@friggframework/core 2.0.0-next.56 → 2.0.0-next.57

package/credential/repositories/credential-repository-documentdb.js

@@ -106,7 +106,7 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
             const updateDocument = {
                 userId: existing.userId,
                 externalId: existing.externalId,
-                authIsValid: authIsValid,
+                authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
                 data: mergedData,
                 updatedAt: now,
             };
@@ -143,7 +143,7 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
         }
 
         const plainDocument = {
-            userId: identifiers.userId,
+            userId: toObjectId(identifiers.userId),
             externalId: identifiers.externalId,
             authIsValid: details.authIsValid,
             data: { ...oauthData },
@@ -245,7 +245,7 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
             if (idObj) filter._id = idObj;
         }
         if (identifiers.userId) {
-            filter.userId = identifiers.userId;
+            filter.userId = toObjectId(identifiers.userId);
         }
         if (identifiers.externalId !== undefined) {
             filter.externalId = identifiers.externalId;

package/credential/repositories/credential-repository-mongo.js

@@ -121,7 +121,7 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
                 data: {
                     userId: existing.userId,
                     externalId: existing.externalId,
-                    authIsValid: authIsValid,
+                    authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
                     data: mergedData,
                 },
             });

package/credential/repositories/credential-repository-postgres.js

@@ -111,7 +111,8 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         if (!identifiers)
             throw new Error('identifiers required to upsert credential');
 
-        if (!identifiers.userId) {
+        // Support both userId (preferred) and user (legacy) for backward compatibility
+        if (!identifiers.userId && !identifiers.user) {
             throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
@@ -138,7 +139,7 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
                 data: {
                     userId: this._convertId(existing.userId),
                     externalId: existing.externalId,
-                    authIsValid: authIsValid,
+                    authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
                     data: mergedData,
                 },
             });
@@ -154,7 +155,8 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
         const created = await this.prisma.credential.create({
             data: {
-                userId: this._convertId(identifiers.userId),
+                // Use userId from where clause (supports both userId and user fields)
+                userId: where.userId,
                 externalId,
                 authIsValid: authIsValid,
                 data: oauthData,
@@ -257,8 +259,11 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         const where = {};
 
         if (identifiers.id) where.id = this._convertId(identifiers.id);
+        // Support both userId (preferred) and user (legacy) for backward compatibility
         if (identifiers.userId)
             where.userId = this._convertId(identifiers.userId);
+        else if (identifiers.user)
+            where.userId = this._convertId(identifiers.user);
         if (identifiers.externalId) where.externalId = identifiers.externalId;
 
         return where;

package/database/index.js

@@ -12,13 +12,14 @@
  * etc.
  */
 
-const { mongoose } = require('./mongoose');
-const { IndividualUser } = require('./models/IndividualUser');
-const { OrganizationUser } = require('./models/OrganizationUser');
-const { UserModel } = require('./models/UserModel');
-const { WebsocketConnection } = require('./models/WebsocketConnection');
+// Lazy-load mongoose to avoid importing mongodb when using PostgreSQL only
+let _mongoose = null;
+let _IndividualUser = null;
+let _OrganizationUser = null;
+let _UserModel = null;
+let _WebsocketConnection = null;
 
-// Prisma exports
+// Prisma exports (always available)
 const { prisma } = require('./prisma');
 const { TokenRepository } = require('../token/repositories/token-repository');
 const {
@@ -26,12 +27,38 @@ const {
 } = require('../websocket/repositories/websocket-connection-repository');
 
 module.exports = {
-    mongoose,
-    IndividualUser,
-    OrganizationUser,
-    UserModel,
-    WebsocketConnection,
-    // Prisma
+    // Lazy-loaded mongoose exports (only load when accessed)
+    get mongoose() {
+        if (!_mongoose) {
+            _mongoose = require('./mongoose').mongoose;
+        }
+        return _mongoose;
+    },
+    get IndividualUser() {
+        if (!_IndividualUser) {
+            _IndividualUser = require('./models/IndividualUser').IndividualUser;
+        }
+        return _IndividualUser;
+    },
+    get OrganizationUser() {
+        if (!_OrganizationUser) {
+            _OrganizationUser = require('./models/OrganizationUser').OrganizationUser;
+        }
+        return _OrganizationUser;
+    },
+    get UserModel() {
+        if (!_UserModel) {
+            _UserModel = require('./models/UserModel').UserModel;
+        }
+        return _UserModel;
+    },
+    get WebsocketConnection() {
+        if (!_WebsocketConnection) {
+            _WebsocketConnection = require('./models/WebsocketConnection').WebsocketConnection;
+        }
+        return _WebsocketConnection;
+    },
+    // Prisma (always available)
     prisma,
     TokenRepository,
     WebsocketConnectionRepository,

package/database/utils/prisma-runner.js

@@ -373,6 +373,76 @@ async function runPrismaDbPush(verbose = false, nonInteractive = false) {
     });
 }
 
+/**
+ * Runs Prisma migrate resolve to mark a migration as applied or rolled back
+ * @param {string} migrationName - Name of the migration to resolve (e.g., '20251112195422_update_user_unique_constraints')
+ * @param {'applied'|'rolled-back'} action - Whether to mark as applied or rolled back
+ * @param {boolean} verbose - Enable verbose output
+ * @returns {Promise<Object>} { success: boolean, output?: string, error?: string }
+ */
+async function runPrismaMigrateResolve(migrationName, action = 'applied', verbose = false) {
+    return new Promise((resolve) => {
+        try {
+            const schemaPath = getPrismaSchemaPath('postgresql');
+
+            // Get Prisma binary path (checks multiple locations)
+            const prismaBin = getPrismaBinaryPath();
+
+            // Determine args based on whether we're using direct binary or npx
+            const isDirectBinary = prismaBin !== 'npx prisma';
+            const args = isDirectBinary
+                ? ['migrate', 'resolve', `--${action}`, migrationName, '--schema', schemaPath]
+                : ['prisma', 'migrate', 'resolve', `--${action}`, migrationName, '--schema', schemaPath];
+
+            if (verbose) {
+                const displayCmd = isDirectBinary
+                    ? `${prismaBin} ${args.join(' ')}`
+                    : `npx ${args.join(' ')}`;
+                console.log(chalk.gray(`Running: ${displayCmd}`));
+            }
+
+            // Execute the command (prismaBin might be 'node /path/to/index.js' or 'npx prisma')
+            const [executable, ...executableArgs] = prismaBin.split(' ');
+            const fullArgs = [...executableArgs, ...args];
+
+            const proc = spawn(executable, fullArgs, {
+                stdio: 'inherit',
+                env: {
+                    ...process.env,
+                    PRISMA_HIDE_UPDATE_MESSAGE: '1'
+                }
+            });
+
+            proc.on('error', (error) => {
+                resolve({
+                    success: false,
+                    error: error.message
+                });
+            });
+
+            proc.on('close', (code) => {
+                if (code === 0) {
+                    resolve({
+                        success: true,
+                        output: `Migration ${migrationName} marked as ${action}`
+                    });
+                } else {
+                    resolve({
+                        success: false,
+                        error: `Resolve process exited with code ${code}`
+                    });
+                }
+            });
+
+        } catch (error) {
+            resolve({
+                success: false,
+                error: error.message
+            });
+        }
+    });
+}
+
 /**
  * Determines migration command based on STAGE environment variable
  * @param {string} stage - Stage from CLI option or environment
@@ -401,6 +471,7 @@ module.exports = {
     runPrismaGenerate,
     checkDatabaseState,
     runPrismaMigrate,
+    runPrismaMigrateResolve,
     runPrismaDbPush,
     getMigrationCommand
 };

package/handlers/backend-utils.js

@@ -92,13 +92,16 @@ const loadIntegrationForWebhook = async (integrationId) => {
         integrationId
     );
 
-    return await getIntegrationInstance.execute(
+    const instance = await getIntegrationInstance.execute(
         integrationId,
         integrationRecord.userId
     );
+
+    return instance;
 };
 
 const loadIntegrationForProcess = async (processId, integrationClass) => {
+
     const { processRepository, integrationRepository, moduleRepository } =
         initializeRepositories();
 
@@ -122,10 +125,12 @@ const loadIntegrationForProcess = async (processId, integrationClass) => {
         throw new Error(`Process not found: ${processId}`);
     }
 
-    return await getIntegrationInstance.execute(
+    const instance = await getIntegrationInstance.execute(
         process.integrationId,
         process.userId
     );
+
+    return instance;
 };
 
 const createQueueWorker = (integrationClass) => {
@@ -133,18 +138,19 @@ const createQueueWorker = (integrationClass) => {
         async _run(params, context) {
             try {
                 let integrationInstance;
-                if (
-                    params.event === 'ON_WEBHOOK' &&
-                    params.data?.integrationId
-                ) {
-                    integrationInstance = await loadIntegrationForWebhook(
-                        params.data.integrationId
-                    );
-                } else if (params.data?.processId) {
+
+                // Prioritize processId first (for sync handler compatibility),
+                // then integrationId (for ANY event type that needs hydration),
+                // fallback to unhydrated instance
+                if (params.data?.processId) {
                     integrationInstance = await loadIntegrationForProcess(
                         params.data.processId,
                         integrationClass
                     );
+                } else if (params.data?.integrationId) {
+                    integrationInstance = await loadIntegrationForWebhook(
+                        params.data.integrationId
+                    );
                 } else {
                     // Instantiates a DRY integration class without database records.
                     // There will be cases where we need to use helpers that the api modules can export.

package/handlers/routers/db-migration.js

@@ -235,6 +235,77 @@ router.get(
     })
 );
 
+/**
+ * POST /db-migrate/resolve
+ *
+ * Resolve a failed migration by marking it as applied or rolled back
+ *
+ * Request body:
+ * {
+ *   migrationName: string (e.g., '20251112195422_update_user_unique_constraints'),
+ *   action: 'applied' | 'rolled-back',
+ *   stage: string (optional, defaults to STAGE env var or 'production')
+ * }
+ *
+ * Response (200 OK):
+ * {
+ *   success: true,
+ *   message: string,
+ *   migrationName: string,
+ *   action: string
+ * }
+ */
+router.post(
+    '/db-migrate/resolve',
+    catchAsyncError(async (req, res) => {
+        const { migrationName, action = 'applied' } = req.body;
+
+        console.log(`Migration resolve request: migration=${migrationName}, action=${action}`);
+
+        // Validation
+        if (!migrationName) {
+            return res.status(400).json({
+                success: false,
+                error: 'migrationName is required'
+            });
+        }
+
+        if (!['applied', 'rolled-back'].includes(action)) {
+            return res.status(400).json({
+                success: false,
+                error: 'action must be either "applied" or "rolled-back"'
+            });
+        }
+
+        try {
+            // Import prismaRunner here to avoid circular dependencies
+            const prismaRunner = require('../../database/utils/prisma-runner');
+
+            const result = await prismaRunner.runPrismaMigrateResolve(migrationName, action, true);
+
+            if (!result.success) {
+                return res.status(500).json({
+                    success: false,
+                    error: `Failed to resolve migration: ${result.error}`
+                });
+            }
+
+            res.status(200).json({
+                success: true,
+                message: `Migration ${migrationName} marked as ${action}`,
+                migrationName,
+                action
+            });
+        } catch (error) {
+            console.error('Migration resolve failed:', error);
+            return res.status(500).json({
+                success: false,
+                error: error.message
+            });
+        }
+    })
+);
+
 // Minimal Lambda handler (avoids app-handler-helpers which loads core/index.js → user/**)
 const serverlessHttp = require('serverless-http');
 const express = require('express');
@@ -244,7 +315,7 @@ const app = express();
 app.use(cors());
 app.use(express.json());
 app.use(router);
-app.use((err, req, res, next) => {
+app.use((err, _req, res, _next) => {
     console.error('Migration Router Error:', err);
     res.status(500).json({ message: 'Internal Server Error' });
 });

package/integrations/integration-base.js

@@ -203,22 +203,53 @@ class IntegrationBase {
 
     /**
      * Returns the modules as object with keys as module names.
+     * Uses the keys from Definition.modules to attach modules correctly.
+     * 
+     * Example:
+     *   Definition.modules = { attio: {...}, quo: { definition: { getName: () => 'quo-attio' } } }
+     *   Module with getName()='quo-attio' gets attached as this.quo (not this['quo-attio'])
+     * 
      * @private
      * @param {Array} integrationModules - Array of module instances
      * @returns {Object} The modules object
      */
     _appendModules(integrationModules) {
         const modules = {};
+
+        // Build reverse mapping: definition.getName() → referenceKey
+        // e.g., 'quo-attio' → 'quo', 'attio' → 'attio'
+        const moduleNameToKey = {};
+        if (this.constructor.Definition?.modules) {
+            for (const [key, moduleConfig] of Object.entries(this.constructor.Definition.modules)) {
+                const definition = moduleConfig.definition;
+                if (definition) {
+                    // Use getName() if available, fallback to moduleName
+                    const definitionName = typeof definition.getName === 'function'
+                        ? definition.getName()
+                        : definition.moduleName;
+                    if (definitionName) {
+                        moduleNameToKey[definitionName] = key;
+                    }
+                }
+            }
+        }
+
         for (const module of integrationModules) {
-            const key =
+            const moduleName =
                 typeof module.getName === 'function'
                     ? module.getName()
                     : module.name;
+
+            // Use the reference key from Definition.modules if available,
+            // otherwise fall back to moduleName
+            const key = moduleNameToKey[moduleName] || moduleName;
+
             if (key) {
                 modules[key] = module;
                 this[key] = module;
             }
         }
+
         return modules;
     }
 
@@ -333,7 +364,6 @@ class IntegrationBase {
         return {};
     }
     async loadUserActions({ actionType } = {}) {
-        console.log('loadUserActions called with actionType:', actionType);
         const userActions = {};
         for (const [key, event] of Object.entries(this.events)) {
             if (event.type === constantsToBeMigrated.types.USER_ACTION) {
@@ -389,7 +419,6 @@ class IntegrationBase {
 
     async onWebhook({ data }) {
         // Default: no-op, integrations override this
-        console.log('Webhook received:', data);
     }
 
     async queueWebhook(data) {

package/integrations/integration-router.js

@@ -601,11 +601,10 @@ function setEntityRoutes(router, authenticateUser, useCases) {
     router.route('/api/entities/:entityId/test-auth').get(
         catchAsyncError(async (req, res) => {
             const user = await authenticateUser.execute(req);
-            const userId = user.getId();
             const params = checkRequiredParams(req.params, ['entityId']);
             const testAuthResponse = await testModuleAuth.execute(
                 params.entityId,
-                userId
+                user // Pass User object for proper validation
             );
 
             if (!testAuthResponse) {
@@ -614,7 +613,7 @@ function setEntityRoutes(router, authenticateUser, useCases) {
                     errors: [
                         {
                             title: 'Authentication Error',
-                            message: `There was an error with your ${module.getName()} Entity.  Please reconnect/re-authenticate, or reach out to Support for assistance.`,
+                            message: `There was an error with your Entity. Please reconnect/re-authenticate, or reach out to Support for assistance.`,
                             timestamp: Date.now(),
                         },
                     ],
@@ -628,9 +627,8 @@ function setEntityRoutes(router, authenticateUser, useCases) {
     router.route('/api/entities/:entityId').get(
         catchAsyncError(async (req, res) => {
             const user = await authenticateUser.execute(req);
-            const userId = user.getId();
             const params = checkRequiredParams(req.params, ['entityId']);
-            const module = await getModule.execute(params.entityId, userId);
+            const module = await getModule.execute(params.entityId, user); // Pass User object
 
             res.json(module);
         })
@@ -639,12 +637,11 @@ function setEntityRoutes(router, authenticateUser, useCases) {
     router.route('/api/entities/:entityId/options').post(
         catchAsyncError(async (req, res) => {
             const user = await authenticateUser.execute(req);
-            const userId = user.getId();
             const params = checkRequiredParams(req.params, ['entityId']);
 
             const entityOptions = await getEntityOptionsById.execute(
                 params.entityId,
-                userId
+                user // Pass User object
             );
 
             res.json(entityOptions);
@@ -654,11 +651,10 @@ function setEntityRoutes(router, authenticateUser, useCases) {
     router.route('/api/entities/:entityId/options/refresh').post(
         catchAsyncError(async (req, res) => {
             const user = await authenticateUser.execute(req);
-            const userId = user.getId();
             const params = checkRequiredParams(req.params, ['entityId']);
             const updatedOptions = await refreshEntityOptions.execute(
                 params.entityId,
-                userId,
+                user, // Pass User object
                 req.body
             );
 

package/modules/use-cases/get-entity-options-by-id.js

@@ -12,11 +12,18 @@ class GetEntityOptionsById {
     }
 
     /**
-     * Retrieve a Module instance for a given user and entity/module type.
-     * @param {string} userId
-     * @param {string} entityId
+     * Retrieve entity options for a given entity
+     *
+     * @param {string|number} entityId - Entity ID to retrieve options for
+     * @param {string|number|import('../../user/user').User} userIdOrUser - User ID or User object for validation
+     * @returns {Promise<Object>} Entity options
      */
-    async execute(entityId, userId) {
+    async execute(entityId, userIdOrUser) {
+        // Support both userId (backward compatible) and User object (new pattern)
+        const userId = typeof userIdOrUser === 'object' && userIdOrUser?.getId
+            ? userIdOrUser.getId()
+            : userIdOrUser;
+
         const entity = await this.moduleRepository.findEntityById(
             entityId,
             userId
@@ -26,7 +33,12 @@ class GetEntityOptionsById {
             throw new Error(`Entity ${entityId} not found`);
         }
 
-        if (entity.userId !== userId) {
+        // Validate entity ownership
+        const isOwned = typeof userIdOrUser === 'object' && userIdOrUser?.ownsUserId
+            ? userIdOrUser.ownsUserId(entity.userId)
+            : entity.userId?.toString() === userId?.toString();
+
+        if (!isOwned) {
             throw new Error(
                 `Entity ${entityId} does not belong to user ${userId}`
             );

package/modules/use-cases/get-module.js

@@ -6,7 +6,19 @@ class GetModule {
         this.moduleDefinitions = moduleDefinitions;
     }
 
-    async execute(entityId, userId) {
+    /**
+     * Get module instance for an entity
+     *
+     * @param {string|number} entityId - Entity ID to retrieve
+     * @param {string|number|import('../../user/user').User} userIdOrUser - User ID or User object for validation
+     * @returns {Promise<Object>} Module details
+     */
+    async execute(entityId, userIdOrUser) {
+        // Support both userId (backward compatible) and User object (new pattern)
+        const userId = typeof userIdOrUser === 'object' && userIdOrUser?.getId
+            ? userIdOrUser.getId()
+            : userIdOrUser;
+
         const entity = await this.moduleRepository.findEntityById(
             entityId,
             userId
@@ -16,7 +28,14 @@ class GetModule {
             throw new Error(`Entity ${entityId} not found`);
         }
 
-        if (entity.userId !== userId) {
+        // Validate entity ownership
+        // If User object provided, use ownsUserId to check linked users
+        // Otherwise fall back to simple equality check
+        const isOwned = typeof userIdOrUser === 'object' && userIdOrUser?.ownsUserId
+            ? userIdOrUser.ownsUserId(entity.userId)
+            : entity.userId?.toString() === userId?.toString();
+
+        if (!isOwned) {
             throw new Error(
                 `Entity ${entityId} does not belong to user ${userId}`
             );

package/modules/use-cases/process-authorization-callback.js

@@ -100,9 +100,20 @@ class ProcessAuthorizationCallback {
     async findOrCreateEntity(entityDetails, moduleName, credentialId) {
         const { identifiers, details } = entityDetails;
 
+        // Support both 'user' and 'userId' field names from module definitions
+        // Some modules use 'user' (legacy), others use 'userId' (newer pattern)
+        const userId = identifiers.user || identifiers.userId;
+
+        if (!userId) {
+            throw new Error(
+                `Module definition for ${moduleName} must return 'user' or 'userId' in identifiers from getEntityDetails(). ` +
+                    `Without userId, entity lookup would match across all users (security issue).`
+            );
+        }
+
         const existingEntity = await this.moduleRepository.findEntity({
             externalId: identifiers.externalId,
-            user: identifiers.user,
+            user: userId,
             moduleName: moduleName,
         });
 

package/modules/use-cases/refresh-entity-options.js

@@ -12,11 +12,19 @@ class RefreshEntityOptions {
     }
 
     /**
-     * Retrieve a Module instance for a given user and entity/module type.
-     * @param {string} userId
-     * @param {string} entityId
+     * Refresh entity options for a given entity
+     *
+     * @param {string|number} entityId - Entity ID to refresh
+     * @param {string|number|import('../../user/user').User} userIdOrUser - User ID or User object for validation
+     * @param {Object} options - Refresh options
+     * @returns {Promise<Object>} Updated entity options
      */
-    async execute(entityId, userId, options) {
+    async execute(entityId, userIdOrUser, options) {
+        // Support both userId (backward compatible) and User object (new pattern)
+        const userId = typeof userIdOrUser === 'object' && userIdOrUser?.getId
+            ? userIdOrUser.getId()
+            : userIdOrUser;
+
         const entity = await this.moduleRepository.findEntityById(
             entityId,
             userId
@@ -26,7 +34,12 @@ class RefreshEntityOptions {
             throw new Error(`Entity ${entityId} not found`);
         }
 
-        if (entity.userId !== userId) {
+        // Validate entity ownership
+        const isOwned = typeof userIdOrUser === 'object' && userIdOrUser?.ownsUserId
+            ? userIdOrUser.ownsUserId(entity.userId)
+            : entity.userId?.toString() === userId?.toString();
+
+        if (!isOwned) {
             throw new Error(
                 `Entity ${entityId} does not belong to user ${userId}`
             );

package/modules/use-cases/test-module-auth.js

@@ -11,7 +11,19 @@ class TestModuleAuth {
         this.moduleDefinitions = moduleDefinitions;
     }
 
-    async execute(entityId, userId) {
+    /**
+     * Test authentication for a module entity
+     *
+     * @param {string|number} entityId - Entity ID to test
+     * @param {string|number|import('../../user/user').User} userIdOrUser - User ID or User object for validation
+     * @returns {Promise<boolean>} Authentication test result
+     */
+    async execute(entityId, userIdOrUser) {
+        // Support both userId (backward compatible) and User object (new pattern)
+        const userId = typeof userIdOrUser === 'object' && userIdOrUser?.getId
+            ? userIdOrUser.getId()
+            : userIdOrUser;
+
         const entity = await this.moduleRepository.findEntityById(
             entityId,
             userId
@@ -21,7 +33,12 @@ class TestModuleAuth {
             throw new Error(`Entity ${entityId} not found`);
         }
 
-        if (entity.userId !== userId) {
+        // Validate entity ownership
+        const isOwned = typeof userIdOrUser === 'object' && userIdOrUser?.ownsUserId
+            ? userIdOrUser.ownsUserId(entity.userId)
+            : entity.userId?.toString() === userId?.toString();
+
+        if (!isOwned) {
             throw new Error(
                 `Entity ${entityId} does not belong to user ${userId}`
             );

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@friggframework/core",
     "prettier": "@friggframework/prettier-config",
-    "version": "2.0.0-next.56",
+    "version": "2.0.0-next.57",
     "dependencies": {
         "@aws-sdk/client-apigatewaymanagementapi": "^3.588.0",
         "@aws-sdk/client-kms": "^3.588.0",
@@ -38,9 +38,9 @@
         }
     },
     "devDependencies": {
-        "@friggframework/eslint-config": "2.0.0-next.56",
-        "@friggframework/prettier-config": "2.0.0-next.56",
-        "@friggframework/test": "2.0.0-next.56",
+        "@friggframework/eslint-config": "2.0.0-next.57",
+        "@friggframework/prettier-config": "2.0.0-next.57",
+        "@friggframework/test": "2.0.0-next.57",
         "@prisma/client": "^6.17.0",
         "@types/lodash": "4.17.15",
         "@typescript-eslint/eslint-plugin": "^8.0.0",
@@ -80,5 +80,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "5551318d5c45913810a6b03a5ea19c72b5c4cb2f"
+    "gitHead": "d09ee09decef14a8cdbf657494ac0dc9bf0b4014"
 }

package/prisma-postgresql/migrations/20251112195422_update_user_unique_constraints/migration.sql

@@ -21,49 +21,5 @@ ALTER TABLE "Credential" DROP COLUMN "subType";
 -- AlterTable
 ALTER TABLE "Entity" DROP COLUMN "subType";
 
--- CreateTable
-CREATE TABLE "Process" (
-    "id" SERIAL NOT NULL,
-    "userId" INTEGER NOT NULL,
-    "integrationId" INTEGER NOT NULL,
-    "name" TEXT NOT NULL,
-    "type" TEXT NOT NULL,
-    "state" TEXT NOT NULL,
-    "context" JSONB NOT NULL DEFAULT '{}',
-    "results" JSONB NOT NULL DEFAULT '{}',
-    "parentProcessId" INTEGER,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "Process_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE INDEX "Process_userId_idx" ON "Process"("userId");
-
--- CreateIndex
-CREATE INDEX "Process_integrationId_idx" ON "Process"("integrationId");
-
--- CreateIndex
-CREATE INDEX "Process_type_idx" ON "Process"("type");
-
--- CreateIndex
-CREATE INDEX "Process_state_idx" ON "Process"("state");
-
--- CreateIndex
-CREATE INDEX "Process_name_idx" ON "Process"("name");
-
--- CreateIndex
-CREATE INDEX "Process_parentProcessId_idx" ON "Process"("parentProcessId");
-
 -- CreateIndex
 CREATE UNIQUE INDEX "User_username_appUserId_key" ON "User"("username", "appUserId");
-
--- AddForeignKey
-ALTER TABLE "Process" ADD CONSTRAINT "Process_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "Process" ADD CONSTRAINT "Process_integrationId_fkey" FOREIGN KEY ("integrationId") REFERENCES "Integration"("id") ON DELETE CASCADE ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "Process" ADD CONSTRAINT "Process_parentProcessId_fkey" FOREIGN KEY ("parentProcessId") REFERENCES "Process"("id") ON DELETE SET NULL ON UPDATE CASCADE;

package/queues/queuer-util.js

@@ -4,7 +4,6 @@ const { SQSClient, SendMessageCommand, SendMessageBatchCommand } = require('@aws
 const awsConfigOptions = () => {
     const config = {};
     if (process.env.IS_OFFLINE) {
-        console.log('Running in offline mode');
         config.credentials = {
             accessKeyId: 'test-aws-key',
             secretAccessKey: 'test-aws-secret',
@@ -21,7 +20,6 @@ const sqs = new SQSClient(awsConfigOptions());
 
 const QueuerUtil = {
     send: async (message, queueUrl) => {
-        console.log(`Enqueuing message to SQS queue ${queueUrl}`);
         const command = new SendMessageCommand({
             MessageBody: JSON.stringify(message),
             QueueUrl: queueUrl,
@@ -30,9 +28,6 @@ const QueuerUtil = {
     },
 
     batchSend: async (entries = [], queueUrl) => {
-        console.log(
-            `Enqueuing ${entries.length} entries on SQS to queue ${queueUrl}`
-        );
         const buffer = [];
         const batchSize = 10;
 
@@ -43,7 +38,6 @@ const QueuerUtil = {
             });
             // Sends 10, then purges the buffer
             if (buffer.length === batchSize) {
-                console.log('Buffer at 10, sending batch');
                 const command = new SendMessageBatchCommand({
                     Entries: buffer,
                     QueueUrl: queueUrl,
@@ -53,11 +47,9 @@ const QueuerUtil = {
                 buffer.splice(0, buffer.length);
             }
         }
-        console.log('Buffer at end, sending final batch');
 
         // If any remaining entries under 10 are left in the buffer, send and return
         if (buffer.length > 0) {
-            console.log(buffer);
             const command = new SendMessageBatchCommand({
                 Entries: buffer,
                 QueueUrl: queueUrl,

package/user/repositories/user-repository-documentdb.js

@@ -427,6 +427,26 @@ class UserRepositoryDocumentDB extends UserRepositoryInterface {
         const date = new Date(value);
         return isNaN(date.getTime()) ? undefined : date;
     }
+
+    /**
+     * Link an individual user to an organization user
+     * @param {string} individualUserId - Individual user ID (MongoDB ObjectId string)
+     * @param {string} organizationUserId - Organization user ID (MongoDB ObjectId string)
+     * @returns {Promise<Object>} Updated individual user object
+     */
+    async linkIndividualToOrganization(individualUserId, organizationUserId) {
+        const doc = await updateOne(
+            this.prisma,
+            'User',
+            { _id: toObjectId(individualUserId), type: 'INDIVIDUAL' },
+            { $set: { organizationId: toObjectId(organizationUserId) } }
+        );
+        const decrypted = await this.encryptionService.decryptFields(
+            'User',
+            doc
+        );
+        return this._mapUser(decrypted);
+    }
 }
 
 module.exports = { UserRepositoryDocumentDB };

package/user/repositories/user-repository-interface.js

@@ -193,6 +193,20 @@ class UserRepositoryInterface {
     async deleteUser(userId) {
         throw new Error('Method deleteUser must be implemented by subclass');
     }
+
+    /**
+     * Link an individual user to an organization user
+     *
+     * @param {string|number} individualUserId - Individual user ID
+     * @param {string|number} organizationUserId - Organization user ID
+     * @returns {Promise<Object>} Updated individual user object
+     * @abstract
+     */
+    async linkIndividualToOrganization(individualUserId, organizationUserId) {
+        throw new Error(
+            'Method linkIndividualToOrganization must be implemented by subclass'
+        );
+    }
 }
 
 module.exports = { UserRepositoryInterface };

package/user/repositories/user-repository-mongo.js

@@ -287,6 +287,24 @@ class UserRepositoryMongo extends UserRepositoryInterface {
             throw error;
         }
     }
+
+    /**
+     * Link an individual user to an organization user
+     * @param {string} individualUserId - Individual user ID (MongoDB ObjectId string)
+     * @param {string} organizationUserId - Organization user ID (MongoDB ObjectId string)
+     * @returns {Promise<Object>} Updated individual user object
+     */
+    async linkIndividualToOrganization(individualUserId, organizationUserId) {
+        return await this.prisma.user.update({
+            where: {
+                id: individualUserId,
+                type: 'INDIVIDUAL',
+            },
+            data: {
+                organizationId: organizationUserId,
+            },
+        });
+    }
 }
 
 module.exports = { UserRepositoryMongo };

package/user/repositories/user-repository-postgres.js

@@ -346,6 +346,28 @@ class UserRepositoryPostgres extends UserRepositoryInterface {
             throw error;
         }
     }
+
+    /**
+     * Link an individual user to an organization user
+     * @param {string} individualUserId - Individual user ID (string from application layer)
+     * @param {string} organizationUserId - Organization user ID (string from application layer)
+     * @returns {Promise<Object>} Updated individual user with string IDs
+     */
+    async linkIndividualToOrganization(individualUserId, organizationUserId) {
+        const intIndividualId = this._convertId(individualUserId);
+        const intOrganizationId = this._convertId(organizationUserId);
+
+        const user = await this.prisma.user.update({
+            where: {
+                id: intIndividualId,
+                type: 'INDIVIDUAL',
+            },
+            data: {
+                organizationId: intOrganizationId,
+            },
+        });
+        return this._convertUserIds(user);
+    }
 }
 
 module.exports = { UserRepositoryPostgres };

package/user/use-cases/get-user-from-x-frigg-headers.js

@@ -53,7 +53,7 @@ class GetUserFromXFriggHeaders {
                 );
         }
 
-        // VALIDATION: If both IDs provided and both users exist, verify they match
+        // VALIDATION/AUTO-LINKING: If both IDs provided and both users exist, handle mismatch
         if (
             appUserId &&
             appOrgId &&
@@ -66,31 +66,57 @@ class GetUserFromXFriggHeaders {
             const expectedOrgId = organizationUserData.id?.toString();
 
             if (individualOrgId !== expectedOrgId) {
-                throw Boom.badRequest(
-                    'User ID mismatch: x-frigg-appUserId and x-frigg-appOrgId refer to different users. ' +
-                        'Provide only one identifier or ensure they belong to the same user.'
+                // Default behavior: Auto-link disconnected users
+                // Opt-in strict mode: Throw error on mismatch
+                if (this.userConfig.strictUserValidation) {
+                    throw Boom.badRequest(
+                        'User ID mismatch: x-frigg-appUserId and x-frigg-appOrgId refer to different users. ' +
+                            'Provide only one identifier or ensure they belong to the same user.'
+                    );
+                }
+
+                // Auto-link the users
+                individualUserData = await this.userRepository.linkIndividualToOrganization(
+                    individualUserData.id,
+                    organizationUserData.id
                 );
             }
         }
 
-        // Auto-create user if not found
-        if (!individualUserData && !organizationUserData) {
-            if (appUserId) {
-                individualUserData =
-                    await this.userRepository.createIndividualUser({
-                        appUserId,
-                        username: `app-user-${appUserId}`,
-                        email: `${appUserId}@app.local`,
-                    });
-            } else {
-                organizationUserData =
-                    await this.userRepository.createOrganizationUser({
-                        appOrgId,
-                    });
+        // Auto-create users independently if they don't exist and are required
+        if (
+            !individualUserData &&
+            appUserId &&
+            this.userConfig.individualUserRequired !== false
+        ) {
+            individualUserData =
+                await this.userRepository.createIndividualUser({
+                    appUserId,
+                    username: `app-user-${appUserId}`,
+                    email: `${appUserId}@app.local`,
+                });
+        }
+
+        if (
+            !organizationUserData &&
+            appOrgId &&
+            this.userConfig.organizationUserRequired
+        ) {
+            organizationUserData =
+                await this.userRepository.createOrganizationUser({
+                    appOrgId,
+                });
+
+            // Link individual user to newly created org user if individual exists
+            if (individualUserData && organizationUserData) {
+                individualUserData = await this.userRepository.linkIndividualToOrganization(
+                    individualUserData.id,
+                    organizationUserData.id
+                );
             }
         }
 
-        return new User(
+        const user = new User(
             individualUserData,
             organizationUserData,
             this.userConfig.usePassword,
@@ -98,9 +124,9 @@ class GetUserFromXFriggHeaders {
             this.userConfig.individualUserRequired,
             this.userConfig.organizationUserRequired
         );
+
+        return user;
     }
 }
 
 module.exports = { GetUserFromXFriggHeaders };
-
-

package/user/user.js

@@ -88,6 +88,38 @@ class User {
     getAppOrgId() {
         return this.organizationUser?.appOrgId || null;
     }
+
+    /**
+     * Checks if a given userId belongs to this user (either primary or linked).
+     * When primary is 'organization', entities owned by the linked individual user
+     * should still be accessible to the organization.
+     *
+     * @param {string|number} userId - The userId to check
+     * @returns {boolean} True if the userId belongs to this user or their linked user
+     */
+    ownsUserId(userId) {
+        const userIdStr = userId?.toString();
+        const primaryId = this.getPrimaryUser()?.id?.toString();
+        const individualId = this.individualUser?.id?.toString();
+        const organizationId = this.organizationUser?.id?.toString();
+
+        // Check if userId matches primary user
+        if (userIdStr === primaryId) {
+            return true;
+        }
+
+        // When primary is 'organization', also check linked individual user
+        if (this.config.primary === 'organization' && userIdStr === individualId) {
+            return true;
+        }
+
+        // When primary is 'individual', also check linked organization user if required
+        if (this.config.primary === 'individual' && this.config.organizationUserRequired && userIdStr === organizationId) {
+            return true;
+        }
+
+        return false;
+    }
 }
 
 module.exports = { User };