chore(deps): update AI SDK v6, React 19.2.3, tRPC 11.8 (#2144)

Author: koistya

.github/workflows/main.yml

@@ -34,7 +34,7 @@ jobs:
     name: "Build"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # Configure Bun and install dependencies
       - uses: oven-sh/setup-bun@v2
         with:
@@ -74,7 +74,7 @@ jobs:
       - run: docker save api:${{ github.sha }} | gzip > api-image.tar.gz
 
       # Upload build artifacts
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v6
         with:
           name: "build"
           path: "apps/web/dist\napps/app/dist\napps/api/dist\napi-image.tar.gz\n"

.vscode/settings.json

@@ -101,11 +101,13 @@
     "signup",
     "sourcemap",
     "swapi",
+    "tanstack",
     "tarkus",
     "trpc",
     "tslib",
     "typechecking",
     "vite",
+    "vitepress",
     "vitest",
     "webflow"
   ]

README.md

@@ -172,6 +172,8 @@ bun wrangler secret put RESEND_API_KEY
 bun wrangler secret put OPENAI_API_KEY
 ```
 
+Note: run these commands from the target app directory or pass `--config apps/<app>/wrangler.jsonc`.
+
 **Note:** The `RESEND_EMAIL_FROM` is configured in `wrangler.jsonc` as it's not sensitive.
 
 ### 2. Build and Deploy

apps/api/dev.ts

@@ -5,13 +5,17 @@
  */
 
 import { Hono } from "hono";
+import { logger } from "hono/logger";
+import { requestId } from "hono/request-id";
+import { secureHeaders } from "hono/secure-headers";
 import { parseArgs } from "node:util";
 import { getPlatformProxy } from "wrangler";
 import api from "./index.js";
 import { createAuth } from "./lib/auth.js";
 import type { AppContext } from "./lib/context.js";
 import { createDb } from "./lib/db.js";
 import type { Env } from "./lib/env.js";
+import { errorHandler, notFoundHandler } from "./lib/middleware.js";
 
 const { values: args } = parseArgs({
   args: Bun.argv.slice(2),
@@ -27,6 +31,15 @@ type CloudflareEnv = {
 
 const app = new Hono<AppContext>();
 
+// Error and 404 handlers (must be on top-level app)
+app.onError(errorHandler);
+app.notFound(notFoundHandler);
+
+// Standard middleware
+app.use(secureHeaders());
+app.use(requestId());
+app.use(logger());
+
 // persist:true maintains state across restarts in .wrangler directory
 const cf = await getPlatformProxy<CloudflareEnv>({
   configPath: "./wrangler.jsonc",
@@ -37,7 +50,7 @@ const cf = await getPlatformProxy<CloudflareEnv>({
 // Inject context with two database connections:
 // - db: Hyperdrive caching for read-heavy queries
 // - dbDirect: No cache for writes and transactions
-app.use("*", async (c, next) => {
+app.use(async (c, next) => {
   const db = createDb(cf.env.HYPERDRIVE_CACHED);
   const dbDirect = createDb(cf.env.HYPERDRIVE_DIRECT);
 

apps/api/lib/ai.ts

@@ -1,27 +1,26 @@
 import type { OpenAIProvider } from "@ai-sdk/openai";
 import { createOpenAI } from "@ai-sdk/openai";
-import type { Env } from "./env";
+import type { TRPCContext } from "./context";
 
-// Request-scoped cache key
-const OPENAI_CACHE_KEY = Symbol("openai");
+type OpenAIContext = Pick<TRPCContext, "env" | "cache">;
+
+// Request-scoped cache key for the provider instance.
+const OPENAI_PROVIDER = Symbol("openaiProvider");
 
 /**
- * Returns an OpenAI provider instance with request-scoped caching.
- * Uses the tRPC context cache to avoid recreating the provider multiple times
- * within the same request while ensuring environment isolation.
+ * Returns a request-scoped OpenAI provider instance.
+ * Pass the tRPC context to reuse the provider within a single request.
  */
-export function getOpenAI(env: Env, cache?: Map<string | symbol, unknown>) {
-  // Use request-scoped cache if available (from tRPC context)
-  if (cache?.has(OPENAI_CACHE_KEY)) {
-    return cache.get(OPENAI_CACHE_KEY) as OpenAIProvider;
+export function getOpenAI(ctx: OpenAIContext): OpenAIProvider {
+  if (ctx.cache.has(OPENAI_PROVIDER)) {
+    return ctx.cache.get(OPENAI_PROVIDER) as OpenAIProvider;
   }
 
   const provider = createOpenAI({
-    apiKey: env.OPENAI_API_KEY,
+    apiKey: ctx.env.OPENAI_API_KEY,
   });
 
-  // Cache for this request only
-  cache?.set(OPENAI_CACHE_KEY, provider);
+  ctx.cache.set(OPENAI_PROVIDER, provider);
 
   return provider;
 }

apps/api/lib/auth.ts

@@ -181,3 +181,8 @@ export function createAuth(
 }
 
 export type Auth = ReturnType<typeof betterAuth>;
+
+// Base session types from Better Auth - plugin-specific fields added at runtime
+type SessionResponse = Auth["$Infer"]["Session"];
+export type AuthUser = SessionResponse["user"];
+export type AuthSession = SessionResponse["session"];

apps/api/lib/context.ts

@@ -1,9 +1,8 @@
 import type { DatabaseSchema } from "@repo/db";
 import type { CreateHTTPContextOptions } from "@trpc/server/adapters/standalone";
-import type { Session, User } from "better-auth/types";
 import type { PostgresJsDatabase } from "drizzle-orm/postgres-js";
 import type { Resend } from "resend";
-import type { Auth } from "./auth.js";
+import type { Auth, AuthSession, AuthUser } from "./auth.js";
 import type { Env } from "./env.js";
 
 /**
@@ -42,10 +41,10 @@ export type TRPCContext = {
   dbDirect: PostgresJsDatabase<DatabaseSchema>;
 
   /** Authenticated user session (null if not authenticated) */
-  session: Session | null;
+  session: AuthSession | null;
 
   /** Authenticated user data (null if not authenticated) */
-  user: User | null;
+  user: AuthUser | null;
 
   /** Request-scoped cache for storing computed values during request lifecycle */
   cache: Map<string | symbol, unknown>;
@@ -79,7 +78,7 @@ export type AppContext = {
     dbDirect: PostgresJsDatabase<DatabaseSchema>;
     auth: Auth;
     resend?: Resend;
-    session: Session | null;
-    user: User | null;
+    session: AuthSession | null;
+    user: AuthUser | null;
   };
 };

apps/api/lib/middleware.ts

@@ -0,0 +1,44 @@
+/**
+ * @file Shared Hono middleware for both production and development entrypoints.
+ */
+
+import type { Context, ErrorHandler, NotFoundHandler } from "hono";
+import { HTTPException } from "hono/http-exception";
+
+/**
+ * Global error handler for top-level Hono apps.
+ *
+ * Handles HTTPException specially (returns its response),
+ * logs unexpected errors and returns a generic 500.
+ */
+export const errorHandler: ErrorHandler = (err, c) => {
+  if (err instanceof HTTPException) {
+    // getResponse() is not context-aware; merge headers from middleware
+    const res = err.getResponse();
+    const headers = new Headers(res.headers);
+    c.res.headers.forEach((v, k) => headers.set(k, v));
+    return new Response(res.body, {
+      status: res.status,
+      statusText: res.statusText,
+      headers,
+    });
+  }
+  console.error(`[${c.req.method}] ${c.req.path}:`, err);
+  return c.json({ error: "Internal Server Error" }, 500);
+};
+
+/**
+ * 404 handler for unmatched routes.
+ *
+ * Must be registered on top-level app (notFound on mounted sub-apps is ignored).
+ */
+export const notFoundHandler: NotFoundHandler = (c) => {
+  return c.json({ error: "Not Found", path: c.req.path }, 404);
+};
+
+/**
+ * Request ID generator using Cloudflare Ray ID when available.
+ */
+export function requestIdGenerator(c: Context): string {
+  return c.req.header("cf-ray") ?? crypto.randomUUID();
+}

apps/api/lib/trpc.ts

@@ -1,4 +1,4 @@
-import { initTRPC, TRPCError } from "@trpc/server";
+import { initTRPC, TRPCError, type TRPCProcedureBuilder } from "@trpc/server";
 import { flattenError, ZodError } from "zod";
 import type { TRPCContext } from "./context.js";
 
@@ -18,18 +18,49 @@ const t = initTRPC.context<TRPCContext>().create({
 export const router = t.router;
 export const publicProcedure = t.procedure;
 
-export const protectedProcedure = t.procedure.use(({ ctx, next }) => {
-  if (!ctx.session || !ctx.user) {
-    throw new TRPCError({
-      code: "UNAUTHORIZED",
-      message: "Authentication required",
+// Derive type from publicProcedure to stay in sync with initTRPC config.
+// Explicit annotation required to avoid TS2742 (non-portable inferred type).
+type ProtectedProcedure =
+  typeof publicProcedure extends TRPCProcedureBuilder<
+    infer TContext,
+    infer TMeta,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    infer TContextOverrides,
+    infer TInputIn,
+    infer TInputOut,
+    infer TOutputIn,
+    infer TOutputOut,
+    infer TCaller
+  >
+    ? TRPCProcedureBuilder<
+        TContext,
+        TMeta,
+        {
+          session: NonNullable<TRPCContext["session"]>;
+          user: NonNullable<TRPCContext["user"]>;
+        },
+        TInputIn,
+        TInputOut,
+        TOutputIn,
+        TOutputOut,
+        TCaller
+      >
+    : never;
+
+export const protectedProcedure: ProtectedProcedure = t.procedure.use(
+  ({ ctx, next }) => {
+    if (!ctx.session || !ctx.user) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Authentication required",
+      });
+    }
+    return next({
+      ctx: {
+        ...ctx,
+        session: ctx.session,
+        user: ctx.user,
+      },
     });
-  }
-  return next({
-    ctx: {
-      ...ctx,
-      session: ctx.session,
-      user: ctx.user,
-    },
-  });
-});
+  },
+);