Save encrypted .cer, .key, and metadata to FIEL_STORAGE_PATH alongside
the existing DB storage. Each file has separate .iv and .tag sidecar files.
Filesystem failure is non-blocking (logs warning, DB remains primary).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename Tenant.schemaName to databaseName across all services
- Add Subscription and Payment models to Prisma schema
- Update FielCredential to per-component IV/tag encryption columns
- Switch FIEL encryption key from JWT_SECRET to FIEL_ENCRYPTION_KEY
- Add Subscription and Payment shared types
- Update JWTPayload to use databaseName
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace manual SOAP authentication with the official nodecfdi library
which properly handles WS-Security signatures for SAT web services.
- Add sat-client.service.ts using Fiel.create() for authentication
- Update sat.service.ts to use new client
- Update fiel.service.ts to return raw certificate data
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Each piece of data was being encrypted with a different IV, but only
the first IV was saved. Now using encryptFielCredentials/decryptFielCredentials
helper functions that encrypt all data together with a single IV/tag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
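
The IV bug described in the commit message above, reproduced as an added Node.js example (not the project's own code). It stores an IV and tag with every component, as the per-component IV/tag columns mentioned in this log do, and then shows what happens when only the first IV/tag is kept. All function names, the random key and the sample field values are hypothetical and constructed for illustration.

```javascript
// Added example, not the project's code. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

// Encrypt one component with AES-256-GCM under a fresh 96-bit IV.
function encryptComponent(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { data, iv, tag: cipher.getAuthTag() };
}

// Decrypt one component; final() throws if the IV, tag or data do not match.
function decryptComponent(key, { data, iv, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(data), decipher.final()]);
}

// Each field keeps its own { data, iv, tag } triple.
function encryptRecord(key, fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    out[name] = encryptComponent(key, Buffer.from(value));
  }
  return out;
}

function decryptRecord(key, record) {
  const out = {};
  for (const [name, box] of Object.entries(record)) {
    out[name] = decryptComponent(key, box).toString();
  }
  return out;
}

// Failure mode: only the first component's IV/tag was persisted, so every
// other component is decrypted with the wrong IV and tag and fails the check.
function decryptWithFirstIvOnly(key, record) {
  const [first] = Object.values(record);
  const results = {};
  for (const [name, box] of Object.entries(record)) {
    try {
      decryptComponent(key, { data: box.data, iv: first.iv, tag: first.tag });
      results[name] = 'ok';
    } catch (err) {
      results[name] = 'auth-failed';
    }
  }
  return results;
}

const DEMO_KEY = nodeCrypto.randomBytes(32); // constructed key, not derived from any env var
const SAMPLE_FIELDS = { cer: 'constructed-cer', key: 'constructed-key', password: 'constructed-pass' };
```

Because GCM authenticates the ciphertext, the mismatch surfaces as a thrown error on `final()` rather than as silently corrupted plaintext.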
The @nodecfdi/credentials library returns date values that aren't
JavaScript Date objects, causing getTime() to fail.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat-crypto.service.ts with AES-256-GCM encryption for secure
credential storage using JWT_SECRET as key derivation source
- Add fiel.service.ts with complete FIEL lifecycle management:
  - Upload and validate FIEL credentials (.cer/.key files)
  - Verify certificate is FIEL (not CSD) and not expired
  - Store encrypted credentials in database
  - Retrieve and decrypt credentials for SAT sync operations
- Install @nodecfdi/credentials for FIEL/CSD handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>