Modern Architecture • Agentic Multi-Agent Search • Configurable Providers • Open-Source
TripSage AI is a travel planning platform that combines the power of modern AI agents with rich AI SDK v6 tools and all-in-one travel services.
generateText + Output.object for deterministic parsing and type-safe validation@supabase/ssr), encrypted BYOK secrets in Vault with RLS-gated access"server-only" imports and dynamic execution.nvmrc) with pnpm 11.x (see package.json#packageManager)# Clone the repository
git clone https://github.com/BjornMelin/tripsage-ai.git
cd tripsage-ai
# Activate the project-pinned pnpm and install dependencies
corepack enable
corepack install
pnpm install
cp .env.local.example .env.local # Configure environment
# Start development server (includes API routes)
pnpm dev # Next.js app + API routes (port 3000)
# Frontend access
open http://localhost:3000
Single-runtime, server-first stack optimized for edge deployment:
@supabase/ssr), Realtime channels, Storage buckets# Frontend / API (single app at root)
corepack enable
corepack install
pnpm install
pnpm dev # Next.js dev server (includes API routes)
pnpm type-check
pnpm biome:fix # Format/lint (CI enforces clean diffs)
pnpm test # Vitest
pnpm exec playwright install chromium # one-time browser install (fresh machine)
pnpm test:e2e:chromium # Playwright (Chromium-only; recommended local default)
pnpm test:e2e # Playwright (all configured browsers)
# Supabase tooling (optional)
make supa.link PROJECT_REF=...
make supa.db.push
If pnpm is not already on your PATH, run corepack enable once to install the pnpm shim, or use corepack pnpm ... for one-off commands. The canonical package-manager version lives in package.json#packageManager; corepack install downloads that exact version for this project. Use pnpm ci in CI/CD for clean, frozen installs. pnpm-specific supply-chain settings such as minimumReleaseAge, allowBuilds, trustPolicy, and blockExoticSubdeps live in pnpm-workspace.yaml.
Server-side tracing is registered via src/instrumentation.ts using @vercel/otel. Client-side tracing is initialized via TelemetryProvider (mounted from src/app/layout.tsx) and exports browser spans with OTLP/HTTP.
Local tracing (Collector + Jaeger):
docker compose up -d otel-collector jaeger
open http://localhost:16686
Enable browser tracing (optional):
# Either is accepted (client normalizes to `/v1/traces`)
NEXT_PUBLIC_OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
# or
NEXT_PUBLIC_OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318/v1/traces
# (also accepted)
NEXT_PUBLIC_OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318/v1/traces/
To disable browser tracing in production, leave NEXT_PUBLIC_OTEL_EXPORTER_OTLP_ENDPOINT unset.
Run pnpm biome:fix before committing. CI runs pnpm biome:fix and then checks for a clean working tree with git diff --exit-code, so any formatting changes produced locally will fail CI if not committed.
tripsage-ai/
├── src/ # Next.js 16 + AI SDK v6 source code
├── public/ # Static assets
├── e2e/ # Playwright E2E tests
├── supabase/ # Supabase migrations/config
├── docker/ # OTEL/Jaeger compose
├── .github/ # CI/CD
├── package.json # Node.js dependencies
└── Makefile # Supabase ops shortcuts
convertToModelMessages, streamText, toUIMessageStreamResponse, and Zod v4 validation.@supabase/ssr only; no auth-helpers.Redis.fromEnv, QStash SDK).console.log in server code.Production deploys use the Vercel CLI workflow in docs/runbooks/deployment-vercel.md:
pnpm deploy:check-env
vercel pull --yes --environment=production
vercel build --prod
vercel deploy --prebuilt --prod --skip-domain --archive=tgz --yes
pnpm deploy:smoke -- --url "$DEPLOYMENT_URL"
vercel promote "$DEPLOYMENT_URL" --yes --timeout=5m
Docker compose files in docker/ are local observability/dev helpers, not the
production deploy authority.
scripts/verify-production-env.mjs is the deploy-time source of truth. It
validates core app origins, Supabase SSR/Vault, Upstash Redis/QStash, security
secrets, BYOK health checks, and feature-aware provider groups for Stripe,
Resend, Amadeus, Duffel, Expedia, analytics, and AI providers.
For local setup, start from .env.local.example. For production, run
pnpm deploy:check-env before vercel build.
GET /api/health # Public runtime health
POST /api/chat # AI SDK v6 UI message stream
POST /api/flights/search # Flight search
GET /api/trips/suggestions # AI-powered trip suggestions
POST /api/keys/validate # BYOK provider validation
GET /api/health/byok # Operator-only BYOK health probe
The authoritative route catalog is docs/api/api-reference.md. Trip CRUD, collaboration, and itinerary mutations use Server Actions rather than internal REST routes.
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!)
// authorize realtime with access token via RealtimeAuthProvider in app
const channel = supabase.channel(`user:${userId}`, { config: { private: true } })
channel.on('broadcast', { event: 'chat:message' }, ({ payload }) => console.log(payload))
channel.subscribe()
We welcome contributions! See the Development Guide for the full workflow, code standards, and testing details.
TripSage AI is optimized for high performance and global scalability:
# Performance testing via load testing tools
pnpm test --grep performance
# Or use external load testing
autocannon -c 100 -d 30 http://localhost:3000/api/health
Zero-trust architecture with defense-in-depth security:
"server-only" and run with dynamic = "force-dynamic" to ensure secrets processed per-requestpnpm deps:audit and pnpm audit --audit-level high, with pnpm audit available for local/manual checks# Security verification (ensure no hardcoded secrets)
git grep -i "fallback-secret\|development-only" . # Should return empty
# Dependency audit
pnpm audit
# Run security-focused tests
pnpm test --grep security
/api/keys/validate verifies BYOK provider keys
server-side without exposing secret material./api/health/byok uses BYOK_HEALTHCHECK_KEY and
reports provider readiness without returning Vault values.pnpm deploy:smoke -- --url "$DEPLOYMENT_URL"
checks health, security headers, auth guards, BYOK health when configured,
and QStash-protected jobs before promotion.This project is licensed under the MIT License - see the LICENSE file for details.
Built by Bjorn Melin as an exploration of AI-driven travel planning.
$ claude mcp add tripsage-ai \
-- python -m otcore.mcp_server <graph>