fix(backend): add composite index on user_sources

Add (user_id, enabled) index for the enabled() query path. Co-authored-by: Ona <no-reply@ona.com>
fix(backend): set updatedAt explicitly in all mutations
2026-03-22 18:11:17 +00:00 · 2026-03-16 01:25:10 +00:00 · 2026-03-16 01:24:24 +00:00 · 2026-03-16 01:19:26 +00:00
25 changed files with 249 additions and 1611 deletions
--- a/.ona/automations.yaml
+++ b/.ona/automations.yaml
@@ -6,14 +6,3 @@ services:
      - postDevcontainerStart
    commands:
      start: cd apps/aelis-client && ./scripts/run-dev-server.sh
-
-  drizzle-studio:
-    name: Drizzle Studio
-    description: Drizzle Studio database browser for aelis-backend
-    triggeredBy:
-      - manual
-    commands:
-      start: |
-        FORWARD_URL=$(gitpod environment port open 4983 --name drizzle-studio-server | sed 's|https://||')
-        echo "Drizzle Studio: https://local.drizzle.studio/?host=${FORWARD_URL}&port=443"
-        cd apps/aelis-backend && bunx drizzle-kit studio --host 0.0.0.0 --port 4983
--- a/apps/aelis-backend/auth.ts
+++ b/apps/aelis-backend/auth.ts
@@ -2,7 +2,6 @@
 // Run: bunx --bun auth@latest generate --config auth.ts --output src/db/auth-schema.ts
 import { betterAuth } from "better-auth"
 import { drizzleAdapter } from "better-auth/adapters/drizzle"
-import { admin } from "better-auth/plugins"
 import { SQL } from "bun"
 import { drizzle } from "drizzle-orm/bun-sql"

@@ -14,7 +13,6 @@ export const auth = betterAuth({
 	emailAndPassword: {
 		enabled: true,
 	},
-	plugins: [admin()],
 })

 export default auth
--- a/apps/aelis-backend/package.json
+++ b/apps/aelis-backend/package.json
@@ -9,10 +9,8 @@
 		"test": "bun test src/",
 		"db:generate": "bunx drizzle-kit generate",
 		"db:generate-auth": "bunx --bun auth@latest generate --config auth.ts --output src/db/auth-schema.ts -y",
-		"db:push": "bunx drizzle-kit push",
 		"db:migrate": "bunx drizzle-kit migrate",
-		"db:studio": "bunx drizzle-kit studio",
-		"create-admin": "bun run src/scripts/create-admin.ts"
+		"db:studio": "bunx drizzle-kit studio"
 	},
 	"dependencies": {
 		"@aelis/core": "workspace:*",
--- a/apps/aelis-backend/src/admin/http.test.ts
+++ b/apps/aelis-backend/src/admin/http.test.ts
@@ -1,195 +0,0 @@
-import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
-
-import { describe, expect, mock, test } from "bun:test"
-import { Hono } from "hono"
-
-import type { AdminMiddleware } from "../auth/admin-middleware.ts"
-import type { AuthSession, AuthUser } from "../auth/session.ts"
-import type { Database } from "../db/index.ts"
-import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
-
-import { UserSessionManager } from "../session/user-session-manager.ts"
-import { registerAdminHttpHandlers } from "./http.ts"
-
-let mockEnabledSourceIds: string[] = []
-
-mock.module("../sources/user-sources.ts", () => ({
-	sources: (_db: Database, _userId: string) => ({
-		async enabled() {
-			const now = new Date()
-			return mockEnabledSourceIds.map((sourceId) => ({
-				id: crypto.randomUUID(),
-				userId: _userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}))
-		},
-		async find(sourceId: string) {
-			const now = new Date()
-			return {
-				id: crypto.randomUUID(),
-				userId: _userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}
-		},
-	}),
-}))
-
-function createStubSource(id: string): FeedSource {
-	return {
-		id,
-		async listActions(): Promise<Record<string, ActionDefinition>> {
-			return {}
-		},
-		async executeAction(): Promise<unknown> {
-			return undefined
-		},
-		async fetchContext(): Promise<readonly ContextEntry[] | null> {
-			return null
-		},
-		async fetchItems(): Promise<FeedItem[]> {
-			return []
-		},
-	}
-}
-
-function createStubProvider(sourceId: string): FeedSourceProvider {
-	return {
-		sourceId,
-		async feedSourceForUser() {
-			return createStubSource(sourceId)
-		},
-	}
-}
-
-/** Passthrough admin middleware for testing (assumes admin). */
-function passthroughAdminMiddleware(): AdminMiddleware {
-	const now = new Date()
-	return async (c, next) => {
-		c.set("user", {
-			id: "admin-1",
-			name: "Admin",
-			email: "admin@test.com",
-			emailVerified: true,
-			image: null,
-			createdAt: now,
-			updatedAt: now,
-			role: "admin",
-			banned: false,
-			banReason: null,
-			banExpires: null,
-		} as AuthUser)
-		c.set("session", { id: "sess-1" } as AuthSession)
-		await next()
-	}
-}
-
-const fakeDb = {} as Database
-
-function createApp(providers: FeedSourceProvider[]) {
-	mockEnabledSourceIds = providers.map((p) => p.sourceId)
-	const sessionManager = new UserSessionManager({ db: fakeDb, providers })
-	const app = new Hono()
-	registerAdminHttpHandlers(app, {
-		sessionManager,
-		adminMiddleware: passthroughAdminMiddleware(),
-		db: fakeDb,
-	})
-	return { app, sessionManager }
-}
-
-const validWeatherConfig = {
-	credentials: {
-		privateKey: "pk-123",
-		keyId: "key-456",
-		teamId: "team-789",
-		serviceId: "svc-abc",
-	},
-}
-
-describe("PUT /api/admin/:sourceId/config", () => {
-	test("returns 404 for unknown provider", async () => {
-		const { app } = createApp([createStubProvider("aelis.location")])
-
-		const res = await app.request("/api/admin/aelis.nonexistent/config", {
-			method: "PUT",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ key: "value" }),
-		})
-
-		expect(res.status).toBe(404)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("not found")
-	})
-
-	test("returns 404 for provider without runtime config support", async () => {
-		const { app } = createApp([createStubProvider("aelis.location")])
-
-		const res = await app.request("/api/admin/aelis.location/config", {
-			method: "PUT",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ key: "value" }),
-		})
-
-		expect(res.status).toBe(404)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("not found")
-	})
-
-	test("returns 400 for invalid JSON body", async () => {
-		const { app } = createApp([createStubProvider("aelis.weather")])
-
-		const res = await app.request("/api/admin/aelis.weather/config", {
-			method: "PUT",
-			headers: { "Content-Type": "application/json" },
-			body: "not json",
-		})
-
-		expect(res.status).toBe(400)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("Invalid JSON")
-	})
-
-	test("returns 400 when weather config fails validation", async () => {
-		const { app } = createApp([createStubProvider("aelis.weather")])
-
-		const res = await app.request("/api/admin/aelis.weather/config", {
-			method: "PUT",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ credentials: { privateKey: 123 } }),
-		})
-
-		expect(res.status).toBe(400)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toBeDefined()
-	})
-
-	test("returns 204 and applies valid weather config", async () => {
-		const { app, sessionManager } = createApp([createStubProvider("aelis.weather")])
-
-		const originalProvider = sessionManager.getProvider("aelis.weather")
-
-		const res = await app.request("/api/admin/aelis.weather/config", {
-			method: "PUT",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(validWeatherConfig),
-		})
-
-		expect(res.status).toBe(204)
-
-		// Provider was replaced with a new instance
-		const provider = sessionManager.getProvider("aelis.weather")
-		expect(provider).toBeDefined()
-		expect(provider!.sourceId).toBe("aelis.weather")
-		expect(provider).not.toBe(originalProvider)
-	})
-})
--- a/apps/aelis-backend/src/admin/http.ts
+++ b/apps/aelis-backend/src/admin/http.ts
@@ -1,86 +0,0 @@
-import type { Context, Hono } from "hono"
-
-import { type } from "arktype"
-import { createMiddleware } from "hono/factory"
-
-import type { AdminMiddleware } from "../auth/admin-middleware.ts"
-import type { Database } from "../db/index.ts"
-import type { UserSessionManager } from "../session/index.ts"
-
-import { WeatherSourceProvider } from "../weather/provider.ts"
-
-type Env = {
-	Variables: {
-		sessionManager: UserSessionManager
-		db: Database
-	}
-}
-
-interface AdminHttpHandlersDeps {
-	sessionManager: UserSessionManager
-	adminMiddleware: AdminMiddleware
-	db: Database
-}
-
-export function registerAdminHttpHandlers(
-	app: Hono,
-	{ sessionManager, adminMiddleware, db }: AdminHttpHandlersDeps,
-) {
-	const inject = createMiddleware<Env>(async (c, next) => {
-		c.set("sessionManager", sessionManager)
-		c.set("db", db)
-		await next()
-	})
-
-	app.put("/api/admin/:sourceId/config", inject, adminMiddleware, handleUpdateProviderConfig)
-}
-
-const WeatherKitSourceProviderConfig = type({
-	credentials: {
-		privateKey: "string",
-		keyId: "string",
-		teamId: "string",
-		serviceId: "string",
-	},
-})
-
-async function handleUpdateProviderConfig(c: Context<Env>) {
-	const sourceId = c.req.param("sourceId")
-	if (!sourceId) {
-		return c.body(null, 404)
-	}
-
-	const sessionManager = c.get("sessionManager")
-
-	let body: unknown
-	try {
-		body = await c.req.json()
-	} catch {
-		return c.json({ error: "Invalid JSON" }, 400)
-	}
-
-	switch (sourceId) {
-		case "aelis.weather": {
-			const parsed = WeatherKitSourceProviderConfig(body)
-			if (parsed instanceof type.errors) {
-				return c.json({ error: parsed.summary }, 400)
-			}
-
-			const updated = new WeatherSourceProvider({
-				credentials: parsed.credentials,
-			})
-
-			try {
-				await sessionManager.replaceProvider(updated)
-			} catch (err) {
-				console.error(`[admin] replaceProvider("${sourceId}") failed:`, err)
-				return c.json({ error: "Failed to apply config" }, 500)
-			}
-
-			return c.body(null, 204)
-		}
-
-		default:
-			return c.json({ error: `Provider "${sourceId}" not found` }, 404)
-	}
-}
--- a/apps/aelis-backend/src/auth/admin-middleware.test.ts
+++ b/apps/aelis-backend/src/auth/admin-middleware.test.ts
@@ -1,95 +0,0 @@
-import { Hono } from "hono"
-import { describe, expect, test } from "bun:test"
-
-import type { Auth } from "./index.ts"
-import type { AuthSession, AuthUser } from "./session.ts"
-
-import { createRequireAdmin } from "./admin-middleware.ts"
-
-function makeUser(role: string | null): AuthUser {
-	const now = new Date()
-	return {
-		id: "user-1",
-		name: "Test User",
-		email: "test@example.com",
-		emailVerified: true,
-		image: null,
-		createdAt: now,
-		updatedAt: now,
-		role,
-		banned: false,
-		banReason: null,
-		banExpires: null,
-	}
-}
-
-function makeSession(): AuthSession {
-	const now = new Date()
-	return {
-		id: "sess-1",
-		userId: "user-1",
-		token: "tok-1",
-		expiresAt: new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000),
-		ipAddress: "127.0.0.1",
-		userAgent: "test",
-		createdAt: now,
-		updatedAt: now,
-	}
-}
-
-function mockAuth(sessionResult: { user: AuthUser; session: AuthSession } | null): Auth {
-	return {
-		api: {
-			getSession: async () => sessionResult,
-		},
-	} as unknown as Auth
-}
-
-function createApp(auth: Auth) {
-	const app = new Hono()
-	const middleware = createRequireAdmin(auth)
-	app.get("/api/admin/test", middleware, (c) => c.json({ ok: true }))
-	return app
-}
-
-describe("createRequireAdmin", () => {
-	test("returns 401 when no session", async () => {
-		const app = createApp(mockAuth(null))
-
-		const res = await app.request("/api/admin/test")
-
-		expect(res.status).toBe(401)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toBe("Unauthorized")
-	})
-
-	test("returns 403 when user is not admin", async () => {
-		const app = createApp(mockAuth({ user: makeUser("user"), session: makeSession() }))
-
-		const res = await app.request("/api/admin/test")
-
-		expect(res.status).toBe(403)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toBe("Forbidden")
-	})
-
-	test("returns 403 when role is null", async () => {
-		const app = createApp(mockAuth({ user: makeUser(null), session: makeSession() }))
-
-		const res = await app.request("/api/admin/test")
-
-		expect(res.status).toBe(403)
-	})
-
-	test("allows admin users through and sets context", async () => {
-		const user = makeUser("admin")
-		const session = makeSession()
-		const app = createApp(mockAuth({ user, session }))
-
-		const res = await app.request("/api/admin/test")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { ok: boolean }
-		expect(body.ok).toBe(true)
-	})
-})
--- a/apps/aelis-backend/src/auth/admin-middleware.ts
+++ b/apps/aelis-backend/src/auth/admin-middleware.ts
@@ -1,28 +0,0 @@
-import type { Context, MiddlewareHandler, Next } from "hono"
-
-import type { Auth } from "./index.ts"
-import type { AuthSessionEnv } from "./session-middleware.ts"
-
-export type AdminMiddleware = MiddlewareHandler<AuthSessionEnv>
-
-/**
- * Creates a middleware that requires a valid session with admin role.
- * Returns 401 if not authenticated, 403 if not admin.
- */
-export function createRequireAdmin(auth: Auth): AdminMiddleware {
-	return async (c: Context, next: Next): Promise<Response | void> => {
-		const session = await auth.api.getSession({ headers: c.req.raw.headers })
-
-		if (!session) {
-			return c.json({ error: "Unauthorized" }, 401)
-		}
-
-		if (session.user.role !== "admin") {
-			return c.json({ error: "Forbidden" }, 403)
-		}
-
-		c.set("user", session.user)
-		c.set("session", session.session)
-		await next()
-	}
-}
--- a/apps/aelis-backend/src/auth/index.ts
+++ b/apps/aelis-backend/src/auth/index.ts
@@ -1,16 +1,10 @@
 import { betterAuth } from "better-auth"
 import { drizzleAdapter } from "better-auth/adapters/drizzle"
-import { admin } from "better-auth/plugins"

 import type { Database } from "../db/index.ts"
-
 import * as schema from "../db/schema.ts"

 export function createAuth(db: Database) {
-	if (!process.env.BETTER_AUTH_SECRET) {
-		throw new Error("BETTER_AUTH_SECRET is not set")
-	}
-
 	return betterAuth({
 		database: drizzleAdapter(db, {
 			provider: "pg",
@@ -19,7 +13,6 @@ export function createAuth(db: Database) {
 		emailAndPassword: {
 			enabled: true,
 		},
-		plugins: [admin()],
 	})
 }

--- a/apps/aelis-backend/src/auth/session-middleware.ts
+++ b/apps/aelis-backend/src/auth/session-middleware.ts
@@ -57,7 +57,9 @@ export function createRequireSession(auth: Auth): AuthSessionMiddleware {
 * Creates a function to get session from headers. Useful for WebSocket upgrade validation.
 */
 export function createGetSessionFromHeaders(auth: Auth) {
-	return async (headers: Headers): Promise<{ user: AuthUser; session: AuthSession } | null> => {
+	return async (
+		headers: Headers,
+	): Promise<{ user: AuthUser; session: AuthSession } | null> => {
 		const session = await auth.api.getSession({ headers })
 		return session
 	}
@@ -84,10 +86,6 @@ export function mockAuthSessionMiddleware(userId?: string): AuthSessionMiddlewar
 			image: null,
 			createdAt: now,
 			updatedAt: now,
-			role: "admin",
-			banned: false,
-			banReason: null,
-			banExpires: null,
 		}

 		const session: AuthSession = {
--- a/apps/aelis-backend/src/db/auth-schema.ts
+++ b/apps/aelis-backend/src/db/auth-schema.ts
@@ -1,96 +1,91 @@
-import { relations } from "drizzle-orm"
-import { pgTable, text, timestamp, boolean, index } from "drizzle-orm/pg-core"
+import { relations } from "drizzle-orm";
+import { pgTable, text, timestamp, boolean, index } from "drizzle-orm/pg-core";

 export const user = pgTable("user", {
-	id: text("id").primaryKey(),
-	name: text("name").notNull(),
-	email: text("email").notNull().unique(),
-	emailVerified: boolean("email_verified").default(false).notNull(),
-	image: text("image"),
-	createdAt: timestamp("created_at").notNull(),
-	updatedAt: timestamp("updated_at")
-		.$onUpdate(() => new Date())
-		.notNull(),
-	role: text("role"),
-	banned: boolean("banned").default(false),
-	banReason: text("ban_reason"),
-	banExpires: timestamp("ban_expires"),
-})
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").default(false).notNull(),
+  image: text("image"),
+  createdAt: timestamp("created_at").notNull(),
+  updatedAt: timestamp("updated_at")
+    .$onUpdate(() => new Date())
+    .notNull(),
+});

 export const session = pgTable(
-	"session",
-	{
-		id: text("id").primaryKey(),
-		expiresAt: timestamp("expires_at").notNull(),
-		token: text("token").notNull().unique(),
-		createdAt: timestamp("created_at").notNull(),
-		updatedAt: timestamp("updated_at")
-			.$onUpdate(() => new Date())
-			.notNull(),
-		ipAddress: text("ip_address"),
-		userAgent: text("user_agent"),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-		impersonatedBy: text("impersonated_by"),
-	},
-	(table) => [index("session_userId_idx").on(table.userId)],
-)
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: timestamp("created_at").notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [index("session_userId_idx").on(table.userId)],
+);

 export const account = pgTable(
-	"account",
-	{
-		id: text("id").primaryKey(),
-		accountId: text("account_id").notNull(),
-		providerId: text("provider_id").notNull(),
-		userId: text("user_id")
-			.notNull()
-			.references(() => user.id, { onDelete: "cascade" }),
-		accessToken: text("access_token"),
-		refreshToken: text("refresh_token"),
-		idToken: text("id_token"),
-		accessTokenExpiresAt: timestamp("access_token_expires_at"),
-		refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-		scope: text("scope"),
-		password: text("password"),
-		createdAt: timestamp("created_at").notNull(),
-		updatedAt: timestamp("updated_at")
-			.$onUpdate(() => new Date())
-			.notNull(),
-	},
-	(table) => [index("account_userId_idx").on(table.userId)],
-)
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: timestamp("access_token_expires_at"),
+    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: timestamp("created_at").notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => new Date())
+      .notNull(),
+  },
+  (table) => [index("account_userId_idx").on(table.userId)],
+);

 export const verification = pgTable(
-	"verification",
-	{
-		id: text("id").primaryKey(),
-		identifier: text("identifier").notNull(),
-		value: text("value").notNull(),
-		expiresAt: timestamp("expires_at").notNull(),
-		createdAt: timestamp("created_at").notNull(),
-		updatedAt: timestamp("updated_at")
-			.$onUpdate(() => new Date())
-			.notNull(),
-	},
-	(table) => [index("verification_identifier_idx").on(table.identifier)],
-)
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => new Date())
+      .notNull(),
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)],
+);

 export const userRelations = relations(user, ({ many }) => ({
-	sessions: many(session),
-	accounts: many(account),
-}))
+  sessions: many(session),
+  accounts: many(account),
+}));

 export const sessionRelations = relations(session, ({ one }) => ({
-	user: one(user, {
-		fields: [session.userId],
-		references: [user.id],
-	}),
-}))
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
+}));

 export const accountRelations = relations(account, ({ one }) => ({
-	user: one(user, {
-		fields: [account.userId],
-		references: [user.id],
-	}),
-}))
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
+}));
--- a/apps/aelis-backend/src/engine/http.test.ts
+++ b/apps/aelis-backend/src/engine/http.test.ts
@@ -1,11 +1,9 @@
 import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"

 import { contextKey } from "@aelis/core"
-import { describe, expect, mock, spyOn, test } from "bun:test"
+import { describe, expect, spyOn, test } from "bun:test"
 import { Hono } from "hono"

-import type { Database } from "../db/index.ts"
-
 import { mockAuthSessionMiddleware } from "../auth/session-middleware.ts"
 import { UserSessionManager } from "../session/index.ts"
 import { registerFeedHttpHandlers } from "./http.ts"
@@ -52,45 +50,9 @@ function buildTestApp(sessionManager: UserSessionManager, userId?: string) {
 	return app
 }

-let mockEnabledSourceIds: string[] = []
-
-mock.module("../sources/user-sources.ts", () => ({
-	sources: (_db: Database, _userId: string) => ({
-		async enabled() {
-			const now = new Date()
-			return mockEnabledSourceIds.map((sourceId) => ({
-				id: crypto.randomUUID(),
-				userId: _userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}))
-		},
-		async find(sourceId: string) {
-			const now = new Date()
-			return {
-				id: crypto.randomUUID(),
-				userId: _userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}
-		},
-	}),
-}))
-
-const fakeDb = {} as Database
-
 describe("GET /api/feed", () => {
 	test("returns 401 without auth", async () => {
-		mockEnabledSourceIds = []
-		const manager = new UserSessionManager({ db: fakeDb, providers: [] })
+		const manager = new UserSessionManager({ providers: [] })
 		const app = buildTestApp(manager)

 		const res = await app.request("/api/feed")
@@ -109,17 +71,8 @@ describe("GET /api/feed", () => {
 				data: { value: 42 },
 			},
 		]
-		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [
-				{
-					sourceId: "test",
-					async feedSourceForUser() {
-						return createStubSource("test", items)
-					},
-				},
-			],
+			providers: [async () => createStubSource("test", items)],
 		})
 		const app = buildTestApp(manager, "user-1")

@@ -151,17 +104,8 @@ describe("GET /api/feed", () => {
 				data: { fresh: true },
 			},
 		]
-		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [
-				{
-					sourceId: "test",
-					async feedSourceForUser() {
-						return createStubSource("test", items)
-					},
-				},
-			],
+			providers: [async () => createStubSource("test", items)],
 		})
 		const app = buildTestApp(manager, "user-1")

@@ -192,18 +136,7 @@ describe("GET /api/feed", () => {
 				throw new Error("connection timeout")
 			},
 		}
-		mockEnabledSourceIds = ["failing"]
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [
-				{
-					sourceId: "failing",
-					async feedSourceForUser() {
-						return failingSource
-					},
-				},
-			],
-		})
+		const manager = new UserSessionManager({ providers: [async () => failingSource] })
 		const app = buildTestApp(manager, "user-1")

 		const res = await app.request("/api/feed")
@@ -217,15 +150,10 @@ describe("GET /api/feed", () => {
 	})

 	test("returns 503 when all providers fail", async () => {
-		mockEnabledSourceIds = ["test"]
 		const manager = new UserSessionManager({
-			db: fakeDb,
 			providers: [
-				{
-					sourceId: "test",
-					async feedSourceForUser() {
-						throw new Error("provider down")
-					},
+				async () => {
+					throw new Error("provider down")
 				},
 			],
 		})
@@ -252,17 +180,8 @@ describe("GET /api/context", () => {
 	const mockUserId = "k7Gx2mPqRvNwYs9TdLfA4bHcJeUo1iZn"

 	async function buildContextApp(userId?: string) {
-		mockEnabledSourceIds = ["weather"]
 		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [
-				{
-					sourceId: "weather",
-					async feedSourceForUser() {
-						return createStubSource("weather", [], contextEntries)
-					},
-				},
-			],
+			providers: [async () => createStubSource("weather", [], contextEntries)],
 		})
 		const app = buildTestApp(manager, userId)
 		const session = await manager.getOrCreate(mockUserId)
@@ -270,8 +189,7 @@ describe("GET /api/context", () => {
 	}

 	test("returns 401 without auth", async () => {
-		mockEnabledSourceIds = []
-		const manager = new UserSessionManager({ db: fakeDb, providers: [] })
+		const manager = new UserSessionManager({ providers: [] })
 		const app = buildTestApp(manager)

 		const res = await app.request('/api/context?key=["aelis.weather","weather"]')
--- a/apps/aelis-backend/src/location/provider.ts
+++ b/apps/aelis-backend/src/location/provider.ts
@@ -1,11 +1,25 @@
 import { LocationSource } from "@aelis/source-location"

+import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"

-export class LocationSourceProvider implements FeedSourceProvider {
-	readonly sourceId = "aelis.location"
+import { SourceDisabledError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
+
+export class LocationSourceProvider implements FeedSourceProvider {
+	private readonly db: Database
+
+	constructor(db: Database) {
+		this.db = db
+	}
+
+	async feedSourceForUser(userId: string): Promise<LocationSource> {
+		const row = await sources(this.db, userId).find("aelis.location")
+
+		if (!row || !row.enabled) {
+			throw new SourceDisabledError("aelis.location", userId)
+		}

-	async feedSourceForUser(_userId: string, _config: unknown): Promise<LocationSource> {
 		return new LocationSource()
 	}
 }
--- a/apps/aelis-backend/src/scripts/create-admin.ts
+++ b/apps/aelis-backend/src/scripts/create-admin.ts
@@ -1,63 +0,0 @@
-/**
- * Creates an admin user account via Better Auth's server-side API.
- *
- * Usage:
- *   bun run src/scripts/create-admin.ts --name "Admin" --email admin@example.com --password secret123
- *
- * Requires DATABASE_URL and BETTER_AUTH_SECRET to be set (reads .env automatically).
- */
-
-import { parseArgs } from "util"
-
-import { createAuth } from "../auth/index.ts"
-import { createDatabase } from "../db/index.ts"
-
-function parseCliArgs(): { name: string; email: string; password: string } {
-	const { values } = parseArgs({
-		args: Bun.argv.slice(2),
-		options: {
-			name: { type: "string" },
-			email: { type: "string" },
-			password: { type: "string" },
-		},
-		strict: true,
-	})
-
-	if (!values.name || !values.email || !values.password) {
-		console.error(
-			"Usage: bun run src/scripts/create-admin.ts --name <name> --email <email> --password <password>",
-		)
-		process.exit(1)
-	}
-
-	return { name: values.name, email: values.email, password: values.password }
-}
-
-async function main() {
-	const { name, email, password } = parseCliArgs()
-
-	const databaseUrl = process.env.DATABASE_URL
-	if (!databaseUrl) {
-		console.error("DATABASE_URL is not set")
-		process.exit(1)
-	}
-
-	const { db, close } = createDatabase(databaseUrl)
-
-	try {
-		const auth = createAuth(db)
-
-		const result = await auth.api.createUser({
-			body: { name, email, password, role: "admin" },
-		})
-
-		console.log(`Admin account created: ${result.user.id} (${result.user.email})`)
-	} finally {
-		await close()
-	}
-}
-
-main().catch((err) => {
-	console.error("Failed to create admin account:", err)
-	process.exit(1)
-})
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -1,7 +1,5 @@
 import { Hono } from "hono"

-import { registerAdminHttpHandlers } from "./admin/http.ts"
-import { createRequireAdmin } from "./auth/admin-middleware.ts"
 import { registerAuthHandlers } from "./auth/http.ts"
 import { createAuth } from "./auth/index.ts"
 import { createRequireSession } from "./auth/session-middleware.ts"
@@ -32,10 +30,10 @@ function main() {
 	}

 	const sessionManager = new UserSessionManager({
-		db,
 		providers: [
-			new LocationSourceProvider(),
+			new LocationSourceProvider(db),
 			new WeatherSourceProvider({
+				db,
 				credentials: {
 					privateKey: process.env.WEATHERKIT_PRIVATE_KEY!,
 					keyId: process.env.WEATHERKIT_KEY_ID!,
@@ -52,7 +50,6 @@ function main() {
 	app.get("/health", (c) => c.json({ status: "ok" }))

 	const authSessionMiddleware = createRequireSession(auth)
-	const adminMiddleware = createRequireAdmin(auth)

 	registerAuthHandlers(app, auth)

@@ -61,7 +58,6 @@ function main() {
 		authSessionMiddleware,
 	})
 	registerLocationHttpHandlers(app, { sessionManager, authSessionMiddleware })
-	registerAdminHttpHandlers(app, { sessionManager, adminMiddleware, db })

 	process.on("SIGTERM", async () => {
 		await closeDb()
--- a/apps/aelis-backend/src/session/feed-source-provider.ts
+++ b/apps/aelis-backend/src/session/feed-source-provider.ts
@@ -1,7 +1,9 @@
 import type { FeedSource } from "@aelis/core"

 export interface FeedSourceProvider {
-	/** The source ID this provider is responsible for (e.g., "aelis.location"). */
-	readonly sourceId: string
-	feedSourceForUser(userId: string, config: unknown): Promise<FeedSource>
+	feedSourceForUser(userId: string): Promise<FeedSource>
 }
+
+export type FeedSourceProviderFn = (userId: string) => Promise<FeedSource>
+
+export type FeedSourceProviderInput = FeedSourceProvider | FeedSourceProviderFn
--- a/apps/aelis-backend/src/session/index.ts
+++ b/apps/aelis-backend/src/session/index.ts
@@ -1,3 +1,7 @@
-export type { FeedSourceProvider } from "./feed-source-provider.ts"
+export type {
+	FeedSourceProvider,
+	FeedSourceProviderFn,
+	FeedSourceProviderInput,
+} from "./feed-source-provider.ts"
 export { UserSession } from "./user-session.ts"
 export { UserSessionManager } from "./user-session-manager.ts"
--- a/apps/aelis-backend/src/session/user-session-manager.test.ts
+++ b/apps/aelis-backend/src/session/user-session-manager.test.ts
@@ -1,127 +1,15 @@
-import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
-
 import { LocationSource } from "@aelis/source-location"
 import { WeatherSource } from "@aelis/source-weatherkit"
-import { beforeEach, describe, expect, mock, spyOn, test } from "bun:test"
-
-import type { Database } from "../db/index.ts"
-import type { FeedSourceProvider } from "./feed-source-provider.ts"
+import { describe, expect, mock, spyOn, test } from "bun:test"

 import { UserSessionManager } from "./user-session-manager.ts"

-/**
- * Per-user enabled source IDs used by the mocked `sources` module.
- * Tests configure this before calling getOrCreate.
- * Key = userId (or "*" for a default), value = array of enabled sourceIds.
- */
-const enabledByUser = new Map<string, string[]>()
-
-/** Set which sourceIds are enabled for all users. */
-function setEnabledSources(sourceIds: string[]) {
-	enabledByUser.clear()
-	enabledByUser.set("*", sourceIds)
-}
-
-/** Set which sourceIds are enabled for a specific user. */
-function setEnabledSourcesForUser(userId: string, sourceIds: string[]) {
-	enabledByUser.set(userId, sourceIds)
-}
-
-function getEnabledSourceIds(userId: string): string[] {
-	return enabledByUser.get(userId) ?? enabledByUser.get("*") ?? []
-}
-
-/**
- * Controls what `find()` returns in the mock. When `undefined` (the default),
- * `find()` returns a standard enabled row. Set to a specific value (including
- * `null`) to override the return value for all `find()` calls.
- */
-let mockFindResult: unknown | undefined
-
-// Mock the sources module so UserSessionManager's DB query returns controlled data.
-mock.module("../sources/user-sources.ts", () => ({
-	sources: (_db: Database, userId: string) => ({
-		async enabled() {
-			const now = new Date()
-			return getEnabledSourceIds(userId).map((sourceId) => ({
-				id: crypto.randomUUID(),
-				userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}))
-		},
-		async find(sourceId: string) {
-			if (mockFindResult !== undefined) return mockFindResult
-			const now = new Date()
-			return {
-				id: crypto.randomUUID(),
-				userId,
-				sourceId,
-				enabled: true,
-				config: {},
-				credentials: null,
-				createdAt: now,
-				updatedAt: now,
-			}
-		},
-	}),
-}))
-
-const fakeDb = {} as Database
-
-function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
-	return {
-		id,
-		async listActions(): Promise<Record<string, ActionDefinition>> {
-			return {}
-		},
-		async executeAction(): Promise<unknown> {
-			return undefined
-		},
-		async fetchContext(): Promise<readonly ContextEntry[] | null> {
-			return null
-		},
-		async fetchItems() {
-			return items
-		},
-	}
-}
-
-function createStubProvider(
-	sourceId: string,
-	factory: (userId: string, config: Record<string, unknown>) => Promise<FeedSource> = async () =>
-		createStubSource(sourceId),
-): FeedSourceProvider {
-	return { sourceId, feedSourceForUser: factory }
-}
-
-const locationProvider: FeedSourceProvider = {
-	sourceId: "aelis.location",
-	async feedSourceForUser() {
-		return new LocationSource()
-	},
-}
-
-const weatherProvider: FeedSourceProvider = {
-	sourceId: "aelis.weather",
-	async feedSourceForUser() {
-		return new WeatherSource({ client: { fetch: async () => ({}) as never } })
-	},
-}
-
-beforeEach(() => {
-	enabledByUser.clear()
-	mockFindResult = undefined
-})
+const mockWeatherProvider = async () =>
+	new WeatherSource({ client: { fetch: async () => ({}) as never } })

 describe("UserSessionManager", () => {
 	test("getOrCreate creates session on first call", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session = await manager.getOrCreate("user-1")

@@ -130,8 +18,7 @@ describe("UserSessionManager", () => {
 	})

 	test("getOrCreate returns same session for same user", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-1")
@@ -140,8 +27,7 @@ describe("UserSessionManager", () => {
 	})

 	test("getOrCreate returns different sessions for different users", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-2")
@@ -150,8 +36,7 @@ describe("UserSessionManager", () => {
 	})

 	test("each user gets independent source instances", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session1 = await manager.getOrCreate("user-1")
 		const session2 = await manager.getOrCreate("user-2")
@@ -163,8 +48,7 @@ describe("UserSessionManager", () => {
 	})

 	test("remove destroys session and allows re-creation", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session1 = await manager.getOrCreate("user-1")
 		manager.remove("user-1")
@@ -174,17 +58,33 @@ describe("UserSessionManager", () => {
 	})

 	test("remove is no-op for unknown user", () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		expect(() => manager.remove("unknown")).not.toThrow()
 	})

-	test("registers multiple providers", async () => {
-		setEnabledSources(["aelis.location", "aelis.weather"])
+	test("accepts function providers", async () => {
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })
+
+		const session = await manager.getOrCreate("user-1")
+		const result = await session.engine.refresh()
+
+		expect(result.errors).toHaveLength(0)
+	})
+
+	test("accepts object providers", async () => {
 		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [locationProvider, weatherProvider],
+			providers: [async () => new LocationSource(), mockWeatherProvider],
+		})
+
+		const session = await manager.getOrCreate("user-1")
+
+		expect(session.getSource("aelis.weather")).toBeDefined()
+	})
+
+	test("accepts mixed providers", async () => {
+		const manager = new UserSessionManager({
+			providers: [async () => new LocationSource(), mockWeatherProvider],
 		})

 		const session = await manager.getOrCreate("user-1")
@@ -194,8 +94,7 @@ describe("UserSessionManager", () => {
 	})

 	test("refresh returns feed result through session", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session = await manager.getOrCreate("user-1")
 		const result = await session.engine.refresh()
@@ -207,8 +106,7 @@ describe("UserSessionManager", () => {
 	})

 	test("location update via executeAction works", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })

 		const session = await manager.getOrCreate("user-1")
 		await session.engine.executeAction("aelis.location", "update-location", {
@@ -223,8 +121,7 @@ describe("UserSessionManager", () => {
 	})

 	test("subscribe receives updates after location push", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })
 		const callback = mock()

 		const session = await manager.getOrCreate("user-1")
@@ -244,8 +141,7 @@ describe("UserSessionManager", () => {
 	})

 	test("remove stops reactive updates", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
+		const manager = new UserSessionManager({ providers: [async () => new LocationSource()] })
 		const callback = mock()

 		const session = await manager.getOrCreate("user-1")
@@ -268,17 +164,13 @@ describe("UserSessionManager", () => {
 	})

 	test("creates session with successful providers when some fail", async () => {
-		setEnabledSources(["aelis.location", "aelis.failing"])
-		const failingProvider: FeedSourceProvider = {
-			sourceId: "aelis.failing",
-			async feedSourceForUser() {
-				throw new Error("provider failed")
-			},
-		}
-
 		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [locationProvider, failingProvider],
+			providers: [
+				async () => new LocationSource(),
+				async () => {
+					throw new Error("provider failed")
+				},
+			],
 		})

 		const spy = spyOn(console, "error").mockImplementation(() => {})
@@ -293,21 +185,13 @@ describe("UserSessionManager", () => {
 	})

 	test("throws AggregateError when all providers fail", async () => {
-		setEnabledSources(["aelis.fail-1", "aelis.fail-2"])
 		const manager = new UserSessionManager({
-			db: fakeDb,
 			providers: [
-				{
-					sourceId: "aelis.fail-1",
-					async feedSourceForUser() {
-						throw new Error("first failed")
-					},
+				async () => {
+					throw new Error("first failed")
 				},
-				{
-					sourceId: "aelis.fail-2",
-					async feedSourceForUser() {
-						throw new Error("second failed")
-					},
+				async () => {
+					throw new Error("second failed")
 				},
 			],
 		})
@@ -316,18 +200,14 @@ describe("UserSessionManager", () => {
 	})

 	test("concurrent getOrCreate for same user returns same session", async () => {
-		setEnabledSources(["aelis.location"])
 		let callCount = 0
 		const manager = new UserSessionManager({
-			db: fakeDb,
 			providers: [
-				{
-					sourceId: "aelis.location",
-					async feedSourceForUser() {
-						callCount++
-						await new Promise((resolve) => setTimeout(resolve, 10))
-						return new LocationSource()
-					},
+				async () => {
+					callCount++
+					// Simulate async work to widen the race window
+					await new Promise((resolve) => setTimeout(resolve, 10))
+					return new LocationSource()
 				},
 			],
 		})
@@ -342,21 +222,16 @@ describe("UserSessionManager", () => {
 	})

 	test("remove during in-flight getOrCreate prevents session from being stored", async () => {
-		setEnabledSources(["aelis.location"])
 		let resolveProvider: () => void
 		const providerGate = new Promise<void>((r) => {
 			resolveProvider = r
 		})

 		const manager = new UserSessionManager({
-			db: fakeDb,
 			providers: [
-				{
-					sourceId: "aelis.location",
-					async feedSourceForUser() {
-						await providerGate
-						return new LocationSource()
-					},
+				async () => {
+					await providerGate
+					return new LocationSource()
 				},
 			],
 		})
@@ -376,308 +251,4 @@ describe("UserSessionManager", () => {
 		expect(freshSession).toBeDefined()
 		expect(freshSession.engine).toBeDefined()
 	})
-
-	test("only invokes providers for sources enabled for the user", async () => {
-		setEnabledSources(["aelis.location"])
-		const locationFactory = mock(async () => createStubSource("aelis.location"))
-		const weatherFactory = mock(async () => createStubSource("aelis.weather"))
-
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [
-				{ sourceId: "aelis.location", feedSourceForUser: locationFactory },
-				{ sourceId: "aelis.weather", feedSourceForUser: weatherFactory },
-			],
-		})
-
-		const session = await manager.getOrCreate("user-1")
-
-		expect(locationFactory).toHaveBeenCalledTimes(1)
-		expect(weatherFactory).not.toHaveBeenCalled()
-		expect(session.getSource("aelis.location")).toBeDefined()
-		expect(session.getSource("aelis.weather")).toBeUndefined()
-	})
-
-	test("creates empty session when no sources are enabled", async () => {
-		setEnabledSources([])
-		const factory = mock(async () => createStubSource("aelis.location"))
-
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [{ sourceId: "aelis.location", feedSourceForUser: factory }],
-		})
-
-		const session = await manager.getOrCreate("user-1")
-
-		expect(factory).not.toHaveBeenCalled()
-		expect(session).toBeDefined()
-		expect(session.getSource("aelis.location")).toBeUndefined()
-	})
-
-	test("per-user enabled sources are respected", async () => {
-		enabledByUser.clear()
-		setEnabledSourcesForUser("user-1", ["aelis.location"])
-		setEnabledSourcesForUser("user-2", ["aelis.weather"])
-
-		const manager = new UserSessionManager({
-			db: fakeDb,
-			providers: [createStubProvider("aelis.location"), createStubProvider("aelis.weather")],
-		})
-
-		const session1 = await manager.getOrCreate("user-1")
-		const session2 = await manager.getOrCreate("user-2")
-
-		expect(session1.getSource("aelis.location")).toBeDefined()
-		expect(session1.getSource("aelis.weather")).toBeUndefined()
-		expect(session2.getSource("aelis.location")).toBeUndefined()
-		expect(session2.getSource("aelis.weather")).toBeDefined()
-	})
-})
-
-describe("UserSessionManager.replaceProvider", () => {
-	test("replaces source in all active sessions", async () => {
-		setEnabledSources(["test"])
-		const itemsV1: FeedItem[] = [
-			{
-				id: "v1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 1 },
-			},
-		]
-		const itemsV2: FeedItem[] = [
-			{
-				id: "v2",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 2 },
-			},
-		]
-
-		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
-
-		const session1 = await manager.getOrCreate("user-1")
-		const session2 = await manager.getOrCreate("user-2")
-
-		// Verify v1 items
-		const feed1 = await session1.feed()
-		expect(feed1.items[0]!.data.version).toBe(1)
-
-		// Replace provider
-		const providerV2 = createStubProvider("test", async () => createStubSource("test", itemsV2))
-		await manager.replaceProvider(providerV2)
-
-		// Both sessions should now serve v2 items
-		const feed1After = await session1.feed()
-		const feed2After = await session2.feed()
-		expect(feed1After.items[0]!.data.version).toBe(2)
-		expect(feed2After.items[0]!.data.version).toBe(2)
-	})
-
-	test("throws for unknown provider sourceId", async () => {
-		setEnabledSources(["aelis.location"])
-		const manager = new UserSessionManager({ db: fakeDb, providers: [locationProvider] })
-
-		const unknownProvider = createStubProvider("aelis.unknown")
-
-		await expect(manager.replaceProvider(unknownProvider)).rejects.toThrow(
-			"no existing provider with that sourceId",
-		)
-	})
-
-	test("keeps existing source when new provider fails for a user", async () => {
-		setEnabledSources(["test"])
-		const providerV1 = createStubProvider("test", async () => createStubSource("test"))
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
-
-		const session = await manager.getOrCreate("user-1")
-		expect(session.getSource("test")).toBeDefined()
-
-		const spy = spyOn(console, "error").mockImplementation(() => {})
-
-		const failingProvider = createStubProvider("test", async () => {
-			throw new Error("source disabled")
-		})
-		await manager.replaceProvider(failingProvider)
-
-		expect(session.getSource("test")).toBeDefined()
-		expect(spy).toHaveBeenCalled()
-
-		spy.mockRestore()
-	})
-
-	test("new sessions use the replaced provider", async () => {
-		setEnabledSources(["test"])
-		const itemsV1: FeedItem[] = [
-			{
-				id: "v1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 1 },
-			},
-		]
-		const itemsV2: FeedItem[] = [
-			{
-				id: "v2",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 2 },
-			},
-		]
-
-		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
-
-		const providerV2 = createStubProvider("test", async () => createStubSource("test", itemsV2))
-		await manager.replaceProvider(providerV2)
-
-		// New session should use v2
-		const session = await manager.getOrCreate("user-new")
-		const feed = await session.feed()
-		expect(feed.items[0]!.data.version).toBe(2)
-	})
-
-	test("does not affect other providers' sources", async () => {
-		setEnabledSources(["source-a", "source-b"])
-		const providerA = createStubProvider("source-a", async () =>
-			createStubSource("source-a", [
-				{
-					id: "a-1",
-					sourceId: "source-a",
-					type: "test",
-					timestamp: new Date(),
-					data: { from: "a" },
-				},
-			]),
-		)
-		const providerB = createStubProvider("source-b", async () =>
-			createStubSource("source-b", [
-				{
-					id: "b-1",
-					sourceId: "source-b",
-					type: "test",
-					timestamp: new Date(),
-					data: { from: "b" },
-				},
-			]),
-		)
-
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerA, providerB] })
-		const session = await manager.getOrCreate("user-1")
-
-		// Replace only source-a
-		const providerA2 = createStubProvider("source-a", async () =>
-			createStubSource("source-a", [
-				{
-					id: "a-2",
-					sourceId: "source-a",
-					type: "test",
-					timestamp: new Date(),
-					data: { from: "a-new" },
-				},
-			]),
-		)
-		await manager.replaceProvider(providerA2)
-
-		// source-b should be unaffected
-		expect(session.getSource("source-b")).toBeDefined()
-		const feed = await session.feed()
-		const ids = feed.items.map((i) => i.id).sort()
-		expect(ids).toEqual(["a-2", "b-1"])
-	})
-
-	test("updates sessions that are still being created", async () => {
-		setEnabledSources(["test"])
-		const itemsV1: FeedItem[] = [
-			{
-				id: "v1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 1 },
-			},
-		]
-		const itemsV2: FeedItem[] = [
-			{
-				id: "v2",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 2 },
-			},
-		]
-
-		let resolveCreation: () => void
-		const creationGate = new Promise<void>((r) => {
-			resolveCreation = r
-		})
-
-		const providerV1 = createStubProvider("test", async () => {
-			await creationGate
-			return createStubSource("test", itemsV1)
-		})
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
-
-		// Start session creation but don't let it finish yet
-		const sessionPromise = manager.getOrCreate("user-1")
-
-		// Replace provider while session is still pending
-		const providerV2 = createStubProvider("test", async () => createStubSource("test", itemsV2))
-		const replacePromise = manager.replaceProvider(providerV2)
-
-		// Let the original creation finish
-		resolveCreation!()
-
-		const session = await sessionPromise
-		await replacePromise
-
-		// Session should have been updated to v2
-		const feed = await session.feed()
-		expect(feed.items[0]!.data.version).toBe(2)
-	})
-
-	test("skips source replacement when source was disabled between creation and replace", async () => {
-		setEnabledSources(["test"])
-		const itemsV1: FeedItem[] = [
-			{
-				id: "v1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 1 },
-			},
-		]
-
-		const providerV1 = createStubProvider("test", async () => createStubSource("test", itemsV1))
-		const manager = new UserSessionManager({ db: fakeDb, providers: [providerV1] })
-
-		const session = await manager.getOrCreate("user-1")
-		const feedBefore = await session.feed()
-		expect(feedBefore.items[0]!.data.version).toBe(1)
-
-		// Simulate the source being disabled/deleted between session creation and replace
-		mockFindResult = null
-
-		const providerV2 = createStubProvider("test", async () =>
-			createStubSource("test", [
-				{
-					id: "v2",
-					sourceId: "test",
-					type: "test",
-					timestamp: new Date(),
-					data: { version: 2 },
-				},
-			]),
-		)
-		await manager.replaceProvider(providerV2)
-
-		// Session should still have v1 — the replace was skipped
-		const feedAfter = await session.feed()
-		expect(feedAfter.items[0]!.data.version).toBe(1)
-	})
 })
--- a/apps/aelis-backend/src/session/user-session-manager.ts
+++ b/apps/aelis-backend/src/session/user-session-manager.ts
@@ -1,37 +1,26 @@
 import type { FeedSource } from "@aelis/core"

-import type { Database } from "../db/index.ts"
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
-import type { FeedSourceProvider } from "./feed-source-provider.ts"
+import type { FeedSourceProviderInput } from "./feed-source-provider.ts"

-import { sources } from "../sources/user-sources.ts"
 import { UserSession } from "./user-session.ts"

 export interface UserSessionManagerConfig {
-	db: Database
-	providers: FeedSourceProvider[]
+	providers: FeedSourceProviderInput[]
 	feedEnhancer?: FeedEnhancer | null
 }

 export class UserSessionManager {
 	private sessions = new Map<string, UserSession>()
 	private pending = new Map<string, Promise<UserSession>>()
-	private readonly db: Database
-	private readonly providers = new Map<string, FeedSourceProvider>()
+	private readonly providers: FeedSourceProviderInput[]
 	private readonly feedEnhancer: FeedEnhancer | null

 	constructor(config: UserSessionManagerConfig) {
-		this.db = config.db
-		for (const provider of config.providers) {
-			this.providers.set(provider.sourceId, provider)
-		}
+		this.providers = config.providers
 		this.feedEnhancer = config.feedEnhancer ?? null
 	}

-	getProvider(sourceId: string): FeedSourceProvider | undefined {
-		return this.providers.get(sourceId)
-	}
-
 	async getOrCreate(userId: string): Promise<UserSession> {
 		const existing = this.sessions.get(userId)
 		if (existing) return existing
@@ -66,97 +55,25 @@ export class UserSessionManager {
 		this.pending.delete(userId)
 	}

-	/**
-	 * Replaces a provider and updates all active sessions.
-	 * The new provider must have the same sourceId as an existing one.
-	 * For each active session, queries the user's source config from the DB
-	 * and re-resolves the source. If the provider fails for a user, the
-	 * existing source is kept.
-	 */
-	async replaceProvider(provider: FeedSourceProvider): Promise<void> {
-		if (!this.providers.has(provider.sourceId)) {
-			throw new Error(
-				`Cannot replace provider "${provider.sourceId}": no existing provider with that sourceId`,
-			)
-		}
-
-		this.providers.set(provider.sourceId, provider)
-
-		const updates: Promise<void>[] = []
-
-		for (const [, session] of this.sessions) {
-			updates.push(this.refreshSessionSource(session, provider))
-		}
-
-		// Also update sessions that are currently being created so they
-		// don't land in this.sessions with a stale source.
-		for (const [, pendingPromise] of this.pending) {
-			updates.push(
-				pendingPromise
-					.then((session) => this.refreshSessionSource(session, provider))
-					.catch(() => {
-						// Session creation itself failed — nothing to update.
-					}),
-			)
-		}
-
-		await Promise.all(updates)
-	}
-
-	/**
-	 * Re-resolves a single source for a session by querying the user's config
-	 * from the DB and calling the provider. If the provider fails, the existing
-	 * source is kept.
-	 */
-	private async refreshSessionSource(
-		session: UserSession,
-		provider: FeedSourceProvider,
-	): Promise<void> {
-		if (!session.hasSource(provider.sourceId)) return
-
-		try {
-			const row = await sources(this.db, session.userId).find(provider.sourceId)
-			if (!row?.enabled) return
-
-			const newSource = await provider.feedSourceForUser(session.userId, row.config ?? {})
-			session.replaceSource(provider.sourceId, newSource)
-		} catch (err) {
-			console.error(
-				`[UserSessionManager] refreshSource("${provider.sourceId}") failed for user ${session.userId}:`,
-				err,
-			)
-		}
-	}
-
 	private async createSession(userId: string): Promise<UserSession> {
-		const enabledRows = await sources(this.db, userId).enabled()
+		const results = await Promise.allSettled(
+			this.providers.map((p) =>
+				typeof p === "function" ? p(userId) : p.feedSourceForUser(userId),
+			),
+		)

-		const promises: Promise<FeedSource>[] = []
-		for (const row of enabledRows) {
-			const provider = this.providers.get(row.sourceId)
-			if (provider) {
-				promises.push(provider.feedSourceForUser(userId, row.config ?? {}))
-			}
-		}
-
-		if (promises.length === 0) {
-			return new UserSession(userId, [], this.feedEnhancer)
-		}
-
-		const results = await Promise.allSettled(promises)
-
-		const feedSources: FeedSource[] = []
+		const sources: FeedSource[] = []
 		const errors: unknown[] = []

 		for (const result of results) {
 			if (result.status === "fulfilled") {
-				feedSources.push(result.value)
+				sources.push(result.value)
 			} else {
 				errors.push(result.reason)
 			}
 		}

-		if (feedSources.length === 0 && errors.length > 0) {
+		if (sources.length === 0 && errors.length > 0) {
 			throw new AggregateError(errors, "All feed source providers failed")
 		}

@@ -164,6 +81,6 @@ export class UserSessionManager {
 			console.error("[UserSessionManager] Feed source provider failed:", error)
 		}

-		return new UserSession(userId, feedSources, this.feedEnhancer)
+		return new UserSession(sources, this.feedEnhancer)
 	}
 }
--- a/apps/aelis-backend/src/session/user-session.test.ts
+++ b/apps/aelis-backend/src/session/user-session.test.ts
@@ -1,7 +1,7 @@
 import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"

 import { LocationSource } from "@aelis/source-location"
-import { describe, expect, spyOn, test } from "bun:test"
+import { describe, expect, test } from "bun:test"

 import { UserSession } from "./user-session.ts"

@@ -25,10 +25,7 @@ function createStubSource(id: string, items: FeedItem[] = []): FeedSource {

 describe("UserSession", () => {
 	test("registers sources and starts engine", async () => {
-		const session = new UserSession("test-user", [
-			createStubSource("test-a"),
-			createStubSource("test-b"),
-		])
+		const session = new UserSession([createStubSource("test-a"), createStubSource("test-b")])

 		const result = await session.engine.refresh()

@@ -37,7 +34,7 @@ describe("UserSession", () => {

 	test("getSource returns registered source", () => {
 		const location = new LocationSource()
-		const session = new UserSession("test-user", [location])
+		const session = new UserSession([location])

 		const result = session.getSource<LocationSource>("aelis.location")

@@ -45,13 +42,13 @@ describe("UserSession", () => {
 	})

 	test("getSource returns undefined for unknown source", () => {
-		const session = new UserSession("test-user", [createStubSource("test")])
+		const session = new UserSession([createStubSource("test")])

 		expect(session.getSource("unknown")).toBeUndefined()
 	})

 	test("destroy stops engine and clears sources", () => {
-		const session = new UserSession("test-user", [createStubSource("test")])
+		const session = new UserSession([createStubSource("test")])

 		session.destroy()

@@ -60,7 +57,7 @@ describe("UserSession", () => {

 	test("engine.executeAction routes to correct source", async () => {
 		const location = new LocationSource()
-		const session = new UserSession("test-user", [location])
+		const session = new UserSession([location])

 		await session.engine.executeAction("aelis.location", "update-location", {
 			lat: 51.5,
@@ -85,7 +82,7 @@ describe("UserSession.feed", () => {
 				data: { value: 42 },
 			},
 		]
-		const session = new UserSession("test-user", [createStubSource("test", items)])
+		const session = new UserSession([createStubSource("test", items)])

 		const result = await session.feed()

@@ -106,7 +103,7 @@ describe("UserSession.feed", () => {
 		const enhancer = async (feedItems: FeedItem[]) =>
 			feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))

-		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
+		const session = new UserSession([createStubSource("test", items)], enhancer)

 		const result = await session.feed()

@@ -130,7 +127,7 @@ describe("UserSession.feed", () => {
 			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 		}

-		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
+		const session = new UserSession([createStubSource("test", items)], enhancer)

 		const result1 = await session.feed()
 		expect(result1.items[0]!.data.enhanced).toBe(true)
@@ -165,7 +162,7 @@ describe("UserSession.feed", () => {
 			}))
 		}

-		const session = new UserSession("test-user", [source], enhancer)
+		const session = new UserSession([source], enhancer)

 		// First feed triggers refresh + enhancement
 		const result1 = await session.feed()
@@ -208,7 +205,7 @@ describe("UserSession.feed", () => {
 			throw new Error("enhancement exploded")
 		}

-		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
+		const session = new UserSession([createStubSource("test", items)], enhancer)

 		const result = await session.feed()

@@ -217,178 +214,3 @@ describe("UserSession.feed", () => {
 		expect(result.items[0]!.data.value).toBe(42)
 	})
 })
-
-describe("UserSession.replaceSource", () => {
-	test("replaces source and invalidates feed cache", async () => {
-		const itemsA: FeedItem[] = [
-			{
-				id: "a-1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date("2025-01-01T00:00:00.000Z"),
-				data: { from: "a" },
-			},
-		]
-		const itemsB: FeedItem[] = [
-			{
-				id: "b-1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date("2025-01-01T00:00:00.000Z"),
-				data: { from: "b" },
-			},
-		]
-
-		const sourceA = createStubSource("test", itemsA)
-		const session = new UserSession("test-user", [sourceA])
-
-		const result1 = await session.feed()
-		expect(result1.items).toHaveLength(1)
-		expect(result1.items[0]!.data.from).toBe("a")
-
-		const sourceB = createStubSource("test", itemsB)
-		session.replaceSource("test", sourceB)
-
-		const result2 = await session.feed()
-		expect(result2.items).toHaveLength(1)
-		expect(result2.items[0]!.data.from).toBe("b")
-	})
-
-	test("getSource returns new source after replace", () => {
-		const sourceA = createStubSource("test")
-		const session = new UserSession("test-user", [sourceA])
-
-		const sourceB = createStubSource("test")
-		session.replaceSource("test", sourceB)
-
-		expect(session.getSource("test")).toBe(sourceB)
-		expect(session.getSource("test")).not.toBe(sourceA)
-	})
-
-	test("throws when replacing a source that is not registered", () => {
-		const session = new UserSession("test-user", [createStubSource("test")])
-
-		expect(() => session.replaceSource("nonexistent", createStubSource("other"))).toThrow(
-			'Cannot replace source "nonexistent": not registered',
-		)
-	})
-
-	test("other sources are unaffected by replace", async () => {
-		const sourceA = createStubSource("source-a", [
-			{
-				id: "a-1",
-				sourceId: "source-a",
-				type: "test",
-				timestamp: new Date(),
-				data: { from: "a" },
-			},
-		])
-		const sourceB = createStubSource("source-b", [
-			{
-				id: "b-1",
-				sourceId: "source-b",
-				type: "test",
-				timestamp: new Date(),
-				data: { from: "b" },
-			},
-		])
-		const session = new UserSession("test-user", [sourceA, sourceB])
-
-		const replacement = createStubSource("source-a", [
-			{
-				id: "a-2",
-				sourceId: "source-a",
-				type: "test",
-				timestamp: new Date(),
-				data: { from: "a-new" },
-			},
-		])
-		session.replaceSource("source-a", replacement)
-
-		const result = await session.feed()
-		expect(result.items).toHaveLength(2)
-
-		const ids = result.items.map((i) => i.id).sort()
-		expect(ids).toEqual(["a-2", "b-1"])
-	})
-
-	test("invalidates enhancement cache on replace", async () => {
-		const items: FeedItem[] = [
-			{
-				id: "item-1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 1 },
-			},
-		]
-		let enhanceCount = 0
-		const enhancer = async (feedItems: FeedItem[]) => {
-			enhanceCount++
-			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
-		}
-
-		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
-
-		await session.feed()
-		expect(enhanceCount).toBe(1)
-
-		const newItems: FeedItem[] = [
-			{
-				id: "item-2",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: { version: 2 },
-			},
-		]
-		session.replaceSource("test", createStubSource("test", newItems))
-
-		const result = await session.feed()
-		expect(enhanceCount).toBe(2)
-		expect(result.items[0]!.id).toBe("item-2")
-		expect(result.items[0]!.data.enhanced).toBe(true)
-	})
-})
-
-describe("UserSession.removeSource", () => {
-	test("removes source from engine and sources map", () => {
-		const session = new UserSession("test-user", [
-			createStubSource("test-a"),
-			createStubSource("test-b"),
-		])
-
-		session.removeSource("test-a")
-
-		expect(session.getSource("test-a")).toBeUndefined()
-		expect(session.getSource("test-b")).toBeDefined()
-	})
-
-	test("invalidates feed cache on remove", async () => {
-		const items: FeedItem[] = [
-			{
-				id: "item-1",
-				sourceId: "test",
-				type: "test",
-				timestamp: new Date(),
-				data: {},
-			},
-		]
-		const session = new UserSession("test-user", [createStubSource("test", items)])
-
-		const result1 = await session.feed()
-		expect(result1.items).toHaveLength(1)
-
-		session.removeSource("test")
-
-		const result2 = await session.feed()
-		expect(result2.items).toHaveLength(0)
-	})
-
-	test("is a no-op for unknown source", () => {
-		const session = new UserSession("test-user", [createStubSource("test")])
-
-		expect(() => session.removeSource("unknown")).not.toThrow()
-		expect(session.getSource("test")).toBeDefined()
-	})
-})
--- a/apps/aelis-backend/src/session/user-session.ts
+++ b/apps/aelis-backend/src/session/user-session.ts
@@ -3,7 +3,6 @@ import { FeedEngine, type FeedItem, type FeedResult, type FeedSource } from "@ae
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"

 export class UserSession {
-	readonly userId: string
 	readonly engine: FeedEngine
 	private sources = new Map<string, FeedSource>()
 	private readonly enhancer: FeedEnhancer | null
@@ -13,8 +12,7 @@ export class UserSession {
 	private enhancingPromise: Promise<void> | null = null
 	private unsubscribe: (() => void) | null = null

-	constructor(userId: string, sources: FeedSource[], enhancer?: FeedEnhancer | null) {
-		this.userId = userId
+	constructor(sources: FeedSource[], enhancer?: FeedEnhancer | null) {
 		this.engine = new FeedEngine()
 		this.enhancer = enhancer ?? null
 		for (const source of sources) {
@@ -69,63 +67,6 @@ export class UserSession {
 		return this.sources.get(sourceId) as T | undefined
 	}

-	hasSource(sourceId: string): boolean {
-		return this.sources.has(sourceId)
-	}
-
-	/**
-	 * Replaces a source in the engine and invalidates all caches.
-	 * Stops and restarts the engine to re-establish reactive subscriptions.
-	 */
-	replaceSource(oldSourceId: string, newSource: FeedSource): void {
-		if (!this.sources.has(oldSourceId)) {
-			throw new Error(`Cannot replace source "${oldSourceId}": not registered`)
-		}
-
-		const wasStarted = this.engine.isStarted()
-
-		if (wasStarted) {
-			this.engine.stop()
-		}
-
-		this.engine.unregister(oldSourceId)
-		this.sources.delete(oldSourceId)
-
-		this.engine.register(newSource)
-		this.sources.set(newSource.id, newSource)
-
-		this.invalidateEnhancement()
-		this.enhancingPromise = null
-
-		if (wasStarted) {
-			this.engine.start()
-		}
-	}
-
-	/**
-	 * Removes a source from the engine and invalidates all caches.
-	 * Stops and restarts the engine to clean up reactive subscriptions.
-	 */
-	removeSource(sourceId: string): void {
-		if (!this.sources.has(sourceId)) return
-
-		const wasStarted = this.engine.isStarted()
-
-		if (wasStarted) {
-			this.engine.stop()
-		}
-
-		this.engine.unregister(sourceId)
-		this.sources.delete(sourceId)
-
-		this.invalidateEnhancement()
-		this.enhancingPromise = null
-
-		if (wasStarted) {
-			this.engine.start()
-		}
-	}
-
 	destroy(): void {
 		this.unsubscribe?.()
 		this.unsubscribe = null
--- a/apps/aelis-backend/src/sources/errors.ts
+++ b/apps/aelis-backend/src/sources/errors.ts
@@ -1,3 +1,21 @@
+/**
+ * Thrown by a FeedSourceProvider when the source is not enabled for a user.
+ *
+ * UserSessionManager's Promise.allSettled handles this gracefully —
+ * the source is excluded from the session without crashing.
+ */
+export class SourceDisabledError extends Error {
+	readonly sourceId: string
+	readonly userId: string
+
+	constructor(sourceId: string, userId: string) {
+		super(`Source "${sourceId}" is not enabled for user "${userId}"`)
+		this.name = "SourceDisabledError"
+		this.sourceId = sourceId
+		this.userId = userId
+	}
+}
+
 /**
 * Thrown when an operation targets a user source that doesn't exist.
 */
--- a/apps/aelis-backend/src/tfl/provider.ts
+++ b/apps/aelis-backend/src/tfl/provider.ts
@@ -1,30 +1,41 @@
 import { TflSource, type ITflApi, type TflLineId } from "@aelis/source-tfl"
 import { type } from "arktype"

+import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"

+import { SourceDisabledError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
+
 export type TflSourceProviderOptions =
-	| { apiKey: string; client?: never }
-	| { apiKey?: never; client: ITflApi }
+	| { db: Database; apiKey: string; client?: never }
+	| { db: Database; apiKey?: never; client: ITflApi }

 const tflConfig = type({
 	"lines?": "string[]",
 })

 export class TflSourceProvider implements FeedSourceProvider {
-	readonly sourceId = "aelis.tfl"
+	private readonly db: Database
 	private readonly apiKey: string | undefined
 	private readonly client: ITflApi | undefined

 	constructor(options: TflSourceProviderOptions) {
+		this.db = options.db
 		this.apiKey = "apiKey" in options ? options.apiKey : undefined
 		this.client = "client" in options ? options.client : undefined
 	}

-	async feedSourceForUser(_userId: string, config: unknown): Promise<TflSource> {
-		const parsed = tflConfig(config)
+	async feedSourceForUser(userId: string): Promise<TflSource> {
+		const row = await sources(this.db, userId).find("aelis.tfl")
+
+		if (!row || !row.enabled) {
+			throw new SourceDisabledError("aelis.tfl", userId)
+		}
+
+		const parsed = tflConfig(row.config ?? {})
 		if (parsed instanceof type.errors) {
-			throw new Error(`Invalid TFL config: ${parsed.summary}`)
+			throw new Error(`Invalid TFL config for user ${userId}: ${parsed.summary}`)
 		}

 		return new TflSource({
--- a/apps/aelis-backend/src/weather/provider.ts
+++ b/apps/aelis-backend/src/weather/provider.ts
@@ -1,9 +1,14 @@
 import { WeatherSource, type WeatherSourceOptions } from "@aelis/source-weatherkit"
 import { type } from "arktype"

+import type { Database } from "../db/index.ts"
 import type { FeedSourceProvider } from "../session/feed-source-provider.ts"

+import { SourceDisabledError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
+
 export interface WeatherSourceProviderOptions {
+	db: Database
 	credentials: WeatherSourceOptions["credentials"]
 	client?: WeatherSourceOptions["client"]
 }
@@ -15,19 +20,26 @@ const weatherConfig = type({
 })

 export class WeatherSourceProvider implements FeedSourceProvider {
-	readonly sourceId = "aelis.weather"
+	private readonly db: Database
 	private readonly credentials: WeatherSourceOptions["credentials"]
 	private readonly client: WeatherSourceOptions["client"]

 	constructor(options: WeatherSourceProviderOptions) {
+		this.db = options.db
 		this.credentials = options.credentials
 		this.client = options.client
 	}

-	async feedSourceForUser(_userId: string, config: unknown): Promise<WeatherSource> {
-		const parsed = weatherConfig(config)
+	async feedSourceForUser(userId: string): Promise<WeatherSource> {
+		const row = await sources(this.db, userId).find("aelis.weather")
+
+		if (!row || !row.enabled) {
+			throw new SourceDisabledError("aelis.weather", userId)
+		}
+
+		const parsed = weatherConfig(row.config ?? {})
 		if (parsed instanceof type.errors) {
-			throw new Error(`Invalid weather config: ${parsed.summary}`)
+			throw new Error(`Invalid weather config for user ${userId}: ${parsed.summary}`)
 		}

 		return new WeatherSource({
--- a/packages/aelis-core/src/feed-engine.test.ts
+++ b/packages/aelis-core/src/feed-engine.test.ts
@@ -180,31 +180,6 @@ describe("FeedEngine", () => {

 			expect(engine.refresh()).resolves.toBeDefined()
 		})
-
-		test("register invalidates feed cache", async () => {
-			const location = createLocationSource()
-			const engine = new FeedEngine().register(location)
-
-			await engine.refresh()
-			expect(engine.lastFeed()).not.toBeNull()
-
-			engine.register(createWeatherSource())
-
-			expect(engine.lastFeed()).toBeNull()
-		})
-
-		test("unregister invalidates feed cache", async () => {
-			const location = createLocationSource()
-			const weather = createWeatherSource()
-			const engine = new FeedEngine().register(location).register(weather)
-
-			await engine.refresh()
-			expect(engine.lastFeed()).not.toBeNull()
-
-			engine.unregister("weather")
-
-			expect(engine.lastFeed()).toBeNull()
-		})
 	})

 	describe("graph validation", () => {
@@ -959,54 +934,4 @@ describe("FeedEngine", () => {
 			engine.stop()
 		})
 	})
-
-	describe("invalidateCache", () => {
-		test("clears cached result", async () => {
-			const location = createLocationSource()
-			const engine = new FeedEngine().register(location)
-
-			await engine.refresh()
-			expect(engine.lastFeed()).not.toBeNull()
-
-			engine.invalidateCache()
-
-			expect(engine.lastFeed()).toBeNull()
-		})
-
-		test("is safe to call when no cache exists", () => {
-			const engine = new FeedEngine()
-
-			expect(() => engine.invalidateCache()).not.toThrow()
-			expect(engine.lastFeed()).toBeNull()
-		})
-	})
-
-	describe("isStarted", () => {
-		test("returns false before start", () => {
-			const engine = new FeedEngine()
-
-			expect(engine.isStarted()).toBe(false)
-		})
-
-		test("returns true after start", () => {
-			const location = createLocationSource()
-			const engine = new FeedEngine().register(location)
-
-			engine.start()
-
-			expect(engine.isStarted()).toBe(true)
-
-			engine.stop()
-		})
-
-		test("returns false after stop", () => {
-			const location = createLocationSource()
-			const engine = new FeedEngine().register(location)
-
-			engine.start()
-			engine.stop()
-
-			expect(engine.isStarted()).toBe(false)
-		})
-	})
 })
--- a/packages/aelis-core/src/feed-engine.ts
+++ b/packages/aelis-core/src/feed-engine.ts
@@ -97,33 +97,23 @@ export class FeedEngine<TItems extends FeedItem = FeedItem> {
 	}

 	/**
-	 * Registers a FeedSource. Invalidates the cached graph and feed cache.
+	 * Registers a FeedSource. Invalidates the cached graph.
 	 */
 	register<TItem extends FeedItem>(source: FeedSource<TItem>): FeedEngine<TItems | TItem> {
 		this.sources.set(source.id, source)
 		this.graph = null
-		this.invalidateCache()
 		return this as FeedEngine<TItems | TItem>
 	}

 	/**
-	 * Unregisters a FeedSource by ID. Invalidates the cached graph and feed cache.
+	 * Unregisters a FeedSource by ID. Invalidates the cached graph.
 	 */
 	unregister(sourceId: string): this {
 		this.sources.delete(sourceId)
 		this.graph = null
-		this.invalidateCache()
 		return this
 	}

-	/**
-	 * Clears the cached feed result so the next access triggers a fresh refresh.
-	 */
-	invalidateCache(): void {
-		this.cachedResult = null
-		this.cachedAt = null
-	}
-
 	/**
 	 * Registers a post-processor. Processors run in registration order
 	 * after items are collected, on every update path.
@@ -259,13 +249,6 @@ export class FeedEngine<TItems extends FeedItem = FeedItem> {
 		this.cleanups = []
 	}

-	/**
-	 * Returns whether the engine is currently running reactive subscriptions.
-	 */
-	isStarted(): boolean {
-		return this.started
-	}
-
 	/**
 	 * Returns the current accumulated context.
 	 */