serverless-plugin-module-registry 1.0.9 → 1.0.10

package/dist/service.js

@@ -0,0 +1,1178 @@
+/*
+ * Module Registry Service Functions
+ * -------------------------------------------
+ * Service layer for querying module registry data from DynamoDB.
+ * These functions can be imported directly from the plugin package.
+ * 
+ * Usage:
+ * import { listAllModules, getModuleFeatures } from 'serverless-plugin-module-registry'
+ */
+
+import { DynamoDBClient, QueryCommand, ScanCommand, PutItemCommand, UpdateItemCommand, DeleteItemCommand } from '@aws-sdk/client-dynamodb'
+import { unmarshall, marshall } from '@aws-sdk/util-dynamodb'
+import { nanoid } from 'nanoid'
+
+// Self-contained feature ID utilities (to avoid import issues in generated service)
+const generateFeatureId = () => nanoid(8)
+const validateFeatureId = (featureId) => {
+  if (featureId.length !== 8) return false
+  if (!/^[A-Za-z0-9_-]+$/.test(featureId)) return false
+  return true
+}
+
+const TABLE_NAME = 'placeholder-table-name'
+const GSI1_NAME = 'GSI1'
+
+// Validate table name at runtime
+if (TABLE_NAME === 'placeholder-table-name') {
+  console.warn('[module-registry] Warning: TABLE_NAME not properly injected during build. Service functions may fail at runtime.')
+}
+
+// Client configuration with retry logic and connection pooling
+const client = new DynamoDBClient({
+  maxAttempts: 3,
+  retryMode: 'adaptive',
+  // Enable connection pooling for better performance
+  maxSockets: 50,
+  requestHandler: {
+    requestTimeout: 30000, // 30 seconds
+    httpsAgent: {
+      keepAlive: true,
+      maxSockets: 50
+    }
+  }
+})
+
+// Simple in-memory cache for frequently accessed data
+const cache = new Map()
+const CACHE_TTL = 5 * 60 * 1000 // 5 minutes
+
+/**
+ * Simple caching utility
+ */
+const withCache = (key, ttl = CACHE_TTL) => {
+  return {
+    get: () => {
+      const cached = cache.get(key)
+      if (cached && Date.now() < cached.expires) {
+        return cached.value
+      }
+      cache.delete(key)
+      return null
+    },
+    set: (value) => {
+      cache.set(key, {
+        value,
+        expires: Date.now() + ttl
+      })
+    }
+  }
+}
+
+/**
+ * Creates a structured logger for module registry operations
+ * @param {string} context - The operation context (e.g., 'listAllModules')
+ * @returns {Object} Logger with info, warn, error methods
+ */
+export const createModuleRegistryLogger = (context) => {
+  const prefix = `[module-registry:${context}]`
+
+  return {
+    info: (message, data) => console.log(prefix, message, data ? JSON.stringify(data) : ''),
+    warn: (message, data) => console.warn(prefix, message, data ? JSON.stringify(data) : ''),
+    error: (message, error) => console.error(prefix, message, error?.message || error)
+  }
+}
+
+/**
+ * Sanitize feature name to only allow lowercase letters, numbers, and hyphens [a-z0-9-]
+ * Converts underscores and spaces to hyphens
+ * @param {string} featureName - The feature name to sanitize
+ * @returns {string} - Sanitized feature name
+ * @throws {Error} - If feature name is invalid after sanitization
+ */
+const sanitizeFeatureName = (featureName) => {
+  if (!featureName || typeof featureName !== 'string') {
+    throw new Error('Feature name is required and must be a string')
+  }
+  
+  // Convert to lowercase, replace underscores and spaces with hyphens, then keep only [a-z0-9-] characters
+  const sanitized = featureName.toLowerCase()
+    .replace(/[_\s]+/g, '-')  // Replace underscores and spaces with hyphens
+    .replace(/[^a-z0-9-]/g, '')  // Keep only letters, numbers, and hyphens
+    .replace(/--+/g, '-')  // Replace multiple consecutive hyphens with single hyphen
+    .replace(/^-+|-+$/g, '')  // Remove leading and trailing hyphens
+  
+  if (sanitized.length === 0) {
+    throw new Error('Feature name must contain at least one alphanumeric character [a-z0-9-]')
+  }
+  
+  return sanitized
+}
+
+/**
+ * Validates and sanitizes input parameters
+ * @param {Object} params - Parameters to validate
+ * @param {Array} required - Required parameter names
+ * @throws {Error} If validation fails
+ */
+const validateParams = (params, required) => {
+  for (const param of required) {
+    if (!params[param] || (typeof params[param] === 'string' && params[param].trim() === '')) {
+      throw new Error(`${param} is required and cannot be empty`)
+    }
+  }
+
+  // Sanitize string parameters to prevent injection
+  const sanitized = {}
+  for (const [key, value] of Object.entries(params)) {
+    if (typeof value === 'string') {
+      // Basic sanitization - remove potentially dangerous characters
+      let sanitizedValue = value.replace(/[<>\"']/g, '').trim()
+      
+      // Apply feature name sanitization for featureName parameters
+      if (key === 'featureName') {
+        sanitizedValue = sanitizeFeatureName(sanitizedValue)
+      }
+      
+      sanitized[key] = sanitizedValue
+    } else {
+      sanitized[key] = value
+    }
+  }
+
+  return sanitized
+}
+
+/**
+ * Wraps DynamoDB operations with error handling and retry logic
+ * @param {Function} operation - The DynamoDB operation to execute
+ * @param {string} operationName - Name for logging
+ * @returns {Promise} Operation result
+ */
+const withErrorHandling = async (operation, operationName) => {
+  const logger = createModuleRegistryLogger(operationName)
+
+  try {
+    const startTime = Date.now()
+    const result = await operation()
+    const duration = Date.now() - startTime
+    return result
+
+  } catch (error) {
+    logger.error(`Operation failed`, error)
+
+    // Provide user-friendly error messages
+    if (error.name === 'ResourceNotFoundException') {
+      throw new Error(`Module registry table not found. Please ensure the plugin is properly deployed.`)
+    } else if (error.name === 'ValidationException') {
+      throw new Error(`Invalid request parameters: ${error.message}`)
+    } else if (error.name === 'ProvisionedThroughputExceededException') {
+      throw new Error(`Registry service is temporarily overloaded. Please try again in a moment.`)
+    } else if (error.name === 'ThrottlingException') {
+      throw new Error(`Request rate exceeded. Please try again in a moment.`)
+    } else {
+      throw new Error(`Registry service error: ${error.message}`)
+    }
+  }
+}
+/**
+ * Lists all deployed modules with basic metadata
+ * @returns {Promise<Array>} Array of module objects with clean data (no DDB internals)
+ */
+export const listAllModules = async () => {
+  return withErrorHandling(async () => {
+    // Check cache first
+    const cacheKey = 'listAllModules'
+    const cached = withCache(cacheKey)
+    const cachedResult = cached.get()
+    if (cachedResult) {
+      return cachedResult
+    }
+
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      IndexName: GSI1_NAME,
+      KeyConditionExpression: 'gsi1pk = :pk',
+      FilterExpression: 'itemType = :itemType',
+      ExpressionAttributeValues: {
+        ':pk': { S: 'MODULES' },
+        ':itemType': { S: 'module' }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items) {
+      return []
+    }
+
+    // Transform DDB items to clean module objects
+    const modules = response.Items.map(item => {
+      const data = unmarshall(item)
+
+      return {
+        moduleName: data.moduleName,
+        description: data.description,
+        version: data.version,
+        maintainer: data.maintainer,
+        tags: data.tags || [],
+        apiGatewayId: data.apiGatewayId,
+        lastUpdated: data.lastUpdated
+      }
+    })
+
+    // Cache the result
+    cached.set(modules)
+
+    return modules
+  }, 'listAllModules')
+}
+
+/**
+ * Gets all features for a specific module
+ * @param {string} moduleName - The module name (e.g., 'sign')
+ * @returns {Promise<Array>} Array of feature objects with endpoints
+ */
+export const getModuleFeatures = async (moduleName) => {
+  const params = validateParams({ moduleName }, ['moduleName'])
+
+  return withErrorHandling(async () => {
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      KeyConditionExpression: 'pk = :pk AND begins_with(sk, :skPrefix)',
+      FilterExpression: 'itemType = :itemType',
+      ExpressionAttributeValues: {
+        ':pk': { S: `MODULE#${params.moduleName}` },
+        ':skPrefix': { S: 'FEATURE#' },
+        ':itemType': { S: 'feature' }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items) {
+      return []
+    }
+
+    // Transform DDB items to clean feature objects
+    const features = response.Items.map(item => {
+      const data = unmarshall(item)
+
+      return {
+        featureName: data.featureName,
+        featureId: data.featureId, // Include featureId for ABAC tag generation
+        description: data.description,
+        version: data.version,
+        endpoints: data.endpoints || [],
+        customPolicies: data.customPolicies || [],
+        endpointCount: (data.endpoints || []).length,
+        lastUpdated: data.lastUpdated
+      }
+    })
+
+    return features
+  }, 'getModuleFeatures')
+}
+
+/**
+ * Gets detailed information about a specific feature
+ * @param {string} moduleName - The module name  
+ * @param {string} featureId - The feature ID (featureId is KING!)
+ * @returns {Promise<Object|null>} Feature details with endpoints and policies
+ */
+export const getFeatureDetails = async (moduleName, featureId) => {
+  const params = validateParams({ moduleName, featureId }, ['moduleName', 'featureId'])
+
+  return withErrorHandling(async () => {
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      KeyConditionExpression: 'pk = :pk AND sk = :sk',
+      ExpressionAttributeValues: {
+        ':pk': { S: `MODULE#${params.moduleName}` },
+        ':sk': { S: `FEATURE#${params.featureId}` }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items || response.Items.length === 0) {
+      return null
+    }
+
+    // Transform DDB item to clean feature object
+    return unmarshall(response.Items[0])
+  }, 'getFeatureDetails')
+}
+
+
+/**
+ * Gets module metadata (basic info without features)
+ * @param {string} moduleName - The module name
+ * @returns {Promise<Object|null>} Module metadata or null if not found
+ */
+export const getModuleMetadata = async (moduleName) => {
+  const params = validateParams({ moduleName }, ['moduleName'])
+
+  return withErrorHandling(async () => {
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      KeyConditionExpression: 'pk = :pk AND sk = :sk',
+      ExpressionAttributeValues: {
+        ':pk': { S: `MODULE#${params.moduleName}` },
+        ':sk': { S: 'MODULE' }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items || response.Items.length === 0) {
+      return null
+    }
+
+    // Transform DDB item to clean module object
+    const data = unmarshall(response.Items[0])
+
+    const moduleMetadata = {
+      moduleName: data.moduleName,
+      description: data.description,
+      version: data.version,
+      maintainer: data.maintainer,
+      tags: data.tags || [],
+      apiGatewayId: data.apiGatewayId,
+      lastUpdated: data.lastUpdated
+    }
+
+    return moduleMetadata
+  }, 'getModuleMetadata')
+}
+
+/**
+ * Gets feature details by featureId only (without knowing module name)
+ * Uses GSI2 to lookup feature directly by featureId
+ * @param {string} featureId - The unique feature identifier
+ * @returns {Promise<Object|null>} Feature details or null if not found
+ */
+export const getFeatureById = async (featureId) => {
+  const params = validateParams({ featureId }, ['featureId'])
+
+  return withErrorHandling(async () => {
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      IndexName: 'GSI2',
+      KeyConditionExpression: 'gsi2pk = :gsi2pk AND gsi2sk = :gsi2sk',
+      ExpressionAttributeValues: {
+        ':gsi2pk': { S: 'FEATURES' },
+        ':gsi2sk': { S: `FEATURE#${params.featureId}` }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items || response.Items.length === 0) {
+      return null
+    }
+
+    // Transform DDB item to clean feature object
+    const data = unmarshall(response.Items[0])
+
+    return {
+      moduleName: data.moduleName,
+      featureName: data.featureName,
+      featureId: data.featureId,
+      description: data.description,
+      version: data.version,
+      endpoints: data.endpoints || [],
+      customPolicies: data.customPolicies || [],
+      customFeature: data.customFeature || false,
+      endpointCount: (data.endpoints || []).length,
+      policyCount: (data.customPolicies || []).length,
+      lastUpdated: data.lastUpdated
+    }
+  }, 'getFeatureById')
+}
+
+/**
+ * Gets endpoint summary across all modules for discovery
+ * @returns {Promise<Array>} Array of endpoints with module/feature context
+ */
+export const getAllEndpoints = async () => {
+  return withErrorHandling(async () => {
+    const command = new ScanCommand({
+      TableName: TABLE_NAME,
+      FilterExpression: 'itemType = :itemType',
+      ExpressionAttributeValues: {
+        ':itemType': { S: 'feature' }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items) {
+      return []
+    }
+
+    // Transform to flat endpoint list with context
+    const endpoints = []
+
+    for (const item of response.Items) {
+      const data = unmarshall(item)
+
+      if (data.endpoints && Array.isArray(data.endpoints)) {
+        for (const endpoint of data.endpoints) {
+          endpoints.push({
+            endpoint,
+            moduleName: data.moduleName,
+            featureName: data.featureName,
+            featureDescription: data.description,
+            version: data.version,
+            customFeature: data.customFeature || false
+          })
+        }
+      }
+    }
+
+    return endpoints
+  }, 'getAllEndpoints')
+}
+
+/**
+ * Gets endpoint summary from non-custom features only
+ * @returns {Promise<Array>} Array of endpoints from regular (non-custom) features
+ */
+export const getNonCustomEndpoints = async () => {
+  return withErrorHandling(async () => {
+    const command = new ScanCommand({
+      TableName: TABLE_NAME,
+      FilterExpression: 'itemType = :itemType AND (attribute_not_exists(customFeature) OR customFeature = :customFeature)',
+      ExpressionAttributeValues: {
+        ':itemType': { S: 'feature' },
+        ':customFeature': { BOOL: false }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items) {
+      return []
+    }
+
+    // Transform to flat endpoint list with context
+    const endpoints = []
+
+    for (const item of response.Items) {
+      const data = unmarshall(item)
+
+      if (data.endpoints && Array.isArray(data.endpoints)) {
+        for (const endpoint of data.endpoints) {
+          endpoints.push({
+            endpoint,
+            moduleName: data.moduleName,
+            featureName: data.featureName,
+            featureDescription: data.description,
+            version: data.version,
+            customFeature: false
+          })
+        }
+      }
+    }
+
+    return endpoints
+  }, 'getNonCustomEndpoints')
+}
+
+/**
+ * Creates a new custom feature in the module registry
+ * @param {Object} featureData - The feature data
+ * @param {string} featureData.moduleName - The module name
+ * @param {string} featureData.featureName - The feature name
+ * @param {string} featureData.description - Feature description
+ * @param {string} featureData.version - Feature version (defaults to '1.0.0')
+ * @param {Array} featureData.endpoints - Array of endpoints
+ * @param {Array} featureData.customPolicies - Array of custom policies
+ * @param {string} featureData.tenantId - Required tenant ID for tenant-specific custom features
+ * @param {string} featureData.policyArn - Optional policy ARN for the feature
+ * @param {string} featureData.policyName - Optional policy name for the feature
+ * @returns {Promise<Object>} Created feature object
+ */
+export const createCustomFeature = async (featureData) => {
+  const params = validateParams(featureData, ['moduleName', 'featureName', 'description', 'tenantId'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('createCustomFeature')
+    
+    // Use tenant-isolated partition key for custom features
+    const tenantModulePk = `TENANT#${params.tenantId}#MODULE#${params.moduleName}`
+    
+    // Generate feature ID if not provided
+    const featureId = params.featureId || generateFeatureId()
+    
+    // Validate feature ID
+    if (!validateFeatureId(featureId)) {
+      throw new Error(`Invalid feature ID: ${featureId} for feature: ${params.featureName}`)
+    }
+
+    // Prepare the feature item with tenant-isolated keys
+    const featureItem = {
+      pk: tenantModulePk,
+      sk: `FEATURE#${featureId}`,
+      gsi1pk: `TENANT#${params.tenantId}`, // For querying all tenant's custom features
+      gsi1sk: `MODULE#${params.moduleName}#FEATURE#${featureId}`,
+      itemType: 'feature',
+      moduleName: params.moduleName,
+      featureName: params.featureName,
+      featureId: featureId,
+      description: params.description,
+      version: params.version || '1.0.0',
+      endpoints: params.endpoints || [],
+      customPolicies: params.customPolicies || [],
+      customFeature: true, // Mark as custom feature
+      tenantId: params.tenantId, // Always required for custom features
+      lastUpdated: new Date().toISOString()
+    }
+    
+    if (params.policyArn) {
+      featureItem.policyArn = params.policyArn
+    }
+    
+    if (params.policyName) {
+      featureItem.policyName = params.policyName
+    }
+
+    logger.info(`Creating tenant-isolated custom feature ${params.featureName} in module ${params.moduleName} for tenant ${params.tenantId}`)
+
+    // Use PutItem to create the feature with tenant-isolated key
+    const command = new PutItemCommand({
+      TableName: TABLE_NAME,
+      Item: marshall(featureItem, { removeUndefinedValues: true }),
+      ConditionExpression: 'attribute_not_exists(pk)', // Prevent overwriting existing features
+    })
+
+    await client.send(command)
+
+    logger.info(`Tenant-isolated custom feature ${params.featureName} created successfully for tenant ${params.tenantId}`)
+
+    // Return clean feature object (without DDB internals)
+    return {
+      moduleName: featureItem.moduleName,
+      featureName: featureItem.featureName,
+      featureId: featureItem.featureId,
+      description: featureItem.description,
+      version: featureItem.version,
+      endpoints: featureItem.endpoints,
+      customPolicies: featureItem.customPolicies,
+      customFeature: featureItem.customFeature,
+      tenantId: featureItem.tenantId,
+      endpointCount: featureItem.endpoints.length,
+      lastUpdated: featureItem.lastUpdated,
+      ...(featureItem.policyArn && { policyArn: featureItem.policyArn }),
+      ...(featureItem.policyName && { policyName: featureItem.policyName })
+    }
+  }, 'createCustomFeature')
+}
+
+/**
+ * Creates a new regular (non-custom) feature in the module registry
+ * @param {Object} featureData - The feature data
+ * @param {string} featureData.moduleName - The module name
+ * @param {string} featureData.featureName - The feature name
+ * @param {string} featureData.description - Feature description
+ * @param {string} featureData.version - Feature version (defaults to '1.0.0')
+ * @param {Array} featureData.endpoints - Array of endpoints
+ * @param {Array} featureData.customPolicies - Array of custom policies
+ * @param {string} featureData.policyArn - Optional policy ARN for the feature
+ * @param {string} featureData.policyName - Optional policy name for the feature
+ * @returns {Promise<Object>} Created feature object
+ */
+export const createFeature = async (featureData) => {
+  const params = validateParams(featureData, ['moduleName', 'featureName', 'description'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('createFeature')
+    
+    // Generate feature ID if not provided
+    const featureId = params.featureId || generateFeatureId()
+    
+    // Validate feature ID
+    if (!validateFeatureId(featureId)) {
+      throw new Error(`Invalid feature ID: ${featureId} for feature: ${params.featureName}`)
+    }
+
+    // Prepare the feature item
+    const featureItem = {
+      pk: `MODULE#${params.moduleName}`,
+      sk: `FEATURE#${featureId}`,
+      gsi1pk: `MODULE#${params.moduleName}`,
+      gsi1sk: `FEATURE#${featureId}`,
+      itemType: 'feature',
+      moduleName: params.moduleName,
+      featureName: params.featureName,
+      featureId: featureId,
+      description: params.description,
+      version: params.version || '1.0.0',
+      endpoints: params.endpoints || [],
+      customPolicies: params.customPolicies || [],
+      customFeature: false, // Mark as regular feature
+      lastUpdated: new Date().toISOString()
+    }
+
+    // Add optional fields if provided
+    if (params.policyArn) {
+      featureItem.policyArn = params.policyArn
+    }
+    
+    if (params.policyName) {
+      featureItem.policyName = params.policyName
+    }
+
+    logger.info(`Creating feature ${params.featureName} in module ${params.moduleName}`)
+
+    // Use PutItem to create the feature
+    const command = new PutItemCommand({
+      TableName: TABLE_NAME,
+      Item: marshall(featureItem, { removeUndefinedValues: true }),
+      ConditionExpression: 'attribute_not_exists(pk)', // Prevent overwriting existing features
+    })
+
+    await client.send(command)
+
+    logger.info(`Feature ${params.featureName} created successfully`)
+
+    // Return clean feature object (without DDB internals)
+    return {
+      moduleName: featureItem.moduleName,
+      featureName: featureItem.featureName,
+      featureId: featureItem.featureId,
+      description: featureItem.description,
+      version: featureItem.version,
+      endpoints: featureItem.endpoints,
+      customPolicies: featureItem.customPolicies,
+      customFeature: featureItem.customFeature,
+      endpointCount: featureItem.endpoints.length,
+      lastUpdated: featureItem.lastUpdated,
+      ...(featureItem.policyArn && { policyArn: featureItem.policyArn }),
+      ...(featureItem.policyName && { policyName: featureItem.policyName })
+    }
+  }, 'createFeature')
+}
+
+/**
+ * Updates a custom feature in the module registry
+ * @param {string} moduleName - The module name
+ * @param {string} featureId - The feature ID (featureId is KING!)
+ * @param {Object} updates - Fields to update
+ * @param {string} updates.description - Updated description
+ * @param {Array} updates.endpoints - Updated endpoints array
+ * @param {Array} updates.customPolicies - Updated custom policies
+ * @param {string} tenantId - Required tenant ID for tenant-isolated custom features
+ * @returns {Promise<Object>} Updated feature object
+ */
+export const updateCustomFeature = async (moduleName, featureId, updates, tenantId) => {
+  const params = validateParams({ moduleName, featureId, tenantId }, ['moduleName', 'featureId', 'tenantId'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('updateCustomFeature')
+    
+    const allowedUpdates = ['description', 'endpoints', 'customPolicies']
+    const filteredUpdates = {}
+    
+    for (const [key, value] of Object.entries(updates)) {
+      if (allowedUpdates.includes(key)) {
+        filteredUpdates[key] = value
+      }
+    }
+    
+    if (Object.keys(filteredUpdates).length === 0) {
+      throw new Error(`No valid fields to update. Allowed fields: ${allowedUpdates.join(', ')}`)
+    }
+    
+    // Add lastUpdated timestamp
+    filteredUpdates.lastUpdated = new Date().toISOString()
+    
+    logger.info(`Updating tenant-isolated custom feature ${params.featureId} in module ${params.moduleName} for tenant ${params.tenantId}`)
+    
+    const expressionParts = []
+    const expressionAttributeNames = {}
+    const expressionAttributeValues = {}
+    
+    for (const [key, value] of Object.entries(filteredUpdates)) {
+      expressionParts.push(`#${key} = :${key}`)
+      expressionAttributeNames[`#${key}`] = key
+      expressionAttributeValues[`:${key}`] = value
+    }
+    
+    // Condition to ensure it exists, is a custom feature, and belongs to the tenant
+    const conditionExpression = 'attribute_exists(pk) AND customFeature = :customFeature AND tenantId = :tenantId'
+    expressionAttributeValues[':customFeature'] = true
+    expressionAttributeValues[':tenantId'] = params.tenantId
+    
+    // Use tenant-isolated partition key
+    const tenantModulePk = `TENANT#${params.tenantId}#MODULE#${params.moduleName}`
+    
+    const command = new UpdateItemCommand({
+      TableName: TABLE_NAME,
+      Key: marshall({
+        pk: tenantModulePk,
+        sk: `FEATURE#${params.featureId}`
+      }),
+      UpdateExpression: `SET ${expressionParts.join(', ')}`,
+      ExpressionAttributeNames: expressionAttributeNames,
+      ExpressionAttributeValues: marshall(expressionAttributeValues),
+      ConditionExpression: conditionExpression,
+      ReturnValues: 'ALL_NEW'
+    })
+    
+    const { Attributes } = await client.send(command)
+    
+    logger.info(`Tenant-isolated custom feature ${params.featureId} updated successfully for tenant ${params.tenantId}`)
+    
+    // Return clean feature object (without DDB internals)
+    const updatedFeature = unmarshall(Attributes)
+    return {
+      moduleName: updatedFeature.moduleName,
+      featureName: updatedFeature.featureName,
+      description: updatedFeature.description,
+      version: updatedFeature.version,
+      endpoints: updatedFeature.endpoints,
+      customPolicies: updatedFeature.customPolicies,
+      customFeature: updatedFeature.customFeature,
+      tenantId: updatedFeature.tenantId,
+      endpointCount: updatedFeature.endpoints.length,
+      lastUpdated: updatedFeature.lastUpdated,
+      ...(updatedFeature.policyArn && { policyArn: updatedFeature.policyArn }),
+      ...(updatedFeature.policyName && { policyName: updatedFeature.policyName })
+    }
+  }, 'updateCustomFeature')
+}
+
+/**
+ * Deletes a custom feature from the module registry
+ * @param {string} moduleName - The module name
+ * @param {string} featureId - The feature ID (featureId is KING!)
+ * @param {string} tenantId - Required tenant ID for tenant-isolated custom features
+ * @returns {Promise<boolean>} True if deleted successfully
+ */
+export const deleteCustomFeature = async (moduleName, featureId, tenantId) => {
+  const params = validateParams({ moduleName, featureId, tenantId }, ['moduleName', 'featureId', 'tenantId'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('deleteCustomFeature')
+    
+    logger.info(`Deleting tenant-isolated custom feature ${params.featureId} from module ${params.moduleName} for tenant ${params.tenantId}`)
+    
+    // Condition to ensure it exists, is a custom feature, and belongs to the tenant
+    const conditionExpression = 'attribute_exists(pk) AND customFeature = :customFeature AND tenantId = :tenantId'
+    const expressionAttributeValues = {
+      ':customFeature': true,
+      ':tenantId': params.tenantId
+    }
+    
+    // Use tenant-isolated partition key
+    const tenantModulePk = `TENANT#${params.tenantId}#MODULE#${params.moduleName}`
+    
+    const command = new DeleteItemCommand({
+      TableName: TABLE_NAME,
+      Key: marshall({
+        pk: tenantModulePk,
+        sk: `FEATURE#${params.featureId}`
+      }),
+      ConditionExpression: conditionExpression,
+      ExpressionAttributeValues: marshall(expressionAttributeValues)
+    })
+    
+    await client.send(command)
+    
+    logger.info(`Tenant-isolated custom feature ${params.featureId} deleted successfully for tenant ${params.tenantId}`)
+    return true
+  }, 'deleteCustomFeature')
+}
+
+/**
+ * Lists custom features for a specific tenant using efficient GSI query
+ * @param {string} tenantId - The tenant ID
+ * @returns {Promise<Array>} Array of custom features for the tenant
+ */
+export const listCustomFeaturesByTenant = async (tenantId) => {
+  const params = validateParams({ tenantId }, ['tenantId'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('listCustomFeaturesByTenant')
+    
+    logger.info(`Listing tenant-isolated custom features for tenant ${params.tenantId}`)
+    
+    // Use GSI1 for efficient tenant-specific query
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      IndexName: GSI1_NAME,
+      KeyConditionExpression: 'gsi1pk = :tenantPk',
+      FilterExpression: 'itemType = :itemType AND customFeature = :customFeature',
+      ExpressionAttributeValues: {
+        ':tenantPk': { S: `TENANT#${params.tenantId}` },
+        ':itemType': { S: 'feature' },
+        ':customFeature': { BOOL: true }
+      }
+    })
+    
+    const response = await client.send(command)
+    
+    if (!response.Items) {
+      return []
+    }
+    
+    // Transform to clean feature objects
+    const customFeatures = response.Items.map(item => {
+      const data = unmarshall(item)
+      
+      return {
+        moduleName: data.moduleName,
+        featureName: data.featureName,
+        description: data.description,
+        version: data.version,
+        endpoints: data.endpoints || [],
+        customPolicies: data.customPolicies || [],
+        customFeature: data.customFeature,
+        tenantId: data.tenantId,
+        endpointCount: (data.endpoints || []).length,
+        lastUpdated: data.lastUpdated,
+        ...(data.policyArn && { policyArn: data.policyArn }),
+        ...(data.policyName && { policyName: data.policyName })
+      }
+    })
+    
+    logger.info(`Found ${customFeatures.length} tenant-isolated custom features for tenant ${params.tenantId}`)
+    return customFeatures
+  }, 'listCustomFeaturesByTenant')
+}
+
+/**
+ * Gets detailed information about a specific tenant custom feature
+ * @param {string} moduleName - The module name
+ * @param {string} featureId - The feature ID (featureId is KING!)
+ * @param {string} tenantId - The tenant ID
+ * @returns {Promise<Object|null>} Tenant custom feature details or null if not found
+ */
+export const getTenantCustomFeature = async (moduleName, featureId, tenantId) => {
+  const params = validateParams({ moduleName, featureId, tenantId }, ['moduleName', 'featureId', 'tenantId'])
+
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('getTenantCustomFeature')
+    
+    logger.info(`Getting tenant-isolated custom feature ${params.featureId} from module ${params.moduleName} for tenant ${params.tenantId}`)
+    
+    // Use tenant-isolated partition key
+    const tenantModulePk = `TENANT#${params.tenantId}#MODULE#${params.moduleName}`
+    
+    const command = new QueryCommand({
+      TableName: TABLE_NAME,
+      KeyConditionExpression: 'pk = :pk AND sk = :sk',
+      ExpressionAttributeValues: {
+        ':pk': { S: tenantModulePk },
+        ':sk': { S: `FEATURE#${params.featureId}` }
+      }
+    })
+
+    const response = await client.send(command)
+
+    if (!response.Items || response.Items.length === 0) {
+      logger.info(`Tenant custom feature ${params.featureId} not found for tenant ${params.tenantId}`)
+      return null
+    }
+
+    // Transform DDB item to clean feature object
+    const data = unmarshall(response.Items[0])
+    
+    return {
+      moduleName: data.moduleName,
+      featureName: data.featureName,
+      description: data.description,
+      version: data.version,
+      endpoints: data.endpoints || [],
+      customPolicies: data.customPolicies || [],
+      customFeature: data.customFeature,
+      tenantId: data.tenantId,
+      endpointCount: (data.endpoints || []).length,
+      lastUpdated: data.lastUpdated,
+      ...(data.policyArn && { policyArn: data.policyArn }),
+      ...(data.policyName && { policyName: data.policyName })
+    }
+  }, 'getTenantCustomFeature')
+}
+
+// =============================================================================
+// ABAC (Attribute-Based Access Control) Functions
+// =============================================================================
+
+/**
+ * Converts an endpoint string to API Gateway ARN format
+ * @param {string} endpoint - Endpoint in format "METHOD - /path/pattern"
+ * @param {string} region - AWS region (defaults to *)
+ * @param {string} accountId - AWS account ID (defaults to *)
+ * @param {string} apiId - API Gateway ID (defaults to *)
+ * @returns {string} API Gateway ARN
+ */
+const endpointToArn = (endpoint, region = '*', accountId = '*', apiId = '*') => {
+  // Parse endpoint format: "POST /admin/tenants" or "POST admin/tenants"
+  const trimmedEndpoint = endpoint.trim()
+  const spaceIndex = trimmedEndpoint.indexOf(' ')
+  if (spaceIndex === -1) {
+    throw new Error(`Invalid endpoint format: ${endpoint}. Expected "METHOD path"`)
+  }
+  
+  const method = trimmedEndpoint.substring(0, spaceIndex).trim().toUpperCase()
+  let path = trimmedEndpoint.substring(spaceIndex + 1).trim()
+  
+  // Normalize path to ensure it starts with /
+  if (!path.startsWith('/')) {
+    path = `/${path}`
+  }
+  
+  // Convert path parameters from {param} to * for ARN matching
+  const arnPath = path.replace(/\{[^}]+\}/g, '*')
+  
+  return `arn:aws:execute-api:${region}:${accountId}:${apiId}/*/${method}${arnPath}`
+}
+
+/**
+ * Creates an ABAC condition for feature access
+ * @param {string} moduleName - Module name (e.g., 'tenants')
+ * @param {string} featureName - Feature name (e.g., 'criar-tenant')
+ * @returns {Object} IAM condition object
+ */
+const createAbacCondition = (moduleName, featureName) => {
+  return {
+    StringLike: {
+      [`aws:PrincipalTag/${moduleName}Features`]: `*${featureName}*`
+    }
+  }
+}
+
+/**
+ * Generates a single module-level managed policy with ABAC conditions
+ * @param {string} moduleName - The module name (e.g., 'tenants')
+ * @param {Object} options - Generation options
+ * @param {string} options.region - AWS region for ARN generation (defaults to *)
+ * @param {string} options.accountId - AWS account ID for ARN generation (defaults to *)
+ * @param {string} options.apiId - API Gateway ID for ARN generation (defaults to *)
+ * @returns {Promise<Object>} Complete IAM policy document with ABAC conditions
+ */
+export const generateModuleAbacPolicy = async (moduleName, options = {}) => {
+  const params = validateParams({ moduleName }, ['moduleName'])
+  const { region = '*', accountId = '*', apiId = '*', selectedFeatures } = options
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('generateModuleAbacPolicy')
+    
+    logger.info(`Generating ABAC policy for module ${params.moduleName}`)
+    
+    // Use provided features if available, otherwise query the database
+    let features
+    if (selectedFeatures && Array.isArray(selectedFeatures)) {
+      // Load full feature details for each selected feature to get endpoints
+      logger.info(`Loading full details for ${selectedFeatures.length} selected features`)
+      
+      features = await Promise.all(
+        selectedFeatures.map(async (sf) => {
+          const featureDetails = await getFeatureDetails(sf.moduleName, sf.featureId)
+          if (!featureDetails) {
+            throw new Error(`Feature '${sf.featureId}' not found in module '${sf.moduleName}'. Make sure the feature exists in the registry.`)
+          }
+          
+          return {
+            featureName: featureDetails.featureName,
+            moduleName: featureDetails.moduleName || sf.moduleName,
+            endpoints: featureDetails.endpoints || [],
+            customPolicies: featureDetails.customPolicies || []
+          }
+        })
+      )
+      
+      logger.info(`Loaded feature details for ${features.length} features`)
+    } else {
+      // Get all features for this module (both regular and custom) from database
+      features = await getModuleFeatures(params.moduleName)
+      logger.info(`Retrieved ${features?.length || 0} features from database`)
+    }
+    
+    if (!features || features.length === 0) {
+      logger.warn(`No features found for module ${params.moduleName}`)
+      return {
+        Version: '2012-10-17',
+        Statement: []
+      }
+    }
+    
+    // Generate policy statements for each feature
+    const statements = features.map(feature => {
+      // Sanitize both module name and feature name for AWS IAM SID requirements (alphanumeric only)
+      const moduleNameSafeId = params.moduleName.replace(/[^a-zA-Z0-9]/g, '')
+      const featureNameSafeId = feature.featureName.replace(/[^a-zA-Z0-9]/g, '')
+      
+      // Collect all actions (API Gateway + custom policies)
+      const actions = ['execute-api:Invoke']
+      const resources = []
+      
+      // Add API Gateway resources from endpoints
+      if (feature.endpoints && feature.endpoints.length > 0) {
+        feature.endpoints.forEach(endpoint => {
+          resources.push(endpointToArn(endpoint, region, accountId, apiId))
+        })
+      }
+      
+      // Add custom policy actions and resources
+      if (feature.customPolicies && feature.customPolicies.length > 0) {
+        feature.customPolicies.forEach(policy => {
+          if (policy.Action) {
+            const policyActions = Array.isArray(policy.Action) ? policy.Action : [policy.Action]
+            actions.push(...policyActions)
+          }
+          if (policy.Resource) {
+            const policyResources = Array.isArray(policy.Resource) ? policy.Resource : [policy.Resource]
+            resources.push(...policyResources)
+          }
+        })
+      }
+      
+      // Remove duplicates
+      const uniqueActions = [...new Set(actions)]
+      const uniqueResources = [...new Set(resources)]
+      
+      // If no resources defined, default to all
+      if (uniqueResources.length === 0) {
+        uniqueResources.push('*')
+      }
+      
+      return {
+        Sid: `${moduleNameSafeId}${featureNameSafeId}Access`,
+        Effect: 'Allow',
+        Action: uniqueActions,
+        Resource: uniqueResources,
+        Condition: createAbacCondition(params.moduleName, feature.featureName)
+      }
+    })
+    
+    const policyDocument = {
+      Version: '2012-10-17',
+      Statement: statements
+    }
+    
+    logger.info(`Generated ABAC policy for module ${params.moduleName} with ${statements.length} feature statements`)
+    
+    return policyDocument
+  }, 'generateModuleAbacPolicy')
+}
+
+/**
+ * Generates ABAC policy documents for all modules
+ * @param {Object} options - Generation options
+ * @param {string} options.region - AWS region for ARN generation
+ * @param {string} options.accountId - AWS account ID for ARN generation  
+ * @param {string} options.apiId - API Gateway ID for ARN generation
+ * @returns {Promise<Object>} Object with module names as keys and policy documents as values
+ */
+export const generateAllModuleAbacPolicies = async (options = {}) => {
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('generateAllModuleAbacPolicies')
+    
+    logger.info('Generating ABAC policies for all modules')
+    
+    // Get all modules
+    const modules = await listAllModules()
+    
+    if (!modules || modules.length === 0) {
+      logger.warn('No modules found')
+      return {}
+    }
+    
+    // Generate policy for each module
+    const moduleAbacPolicies = {}
+    
+    for (const module of modules) {
+      logger.info(`Processing module: ${module.moduleName}`)
+      moduleAbacPolicies[module.moduleName] = await generateModuleAbacPolicy(module.moduleName, options)
+    }
+    
+    logger.info(`Generated ABAC policies for ${Object.keys(moduleAbacPolicies).length} modules`)
+    
+    return moduleAbacPolicies
+  }, 'generateAllModuleAbacPolicies')
+}
+
+/**
+ * Creates resource tags for a role based on selected features
+ * @param {Array} selectedFeatures - Array of feature objects with moduleName and featureId
+ * @returns {Promise<Array>} Array of AWS resource tags for IAM role
+ */
+export const generateAbacTags = async (selectedFeatures) => {
+  const params = validateParams({ selectedFeatures }, ['selectedFeatures'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('generateAbacTags')
+    
+    if (!Array.isArray(params.selectedFeatures)) {
+      throw new Error('selectedFeatures must be an array')
+    }
+    
+    logger.info(`Generating ABAC tags for ${params.selectedFeatures.length} selected features`)
+    
+    // Group features by module
+    const featuresByModule = {}
+    
+    params.selectedFeatures.forEach(feature => {
+      if (!feature.moduleName || !feature.featureId) {
+        logger.warn('Skipping invalid feature - missing moduleName or featureId', feature)
+        return
+      }
+      
+      if (!featuresByModule[feature.moduleName]) {
+        featuresByModule[feature.moduleName] = []
+      }
+      
+      featuresByModule[feature.moduleName].push(feature.featureId)
+    })
+    
+    // Convert to AWS tags format - using short featureIds for IAM compliance
+    const tags = Object.entries(featuresByModule).map(([moduleName, featureIds]) => ({
+      Key: `${moduleName}Features`,
+      Value: featureIds.join(':')
+    }))
+    logger.info(`ABAC tags: ${JSON.stringify(tags)}`)
+    logger.info(`Generated ${tags.length} ABAC tags for modules: ${Object.keys(featuresByModule).join(', ')}`)
+    
+    return tags
+  }, 'generateAbacTags')
+}
+
+/**
+ * Gets required managed policy ARNs for a set of selected features
+ * @param {Array} selectedFeatures - Array of feature objects with moduleName and featureName
+ * @param {string} accountId - AWS account ID for ARN generation
+ * @param {string} service - Service name (e.g., 'api')
+ * @param {string} stage - Stage name (e.g., 'live')
+ * @returns {Promise<Array>} Array of managed policy ARNs needed for the selected features
+ */
+export const getRequiredModulePolicyArns = async (selectedFeatures, accountId, service, stage) => {
+  const params = validateParams({ selectedFeatures, accountId, service, stage }, ['selectedFeatures', 'accountId', 'service', 'stage'])
+  
+  return withErrorHandling(async () => {
+    const logger = createModuleRegistryLogger('getRequiredModulePolicyArns')
+    
+    if (!Array.isArray(params.selectedFeatures)) {
+      throw new Error('selectedFeatures must be an array')
+    }
+    
+    logger.info(`Getting required module policy ARNs for ${params.selectedFeatures.length} selected features`)
+    
+    // Get unique module names from selected features
+    const moduleNames = [...new Set(params.selectedFeatures.map(f => f.moduleName).filter(Boolean))]
+    
+    // Generate module-specific ABAC policy ARNs
+    const policyArns = moduleNames.map(moduleName => 
+      `arn:aws:iam::${params.accountId}:policy/${params.service}-${moduleName}-${params.stage}-abac`
+    )
+    
+    logger.info(`Required module-specific ABAC policy ARNs for modules [${moduleNames.join(', ')}]: ${JSON.stringify(policyArns)}`)
+    
+    return policyArns
+  }, 'getRequiredModulePolicyArns')
+}
+