@friggframework/core 2.0.0-next.53 → 2.0.0-next.55

package/CLAUDE.md

@@ -27,7 +27,7 @@ This file provides guidance to Claude Code when working with the Frigg Framework
 `@friggframework/core` is the foundational package of the Frigg Framework, providing:
 
 - **IntegrationBase**: Base class all integrations extend
-- **Database Layer**: Multi-database support (MongoDB, PostgreSQL) with Prisma ORM
+- **Database Layer**: Multi-database support (MongoDB, DocumentDB, PostgreSQL) with Prisma ORM
 - **Encryption**: Transparent field-level encryption with AWS KMS or AES
 - **User Management**: Individual and organizational user support
 - **Module System**: API module loading and credential management
@@ -256,6 +256,7 @@ class MyIntegration extends IntegrationBase {
 - `health-check-repository.js` - Database health monitoring
 - `token-repository.js` - Authentication tokens
 - `websocket-connection-repository.js` - WebSocket connections
+- DocumentDB-enabled adapters mirror the MongoDB APIs but execute raw commands (`$runCommandRaw`, `$aggregateRaw`) for compatibility; encrypted models (e.g., credentials) still delegate reads to Prisma so the encryption extension can decrypt secrets transparently.
 
 **Use Cases**:
 - `check-database-health-use-case.js` - Database health checks

package/application/commands/credential-commands.js

@@ -56,7 +56,7 @@ function createCredentialCommands() {
                 }
 
                 const credentialData = {
-                    identifiers: { user: userId, externalId },
+                    identifiers: { userId, externalId },
                     details: {
                         access_token,
                         authIsValid,

package/application/commands/integration-commands.js

@@ -38,7 +38,7 @@ function mapErrorToResponse(error) {
     };
 }
 
-function createIntegrationCommands({ integrationClass } = {}) {
+function createIntegrationCommands({ integrationClass }) {
     if (!integrationClass) {
         throw new Error('integrationClass is required');
     }

package/application/index.js

@@ -23,7 +23,7 @@ const {
  * const user = await commands.createUser({ username: 'user@example.com' });
  * const credential = await commands.createCredential({ userId: user.id, ... });
  */
-function createFriggCommands({ integrationClass } = {}) {
+function createFriggCommands({ integrationClass }) {
     // All commands use Frigg's default repositories and use cases
     const integrationCommands = createIntegrationCommands({ integrationClass });
 

package/core/create-handler.js

@@ -39,6 +39,18 @@ const createHandler = (optionByName = {}) => {
 
             // Don't leak implementation details to end users.
             if (isUserFacingResponse) {
+                // Allow client-safe errors to pass through with their actual message
+                if (error.isClientSafe === true) {
+                    const statusCode = error.statusCode || 400;
+                    return {
+                        statusCode,
+                        body: JSON.stringify({
+                            error: error.message,
+                        }),
+                    };
+                }
+
+                // Hide other errors with generic message
                 return {
                     statusCode: 500,
                     body: JSON.stringify({

package/credential/repositories/credential-repository-documentdb.js

@@ -0,0 +1,304 @@
+const { prisma } = require('../../database/prisma');
+const {
+    toObjectId,
+    fromObjectId,
+    findOne,
+    insertOne,
+    updateOne,
+    deleteOne,
+} = require('../../database/documentdb-utils');
+const {
+    CredentialRepositoryInterface,
+} = require('./credential-repository-interface');
+const {
+    DocumentDBEncryptionService,
+} = require('../../database/documentdb-encryption-service');
+
+/**
+ * Credential repository for DocumentDB.
+ * Uses DocumentDBEncryptionService for field-level encryption.
+ *
+ * Encrypted fields:
+ * - Credential.data.access_token
+ * - Credential.data.refresh_token
+ * - Credential.data.id_token
+ *
+ * SECURITY CRITICAL: All OAuth credentials must be encrypted at rest.
+ *
+ * @see DocumentDBEncryptionService
+ * @see encryption-schema-registry.js
+ */
+class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
+    constructor() {
+        super();
+        this.prisma = prisma;
+        this.encryptionService = new DocumentDBEncryptionService();
+    }
+
+    async findCredentialById(id) {
+        const objectId = toObjectId(id);
+        if (!objectId) return null;
+        const doc = await findOne(this.prisma, 'Credential', { _id: objectId });
+        if (!doc) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            doc
+        );
+        return this._mapCredentialById(decryptedCredential);
+    }
+
+    async updateAuthenticationStatus(credentialId, authIsValid) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: false, modifiedCount: 0 };
+        const result = await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: { authIsValid, updatedAt: new Date() },
+            }
+        );
+        const modified = result?.nModified ?? result?.n ?? 0;
+        return { acknowledged: true, modifiedCount: modified };
+    }
+
+    async deleteCredentialById(credentialId) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: true, deletedCount: 0 };
+        const result = await deleteOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const deleted = result?.n ?? 0;
+        return { acknowledged: true, deletedCount: deleted };
+    }
+
+    async upsertCredential(credentialDetails) {
+        const { identifiers, details } = credentialDetails;
+        if (!identifiers)
+            throw new Error('identifiers required to upsert credential');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
+        }
+        if (!identifiers.externalId) {
+            throw new Error(
+                'externalId required in identifiers to prevent credential collision. When multiple credentials exist for the same user, both userId and externalId are needed to uniquely identify which credential to update.'
+            );
+        }
+
+        const filter = this._buildIdentifierFilter(identifiers);
+        const existing = await findOne(this.prisma, 'Credential', filter);
+        const now = new Date();
+
+        const { authIsValid, ...oauthData } = details || {};
+
+        if (existing) {
+            const decryptedExisting =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    existing
+                );
+            const mergedData = {
+                ...(decryptedExisting.data || {}),
+                ...oauthData,
+            };
+
+            const updateDocument = {
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
+                data: mergedData,
+                updatedAt: now,
+            };
+
+            const encryptedUpdate = await this.encryptionService.encryptFields(
+                'Credential',
+                { data: updateDocument.data }
+            );
+
+            await updateOne(
+                this.prisma,
+                'Credential',
+                { _id: existing._id },
+                {
+                    $set: {
+                        userId: updateDocument.userId,
+                        externalId: updateDocument.externalId,
+                        authIsValid: updateDocument.authIsValid,
+                        data: encryptedUpdate.data,
+                        updatedAt: updateDocument.updatedAt,
+                    },
+                }
+            );
+
+            const updated = await findOne(this.prisma, 'Credential', {
+                _id: existing._id,
+            });
+            const decryptedCredential =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    updated
+                );
+            return this._mapCredential(decryptedCredential);
+        }
+
+        const plainDocument = {
+            userId: identifiers.userId,
+            externalId: identifiers.externalId,
+            authIsValid: details.authIsValid,
+            data: { ...oauthData },
+            createdAt: now,
+            updatedAt: now,
+        };
+
+        const encryptedDocument = await this.encryptionService.encryptFields(
+            'Credential',
+            plainDocument
+        );
+
+        const insertedId = await insertOne(
+            this.prisma,
+            'Credential',
+            encryptedDocument
+        );
+
+        const created = await findOne(this.prisma, 'Credential', {
+            _id: insertedId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            created
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async findCredential(filter) {
+        const query = this._buildFilter(filter);
+        const credential = await findOne(this.prisma, 'Credential', query);
+        if (!credential) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            credential
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async updateCredential(credentialId, updates) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return null;
+        const existing = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        if (!existing) return null;
+
+        const { authIsValid, ...oauthData } = updates || {};
+
+        const decryptedExisting = await this.encryptionService.decryptFields(
+            'Credential',
+            existing
+        );
+        const mergedData = { ...(decryptedExisting.data || {}), ...oauthData };
+
+        const updateDocument = {
+            userId: existing.userId,
+            externalId: existing.externalId,
+            authIsValid: authIsValid,
+            data: mergedData,
+            updatedAt: new Date(),
+        };
+
+        const encryptedUpdate = await this.encryptionService.encryptFields(
+            'Credential',
+            { data: updateDocument.data }
+        );
+
+        await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: {
+                    userId: updateDocument.userId,
+                    externalId: updateDocument.externalId,
+                    authIsValid: updateDocument.authIsValid,
+                    data: encryptedUpdate.data,
+                    updatedAt: updateDocument.updatedAt,
+                },
+            }
+        );
+
+        const updated = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            updated
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    _buildIdentifierFilter(identifiers) {
+        const filter = {};
+        if (identifiers._id || identifiers.id) {
+            const idObj = toObjectId(identifiers._id || identifiers.id);
+            if (idObj) filter._id = idObj;
+        }
+        if (identifiers.userId) {
+            filter.userId = identifiers.userId;
+        }
+        if (identifiers.externalId !== undefined) {
+            filter.externalId = identifiers.externalId;
+        }
+        return filter;
+    }
+
+    _buildFilter(filter) {
+        const query = {};
+        if (!filter) return query;
+        if (filter.credentialId || filter.id) {
+            const idObj = toObjectId(filter.credentialId || filter.id);
+            if (idObj) query._id = idObj;
+        }
+        if (filter.userId !== undefined) {
+            query.userId = filter.userId;
+        }
+        if (filter.externalId !== undefined) {
+            query.externalId = filter.externalId;
+        }
+        return query;
+    }
+
+    /**
+     * Map credential document to application format
+     * Matches MongoDB repository format
+     * @private
+     */
+    _mapCredential(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+
+    _mapCredentialById(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+}
+
+module.exports = { CredentialRepositoryDocumentDB };

package/credential/repositories/credential-repository-factory.js

@@ -2,6 +2,9 @@ const { CredentialRepositoryMongo } = require('./credential-repository-mongo');
 const {
     CredentialRepositoryPostgres,
 } = require('./credential-repository-postgres');
+const {
+    CredentialRepositoryDocumentDB,
+} = require('./credential-repository-documentdb');
 const config = require('../../database/config');
 
 /**
@@ -32,9 +35,12 @@ function createCredentialRepository() {
         case 'postgresql':
             return new CredentialRepositoryPostgres();
 
+        case 'documentdb':
+            return new CredentialRepositoryDocumentDB();
+
         default:
             throw new Error(
-                `Unsupported database type: ${dbType}. Supported values: 'mongodb', 'postgresql'`
+                `Unsupported database type: ${dbType}. Supported values: 'mongodb', 'documentdb', 'postgresql'`
             );
     }
 }
@@ -44,4 +50,5 @@ module.exports = {
     // Export adapters for direct testing
     CredentialRepositoryMongo,
     CredentialRepositoryPostgres,
+    CredentialRepositoryDocumentDB,
 };

package/credential/repositories/credential-repository-mongo.js

@@ -38,9 +38,7 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
         const data = credential.data || {};
 
         return {
-            _id: credential.id,
             id: credential.id,
-            user: credential.userId,
             userId: credential.userId,
             externalId: credential.externalId,
             authIsValid: credential.authIsValid,
@@ -80,7 +78,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             return { acknowledged: true, deletedCount: 1 };
         } catch (error) {
             if (error.code === 'P2025') {
-                // Record not found
                 return { acknowledged: true, deletedCount: 0 };
             }
             throw error;
@@ -99,49 +96,32 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
         if (!identifiers)
             throw new Error('identifiers required to upsert credential');
 
-        if (!identifiers.user && !identifiers.userId) {
-            throw new Error('user or userId required in identifiers');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
             throw new Error(
                 'externalId required in identifiers to prevent credential collision. ' +
-                'When multiple credentials exist for the same user, both userId and externalId ' +
-                'are needed to uniquely identify which credential to update.'
+                    'When multiple credentials exist for the same user, both userId and externalId ' +
+                    'are needed to uniquely identify which credential to update.'
             );
         }
 
-        // Build where clause from identifiers
         const where = this._convertIdentifiersToWhere(identifiers);
 
-        // Separate schema fields from dynamic OAuth data
-        const {
-            user,
-            userId,
-            externalId,
-            authIsValid,
-            
-            ...oauthData
-        } = details;
-
-        // Find existing credential
+        const { authIsValid, ...oauthData } = details;
+
         const existing = await this.prisma.credential.findFirst({ where });
 
         if (existing) {
-            // Update existing - merge OAuth data into existing data JSON
             const mergedData = { ...(existing.data || {}), ...oauthData };
 
             const updated = await this.prisma.credential.update({
                 where: { id: existing.id },
                 data: {
-                    userId: userId || user || existing.userId,
-                    externalId:
-                        externalId !== undefined
-                            ? externalId
-                            : existing.externalId,
-                    authIsValid:
-                        authIsValid !== undefined
-                            ? authIsValid
-                            : existing.authIsValid,
+                    userId: existing.userId,
+                    externalId: existing.externalId,
+                    authIsValid: authIsValid,
                     data: mergedData,
                 },
             });
@@ -155,13 +135,11 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             };
         }
 
-        // Create new credential
         const created = await this.prisma.credential.create({
             data: {
-                userId: userId || user,
-                externalId,
+                userId: identifiers.userId,
+                externalId: identifiers.externalId,
                 authIsValid: authIsValid,
-                
                 data: oauthData,
             },
         });
@@ -205,7 +183,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             authIsValid: credential.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -219,7 +196,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
      * @returns {Promise<Object|null>} Updated credential object or null if not found
      */
     async updateCredential(credentialId, updates) {
-        // Get existing credential to merge OAuth data
         const existing = await this.prisma.credential.findUnique({
             where: { id: credentialId },
         });
@@ -228,27 +204,16 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Separate schema fields from OAuth data
-        const {
-            user,
-            userId,
-            externalId,
-            authIsValid,
-            
-            ...oauthData
-        } = updates;
-
-        // Merge OAuth data with existing
+        const { authIsValid, ...oauthData } = updates;
+
         const mergedData = { ...(existing.data || {}), ...oauthData };
 
         const updated = await this.prisma.credential.update({
             where: { id: credentialId },
             data: {
-                userId: userId || user || existing.userId,
-                externalId:
-                    externalId !== undefined ? externalId : existing.externalId,
-                authIsValid:
-                    authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
                 data: mergedData,
             },
         });
@@ -262,7 +227,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             authIsValid: updated.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -278,7 +242,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
 
         if (identifiers._id) where.id = identifiers._id;
         if (identifiers.id) where.id = identifiers.id;
-        if (identifiers.user) where.userId = identifiers.user;
         if (identifiers.userId) where.userId = identifiers.userId;
         if (identifiers.externalId) where.externalId = identifiers.externalId;
 
@@ -296,7 +259,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
 
         if (filter.credentialId) where.id = filter.credentialId;
         if (filter.id) where.id = filter.id;
-        if (filter.user) where.userId = filter.user;
         if (filter.userId) where.userId = filter.userId;
         if (filter.externalId) where.externalId = filter.externalId;