nanogpt-community
diff --git a/‎api-docs.md‎
Lines changed: 28 additions & 7 deletions b/‎api-docs.md‎
Lines changed: 28 additions & 7 deletions
diff --git a/‎src/lib/api.ts‎
Lines changed: 17 additions & 3 deletions b/‎src/lib/api.ts‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎src/lib/components/ui/share-button/share-button.svelte‎
Lines changed: 1 addition & 1 deletion b/‎src/lib/components/ui/share-button/share-button.svelte‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/lib/db/queries/user-keys.ts‎
Lines changed: 49 additions & 1 deletion b/‎src/lib/db/queries/user-keys.ts‎
Lines changed: 49 additions & 1 deletion
diff --git a/‎src/lib/db/queries/user-settings.ts‎
Lines changed: 73 additions & 24 deletions b/‎src/lib/db/queries/user-settings.ts‎
Lines changed: 73 additions & 24 deletions
diff --git a/‎src/lib/utils/providers.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/lib/utils/providers.ts‎
Lines changed: 1 addition & 1 deletion
@@ -326,6 +326,8 @@ curl -X POST "http://localhost:3432/api/stt" \
 Proxies requests to NanoGPT Video Generation API.
 
 **Authentication**: Session
+
+**Note**: You may also supply a direct NanoGPT key via `x-api-key` or `Authorization: Bearer <nanogpt_key>`. The server key is not used for unauthenticated requests.
 
 **Request Body**:
 ```json
@@ -355,6 +357,8 @@ curl -X POST "http://localhost:3432/api/video/generate" \
 Check the status of a video generation task.
 
 **Authentication**: Session
+
+**Note**: You may also supply a direct NanoGPT key via `x-api-key` or `Authorization: Bearer <nanogpt_key>`. The server key is not used for unauthenticated requests.
 
 **Query Parameters**:
 - `runId`: (Required) The run ID returned by the generate endpoint.
@@ -1873,9 +1877,12 @@ Get user settings.
   "theme": "string | null",
   "themePrimaryColor": "string | null",
   "themeAccentColor": "string | null",
+  "karakeepUrl": "string | null",
+  "hasKarakeepApiKey": "boolean",
   ...
 }
 ```
+**Note**: Secret values such as `karakeepApiKey` are never returned by this endpoint.
 
 **CURL Example**:
 ```bash
@@ -1895,13 +1902,16 @@ Update user settings.
   "timezone": "string (optional, IANA timezone)",
   "privacyMode": "boolean (optional)",
   "contextMemoryEnabled": "boolean (optional)",
+  "karakeepUrl": "string | null (optional)",
+  "karakeepApiKey": "string | null (optional, write-only)",
   "theme": "string (optional, theme id or null)",
   "suggestedPromptsEnabled": "boolean (optional)",
   "themePrimaryColor": "string (optional, #RRGGBB)",
   "themeAccentColor": "string (optional, #RRGGBB)",
   ...
 }
 ```
+**Response**: Same as `GET /api/db/user-settings`. Secret values are omitted from responses.
 
 **CURL Example**:
 ```bash
@@ -1916,24 +1926,34 @@ curl -X POST "http://localhost:3432/api/db/user-settings" \
 ### User Provider Keys
 
 #### GET `/api/db/user-keys`
-Get API keys configured by the user for different providers.
+Get provider key status for the current user without returning the underlying secret.
 
 **Authentication**: Session or API Key
 
 **Query Parameters**:
-- `provider`: (Optional) Get key for a specific provider (e.g., "nanogpt", "openai").
+- `provider`: (Optional) Get status for a specific provider (e.g., "nanogpt", "openai").
 
 **Response**:
 ```json
 // Single provider
-"sk-..." 
+{
+  "hasKey": true,
+  "source": "user"
+}
 
 // All providers
 {
-  "nanogpt": "sk-...",
-  "openai": "sk-..."
+  "nanogpt": {
+    "hasKey": true,
+    "source": "server"
+  },
+  "openai": {
+    "hasKey": false,
+    "source": null
+  }
 }
 ```
+**Note**: This endpoint never returns raw or encrypted provider keys.
 
 **CURL Example**:
 ```bash
@@ -1961,9 +1981,10 @@ Set an API key for a provider.
 **Response**:
 ```json
 {
-  "userId": "string",
+  "ok": true,
   "provider": "string",
-  "createdAt": "date"
+  "createdAt": "date",
+  "updatedAt": "date"
 }
 ```
 
 
@@ -4,9 +4,10 @@
  * using local SQLite + Drizzle backend via SvelteKit API routes
  */
 
+import type { Provider } from '$lib/types';
+
 // Re-export types from database schema
 export type {
-	UserSettings,
 	UserKey,
 	UserEnabledModel,
 	UserRule,
@@ -23,13 +24,26 @@ export type {
 	ProjectMember,
 } from '$lib/db/schema';
 
+type DbUserSettings = import('$lib/db/schema').UserSettings;
+
+export type UserSettings = Omit<DbUserSettings, 'karakeepApiKey'> & {
+	hasKarakeepApiKey: boolean;
+};
+
+export type UserKeyStatus = {
+	hasKey: boolean;
+	source: 'user' | 'server' | null;
+};
+
+export type UserKeysByProvider = Record<Provider, UserKeyStatus>;
+
 // Type aliases for backwards compatibility with Convex patterns
 export type Doc<T extends keyof DocTypes> = DocTypes[T];
 export type Id<T extends keyof DocTypes> = string;
 
 interface DocTypes {
-	user_settings: import('$lib/db/schema').UserSettings;
-	user_keys: import('$lib/db/schema').UserKey;
+	user_settings: UserSettings;
+	user_keys: UserKeyStatus;
 	user_enabled_models: import('$lib/db/schema').UserEnabledModel;
 	user_rules: import('$lib/db/schema').UserRule;
 	conversations: import('$lib/db/schema').Conversation;
 
@@ -39,7 +39,7 @@
 	let karakeepMessage = $state('');
 
 	const hasKarakeepConfig = $derived(
-		Boolean(settingsQuery.data?.karakeepUrl && settingsQuery.data?.karakeepApiKey)
+		Boolean(settingsQuery.data?.karakeepUrl && settingsQuery.data?.hasKarakeepApiKey)
 	);
 
 	const popover = new Popover({
 
@@ -4,14 +4,32 @@ import { eq, and } from 'drizzle-orm';
 import type { Provider } from '$lib/types';
 import { encryptApiKey, decryptApiKey, isEncrypted } from '$lib/encryption';
 
+export type UserKeyStatus = {
+	hasKey: boolean;
+	source: 'user' | 'server' | null;
+};
+
+const providers = ['nanogpt', 'huggingface', 'openai', 'anthropic'] as const;
+
+function resolveUserKeyStatus(provider: string, hasUserKey: boolean): UserKeyStatus {
+	if (hasUserKey) {
+		return { hasKey: true, source: 'user' };
+	}
+
+	if (provider === 'nanogpt' && process.env.NANOGPT_API_KEY) {
+		return { hasKey: true, source: 'server' };
+	}
+
+	return { hasKey: false, source: null };
+}
+
 export async function getAllUserKeys(
     userId: string
 ): Promise<Record<Provider, string | undefined>> {
     const allKeys = await db.query.userKeys.findMany({
         where: eq(userKeys.userId, userId),
     });
 
-    const providers = ['nanogpt', 'huggingface', 'openai', 'anthropic'] as const;
     return providers.reduce(
         (acc, key) => {
             acc[key] = allKeys.find((item) => item.provider === key)?.key;
@@ -21,6 +39,36 @@ export async function getAllUserKeys(
     );
 }
 
+export async function getAllUserKeyStatuses(userId: string): Promise<Record<Provider, UserKeyStatus>> {
+	const allKeys = await db.query.userKeys.findMany({
+		where: eq(userKeys.userId, userId),
+		columns: {
+			provider: true,
+			key: true,
+		},
+	});
+
+	return providers.reduce(
+		(acc, provider) => {
+			const hasUserKey = Boolean(allKeys.find((item) => item.provider === provider)?.key);
+			acc[provider] = resolveUserKeyStatus(provider, hasUserKey);
+			return acc;
+		},
+		{} as Record<Provider, UserKeyStatus>
+	);
+}
+
+export async function getUserKeyStatus(userId: string, provider: string): Promise<UserKeyStatus> {
+	const result = await db.query.userKeys.findFirst({
+		where: and(eq(userKeys.userId, userId), eq(userKeys.provider, provider)),
+		columns: {
+			key: true,
+		},
+	});
+
+	return resolveUserKeyStatus(provider, Boolean(result?.key));
+}
+
 export async function getUserKey(userId: string, provider: string): Promise<string | null> {
     const result = await db.query.userKeys.findFirst({
         where: and(eq(userKeys.userId, userId), eq(userKeys.provider, provider)),
 
@@ -1,61 +1,110 @@
 import { db, generateId } from '../index';
 import { userSettings, type UserSettings, type NewUserSettings } from '../schema';
 import { eq } from 'drizzle-orm';
+import { decryptApiKey, encryptApiKey, isEncrypted } from '$lib/encryption';
+
+type UserSettingsUpdate = Partial<
+	Omit<NewUserSettings, 'id' | 'userId' | 'createdAt' | 'updatedAt'>
+>;
+
+export type PublicUserSettings = Omit<UserSettings, 'karakeepApiKey'> & {
+	hasKarakeepApiKey: boolean;
+};
+
+function decryptUserSettingsSecrets(settings: UserSettings): UserSettings {
+	if (!settings.karakeepApiKey) {
+		return settings;
+	}
+
+	return {
+		...settings,
+		karakeepApiKey: isEncrypted(settings.karakeepApiKey)
+			? decryptApiKey(settings.karakeepApiKey)
+			: settings.karakeepApiKey,
+	};
+}
+
+function prepareUserSettingsWrite(data: UserSettingsUpdate): UserSettingsUpdate {
+	if (!('karakeepApiKey' in data)) {
+		return data;
+	}
+
+	const { karakeepApiKey, ...rest } = data;
+
+	return {
+		...rest,
+		karakeepApiKey:
+			typeof karakeepApiKey === 'string' && karakeepApiKey.length > 0
+				? encryptApiKey(karakeepApiKey)
+				: karakeepApiKey,
+	};
+}
+
+export function toPublicUserSettings(settings: UserSettings): PublicUserSettings {
+	const { karakeepApiKey, ...rest } = settings;
+
+	return {
+		...rest,
+		hasKarakeepApiKey: Boolean(karakeepApiKey),
+	};
+}
 
 export async function getUserSettings(userId: string): Promise<UserSettings | null> {
 	const result = await db.query.userSettings.findFirst({
 		where: eq(userSettings.userId, userId),
 	});
-	return result ?? null;
+	return result ? decryptUserSettingsSecrets(result) : null;
 }
 
 export async function createUserSettings(
 	userId: string,
-	data?: Partial<Omit<NewUserSettings, 'id' | 'userId' | 'createdAt' | 'updatedAt'>>
+	data?: UserSettingsUpdate
 ): Promise<UserSettings> {
 	const now = new Date();
+	const preparedData = prepareUserSettingsWrite(data ?? {});
 	const [result] = await db
 		.insert(userSettings)
 		.values({
 			id: generateId(),
 			userId,
-			timezone: data?.timezone ?? 'UTC',
-			privacyMode: data?.privacyMode ?? false,
-			contextMemoryEnabled: data?.contextMemoryEnabled ?? false,
-			persistentMemoryEnabled: data?.persistentMemoryEnabled ?? false,
-			youtubeTranscriptsEnabled: data?.youtubeTranscriptsEnabled ?? false,
-			webScrapingEnabled: data?.webScrapingEnabled ?? false,
-			mcpEnabled: data?.mcpEnabled ?? false,
-			followUpQuestionsEnabled: data?.followUpQuestionsEnabled ?? true,
-			suggestedPromptsEnabled: data?.suggestedPromptsEnabled ?? true,
-				freeMessagesUsed: data?.freeMessagesUsed ?? 0,
-				karakeepUrl: data?.karakeepUrl ?? null,
-				karakeepApiKey: data?.karakeepApiKey ?? null,
-				theme: data?.theme ?? null,
-				themePrimaryColor: data?.themePrimaryColor ?? null,
-				themeAccentColor: data?.themeAccentColor ?? null,
-				titleModelId: data?.titleModelId ?? null,
-				followUpModelId: data?.followUpModelId ?? null,
-				createdAt: now,
+			timezone: preparedData.timezone ?? 'UTC',
+			privacyMode: preparedData.privacyMode ?? false,
+			contextMemoryEnabled: preparedData.contextMemoryEnabled ?? false,
+			persistentMemoryEnabled: preparedData.persistentMemoryEnabled ?? false,
+			youtubeTranscriptsEnabled: preparedData.youtubeTranscriptsEnabled ?? false,
+			webScrapingEnabled: preparedData.webScrapingEnabled ?? false,
+			mcpEnabled: preparedData.mcpEnabled ?? false,
+			followUpQuestionsEnabled: preparedData.followUpQuestionsEnabled ?? true,
+			suggestedPromptsEnabled: preparedData.suggestedPromptsEnabled ?? true,
+			freeMessagesUsed: preparedData.freeMessagesUsed ?? 0,
+			karakeepUrl: preparedData.karakeepUrl ?? null,
+			karakeepApiKey: preparedData.karakeepApiKey ?? null,
+			theme: preparedData.theme ?? null,
+			themePrimaryColor: preparedData.themePrimaryColor ?? null,
+			themeAccentColor: preparedData.themeAccentColor ?? null,
+			titleModelId: preparedData.titleModelId ?? null,
+			followUpModelId: preparedData.followUpModelId ?? null,
+			createdAt: now,
 			updatedAt: now,
 		})
 		.returning();
-	return result!;
+	return decryptUserSettingsSecrets(result!);
 }
 
 export async function updateUserSettings(
 	userId: string,
-	data: Partial<Omit<NewUserSettings, 'id' | 'userId' | 'createdAt' | 'updatedAt'>>
+	data: UserSettingsUpdate
 ): Promise<UserSettings | null> {
+	const preparedData = prepareUserSettingsWrite(data);
 	const [result] = await db
 		.update(userSettings)
 		.set({
-			...data,
+			...preparedData,
 			updatedAt: new Date(),
 		})
 		.where(eq(userSettings.userId, userId))
 		.returning();
-	return result ?? null;
+	return result ? decryptUserSettingsSecrets(result) : null;
 }
 
 export async function incrementFreeMessageCount(userId: string): Promise<void> {
 
@@ -28,7 +28,7 @@ export type NanoGPTConnectionData = {
 };
 
 export const NanoGPT = {
-	getApiKey: async (_key: string): Promise<Result<NanoGPTConnectionData, string>> => {
+	getApiKey: async (): Promise<Result<NanoGPTConnectionData, string>> => {
 		return await ResultAsync.fromPromise(
 			(async () => {
 				const [balanceRes, usageRes] = await Promise.all([