fix(core): auto-disable Integration when credentials are invalidated

[d-klotz]

Summary

When OAuth2Requester.refreshAuth fails and Module.markCredentialsInvalid flips Credential.authIsValid to false, Integration.status was left as ENABLED. The queue worker only short-circuits on DISABLED, so every subsequent webhook kept getting processed, failed again, and re-entered the error loop -- producing 94k+ error lines/day for Attio integrations with dead tokens.

This PR uses Frigg's existing Delegate pattern to propagate the failure upward:

• Module fires a new CREDENTIAL_INVALIDATED event from markCredentialsInvalid (best-effort try/catch so it never alters refreshAuth's documented return false contract)
• IntegrationBase catches the event in a new receiveNotification method and calls updateIntegrationStatus.execute(this.id, 'ERROR')
• The delegate wire (module.delegate = this) is installed in IntegrationBase._appendModules, covering all 7 code paths that construct Integration instances (HTTP reads, queue workers, create/update/delete flows)
• Queue worker (backend-utils.js) now discards on both DISABLED and ERROR statuses (previously only DISABLED)

Status semantics (per Frigg team lead feedback)

Status	Meaning	Who sets it	Queue worker	Re-auth clears it
ENABLED	Active, processing webhooks	Initial state + Gap C re-auth	Processes	n/a
DISABLED	User intentionally paused	User action only	Discards	Yes (Reconnect = opt-in)
ERROR	Credentials dead (system)	This PR (auto-flip)	Discards	Yes (new creds fix it)

This is Gap B of 3 from the Attio dead-token RCA:

• Gap A (refresh short-circuit when refresh_token is null): PR fix(core): narrow OAuth2Requester isRefreshable when refresh is impossible #575
• Gap B (auto-set ERROR on invalid auth + queue worker discard): this PR
• Gap C (restore Integration on re-auth): PR fix(core): restore Integration status to ENABLED on successful re-auth #574

Recovery is handled by Gap C: ProcessAuthorizationCallback.restoreIntegrationsForEntity flips {ERROR, DISABLED} back to ENABLED on successful re-auth, so Gaps B + C are complementary.

Files changed

File	Change
packages/core/modules/module.js	New DLGT_CREDENTIAL_INVALIDATED constant + this.notify(...) at end of markCredentialsInvalid(), wrapped in try/catch
packages/core/integrations/integration-base.js	module.delegate = this wiring in _appendModules loop + new receiveNotification() handler that flips status to ERROR
packages/core/handlers/backend-utils.js	Queue worker status discard extended from === 'DISABLED' to ['DISABLED', 'ERROR'].includes(status) at both check points (lines 157, 173)

Test plan

7 unit tests across 4 files (all green, 19 suites / 171 tests full regression clean):

• Module fires CREDENTIAL_INVALIDATED to its delegate after credential flip
• Module with delegate=null completes silently (backward compat)
• IntegrationBase flips to ERROR on CREDENTIAL_INVALIDATED
• IntegrationBase ignores unknown delegate strings
• IntegrationBase no-ops when this.id is falsy (not hydrated)
• IntegrationBase._appendModules sets module.delegate = this for all modules
• Queue worker discards message when integration status is ERROR

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1636cbaa51

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict auto-disable to permanent auth failures

Disabling the integration unconditionally on every CREDENTIAL_INVALIDATED event will also disable it for transient refresh failures, because OAuth2Requester.refreshAuth() emits DLGT_INVALID_AUTH for any caught error (including network/5xx issues), and Module.receiveNotification() maps that directly to markCredentialsInvalid(). With this new status flip, a temporary outage in the token endpoint can now move healthy integrations to DISABLED and stop all webhook processing until manual reauth, which is a functional regression from this change path.

Useful? React with 👍 / 👎.

[graphite-app]

Documentation inconsistency: Comment states the integration status will be flipped to "DISABLED" but the actual implementation sets it to "ERROR" (line 568). While both statuses are functionally handled the same way in backend-utils.js, this misleading comment could cause confusion during future maintenance.

Correct the comment to:

// and flips this integration's status to ERROR so the queue worker

Suggested change

	* and flips this integration's status to DISABLED so the queue worker
	* and flips this integration's status to ERROR so the queue worker

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.

This comment came from an experimental review—please leave feedback if it was helpful/unhelpful. Learn more about experimental comments here.

[sonarqubecloud]

Quality Gate failed

Failed conditions
20.1% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud