npm - @friggframework/core - Versions diffs - 2.0.0-next.6 → 2.0.0-next.61 - Mend

@friggframework/core 2.0.0-next.6 → 2.0.0-next.61

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (286) hide show

package/CLAUDE.md +694 -0
package/README.md +959 -50
package/application/commands/README.md +451 -0
package/application/commands/credential-commands.js +245 -0
package/application/commands/entity-commands.js +336 -0
package/application/commands/integration-commands.js +210 -0
package/application/commands/user-commands.js +283 -0
package/application/index.js +69 -0
package/core/CLAUDE.md +690 -0
package/core/Worker.js +8 -21
package/core/create-handler.js +14 -7
package/credential/repositories/credential-repository-documentdb.js +304 -0
package/credential/repositories/credential-repository-factory.js +54 -0
package/credential/repositories/credential-repository-interface.js +98 -0
package/credential/repositories/credential-repository-mongo.js +269 -0
package/credential/repositories/credential-repository-postgres.js +291 -0
package/credential/repositories/credential-repository.js +302 -0
package/credential/use-cases/get-credential-for-user.js +25 -0
package/credential/use-cases/update-authentication-status.js +15 -0
package/database/MONGODB_TRANSACTION_FIX.md +198 -0
package/database/adapters/lambda-invoker.js +97 -0
package/database/config.js +154 -0
package/database/documentdb-encryption-service.js +330 -0
package/database/documentdb-utils.js +136 -0
package/database/encryption/README.md +839 -0
package/database/encryption/documentdb-encryption-service.md +3575 -0
package/database/encryption/encryption-schema-registry.js +268 -0
package/database/encryption/field-encryption-service.js +226 -0
package/database/encryption/logger.js +79 -0
package/database/encryption/prisma-encryption-extension.js +222 -0
package/database/index.js +61 -21
package/database/models/WebsocketConnection.js +16 -10
package/database/models/readme.md +1 -0
package/database/prisma.js +182 -0
package/database/repositories/health-check-repository-documentdb.js +134 -0
package/database/repositories/health-check-repository-factory.js +48 -0
package/database/repositories/health-check-repository-interface.js +82 -0
package/database/repositories/health-check-repository-mongodb.js +89 -0
package/database/repositories/health-check-repository-postgres.js +82 -0
package/database/repositories/health-check-repository.js +108 -0
package/database/repositories/migration-status-repository-s3.js +137 -0
package/database/use-cases/check-database-health-use-case.js +29 -0
package/database/use-cases/check-database-state-use-case.js +81 -0
package/database/use-cases/check-encryption-health-use-case.js +83 -0
package/database/use-cases/get-database-state-via-worker-use-case.js +61 -0
package/database/use-cases/get-migration-status-use-case.js +93 -0
package/database/use-cases/run-database-migration-use-case.js +139 -0
package/database/use-cases/test-encryption-use-case.js +253 -0
package/database/use-cases/trigger-database-migration-use-case.js +157 -0
package/database/utils/mongodb-collection-utils.js +91 -0
package/database/utils/mongodb-schema-init.js +106 -0
package/database/utils/prisma-runner.js +477 -0
package/database/utils/prisma-schema-parser.js +182 -0
package/docs/PROCESS_MANAGEMENT_QUEUE_SPEC.md +517 -0
package/encrypt/Cryptor.js +34 -168
package/encrypt/index.js +1 -2
package/encrypt/test-encrypt.js +0 -2
package/errors/client-safe-error.js +26 -0
package/errors/fetch-error.js +2 -1
package/errors/index.js +2 -0
package/generated/prisma-mongodb/client.d.ts +1 -0
package/generated/prisma-mongodb/client.js +4 -0
package/generated/prisma-mongodb/default.d.ts +1 -0
package/generated/prisma-mongodb/default.js +4 -0
package/generated/prisma-mongodb/edge.d.ts +1 -0
package/generated/prisma-mongodb/edge.js +334 -0
package/generated/prisma-mongodb/index-browser.js +316 -0
package/generated/prisma-mongodb/index.d.ts +22903 -0
package/generated/prisma-mongodb/index.js +359 -0
package/generated/prisma-mongodb/package.json +183 -0
package/generated/prisma-mongodb/query-engine-debian-openssl-3.0.x +0 -0
package/generated/prisma-mongodb/query-engine-rhel-openssl-3.0.x +0 -0
package/generated/prisma-mongodb/runtime/binary.d.ts +1 -0
package/generated/prisma-mongodb/runtime/binary.js +289 -0
package/generated/prisma-mongodb/runtime/edge-esm.js +34 -0
package/generated/prisma-mongodb/runtime/edge.js +34 -0
package/generated/prisma-mongodb/runtime/index-browser.d.ts +370 -0
package/generated/prisma-mongodb/runtime/index-browser.js +16 -0
package/generated/prisma-mongodb/runtime/library.d.ts +3977 -0
package/generated/prisma-mongodb/runtime/react-native.js +83 -0
package/generated/prisma-mongodb/runtime/wasm-compiler-edge.js +84 -0
package/generated/prisma-mongodb/runtime/wasm-engine-edge.js +36 -0
package/generated/prisma-mongodb/schema.prisma +360 -0
package/generated/prisma-mongodb/wasm-edge-light-loader.mjs +4 -0
package/generated/prisma-mongodb/wasm-worker-loader.mjs +4 -0
package/generated/prisma-mongodb/wasm.d.ts +1 -0
package/generated/prisma-mongodb/wasm.js +341 -0
package/generated/prisma-postgresql/client.d.ts +1 -0
package/generated/prisma-postgresql/client.js +4 -0
package/generated/prisma-postgresql/default.d.ts +1 -0
package/generated/prisma-postgresql/default.js +4 -0
package/generated/prisma-postgresql/edge.d.ts +1 -0
package/generated/prisma-postgresql/edge.js +356 -0
package/generated/prisma-postgresql/index-browser.js +338 -0
package/generated/prisma-postgresql/index.d.ts +25077 -0
package/generated/prisma-postgresql/index.js +381 -0
package/generated/prisma-postgresql/package.json +183 -0
package/generated/prisma-postgresql/query-engine-debian-openssl-3.0.x +0 -0
package/generated/prisma-postgresql/query-engine-rhel-openssl-3.0.x +0 -0
package/generated/prisma-postgresql/query_engine_bg.js +2 -0
package/generated/prisma-postgresql/query_engine_bg.wasm +0 -0
package/generated/prisma-postgresql/runtime/binary.d.ts +1 -0
package/generated/prisma-postgresql/runtime/binary.js +289 -0
package/generated/prisma-postgresql/runtime/edge-esm.js +34 -0
package/generated/prisma-postgresql/runtime/edge.js +34 -0
package/generated/prisma-postgresql/runtime/index-browser.d.ts +370 -0
package/generated/prisma-postgresql/runtime/index-browser.js +16 -0
package/generated/prisma-postgresql/runtime/library.d.ts +3977 -0
package/generated/prisma-postgresql/runtime/react-native.js +83 -0
package/generated/prisma-postgresql/runtime/wasm-compiler-edge.js +84 -0
package/generated/prisma-postgresql/runtime/wasm-engine-edge.js +36 -0
package/generated/prisma-postgresql/schema.prisma +343 -0
package/generated/prisma-postgresql/wasm-edge-light-loader.mjs +4 -0
package/generated/prisma-postgresql/wasm-worker-loader.mjs +4 -0
package/generated/prisma-postgresql/wasm.d.ts +1 -0
package/generated/prisma-postgresql/wasm.js +363 -0
package/handlers/WEBHOOKS.md +653 -0
package/handlers/app-definition-loader.js +38 -0
package/handlers/app-handler-helpers.js +56 -0
package/handlers/backend-utils.js +186 -0
package/handlers/database-migration-handler.js +227 -0
package/handlers/integration-event-dispatcher.js +54 -0
package/handlers/routers/HEALTHCHECK.md +342 -0
package/handlers/routers/auth.js +15 -0
package/handlers/routers/db-migration.handler.js +29 -0
package/handlers/routers/db-migration.js +326 -0
package/handlers/routers/health.js +516 -0
package/handlers/routers/integration-defined-routers.js +45 -0
package/handlers/routers/integration-webhook-routers.js +67 -0
package/handlers/routers/user.js +63 -0
package/handlers/routers/websocket.js +57 -0
package/handlers/use-cases/check-external-apis-health-use-case.js +81 -0
package/handlers/use-cases/check-integrations-health-use-case.js +44 -0
package/handlers/workers/db-migration.js +352 -0
package/handlers/workers/integration-defined-workers.js +27 -0
package/index.js +77 -22
package/integrations/WEBHOOK-QUICKSTART.md +151 -0
package/integrations/index.js +12 -10
package/integrations/integration-base.js +326 -55
package/integrations/integration-router.js +374 -179
package/integrations/options.js +1 -1
package/integrations/repositories/integration-mapping-repository-documentdb.js +280 -0
package/integrations/repositories/integration-mapping-repository-factory.js +57 -0
package/integrations/repositories/integration-mapping-repository-interface.js +106 -0
package/integrations/repositories/integration-mapping-repository-mongo.js +161 -0
package/integrations/repositories/integration-mapping-repository-postgres.js +227 -0
package/integrations/repositories/integration-mapping-repository.js +156 -0
package/integrations/repositories/integration-repository-documentdb.js +210 -0
package/integrations/repositories/integration-repository-factory.js +51 -0
package/integrations/repositories/integration-repository-interface.js +127 -0
package/integrations/repositories/integration-repository-mongo.js +303 -0
package/integrations/repositories/integration-repository-postgres.js +352 -0
package/integrations/repositories/process-repository-documentdb.js +243 -0
package/integrations/repositories/process-repository-factory.js +53 -0
package/integrations/repositories/process-repository-interface.js +90 -0
package/integrations/repositories/process-repository-mongo.js +190 -0
package/integrations/repositories/process-repository-postgres.js +217 -0
package/integrations/tests/doubles/config-capturing-integration.js +81 -0
package/integrations/tests/doubles/dummy-integration-class.js +105 -0
package/integrations/tests/doubles/test-integration-repository.js +99 -0
package/integrations/use-cases/create-integration.js +83 -0
package/integrations/use-cases/create-process.js +128 -0
package/integrations/use-cases/delete-integration-for-user.js +101 -0
package/integrations/use-cases/find-integration-context-by-external-entity-id.js +72 -0
package/integrations/use-cases/get-integration-for-user.js +78 -0
package/integrations/use-cases/get-integration-instance-by-definition.js +67 -0
package/integrations/use-cases/get-integration-instance.js +83 -0
package/integrations/use-cases/get-integrations-for-user.js +88 -0
package/integrations/use-cases/get-possible-integrations.js +27 -0
package/integrations/use-cases/get-process.js +87 -0
package/integrations/use-cases/index.js +19 -0
package/integrations/use-cases/load-integration-context.js +71 -0
package/integrations/use-cases/update-integration-messages.js +44 -0
package/integrations/use-cases/update-integration-status.js +32 -0
package/integrations/use-cases/update-integration.js +92 -0
package/integrations/use-cases/update-process-metrics.js +201 -0
package/integrations/use-cases/update-process-state.js +119 -0
package/integrations/utils/map-integration-dto.js +37 -0
package/jest-global-setup-noop.js +3 -0
package/jest-global-teardown-noop.js +3 -0
package/logs/logger.js +0 -4
package/{module-plugin → modules}/entity.js +1 -1
package/{module-plugin → modules}/index.js +0 -8
package/modules/module-factory.js +56 -0
package/modules/module.js +221 -0
package/modules/repositories/module-repository-documentdb.js +307 -0
package/modules/repositories/module-repository-factory.js +40 -0
package/modules/repositories/module-repository-interface.js +129 -0
package/modules/repositories/module-repository-mongo.js +377 -0
package/modules/repositories/module-repository-postgres.js +426 -0
package/modules/repositories/module-repository.js +316 -0
package/modules/requester/api-key.js +52 -0
package/{module-plugin → modules}/requester/requester.js +1 -0
package/{module-plugin → modules}/test/mock-api/api.js +8 -3
package/{module-plugin → modules}/test/mock-api/definition.js +12 -8
package/modules/tests/doubles/test-module-factory.js +16 -0
package/modules/tests/doubles/test-module-repository.js +39 -0
package/modules/use-cases/get-entities-for-user.js +32 -0
package/modules/use-cases/get-entity-options-by-id.js +71 -0
package/modules/use-cases/get-entity-options-by-type.js +34 -0
package/modules/use-cases/get-module-instance-from-type.js +31 -0
package/modules/use-cases/get-module.js +74 -0
package/modules/use-cases/process-authorization-callback.js +133 -0
package/modules/use-cases/refresh-entity-options.js +72 -0
package/modules/use-cases/test-module-auth.js +72 -0
package/modules/utils/map-module-dto.js +18 -0
package/package.json +82 -50
package/prisma-mongodb/schema.prisma +360 -0
package/prisma-postgresql/migrations/20250930193005_init/migration.sql +315 -0
package/prisma-postgresql/migrations/20251006135218_init/migration.sql +9 -0
package/prisma-postgresql/migrations/20251010000000_remove_unused_entity_reference_map/migration.sql +3 -0
package/prisma-postgresql/migrations/20251112195422_update_user_unique_constraints/migration.sql +25 -0
package/prisma-postgresql/migrations/migration_lock.toml +3 -0
package/prisma-postgresql/schema.prisma +343 -0
package/queues/queuer-util.js +27 -22
package/syncs/manager.js +468 -443
package/syncs/repositories/sync-repository-documentdb.js +240 -0
package/syncs/repositories/sync-repository-factory.js +43 -0
package/syncs/repositories/sync-repository-interface.js +109 -0
package/syncs/repositories/sync-repository-mongo.js +239 -0
package/syncs/repositories/sync-repository-postgres.js +319 -0
package/syncs/sync.js +0 -1
package/token/repositories/token-repository-documentdb.js +137 -0
package/token/repositories/token-repository-factory.js +40 -0
package/token/repositories/token-repository-interface.js +131 -0
package/token/repositories/token-repository-mongo.js +219 -0
package/token/repositories/token-repository-postgres.js +264 -0
package/token/repositories/token-repository.js +219 -0
package/types/core/index.d.ts +2 -2
package/types/integrations/index.d.ts +2 -6
package/types/module-plugin/index.d.ts +5 -59
package/types/syncs/index.d.ts +0 -2
package/user/repositories/user-repository-documentdb.js +441 -0
package/user/repositories/user-repository-factory.js +52 -0
package/user/repositories/user-repository-interface.js +201 -0
package/user/repositories/user-repository-mongo.js +308 -0
package/user/repositories/user-repository-postgres.js +360 -0
package/user/tests/doubles/test-user-repository.js +72 -0
package/user/use-cases/authenticate-user.js +127 -0
package/user/use-cases/authenticate-with-shared-secret.js +48 -0
package/user/use-cases/create-individual-user.js +61 -0
package/user/use-cases/create-organization-user.js +47 -0
package/user/use-cases/create-token-for-user-id.js +30 -0
package/user/use-cases/get-user-from-adopter-jwt.js +149 -0
package/user/use-cases/get-user-from-bearer-token.js +77 -0
package/user/use-cases/get-user-from-x-frigg-headers.js +132 -0
package/user/use-cases/login-user.js +122 -0
package/user/user.js +125 -0
package/utils/backend-path.js +38 -0
package/utils/index.js +6 -0
package/websocket/repositories/websocket-connection-repository-documentdb.js +119 -0
package/websocket/repositories/websocket-connection-repository-factory.js +44 -0
package/websocket/repositories/websocket-connection-repository-interface.js +106 -0
package/websocket/repositories/websocket-connection-repository-mongo.js +156 -0
package/websocket/repositories/websocket-connection-repository-postgres.js +196 -0
package/websocket/repositories/websocket-connection-repository.js +161 -0
package/database/models/State.js +0 -9
package/database/models/Token.js +0 -70
package/database/mongo.js +0 -45
package/encrypt/Cryptor.test.js +0 -32
package/encrypt/encrypt.js +0 -132
package/encrypt/encrypt.test.js +0 -1069
package/errors/base-error.test.js +0 -32
package/errors/fetch-error.test.js +0 -79
package/errors/halt-error.test.js +0 -11
package/errors/validation-errors.test.js +0 -120
package/integrations/create-frigg-backend.js +0 -31
package/integrations/integration-factory.js +0 -251
package/integrations/integration-mapping.js +0 -43
package/integrations/integration-model.js +0 -46
package/integrations/integration-user.js +0 -144
package/integrations/test/integration-base.test.js +0 -144
package/lambda/TimeoutCatcher.test.js +0 -68
package/logs/logger.test.js +0 -76
package/module-plugin/auther.js +0 -393
package/module-plugin/credential.js +0 -22
package/module-plugin/entity-manager.js +0 -70
package/module-plugin/manager.js +0 -169
package/module-plugin/module-factory.js +0 -61
package/module-plugin/requester/api-key.js +0 -36
package/module-plugin/requester/requester.test.js +0 -28
package/module-plugin/test/auther.test.js +0 -97
/package/{module-plugin → modules}/ModuleConstants.js +0 -0
/package/{module-plugin → modules}/requester/basic.js +0 -0
/package/{module-plugin → modules}/requester/oauth-2.js +0 -0
/package/{module-plugin → modules}/test/mock-api/mocks/hubspot.js +0 -0

package/database/encryption/encryption-schema-registry.js ADDED Viewed

@@ -0,0 +1,268 @@
+/**
+ * Encryption Schema Registry
+ *
+ * Centralized registry defining which fields require encryption for each Prisma model.
+ * Database-agnostic, works identically for MongoDB and PostgreSQL.
+ * Extensible by integration developers via appDefinition.
+ *
+ * Field path format: 'fieldName' or 'parent.child.field' for nested JSON.
+ */
+const { logger } = require('./logger');
+/**
+ * Core encryption schema (immutable - cannot be overridden by custom schemas)
+ */
+const CORE_ENCRYPTION_SCHEMA = {
+    Credential: {
+        fields: [
+            'data.access_token',
+            'data.refresh_token',
+            'data.id_token',
+            'data.api_key',
+            'data.apiKey',
+            'data.API_KEY_VALUE',
+            'data.password',
+            'data.client_secret',
+        ],
+    },
+    IntegrationMapping: {
+        fields: ['mapping'],
+    },
+    User: {
+        fields: ['hashword'],
+    },
+    Token: {
+        fields: ['token'],
+    },
+};
+let customSchema = {};
+/**
+ * Validates a custom encryption schema
+ * @returns {{valid: boolean, errors: string[]}}
+ */
+function validateCustomSchema(schema) {
+    const errors = [];
+    if (!schema || typeof schema !== 'object') {
+        errors.push('Custom schema must be an object');
+        return { valid: false, errors };
+    }
+    for (const [modelName, config] of Object.entries(schema)) {
+        if (typeof modelName !== 'string' || !modelName) {
+            errors.push(`Invalid model name: ${modelName}`);
+            continue;
+        }
+        if (!config || typeof config !== 'object') {
+            errors.push(`Model "${modelName}" must have a config object`);
+            continue;
+        }
+        if (!Array.isArray(config.fields)) {
+            errors.push(`Model "${modelName}" must have a "fields" array`);
+            continue;
+        }
+        for (const fieldPath of config.fields) {
+            if (typeof fieldPath !== 'string' || !fieldPath) {
+                errors.push(`Model "${modelName}" has invalid field path: ${fieldPath}`);
+            }
+            // Check if trying to override core fields
+            const coreFields = CORE_ENCRYPTION_SCHEMA[modelName]?.fields || [];
+            if (coreFields.includes(fieldPath)) {
+                errors.push(
+                    `Cannot override core encrypted field "${fieldPath}" in model "${modelName}"`
+                );
+            }
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Registers a custom encryption schema from integration developer.
+ * Merges with core schema, prevents overriding core fields.
+ * @throws {Error} If schema validation fails
+ */
+function registerCustomSchema(schema) {
+    if (!schema || Object.keys(schema).length === 0) {
+        return; // Nothing to register
+    }
+    const validation = validateCustomSchema(schema);
+    if (!validation.valid) {
+        throw new Error(
+            `Invalid custom encryption schema:\n- ${validation.errors.join('\n- ')}`
+        );
+    }
+    customSchema = { ...schema };
+    logger.info(
+        `Registered custom encryption schema for models: ${Object.keys(customSchema).join(', ')}`
+    );
+}
+/**
+ * Extracts credential field paths from module definitions
+ * @param {Array} moduleDefinitions - Array of module definition objects
+ * @returns {Array<string>} Array of field paths with data. prefix
+ */
+function extractCredentialFieldsFromModules(moduleDefinitions) {
+    const fields = [];
+    for (const moduleDef of moduleDefinitions) {
+        if (!moduleDef?.encryption?.credentialFields) {
+            continue;
+        }
+        const credentialFields = moduleDef.encryption.credentialFields;
+        if (!Array.isArray(credentialFields) || credentialFields.length === 0) {
+            continue;
+        }
+        for (const field of credentialFields) {
+            const prefixedField = field.startsWith('data.') ? field : `data.${field}`;
+            fields.push(prefixedField);
+        }
+    }
+    return [...new Set(fields)];
+}
+/**
+ * Loads and registers encryption schemas from API module definitions.
+ * Each module can declare credentialFields to encrypt in its encryption config.
+ *
+ * @param {Array} integrations - Array of integration classes with modules
+ */
+function loadModuleEncryptionSchemas(integrations) {
+    if (!integrations) {
+        throw new Error('integrations parameter is required');
+    }
+    if (!Array.isArray(integrations)) {
+        throw new Error('integrations must be an array');
+    }
+    if (integrations.length === 0) {
+        return;
+    }
+    const { getModulesDefinitionFromIntegrationClasses } = require('../integrations/utils/map-integration-dto');
+    const moduleDefinitions = getModulesDefinitionFromIntegrationClasses(integrations);
+    const credentialFields = extractCredentialFieldsFromModules(moduleDefinitions);
+    if (credentialFields.length === 0) {
+        return;
+    }
+    const moduleSchema = {
+        Credential: {
+            fields: credentialFields
+        }
+    };
+    logger.info(
+        `Registering module-level encryption for ${credentialFields.length} credential fields`
+    );
+    registerCustomSchema(moduleSchema);
+}
+/**
+ * Loads and registers custom encryption schema from appDefinition.
+ * Gracefully handles cases where appDefinition is not available.
+ *
+ * This ensures that custom encryption schemas defined in the backend's index.js
+ * are registered before any repositories attempt to encrypt data.
+ *
+ * Used by both Prisma (MongoDB/PostgreSQL) and DocumentDB encryption services.
+ */
+function loadCustomEncryptionSchema() {
+    try {
+        // Lazy require to avoid circular dependency issues
+        const path = require('node:path');
+        const { findNearestBackendPackageJson } = require('../../utils');
+        const backendPackagePath = findNearestBackendPackageJson();
+        if (!backendPackagePath) {
+            return; // No backend found, skip custom schema
+        }
+        const backendDir = path.dirname(backendPackagePath);
+        const backendIndexPath = path.join(backendDir, 'index.js');
+        const backendModule = require(backendIndexPath);
+        const appDefinition = backendModule?.Definition;
+        if (!appDefinition) {
+            return; // No app definition found
+        }
+        // Load app-level custom schema
+        const customSchema = appDefinition.encryption?.schema;
+        if (customSchema && Object.keys(customSchema).length > 0) {
+            registerCustomSchema(customSchema);
+        }
+        // Load module-level encryption schemas from integrations
+        const integrations = appDefinition.integrations;
+        if (integrations && Array.isArray(integrations)) {
+            loadModuleEncryptionSchemas(integrations);
+        }
+    } catch (error) {
+        // Silently ignore errors - custom schema is optional
+        // This handles cases like:
+        // - Backend package.json not found (tests, standalone usage)
+        // - No appDefinition defined
+        // - No custom encryption schema specified
+        logger.debug('Could not load custom encryption schema:', error.message);
+    }
+}
+function getEncryptedFields(modelName) {
+    const coreFields = CORE_ENCRYPTION_SCHEMA[modelName]?.fields || [];
+    const customFields = customSchema[modelName]?.fields || [];
+    const allFields = [...coreFields, ...customFields];
+    return [...new Set(allFields)];
+}
+function hasEncryptedFields(modelName) {
+    return getEncryptedFields(modelName).length > 0;
+}
+function getEncryptedModels() {
+    const coreModels = Object.keys(CORE_ENCRYPTION_SCHEMA);
+    const customModels = Object.keys(customSchema);
+    return [...new Set([...coreModels, ...customModels])];
+}
+function resetCustomSchema() {
+    customSchema = {};
+}
+module.exports = {
+    CORE_ENCRYPTION_SCHEMA,
+    getEncryptedFields,
+    hasEncryptedFields,
+    getEncryptedModels,
+    registerCustomSchema,
+    loadCustomEncryptionSchema,
+    loadModuleEncryptionSchemas,
+    extractCredentialFieldsFromModules,
+    validateCustomSchema,
+    resetCustomSchema,
+};

package/database/encryption/field-encryption-service.js ADDED Viewed

@@ -0,0 +1,226 @@
+/**
+ * Field Encryption Service
+ *
+ * Infrastructure layer service that orchestrates field-level encryption/decryption.
+ * Handles nested JSON paths (e.g., 'data.access_token') and bulk operations.
+ */
+class FieldEncryptionService {
+    constructor({ cryptor, schema }) {
+        if (!cryptor) {
+            throw new Error('Cryptor instance required');
+        }
+        if (!schema || typeof schema.getEncryptedFields !== 'function') {
+            throw new Error('Schema with getEncryptedFields method required');
+        }
+        this.cryptor = cryptor;
+        this.schema = schema;
+    }
+    async encryptFields(modelName, document) {
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+        const fields = this.schema.getEncryptedFields(modelName);
+        if (fields.length === 0) {
+            return document;
+        }
+        const encrypted = this._deepClone(document);
+        // Parallelize encryption of multiple fields
+        const encryptionPromises = fields.map(async (fieldPath) => {
+            const value = this._getNestedValue(encrypted, fieldPath);
+            if (this._shouldEncrypt(value)) {
+                const serializedValue = this._serializeForEncryption(value);
+                const encryptedValue = await this.cryptor.encrypt(serializedValue);
+                return { fieldPath, encryptedValue };
+            }
+            return null;
+        });
+        const results = await Promise.all(encryptionPromises);
+        // Apply encrypted values
+        for (const result of results) {
+            if (result) {
+                this._setNestedValue(encrypted, result.fieldPath, result.encryptedValue);
+            }
+        }
+        return encrypted;
+    }
+    async decryptFields(modelName, document) {
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+        const fields = this.schema.getEncryptedFields(modelName);
+        if (fields.length === 0) {
+            return document;
+        }
+        const decrypted = this._deepClone(document);
+        // Parallelize decryption of multiple fields
+        const decryptionPromises = fields.map(async (fieldPath) => {
+            const value = this._getNestedValue(decrypted, fieldPath);
+            if (this._isEncrypted(value)) {
+                const decryptedValue = await this.cryptor.decrypt(value);
+                const deserializedValue = this._deserializeAfterDecryption(decryptedValue);
+                return { fieldPath, decryptedValue: deserializedValue };
+            }
+            return null;
+        });
+        const results = await Promise.all(decryptionPromises);
+        // Apply decrypted values
+        for (const result of results) {
+            if (result) {
+                this._setNestedValue(decrypted, result.fieldPath, result.decryptedValue);
+            }
+        }
+        return decrypted;
+    }
+    async encryptFieldsInBulk(modelName, documents) {
+        if (!Array.isArray(documents)) {
+            return documents;
+        }
+        return Promise.all(
+            documents.map((doc) => this.encryptFields(modelName, doc))
+        );
+    }
+    async decryptFieldsInBulk(modelName, documents) {
+        if (!Array.isArray(documents)) {
+            return documents;
+        }
+        return Promise.all(
+            documents.map((doc) => this.decryptFields(modelName, doc))
+        );
+    }
+    _shouldEncrypt(value) {
+        return (
+            value !== null &&
+            value !== undefined &&
+            value !== '' &&
+            !this._isEncrypted(value)
+        );
+    }
+    _isEncrypted(value) {
+        if (typeof value !== 'string') {
+            return false;
+        }
+        const parts = value.split(':');
+        return parts.length >= 4;
+    }
+    _getNestedValue(obj, path) {
+        if (!obj || !path) {
+            return undefined;
+        }
+        return path.split('.').reduce((current, key) => {
+            return current?.[key];
+        }, obj);
+    }
+    _setNestedValue(obj, path, value) {
+        if (!obj || !path) {
+            return;
+        }
+        const keys = path.split('.');
+        const lastKey = keys.pop();
+        const target = keys.reduce((current, key) => {
+            if (!current[key] || typeof current[key] !== 'object') {
+                current[key] = {};
+            }
+            return current[key];
+        }, obj);
+        target[lastKey] = value;
+    }
+    _deepClone(obj) {
+        // Use structuredClone (Node.js 17+) for better performance
+        // Falls back to custom implementation for older Node versions
+        if (typeof structuredClone !== 'undefined') {
+            try {
+                return structuredClone(obj);
+            } catch {
+                // Fall through to custom implementation
+            }
+        }
+        // Custom fallback for older environments
+        if (obj === null || typeof obj !== 'object') {
+            return obj;
+        }
+        if (obj instanceof Date) {
+            return new Date(obj.getTime());
+        }
+        if (Array.isArray(obj)) {
+            return obj.map((item) => this._deepClone(item));
+        }
+        const cloned = {};
+        for (const key in obj) {
+            if (obj.hasOwnProperty(key)) {
+                cloned[key] = this._deepClone(obj[key]);
+            }
+        }
+        return cloned;
+    }
+    /**
+     * Serialize a value for encryption
+     * Objects/arrays are JSON stringified, primitives are converted to strings
+     * @private
+     */
+    _serializeForEncryption(value) {
+        if (typeof value === 'object' && value !== null) {
+            // JSON.stringify for objects and arrays
+            return JSON.stringify(value);
+        }
+        // For primitives (string, number, boolean), convert to string
+        return String(value);
+    }
+    /**
+     * Deserialize a value after decryption
+     * Attempts to parse as JSON, returns string if parsing fails
+     * @private
+     */
+    _deserializeAfterDecryption(value) {
+        if (typeof value !== 'string') {
+            return value;
+        }
+        // Try to parse as JSON
+        try {
+            return JSON.parse(value);
+        } catch {
+            // Not valid JSON, return as-is (likely was a plain string field)
+            return value;
+        }
+    }
+}
+module.exports = { FieldEncryptionService };

package/database/encryption/logger.js ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Encryption Logger
+ *
+ * Centralized logging for encryption operations.
+ * Prevents sensitive data leakage in production logs.
+ */
+const LOG_LEVELS = {
+    DEBUG: 0,
+    INFO: 1,
+    WARN: 2,
+    ERROR: 3,
+};
+class EncryptionLogger {
+    constructor() {
+        this.minLevel = this._getMinLevel();
+    }
+    _getMinLevel() {
+        const level = process.env.FRIGG_LOG_LEVEL || 'INFO';
+        return LOG_LEVELS[level.toUpperCase()] ?? LOG_LEVELS.INFO;
+    }
+    _shouldLog(level) {
+        return LOG_LEVELS[level] >= this.minLevel;
+    }
+    _sanitize(message) {
+        // Remove potential key material or encrypted data from logs
+        if (typeof message === 'string') {
+            // Truncate long base64 strings that might be keys or encrypted data
+            return message.replace(/([A-Za-z0-9+/=]{50,})/g, (match) =>
+                `${match.substring(0, 10)}...[${match.length} chars]`
+            );
+        }
+        return message;
+    }
+    debug(message, ...args) {
+        if (this._shouldLog('DEBUG')) {
+            console.log(`[Frigg Debug]`, this._sanitize(message), ...args);
+        }
+    }
+    info(message, ...args) {
+        if (this._shouldLog('INFO')) {
+            console.log(`[Frigg]`, this._sanitize(message), ...args);
+        }
+    }
+    warn(message, ...args) {
+        if (this._shouldLog('WARN')) {
+            console.warn(`[Frigg]`, this._sanitize(message), ...args);
+        }
+    }
+    error(message, error) {
+        if (this._shouldLog('ERROR')) {
+            const sanitizedMessage = this._sanitize(message);
+            // In production, don't log stack traces with sensitive paths
+            const isProduction = process.env.STAGE === 'production';
+            if (error && !isProduction) {
+                console.error(`[Frigg]`, sanitizedMessage, error);
+            } else if (error) {
+                console.error(`[Frigg]`, sanitizedMessage, error.message);
+            } else {
+                console.error(`[Frigg]`, sanitizedMessage);
+            }
+        }
+    }
+}
+// Singleton instance
+const logger = new EncryptionLogger();
+module.exports = { logger };