly configSchema?: ConfigSchema
+	feedSourceForUser(userId: string, config: unknown): Promise<FeedSource>
 }

apps/aelis-backend/src/session/user-session-manager.test.ts

@@ -2,12 +2,77 @@ import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aeli
 
 import { LocationSource } from "@aelis/source-location"
 import { WeatherSource } from "@aelis/source-weatherkit"
-import { describe, expect, mock, spyOn, test } from "bun:test"
+import { beforeEach, describe, expect, mock, spyOn, test } from "bun:test"
 
+import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
 import { UserSessionManager } from "./user-session-manager.ts"
 
+/**
+ * Per-user enabled source IDs used by the mocked `sources` module.
+ * Tests configure this before calling getOrCreate.
+ * Key = userId (or "*" for a default), value = array of enabled sourceIds.
+ */
+const enabledByUser = new Map<string, string[]>()
+
+/** Set which sourceIds are enabled for all users. */
+function setEnabledSources(sourceIds: string[]) {
+	enabledByUser.clear()
+	enabledByUser.set("*", sourceIds)
+}
+
+/** Set which sourceIds are enabled for a specific user. */
+function setEnabledSourcesForUser(userId: string, sourceIds: string[]) {
+	enabledByUser.set(userId, sourceIds)
+}
+
+function getEnabledSourceIds(userId: string): string[] {
+	return enabledByUser.get(userId) ?? enabledByUser.get("*") ?? []
+}
+
+/**
+ * Controls what `find()` returns in the mock. When `undefined` (the default),
+ * `find()` returns a standard enabled row. Set to a specific value (including
+ * `null`) to override the return value for all `find()` calls.
+ */
+let mockFindResult: unknown | undefined
+
+// Mock the sources module so UserSessionManager's DB query returns controlled data.
+mock.module("../sources/user-sources.ts", () => ({
+	sources: (_db: Database, userId: string) => ({
+		async enabled() {
+			const now = new Date()
+			return getEnabledSourceIds(userId).map((sourceId) => ({
+				id: crypto.randomUUID(),
+				userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}))
+		},
+		async find(sourceId: string) {
+			if (mockFindResult !== undefined) return mockFindResult
+			const now = new Date()
+			return {
+				id: crypto.randomUUID(),
+				userId,
+				sourceId,
+				enabled: true,
+				config: {},
+				credentials: null,
+				createdAt: now,
+				updatedAt: now,
+			}
+		},
+	}),
+}))
+
+const fakeDb = {} as Database
+
 function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 	return {
 		id,
@@ -28,7 +93,8 @@ function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 
 function createStubProvider(
 	sourceId: string,
-	factory: (userId: string) => Promise<FeedSource> = async () => createStubSource(sourceId),
+	factory: (userId: string, config: Record<string, unknown>) => Promise<FeedSource> = async () =>
+		createStubSource(sourceId),
 ): FeedSourceProvider {
 	return { sourceId, feedSourceForUser: factory }
 }
@@ -47,9 +113,15 @@ const weatherProvider: FeedSourceProvider = {
 	},
 }
 
+beforeEach(() => {
+	enabledByUser.clear()
+	mockFindResult = undefined
+})
+
 describe("UserSessionManager", () => {
 	test("getOrCreate creates session on first call", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session = await manager.getOrCreate("user-1")
 
@@ -58,7 +130,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("getOrCreate returns same session for same user", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-1")
@@ -67,7 +140,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("getOrCreate returns different sessions for different users", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-2")
@@ -76,7 +150,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("each user gets independent source instances", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-2")
@@ -88,7 +163,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("remove destroys session and allows re-creation", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session1 = await manager.getOrCreate("user-1")
 		manager.remove("user-1")
@@ -98,13 +174,16 @@ describe("UserSessionManager", () => {
 	})
 
 	test("remove is no-op for unknown user", () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		expect(() => manager.remove("unknown")).not.toThrow()
 	})
 
 	test("registers multiple providers", async () => {
+		setEnabledSources(["aelis.location", "aelis.weather"])
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [locationProvider, weatherProvider],
 		})
 
@@ -115,7 +194,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("refresh returns feed result through session", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session = await manager.getOrCreate("user-1")
 		const result = await session.engine.refresh()
@@ -127,7 +207,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("location update via executeAction works", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const session = await manager.getOrCreate("user-1")
 		await session.engine.executeAction("aelis.location", "update-location", {
@@ -142,7 +223,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("subscribe receives updates after location push", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 		const callback = mock()
 
 		const session = await manager.getOrCreate("user-1")
@@ -162,7 +244,8 @@ describe("UserSessionManager", () => {
 	})
 
 	test("remove stops reactive updates", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 		const callback = mock()
 
 		const session = await manager.getOrCreate("user-1")
@@ -185,6 +268,7 @@ describe("UserSessionManager", () => {
 	})
 
 	test("creates session with successful providers when some fail", async () => {
+		setEnabledSources(["aelis.location", "aelis.failing"])
 		const failingProvider: FeedSourceProvider = {
 			sourceId: "aelis.failing",
 			async feedSourceForUser() {
@@ -193,6 +277,7 @@ describe("UserSessionManager", () => {
 		}
 
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [locationProvider, failingProvider],
 		})
 
@@ -208,7 +293,9 @@ describe("UserSessionManager", () => {
 	})
 
 	test("throws AggregateError when all providers fail", async () => {
+		setEnabledSources(["aelis.fail-1", "aelis.fail-2"])
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "aelis.fail-1",
@@ -229,8 +316,10 @@ describe("UserSessionManager", () => {
 	})
 
 	test("concurrent getOrCreate for same user returns same session", async () => {
+		setEnabledSources(["aelis.location"])
 		let callCount = 0
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "aelis.location",
@@ -253,12 +342,14 @@ describe("UserSessionManager", () => {
 	})
 
 	test("remove during in-flight getOrCreate prevents session from being stored", async () => {
+		setEnabledSources(["aelis.location"])
 		let resolveProvider: () => void
 		const providerGate = new Promise<void>((r) => {
 			resolveProvider = r
 		})
 
 		const manager = new UserSessionManager({
+			db: fakeDb,
 			providers: [
 				{
 					sourceId: "aelis.location",
@@ -285,10 +376,67 @@ describe("UserSessionManager", () => {
 		expect(freshSession).toBeDefined()
 		expect(freshSession.engine).toBeDefined()
 	})
+
+	test("only invokes providers for sources enabled for the user", async () => {
+		setEnabledSources(["aelis.location"])
+		const locationFactory = mock(async () => createStubSource("aelis.location"))
+		const weatherFactory = mock(async () => createStubSource("aelis.weather"))
+
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [
+				{ sourceId: "aelis.location", feedSourceForUser: locationFactory },
+				{ sourceId: "aelis.weather", feedSourceForUser: weatherFactory },
+			],
+		})
+
+		const session = await manager.getOrCreate("user-1")
+
+		expect(locationFactory).toHaveBeenCalledTimes(1)
+		expect(weatherFactory).not.toHaveBeenCalled()
+		expect(session.getSource("aelis.location")).toBeDefined()
+		expect(session.getSource("aelis.weather")).toBeUndefined()
+	})
+
+	test("creates empty session when no sources are enabled", async () => {
+		setEnabledSources([])
+		const factory = mock(async () => createStubSource("aelis.location"))
+
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [{ sourceId: "aelis.location", feedSourceForUser: factory }],
+		})
+
+		const session = await manager.getOrCreate("user-1")
+
+		expect(factory).not.toHaveBeenCalled()
+		expect(session).toBeDefined()
+		expect(session.getSource("aelis.location")).toBeUndefined()
+	})
+
+	test("per-user enabled sources are respected", async () => {
+		enabledByUser.clear()
+		setEnabledSourcesForUser("user-1", ["aelis.location"])
+		setEnabledSourcesForUser("user-2", ["aelis.weather"])
+
+		const manager = new UserSessionManager({
+			db: fakeDb,
+			providers: [createStubProvider("aelis.location"), createStubProvider("aelis.weather")],
+		})
+
+		const session1 = await manager.getOrCreate("user-1")
+		const session2 = await manager.getOrCreate("user-2")
+
+		expect(session1.getSource("aelis.location")).toBeDefined()
+		expect(session1.getSource("aelis.weather")).toBeUndefined()
+		expect(session2.getSource("aelis.location")).toBeUndefined()
+		expect(session2.getSource("aelis.weather")).toBeDefined()
+	})
 })
 
 describe("UserSessionManager.replaceProvider", () => {
 	test("replaces source in all active sessions", async () => {
+		setEnabledSources(["test"])
 		const itemsV1: FeedItem[] = [
 			{
 				id: "v1",
@@ -309,7 +457,7 @@ describe("UserSessionManager.replaceProvider", () => {
 		]
 
 		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
-		const manager = new UserSessionManager({ providers: [providerV1] })
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
 
 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-2")
@@ -330,7 +478,8 @@ describe("UserSessionManager.replaceProvider", () => {
 	})
 
 	test("throws for unknown provider sourceId", async () => {
-		const manager = new UserSessionManager({ providers: [locationProvider] })
+		setEnabledSources(["aelis.location"])
+		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
 
 		const unknownProvider = createStubProvider("aelis.unknown")
 
@@ -339,9 +488,10 @@ describe("UserSessionManager.replaceProvider", () => {
 		)
 	})
 
-	test("removes source from session when new provider fails for a user", async () => {
+	test("keeps existing source when new provider fails for a user", async () => {
+		setEnabledSources(["test"])
 		const providerV1 = createStubProvider("test", async () => createStubSource("test"))
-		const manager = new UserSessionManager({ providers: [providerV1] })
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
 
 		const session = await manager.getOrCreate("user-1")
 		expect(session.getSource("test")).toBeDefined()
@@ -353,13 +503,14 @@ describe("UserSessionManager.replaceProvider", () => {
 		})
 		await manager.replaceProvider(failingProvider)
 
-		expect(session.getSource("test")).toBeUndefined()
+		expect(session.getSource("test")).toBeDefined()
 		expect(spy).toHaveBeenCalled()
 
 		spy.mockRestore()
 	})
 
 	test("new sessions use the replaced provider", async () => {
+		setEnabledSources(["test"])
 		const itemsV1: FeedItem[] = [
 			{
 				id: "v1",
@@ -380,7 +531,7 @@ describe("UserSessionManager.replaceProvider", () => {
 		]
 
 		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
-		const manager = new UserSessionManager({ providers: [providerV1] })
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
 
 		const providerV2 = createStubProvider("test", async () => createStubSource("test", itemsV2))
 		await manager.replaceProvider(providerV2)
@@ -392,6 +543,7 @@ describe("UserSessionManager.replaceProvider", () => {
 	})
 
 	test("does not affect other providers' sources", async () => {
+		setEnabledSources(["source-a", "source-b"])
 		const providerA = createStubProvider("source-a", async () =>
 			createStubSource("source-a", [
 				{
@@ -415,7 +567,7 @@ describe("UserSessionManager.replaceProvider", () => {
 			]),
 		)
 
-		const manager = new UserSessionManager({ providers: [providerA, providerB] })
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerA, providerB] })
 		const session = await manager.getOrCreate("user-1")
 
 		// Replace only source-a
@@ -440,6 +592,7 @@ describe("UserSessionManager.replaceProvider", () => {
 	})
 
 	test("updates sessions that are still being created", async () => {
+		setEnabledSources(["test"])
 		const itemsV1: FeedItem[] = [
 			{
 				id: "v1",
@@ -468,7 +621,7 @@ describe("UserSessionManager.replaceProvider", () => {
 			await creationGate
 			return createStubSource("test", itemsV1)
 		})
-		const manager = new UserSessionManager({ providers: [providerV1] })
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
 
 		// Start session creation but don't let it finish yet
 		const sessionPromise = manager.getOrCreate("user-1")
@@ -487,4 +640,44 @@ describe("UserSessionManager.replaceProvider", () => {
 		const feed = await session.feed()
 		expect(feed.items[0]!.data.version).toBe(2)
 	})
+
+	test("skips source replacement when source was disabled between creation and replace", async () => {
+		setEnabledSources(["test"])
+		const itemsV1: FeedItem[] = [
+			{
+				id: "v1",
+				sourceId: "test",
+				type: "test",
+				timestamp: new Date(),
+				data: { version: 1 },
+			},
+		]
+
+		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
+		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
+
+		const session = await manager.getOrCreate("user-1")
+		const feedBefore = await session.feed()
+		expect(feedBefore.items[0]!.data.version).toBe(1)
+
+		// Simulate the source being disabled/deleted between session creation and replace
+		mockFindResult = null
+
+		const providerV2 = createStubProvider("test", async () =>
+			createStubSource("test", [
+				{
+					id: "v2",
+					sourceId: "test",
+					type: "test",
+					timestamp: new Date(),
+					data: { version: 2 },
+				},
+			]),
+		)
+		await manager.replaceProvider(providerV2)
+
+		// Session should still have v1 — the replace was skipped
+		const feedAfter = await session.feed()
+		expect(feedAfter.items[0]!.data.version).toBe(1)
+	})
 })

apps/aelis-backend/src/session/user-session-manager.ts

@@ -1,31 +1,46 @@
 import type { FeedSource } from "@aelis/core"
 
+import { type } from "arktype"
+import merge from "lodash.merge"
+
+import type { Database } from "../db/index.ts"
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
+import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
 import { UserSession } from "./user-session.ts"
 
 export interface UserSessionManagerConfig {
+	db: Database
 	providers: FeedSourceProvider[]
 	feedEnhancer?: FeedEnhancer | null
 }
 
 export class UserSessionManager {
-	private sessions = new Map<string, { userId: string; session: UserSession }>()
+	private sessions = new Map<string, UserSession>()
 	private pending = new Map<string, Promise<UserSession>>()
+	private readonly db: Database
 	private readonly providers = new Map<string, FeedSourceProvider>()
 	private readonly feedEnhancer: FeedEnhancer | null
+	private readonly db: Database
 
 	constructor(config: UserSessionManagerConfig) {
+		this.db = config.db
 		for (const provider of config.providers) {
 			this.providers.set(provider.sourceId, provider)
 		}
 		this.feedEnhancer = config.feedEnhancer ?? null
+		this.db = config.db
+	}
+
+	getProvider(sourceId: string): FeedSourceProvider | undefined {
+		return this.providers.get(sourceId)
 	}
 
 	async getOrCreate(userId: string): Promise<UserSession> {
 		const existing = this.sessions.get(userId)
-		if (existing) return existing.session
+		if (existing) return existing
 
 		const inflight = this.pending.get(userId)
 		if (inflight) return inflight
@@ -40,7 +55,7 @@ export class UserSessionManager {
 				session.destroy()
 				throw new Error(`Session for user ${userId} was removed during creation`)
 			}
-			this.sessions.set(userId, { userId, session })
+			this.sessions.set(userId, session)
 			return session
 		} finally {
 			this.pending.delete(userId)
@@ -48,20 +63,130 @@ export class UserSessionManager {
 	}
 
 	remove(userId: string): void {
-		const entry = this.sessions.get(userId)
-		if (entry) {
-			entry.session.destroy()
+		const session = this.sessions.get(userId)
+		if (session) {
+			session.destroy()
 			this.sessions.delete(userId)
 		}
 		// Cancel any in-flight creation so getOrCreate won't store the session
 		this.pending.delete(userId)
 	}
 
+	/**
+	 * Merges, validates, and persists a user's source config and/or enabled
+	 * state, then invalidates the cached session.
+	 *
+	 * @throws {SourceNotFoundError} if the source row doesn't exist
+	 * @throws {InvalidSourceConfigError} if the merged config fails schema validation
+	 */
+	async updateSourceConfig(
+		userId: string,
+		sourceId: string,
+		update: { enabled?: boolean; config?: unknown },
+	): Promise<void> {
+		const provider = this.providers.get(sourceId)
+		if (!provider) {
+			throw new SourceNotFoundError(sourceId, userId)
+		}
+
+		// Nothing to update
+		if (update.enabled === undefined && update.config === undefined) {
+			// Still validate existence — updateConfig would throw, but
+			// we can avoid the DB write entirely.
+			if (!(await sources(this.db, userId).find(sourceId))) {
+				throw new SourceNotFoundError(sourceId, userId)
+			}
+			return
+		}
+
+		// When config is provided, fetch existing to deep-merge before validating.
+		// NOTE: find + updateConfig is not atomic. A concurrent update could
+		// read stale config. Use SELECT FOR UPDATE or atomic jsonb merge if
+		// this becomes a problem.
+		let mergedConfig: Record<string, unknown> | undefined
+		if (update.config !== undefined && provider.configSchema) {
+			const existing = await sources(this.db, userId).find(sourceId)
+			const existingConfig = (existing?.config ?? {}) as Record<string, unknown>
+			mergedConfig = merge({}, existingConfig, update.config)
+
+			const validated = provider.configSchema(mergedConfig)
+			if (validated instanceof type.errors) {
+				throw new InvalidSourceConfigError(sourceId, validated.summary)
+			}
+		}
+
+		// Throws SourceNotFoundError if the row doesn't exist
+		await sources(this.db, userId).updateConfig(sourceId, {
+			enabled: update.enabled,
+			config: mergedConfig,
+		})
+
+		// Refresh the specific source in the active session instead of
+		// destroying the entire session.
+		const session = this.sessions.get(userId)
+		if (session) {
+			if (update.enabled === false) {
+				session.removeSource(sourceId)
+			} else {
+				const source = await provider.feedSourceForUser(userId, mergedConfig ?? {})
+				session.replaceSource(sourceId, source)
+			}
+		}
+	}
+
+	/**
+	 * Validates, persists, and upserts a user's source config, then
+	 * refreshes the cached session. Unlike updateSourceConfig, this
+	 * inserts a new row if one doesn't exist and fully replaces config
+	 * (no merge).
+	 *
+	 * @throws {SourceNotFoundError} if the sourceId has no registered provider
+	 * @throws {InvalidSourceConfigError} if config fails schema validation
+	 */
+	async upsertSourceConfig(
+		userId: string,
+		sourceId: string,
+		data: { enabled: boolean; config?: unknown },
+	): Promise<void> {
+		const provider = this.providers.get(sourceId)
+		if (!provider) {
+			throw new SourceNotFoundError(sourceId, userId)
+		}
+
+		if (provider.configSchema && data.config !== undefined) {
+			const validated = provider.configSchema(data.config)
+			if (validated instanceof type.errors) {
+				throw new InvalidSourceConfigError(sourceId, validated.summary)
+			}
+		}
+
+		const config = data.config ?? {}
+		await sources(this.db, userId).upsertConfig(sourceId, {
+			enabled: data.enabled,
+			config,
+		})
+
+		const session = this.sessions.get(userId)
+		if (session) {
+			if (!data.enabled) {
+				session.removeSource(sourceId)
+			} else {
+				const source = await provider.feedSourceForUser(userId, config)
+				if (session.hasSource(sourceId)) {
+					session.replaceSource(sourceId, source)
+				} else {
+					session.addSource(source)
+				}
+			}
+		}
+	}
+
 	/**
 	 * Replaces a provider and updates all active sessions.
 	 * The new provider must have the same sourceId as an existing one.
-	 * For each active session, resolves a new source from the provider.
-	 * If the provider fails for a user, the old source is removed from that session.
+	 * For each active session, queries the user's source config from the DB
+	 * and re-resolves the source. If the provider fails for a user, the
+	 * existing source is kept.
 	 */
 	async replaceProvider(provider: FeedSourceProvider): Promise<void> {
 		if (!this.providers.has(provider.sourceId)) {
@@ -74,16 +199,16 @@ export class UserSessionManager {
 
 		const updates: Promise<void>[] = []
 
-		for (const [, { userId, session }] of this.sessions) {
-			updates.push(this.updateSessionSource(provider, userId, session))
+		for (const [, session] of this.sessions) {
+			updates.push(this.refreshSessionSource(session, provider))
 		}
 
 		// Also update sessions that are currently being created so they
 		// don't land in this.sessions with a stale source.
-		for (const [userId, pendingPromise] of this.pending) {
+		for (const [, pendingPromise] of this.pending) {
 			updates.push(
 				pendingPromise
-					.then((session) => this.updateSessionSource(provider, userId, session))
+					.then((session) => this.refreshSessionSource(session, provider))
 					.catch(() => {
 						// Session creation itself failed — nothing to update.
 					}),
@@ -93,40 +218,60 @@ export class UserSessionManager {
 		await Promise.all(updates)
 	}
 
-	private async updateSessionSource(
-		provider: FeedSourceProvider,
-		userId: string,
+	/**
+	 * Re-resolves a single source for a session by querying the user's config
+	 * from the DB and calling the provider. If the provider fails, the existing
+	 * source is kept.
+	 */
+	private async refreshSessionSource(
 		session: UserSession,
+		provider: FeedSourceProvider,
 	): Promise<void> {
+		if (!session.hasSource(provider.sourceId)) return
+
 		try {
-			const newSource = await provider.feedSourceForUser(userId)
+			const row = await sources(this.db, session.userId).find(provider.sourceId)
+			if (!row?.enabled) return
+
+			const newSource = await provider.feedSourceForUser(session.userId, row.config ?? {})
 			session.replaceSource(provider.sourceId, newSource)
 		} catch (err) {
 			console.error(
-				`[UserSessionManager] replaceProvider("${provider.sourceId}") failed for user ${userId}:`,
+				`[UserSessionManager] refreshSource("${provider.sourceId}") failed for user ${session.userId}:`,
 				err,
 			)
-			session.removeSource(provider.sourceId)
 		}
 	}
 
 	private async createSession(userId: string): Promise<UserSession> {
-		const results = await Promise.allSettled(
-			Array.from(this.providers.values()).map((p) => p.feedSourceForUser(userId)),
-		)
+		const enabledRows = await sources(this.db, userId).enabled()
 
-		const sources: FeedSource[] = []
+		const promises: Promise<FeedSource>[] = []
+		for (const row of enabledRows) {
+			const provider = this.providers.get(row.sourceId)
+			if (provider) {
+				promises.push(provider.feedSourceForUser(userId, row.config ?? {}))
+			}
+		}
+
+		if (promises.length === 0) {
+			return new UserSession(userId, [], this.feedEnhancer)
+		}
+
+		const results = await Promise.allSettled(promises)
+
+		const feedSources: FeedSource[] = []
 		const errors: unknown[] = []
 
 		for (const result of results) {
 			if (result.status === "fulfilled") {
-				sources.push(result.value)
+				feedSources.push(result.value)
 			} else {
 				errors.push(result.reason)
 			}
 		}
 
-		if (sources.length === 0 && errors.length > 0) {
+		if (feedSources.length === 0 && errors.length > 0) {
 			throw new AggregateError(errors, "All feed source providers failed")
 		}
 
@@ -134,6 +279,6 @@ export class UserSessionManager {
 			console.error("[UserSessionManager] Feed source provider failed:", error)
 		}
 
-		return new UserSession(sources, this.feedEnhancer)
+		return new UserSession(userId, feedSources, this.feedEnhancer)
 	}
 }

apps/aelis-backend/src/session/user-session.test.ts

@@ -1,7 +1,7 @@
 import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
 
 import { LocationSource } from "@aelis/source-location"
-import { describe, expect, test } from "bun:test"
+import { describe, expect, spyOn, test } from "bun:test"
 
 import { UserSession } from "./user-session.ts"
 
@@ -25,7 +25,10 @@ function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 
 describe("UserSession", () => {
 	test("registers sources and starts engine", async () => {
-		const session = new UserSession([createStubSource("test-a"), createStubSource("test-b")])
+		const session = new UserSession("test-user", [
+			createStubSource("test-a"),
+			createStubSource("test-b"),
+		])
 
 		const result = await session.engine.refresh()
 
@@ -34,7 +37,7 @@ describe("UserSession", () => {
 
 	test("getSource returns registered source", () => {
 		const location = new LocationSource()
-		const session = new UserSession([location])
+		const session = new UserSession("test-user", [location])
 
 		const result = session.getSource<LocationSource>("aelis.location")
 
@@ -42,13 +45,13 @@ describe("UserSession", () => {
 	})
 
 	test("getSource returns undefined for unknown source", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(session.getSource("unknown")).toBeUndefined()
 	})
 
 	test("destroy stops engine and clears sources", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		session.destroy()
 
@@ -57,7 +60,7 @@ describe("UserSession", () => {
 
 	test("engine.executeAction routes to correct source", async () => {
 		const location = new LocationSource()
-		const session = new UserSession([location])
+		const session = new UserSession("test-user", [location])
 
 		await session.engine.executeAction("aelis.location", "update-location", {
 			lat: 51.5,
@@ -82,7 +85,7 @@ describe("UserSession.feed", () => {
 				data: { value: 42 },
 			},
 		]
-		const session = new UserSession([createStubSource("test", items)])
+		const session = new UserSession("test-user", [createStubSource("test", items)])
 
 		const result = await session.feed()
 
@@ -103,7 +106,7 @@ describe("UserSession.feed", () => {
 		const enhancer = async (feedItems: FeedItem[]) =>
 			feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result = await session.feed()
 
@@ -127,7 +130,7 @@ describe("UserSession.feed", () => {
 			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result1 = await session.feed()
 		expect(result1.items[0]!.data.enhanced).toBe(true)
@@ -162,7 +165,7 @@ describe("UserSession.feed", () => {
 			}))
 		}
 
-		const session = new UserSession([source], enhancer)
+		const session = new UserSession("test-user", [source], enhancer)
 
 		// First feed triggers refresh + enhancement
 		const result1 = await session.feed()
@@ -205,7 +208,7 @@ describe("UserSession.feed", () => {
 			throw new Error("enhancement exploded")
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result = await session.feed()
 
@@ -237,7 +240,7 @@ describe("UserSession.replaceSource", () => {
 		]
 
 		const sourceA = createStubSource("test", itemsA)
-		const session = new UserSession([sourceA])
+		const session = new UserSession("test-user", [sourceA])
 
 		const result1 = await session.feed()
 		expect(result1.items).toHaveLength(1)
@@ -253,7 +256,7 @@ describe("UserSession.replaceSource", () => {
 
 	test("getSource returns new source after replace", () => {
 		const sourceA = createStubSource("test")
-		const session = new UserSession([sourceA])
+		const session = new UserSession("test-user", [sourceA])
 
 		const sourceB = createStubSource("test")
 		session.replaceSource("test", sourceB)
@@ -263,7 +266,7 @@ describe("UserSession.replaceSource", () => {
 	})
 
 	test("throws when replacing a source that is not registered", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(() => session.replaceSource("nonexistent", createStubSource("other"))).toThrow(
 			'Cannot replace source "nonexistent": not registered',
@@ -289,7 +292,7 @@ describe("UserSession.replaceSource", () => {
 				data: { from: "b" },
 			},
 		])
-		const session = new UserSession([sourceA, sourceB])
+		const session = new UserSession("test-user", [sourceA, sourceB])
 
 		const replacement = createStubSource("source-a", [
 			{
@@ -325,7 +328,7 @@ describe("UserSession.replaceSource", () => {
 			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		await session.feed()
 		expect(enhanceCount).toBe(1)
@@ -350,7 +353,10 @@ describe("UserSession.replaceSource", () => {
 
 describe("UserSession.removeSource", () => {
 	test("removes source from engine and sources map", () => {
-		const session = new UserSession([createStubSource("test-a"), createStubSource("test-b")])
+		const session = new UserSession("test-user", [
+			createStubSource("test-a"),
+			createStubSource("test-b"),
+		])
 
 		session.removeSource("test-a")
 
@@ -368,7 +374,7 @@ describe("UserSession.removeSource", () => {
 				data: {},
 			},
 		]
-		const session = new UserSession([createStubSource("test", items)])
+		const session = new UserSession("test-user", [createStubSource("test", items)])
 
 		const result1 = await session.feed()
 		expect(result1.items).toHaveLength(1)
@@ -380,7 +386,7 @@ describe("UserSession.removeSource", () => {
 	})
 
 	test("is a no-op for unknown source", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(() => session.removeSource("unknown")).not.toThrow()
 		expect(session.getSource("test")).toBeDefined()

apps/aelis-backend/src/session/user-session.ts

@@ -3,6 +3,7 @@ import { FeedEngine, type FeedItem, type FeedResult, type FeedSource } from "@ae
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
 
 export class UserSession {
+	readonly userId: string
 	readonly engine: FeedEngine
 	private sources = new Map<string, FeedSource>()
 	private readonly enhancer: FeedEnhancer | null
@@ -12,7 +13,8 @@ export class UserSession {
 	private enhancingPromise: Promise<void> | null = null
 	private unsubscribe: (() => void) | null = null
 
-	constructor(sources: FeedSource[], enhancer?: FeedEnhancer | null) {
+	constructor(userId: string, sources: FeedSource[], enhancer?: FeedEnhancer | null) {
+		this.userId = userId
 		this.engine = new FeedEngine()
 		this.enhancer = enhancer ?? null
 		for (const source of sources) {
@@ -67,6 +69,36 @@ export class UserSession {
 		return this.sources.get(sourceId) as T | undefined
 	}
 
+	hasSource(sourceId: string): boolean {
+		return this.sources.has(sourceId)
+	}
+
+	/**
+	 * Registers a new source in the engine and invalidates all caches.
+	 * Stops and restarts the engine to establish reactive subscriptions.
+	 */
+	addSource(source: FeedSource): void {
+		if (this.sources.has(source.id)) {
+			throw new Error(`Cannot add source "${source.id}": already registered`)
+		}
+
+		const wasStarted = this.engine.isStarted()
+
+		if (wasStarted) {
+			this.engine.stop()
+		}
+
+		this.engine.register(source)
+		this.sources.set(source.id, source)
+
+		this.invalidateEnhancement()
+		this.enhancingPromise = null
+
+		if (wasStarted) {
+			this.engine.start()
+		}
+	}
+
 	/**
 	 * Replaces a source in the engine and invalidates all caches.
 	 * Stops and restarts the engine to re-establish reactive subscriptions.

apps/aelis-backend/src/sources/errors.ts

@@ -1,21 +1,3 @@
-/**
- * Thrown by a FeedSourceProvider when the source is not enabled for a user.
- *
- * UserSessionManager's Promise.allSettled handles this gracefully —
- * the source is excluded from the session without crashing.
- */
-export class SourceDisabledError extends Error {
-	readonly sourceId: string
-	readonly userId: string
-
-	constructor(sourceId: string, userId: string) {
-		super(`Source "${sourceId}" is not enabled for user "${userId}"`)
-		this.name = "SourceDisabledError"
-		this.sourceId = sourceId
-		this.userId = userId
-	}
-}
-
 /**
  * Thrown when an operation targets a user source that doesn't exist.
  */
@@ -30,3 +12,15 @@ export class SourceNotFoundError extends Error {
 		this.userId = userId
 	}
 }
+
+/**
+ * Thrown when a source config update fails schema validation.
+ */
+export class InvalidSourceConfigError extends Error {
+	readonly sourceId: string
+
+	constructor(sourceId: string, summary: string) {
+		super(summary)
+		this.sourceId = sourceId
+	}
+}

apps/aelis-backend/src/sources/http.test.ts

@@ -0,0 +1,640 @@
+import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
+
+import { describe, expect, mock, spyOn, test } from "bun:test"
+import { Hono } from "hono"
+
+import type { Database } from "../db/index.ts"
+import type { ConfigSchema, FeedSourceProvider } from "../session/feed-source-provider.ts"
+
+import { mockAuthSessionMiddleware } from "../auth/session-middleware.ts"
+import { UserSessionManager } from "../session/user-session-manager.ts"
+import { tflConfig } from "../tfl/provider.ts"
+import { weatherConfig } from "../weather/provider.ts"
+import { SourceNotFoundError } from "./errors.ts"
+import { registerSourcesHttpHandlers } from "./http.ts"
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function createStubSource(id: string): FeedSource {
+	return {
+		id,
+		async listActions(): Promise<Record<string, ActionDefinition>> {
+			return {}
+		},
+		async executeAction(): Promise<unknown> {
+			return undefined
+		},
+		async fetchContext(): Promise<readonly ContextEntry[] | null> {
+			return null
+		},
+		async fetchItems(): Promise<FeedItem[]> {
+			return []
+		},
+	}
+}
+
+function createStubProvider(sourceId: string, configSchema?: ConfigSchema): FeedSourceProvider {
+	return {
+		sourceId,
+		configSchema,
+		async feedSourceForUser() {
+			return createStubSource(sourceId)
+		},
+	}
+}
+
+const MOCK_USER_ID = "k7Gx2mPqRvNwYs9TdLfA4bHcJeUo1iZn"
+
+type SourceRow = {
+	userId: string
+	sourceId: string
+	enabled: boolean
+	config: Record<string, unknown>
+}
+
+function createInMemoryStore() {
+	const rows = new Map<string, SourceRow>()
+
+	function key(userId: string, sourceId: string) {
+		return `${userId}:${sourceId}`
+	}
+
+	return {
+		rows,
+		seed(userId: string, sourceId: string, data: Partial<SourceRow> = {}) {
+			rows.set(key(userId, sourceId), {
+				userId,
+				sourceId,
+				enabled: data.enabled ?? true,
+				config: data.config ?? {},
+			})
+		},
+		forUser(userId: string) {
+			return {
+				async enabled() {
+					return [...rows.values()].filter((r) => r.userId === userId && r.enabled)
+				},
+				async find(sourceId: string) {
+					return rows.get(key(userId, sourceId))
+				},
+				async updateConfig(sourceId: string, update: { enabled?: boolean; config?: unknown }) {
+					const existing = rows.get(key(userId, sourceId))
+					if (!existing) {
+						throw new SourceNotFoundError(sourceId, userId)
+					}
+					if (update.enabled !== undefined) {
+						existing.enabled = update.enabled
+					}
+					if (update.config !== undefined) {
+						existing.config = update.config as Record<string, unknown>
+					}
+				},
+				async upsertConfig(sourceId: string, data: { enabled: boolean; config: unknown }) {
+					const existing = rows.get(key(userId, sourceId))
+					if (existing) {
+						existing.enabled = data.enabled
+						existing.config = data.config as Record<string, unknown>
+					} else {
+						rows.set(key(userId, sourceId), {
+							userId,
+							sourceId,
+							enabled: data.enabled,
+							config: (data.config ?? {}) as Record<string, unknown>,
+						})
+					}
+				},
+			}
+		},
+	}
+}
+
+let activeStore: ReturnType<typeof createInMemoryStore>
+
+mock.module("../sources/user-sources.ts", () => ({
+	sources(_db: unknown, userId: string) {
+		return activeStore.forUser(userId)
+	},
+}))
+
+const fakeDb = {} as Database
+
+function createApp(providers: FeedSourceProvider[], userId?: string) {
+	const sessionManager = new UserSessionManager({ providers, db: fakeDb })
+	const app = new Hono()
+	registerSourcesHttpHandlers(app, {
+		sessionManager,
+		authSessionMiddleware: mockAuthSessionMiddleware(userId),
+	})
+	return { app, sessionManager }
+}
+
+function patch(app: Hono, sourceId: string, body: unknown) {
+	return app.request(`/api/sources/${sourceId}`, {
+		method: "PATCH",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	})
+}
+
+function put(app: Hono, sourceId: string, body: unknown) {
+	return app.request(`/api/sources/${sourceId}`, {
+		method: "PUT",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	})
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("PATCH /api/sources/:sourceId", () => {
+	test("returns 401 without auth", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)])
+
+		const res = await patch(app, "aelis.weather", { enabled: true })
+
+		expect(res.status).toBe(401)
+	})
+
+	test("returns 404 for unknown source", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "unknown.source", { enabled: true })
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 404 when user has no existing row for source", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", { enabled: true })
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 204 when body is empty object (no-op) on existing source", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {})
+
+		expect(res.status).toBe(204)
+	})
+
+	test("returns 404 when body is empty object on nonexistent user source", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {})
+
+		expect(res.status).toBe(404)
+	})
+
+	test("returns 400 for invalid JSON body", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await app.request("/api/sources/aelis.weather", {
+			method: "PATCH",
+			headers: { "Content-Type": "application/json" },
+			body: "not json",
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("Invalid JSON")
+	})
+
+	test("returns 400 when request body contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			enabled: true,
+			unknownField: "hello",
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when weather config contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			config: { units: "metric", unknownField: "hello" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when weather config fails validation", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			config: { units: "invalid" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 204 and updates enabled", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+		})
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", { enabled: false })
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
+		expect(row!.enabled).toBe(false)
+		expect(row!.config).toEqual({ units: "metric" })
+	})
+
+	test("returns 204 and updates config", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			config: { units: "metric" },
+		})
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			config: { units: "imperial" },
+		})
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
+		expect(row!.config).toEqual({ units: "imperial" })
+	})
+
+	test("preserves config when only updating enabled", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.tfl", {
+			enabled: true,
+			config: { lines: ["bakerloo"] },
+		})
+		const { app } = createApp([createStubProvider("aelis.tfl", tflConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.tfl", { enabled: false })
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.tfl`)
+		expect(row!.enabled).toBe(false)
+		expect(row!.config).toEqual({ lines: ["bakerloo"] })
+	})
+
+	test("deep-merges config on update", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			config: { units: "metric", hourlyLimit: 12 },
+		})
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			config: { dailyLimit: 5 },
+		})
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
+		expect(row!.config).toEqual({
+			units: "metric",
+			hourlyLimit: 12,
+			dailyLimit: 5,
+		})
+	})
+
+	test("refreshes source in active session after config update", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			config: { units: "metric" },
+		})
+		const { app, sessionManager } = createApp(
+			[createStubProvider("aelis.weather", weatherConfig)],
+			MOCK_USER_ID,
+		)
+
+		const session = await sessionManager.getOrCreate(MOCK_USER_ID)
+		const replaceSpy = spyOn(session, "replaceSource")
+
+		const res = await patch(app, "aelis.weather", {
+			config: { units: "imperial" },
+		})
+
+		expect(res.status).toBe(204)
+		expect(replaceSpy).toHaveBeenCalled()
+		replaceSpy.mockRestore()
+	})
+
+	test("removes source from session when disabled", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+		})
+		const { app, sessionManager } = createApp(
+			[createStubProvider("aelis.weather", weatherConfig)],
+			MOCK_USER_ID,
+		)
+
+		const session = await sessionManager.getOrCreate(MOCK_USER_ID)
+		const removeSpy = spyOn(session, "removeSource")
+
+		const res = await patch(app, "aelis.weather", { enabled: false })
+
+		expect(res.status).toBe(204)
+		expect(removeSpy).toHaveBeenCalledWith("aelis.weather")
+		removeSpy.mockRestore()
+	})
+
+	test("returns 400 when config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.location", {
+			config: { something: "value" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when empty config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.location", {
+			config: {},
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("updates enabled on location source", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location", { enabled: true })
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.location", { enabled: false })
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.location`)
+		expect(row!.enabled).toBe(false)
+	})
+})
+
+// ---------------------------------------------------------------------------
+// PUT /api/sources/:sourceId
+// ---------------------------------------------------------------------------
+
+describe("PUT /api/sources/:sourceId", () => {
+	test("returns 401 without auth", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)])
+
+		const res = await put(app, "aelis.weather", { enabled: true, config: {} })
+
+		expect(res.status).toBe(401)
+	})
+
+	test("returns 404 for unknown source", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "unknown.source", { enabled: true, config: {} })
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 400 for invalid JSON", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await app.request("/api/sources/aelis.weather", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: "not json",
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("Invalid JSON")
+	})
+
+	test("returns 400 when enabled is missing", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", { config: {} })
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when config is missing", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", { enabled: true })
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when request body contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+			unknownField: "hello",
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when weather config contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric", unknownField: "hello" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when config fails schema validation", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "invalid" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 204 and inserts when row does not exist", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+		})
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
+		expect(row).toBeDefined()
+		expect(row!.enabled).toBe(true)
+		expect(row!.config).toEqual({ units: "metric" })
+	})
+
+	test("returns 204 and fully replaces existing row", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric", hourlyLimit: 12 },
+		})
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: false,
+			config: { units: "imperial" },
+		})
+
+		expect(res.status).toBe(204)
+		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.weather`)
+		expect(row!.enabled).toBe(false)
+		// hourlyLimit should be gone — full replace, not merge
+		expect(row!.config).toEqual({ units: "imperial" })
+	})
+
+	test("refreshes source in active session after upsert", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			config: { units: "metric" },
+		})
+		const { app, sessionManager } = createApp(
+			[createStubProvider("aelis.weather", weatherConfig)],
+			MOCK_USER_ID,
+		)
+
+		const session = await sessionManager.getOrCreate(MOCK_USER_ID)
+		const replaceSpy = spyOn(session, "replaceSource")
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "imperial" },
+		})
+
+		expect(res.status).toBe(204)
+		expect(replaceSpy).toHaveBeenCalled()
+		replaceSpy.mockRestore()
+	})
+
+	test("removes source from session when disabled via upsert", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+		})
+		const { app, sessionManager } = createApp(
+			[createStubProvider("aelis.weather", weatherConfig)],
+			MOCK_USER_ID,
+		)
+
+		const session = await sessionManager.getOrCreate(MOCK_USER_ID)
+		const removeSpy = spyOn(session, "removeSource")
+
+		const res = await put(app, "aelis.weather", {
+			enabled: false,
+			config: { units: "metric" },
+		})
+
+		expect(res.status).toBe(204)
+		expect(removeSpy).toHaveBeenCalledWith("aelis.weather")
+		removeSpy.mockRestore()
+	})
+
+	test("adds source to active session when inserting a new source", async () => {
+		activeStore = createInMemoryStore()
+		// Seed a different source so the session can be created
+		activeStore.seed(MOCK_USER_ID, "aelis.location", { enabled: true })
+		const { app, sessionManager } = createApp(
+			[createStubProvider("aelis.location"), createStubProvider("aelis.weather", weatherConfig)],
+			MOCK_USER_ID,
+		)
+
+		// Create session — only has aelis.location
+		const session = await sessionManager.getOrCreate(MOCK_USER_ID)
+		expect(session.hasSource("aelis.weather")).toBe(false)
+
+		// PUT a new source that didn't exist before
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+		})
+
+		expect(res.status).toBe(204)
+		expect(session.hasSource("aelis.weather")).toBe(true)
+	})
+
+	test("returns 400 when config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.location", {
+			enabled: true,
+			config: { something: "value" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when empty config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.location", {
+			enabled: true,
+			config: {},
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 204 without config field for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.location", {
+			enabled: true,
+		})
+
+		expect(res.status).toBe(204)
+	})
+})

apps/aelis-backend/src/sources/http.ts

@@ -0,0 +1,152 @@
+import type { Context, Hono } from "hono"
+
+import { type } from "arktype"
+import { createMiddleware } from "hono/factory"
+
+import type { AuthSessionMiddleware } from "../auth/session-middleware.ts"
+import type { UserSessionManager } from "../session/index.ts"
+
+import { InvalidSourceConfigError, SourceNotFoundError } from "./errors.ts"
+
+type Env = {
+	Variables: {
+		sessionManager: UserSessionManager
+	}
+}
+
+interface SourcesHttpHandlersDeps {
+	sessionManager: UserSessionManager
+	authSessionMiddleware: AuthSessionMiddleware
+}
+
+const UpdateSourceConfigRequestBody = type({
+	"+": "reject",
+	"enabled?": "boolean",
+	"config?": "unknown",
+})
+
+const ReplaceSourceConfigRequestBody = type({
+	"+": "reject",
+	enabled: "boolean",
+	config: "unknown",
+})
+
+const ReplaceSourceConfigNoConfigRequestBody = type({
+	"+": "reject",
+	enabled: "boolean",
+})
+
+export function registerSourcesHttpHandlers(
+	app: Hono,
+	{ sessionManager, authSessionMiddleware }: SourcesHttpHandlersDeps,
+) {
+	const inject = createMiddleware<Env>(async (c, next) => {
+		c.set("sessionManager", sessionManager)
+		await next()
+	})
+
+	app.patch("/api/sources/:sourceId", inject, authSessionMiddleware, handleUpdateSource)
+	app.put("/api/sources/:sourceId", inject, authSessionMiddleware, handleReplaceSource)
+}
+
+async function handleUpdateSource(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+
+	// Validate source exists as a registered provider
+	const provider = sessionManager.getProvider(sourceId)
+	if (!provider) {
+		return c.json({ error: `Source "${sourceId}" not found` }, 404)
+	}
+
+	// Parse request body
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	const parsed = UpdateSourceConfigRequestBody(body)
+	if (parsed instanceof type.errors) {
+		return c.json({ error: parsed.summary }, 400)
+	}
+
+	if (!provider.configSchema && "config" in parsed) {
+		return c.json({ error: `Source "${sourceId}" does not accept config` }, 400)
+	}
+
+	const { enabled, config: newConfig } = parsed
+	const user = c.get("user")!
+
+	try {
+		await sessionManager.updateSourceConfig(user.id, sourceId, {
+			enabled,
+			config: newConfig,
+		})
+	} catch (err) {
+		if (err instanceof SourceNotFoundError) {
+			return c.json({ error: err.message }, 404)
+		}
+		if (err instanceof InvalidSourceConfigError) {
+			return c.json({ error: err.message }, 400)
+		}
+		throw err
+	}
+
+	return c.body(null, 204)
+}
+
+async function handleReplaceSource(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+
+	const provider = sessionManager.getProvider(sourceId)
+	if (!provider) {
+		return c.json({ error: `Source "${sourceId}" not found` }, 404)
+	}
+
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	const schema = provider.configSchema
+		? ReplaceSourceConfigRequestBody
+		: ReplaceSourceConfigNoConfigRequestBody
+	const parsed = schema(body)
+	if (parsed instanceof type.errors) {
+		return c.json({ error: parsed.summary }, 400)
+	}
+
+	const { enabled } = parsed
+	const config = "config" in parsed ? parsed.config : undefined
+	const user = c.get("user")!
+
+	try {
+		await sessionManager.upsertSourceConfig(user.id, sourceId, {
+			enabled,
+			config,
+		})
+	} catch (err) {
+		if (err instanceof SourceNotFoundError) {
+			return c.json({ error: err.message }, 404)
+		}
+		if (err instanceof InvalidSourceConfigError) {
+			return c.json({ error: err.message }, 400)
+		}
+		throw err
+	}
+
+	return c.body(null, 204)
+}

apps/aelis-backend/src/sources/user-sources.ts

@@ -52,14 +52,46 @@ export function sources(db: Database, userId: string) {
 			}
 		},
 
-		/** Creates or updates the config for a source. */
-		async upsertConfig(sourceId: string, config: Record<string, unknown>) {
+		/** Updates an existing user source row. Throws if the row doesn't exist. */
+		async updateConfig(sourceId: string, update: { enabled?: boolean; config?: unknown }) {
+			const set: Record<string, unknown> = { updatedAt: new Date() }
+			if (update.enabled !== undefined) {
+				set.enabled = update.enabled
+			}
+			if (update.config !== undefined) {
+				set.config = update.config
+			}
+			const rows = await db
+				.update(userSources)
+				.set(set)
+				.where(and(eq(userSources.userId, userId), eq(userSources.sourceId, sourceId)))
+				.returning({ id: userSources.id })
+
+			if (rows.length === 0) {
+				throw new SourceNotFoundError(sourceId, userId)
+			}
+		},
+
+		/** Inserts a new user source row or fully replaces enabled/config on an existing one. */
+		async upsertConfig(sourceId: string, data: { enabled: boolean; config: unknown }) {
+			const now = new Date()
 			await db
 				.insert(userSources)
-				.values({ userId, sourceId, config })
+				.values({
+					userId,
+					sourceId,
+					enabled: data.enabled,
+					config: data.config,
+					createdAt: now,
+					updatedAt: now,
+				})
 				.onConflictDoUpdate({
 					target: [userSources.userId, userSources.sourceId],
-					set: { config, updatedAt: new Date() },
+					set: {
+						enabled: data.enabled,
+						config: data.config,
+						updatedAt: now,
+					},
 				})
 		},
 

apps/aelis-backend/src/tfl/provider.ts

@@ -1,42 +1,32 @@
 import { TflSource, type ITflApi, type TflLineId } from "@aelis/source-tfl"
 import { type } from "arktype"
 
-import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
 
-import { SourceDisabledError } from "../sources/errors.ts"
-import { sources } from "../sources/user-sources.ts"
-
 export type TflSourceProviderOptions =
-	| { db: Database; apiKey: string; client?: never }
-	| { db: Database; apiKey?: never; client: ITflApi }
+	| { apiKey: string; client?: never }
+	| { apiKey?: never; client: ITflApi }
 
-const tflConfig = type({
+export const tflConfig = type({
+	"+": "reject",
 	"lines?": "string[]",
 })
 
 export class TflSourceProvider implements FeedSourceProvider {
 	readonly sourceId = "aelis.tfl"
-	private readonly db: Database
+	readonly configSchema = tflConfig
 	private readonly apiKey: string | undefined
 	private readonly client: ITflApi | undefined
 
 	constructor(options: TflSourceProviderOptions) {
-		this.db = options.db
 		this.apiKey = "apiKey" in options ? options.apiKey : undefined
 		this.client = "client" in options ? options.client : undefined
 	}
 
-	async feedSourceForUser(userId: string): Promise<TflSource> {
-		const row = await sources(this.db, userId).find("aelis.tfl")
-
-		if (!row || !row.enabled) {
-			throw new SourceDisabledError("aelis.tfl", userId)
-		}
-
-		const parsed = tflConfig(row.config ?? {})
+	async feedSourceForUser(_userId: string, config: unknown): Promise<TflSource> {
+		const parsed = tflConfig(config)
 		if (parsed instanceof type.errors) {
-			throw new Error(`Invalid TFL config for user ${userId}: ${parsed.summary}`)
+			throw new Error(`Invalid TFL config: ${parsed.summary}`)
 		}
 
 		return new TflSource({

apps/aelis-backend/src/weather/provider.ts

@@ -1,19 +1,15 @@
 import { WeatherSource, type WeatherSourceOptions } from "@aelis/source-weatherkit"
 import { type } from "arktype"
 
-import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
 
-import { SourceDisabledError } from "../sources/errors.ts"
-import { sources } from "../sources/user-sources.ts"
-
 export interface WeatherSourceProviderOptions {
-	db: Database
 	credentials: WeatherSourceOptions["credentials"]
 	client?: WeatherSourceOptions["client"]
 }
 
-const weatherConfig = type({
+export const weatherConfig = type({
+	"+": "reject",
 	"units?": "'metric' | 'imperial'",
 	"hourlyLimit?": "number",
 	"dailyLimit?": "number",
@@ -21,26 +17,19 @@ const weatherConfig = type({
 
 export class WeatherSourceProvider implements FeedSourceProvider {
 	readonly sourceId = "aelis.weather"
-	private readonly db: Database
+	readonly configSchema = weatherConfig
 	private readonly credentials: WeatherSourceOptions["credentials"]
 	private readonly client: WeatherSourceOptions["client"]
 
 	constructor(options: WeatherSourceProviderOptions) {
-		this.db = options.db
 		this.credentials = options.credentials
 		this.client = options.client
 	}
 
-	async feedSourceForUser(userId: string): Promise<WeatherSource> {
-		const row = await sources(this.db, userId).find("aelis.weather")
-
-		if (!row || !row.enabled) {
-			throw new SourceDisabledError("aelis.weather", userId)
-		}
-
-		const parsed = weatherConfig(row.config ?? {})
+	async feedSourceForUser(_userId: string, config: unknown): Promise<WeatherSource> {
+		const parsed = weatherConfig(config)
 		if (parsed instanceof type.errors) {
-			throw new Error(`Invalid weather config for user ${userId}: ${parsed.summary}`)
+			throw new Error(`Invalid weather config: ${parsed.summary}`)
 		}
 
 		return new WeatherSource({

bun.lock

@@ -30,8 +30,10 @@
         "better-auth": "^1",
         "drizzle-orm": "^0.45.1",
         "hono": "^4",
+        "lodash.merge": "^4.6.2",
       },
       "devDependencies": {
+        "@types/lodash.merge": "^4.6.9",
         "drizzle-kit": "^0.31.9",
       },
     },
@@ -1246,6 +1248,10 @@
 
     "@types/json5": ["@types/json5@0.0.29", "", {}, "sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ=="],
 
+    "@types/lodash": ["@types/lodash@4.17.24", "", {}, "sha512-gIW7lQLZbue7lRSWEFql49QJJWThrTFFeIMJdp3eH4tKoxm1OvEPg02rm4wCCSHS0cL3/Fizimb35b7k8atwsQ=="],
+
+    "@types/lodash.merge": ["@types/lodash.merge@4.6.9", "", { "dependencies": { "@types/lodash": "*" } }, "sha512-23sHDPmzd59kUgWyKGiOMO2Qb9YtqRO/x4IhkgNUiPQ1+5MUVqi6bCZeq9nBJ17msjIMbEIO5u+XW4Kz6aGUhQ=="],
+
     "@types/mdast": ["@types/mdast@4.0.4", "", { "dependencies": { "@types/unist": "*" } }, "sha512-kGaNbPh1k7AFzgpud/gMdvIm5xuECykRR+JnWKQno9TAXVa6WIVCGTPvYGekIDL4uwCZQSYbUxNBSb1aUo79oA=="],
 
     "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],