refactor(broker): narrow ProviderHealthLookup to avoid loading secrets

Replace GetProfile (loads full Profile with client_secret, params, etc.)
with GetHealthStatus (SELECT only health_status) for the background
ConnectionHealthWorker's provider cross-reference.

Changes:
- Add Store.GetHealthStatus(uuid) (string, error) — single-column query
- Narrow ProviderHealthLookup interface to GetHealthStatus
- Update isProviderDown to use string status directly
- Remove provider package import from connection_health.go
- Add sqlmock tests for GetHealthStatus (success, not found)
- Update all mock expectations in connection_health_test.go

Author: sangalo20

nexus-broker/cmd/nexus-broker/main.go

@@ -144,7 +144,7 @@ func main() {
 	go healthWorker.Start(cleanupCtx)
 
 	// Start connection health worker (polls every 1m)
-	// The store implements ProviderHealthLookup via GetProfile(uuid.UUID)
+	// The store implements ProviderHealthLookup via GetHealthStatus(uuid.UUID)
 	connHealthWorker := service.NewConnectionHealthWorker(connRepo, connSvc, store, 1*time.Minute)
 	go connHealthWorker.Start(cleanupCtx)
 

nexus-broker/internal/service/connection_health.go

@@ -12,13 +12,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/domain"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/repository"
-	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/provider"
 )
 
 // ProviderHealthLookup provides read-only access to provider health status.
-// This avoids importing the full Store and keeps the dependency narrow.
+// Uses a narrow query that only fetches health_status, avoiding loading
+// sensitive fields (client_secret, params, etc.) into worker memory.
 type ProviderHealthLookup interface {
-	GetProfile(id uuid.UUID) (*provider.Profile, error)
+	GetHealthStatus(id uuid.UUID) (string, error)
 }
 
 // ConnectionHealthWorker polls for active connections and verifies their health
@@ -129,12 +129,12 @@ func (w *ConnectionHealthWorker) isProviderDown(providerID uuid.UUID) bool {
 		return false // No lookup available, assume provider is fine
 	}
 
-	profile, err := w.providerHealth.GetProfile(providerID)
+	status, err := w.providerHealth.GetHealthStatus(providerID)
 	if err != nil {
 		return false // Can't look up, assume provider is fine
 	}
 
-	return profile.HealthStatus == "unhealthy" || profile.HealthStatus == "degraded"
+	return status == "unhealthy" || status == "degraded"
 }
 
 func (w *ConnectionHealthWorker) checkConnection(ctx context.Context, c *domain.ConnectionWithProvider) string {

nexus-broker/internal/service/connection_health_test.go

@@ -15,7 +15,6 @@ import (
 
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/domain"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/service"
-	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/provider"
 )
 
 // Add missing mock methods to MockConnectionRepository
@@ -100,12 +99,9 @@ type MockProviderHealthLookup struct {
 	mock.Mock
 }
 
-func (m *MockProviderHealthLookup) GetProfile(id uuid.UUID) (*provider.Profile, error) {
+func (m *MockProviderHealthLookup) GetHealthStatus(id uuid.UUID) (string, error) {
 	args := m.Called(id)
-	if args.Get(0) != nil {
-		return args.Get(0).(*provider.Profile), args.Error(1)
-	}
-	return nil, args.Error(1)
+	return args.String(0), args.Error(1)
 }
 
 func TestConnectionHealthWorker_OAuth2_Healthy(t *testing.T) {
@@ -167,7 +163,7 @@ func TestConnectionHealthWorker_OAuth2_Expired(t *testing.T) {
 	mockSvc.On("Refresh", mock.Anything, connID).Return(&service.RefreshResponse{StatusCode: 400}, errors.New("invalid_grant")).Once()
 
 	// Provider is healthy, so the connection should be expired (not shielded)
-	mockHealth.On("GetProfile", providerID).Return(&provider.Profile{HealthStatus: "healthy"}, nil).Once()
+	mockHealth.On("GetHealthStatus", providerID).Return("healthy", nil).Once()
 
 	// Should update connection status to expired
 	mockRepo.On("UpdateStatus", mock.Anything, connID, "expired").Return(nil).Once()
@@ -213,7 +209,7 @@ func TestConnectionHealthWorker_OAuth2_ProviderDown_ShieldsExpiration(t *testing
 	mockSvc.On("Refresh", mock.Anything, connID).Return(&service.RefreshResponse{StatusCode: 401}, errors.New("token revoked")).Once()
 
 	// Provider is unhealthy → should shield the connection from being expired
-	mockHealth.On("GetProfile", providerID).Return(&provider.Profile{HealthStatus: "unhealthy"}, nil).Once()
+	mockHealth.On("GetHealthStatus", providerID).Return("unhealthy", nil).Once()
 
 	// Should NOT call UpdateStatus (no expiration)
 	// Should update health to "unhealthy" instead of "expired"
@@ -265,7 +261,7 @@ func TestConnectionHealthWorker_APIKey_Expired(t *testing.T) {
 	mockSvc.On("GetToken", mock.Anything, connID).Return(creds, "api_key_strategy", nil).Once()
 
 	// Provider is healthy, so expiration should proceed
-	mockHealth.On("GetProfile", providerID).Return(&provider.Profile{HealthStatus: "healthy"}, nil).Once()
+	mockHealth.On("GetHealthStatus", providerID).Return("healthy", nil).Once()
 
 	// Should update connection status to expired
 	mockRepo.On("UpdateStatus", mock.Anything, connID, "expired").Return(nil).Once()

nexus-broker/pkg/provider/store.go

@@ -424,6 +424,21 @@ func (s *Store) UpdateHealthStatus(id uuid.UUID, status string, message *string)
 	return nil
 }
 
+// GetHealthStatus returns only the health_status for a provider.
+// This is a narrow query intended for background workers that need to
+// cross-reference provider health without loading sensitive fields.
+func (s *Store) GetHealthStatus(id uuid.UUID) (string, error) {
+	var status string
+	err := s.db.QueryRow(
+		`SELECT COALESCE(health_status, 'unknown') FROM provider_profiles WHERE id = $1 AND deleted_at IS NULL`,
+		id,
+	).Scan(&status)
+	if err != nil {
+		return "", fmt.Errorf("failed to get provider health status: %w", err)
+	}
+	return status, nil
+}
+
 // GetMetadata retrieves integration metadata for all providers, grouped by auth_type
 func (s *Store) GetMetadata() (map[string]map[string]interface{}, error) {
 

nexus-broker/pkg/provider/store_test.go

@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"testing"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/jmoiron/sqlx"
@@ -208,3 +209,211 @@ func TestGetProfile_NullValues(t *testing.T) {
 		assert.Equal(t, "null-provider", profile.Name)
 	}
 }
+
+func TestGetAllProfiles_Success(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	id1 := uuid.New()
+	id2 := uuid.New()
+	now := time.Now()
+	msg := "timeout reaching token_endpoint"
+
+	// Must match the exact 19-column order in GetAllProfiles SELECT:
+	// id, name, client_id, client_secret, auth_url, token_url, issuer,
+	// enable_discovery, scopes, auth_type, auth_header,
+	// api_base_url, user_info_endpoint, params, description, category,
+	// last_health_check_at, health_status, health_message
+	rows := sqlmock.NewRows([]string{
+		"id", "name", "client_id", "client_secret", "auth_url", "token_url", "issuer",
+		"enable_discovery", "scopes", "auth_type", "auth_header",
+		"api_base_url", "user_info_endpoint", "params", "description", "category",
+		"last_health_check_at", "health_status", "health_message",
+	}).AddRow(
+		id1.String(), "google", ptr("cid"), ptr("csec"), ptr("https://auth"), ptr("https://token"), nil,
+		true, []byte("{email,profile}"), "oauth2", "",
+		"https://api.google.com", "/userinfo", nil, "Google OAuth", "Identity",
+		now, "healthy", nil,
+	).AddRow(
+		id2.String(), "stripe", nil, nil, nil, nil, nil,
+		false, []byte("{}"), "api_key", "Authorization",
+		"https://api.stripe.com", "/v1/account", nil, "Stripe API", "Payments",
+		now, "unhealthy", &msg,
+	)
+
+	mock.ExpectQuery(`SELECT .* FROM provider_profiles`).WillReturnRows(rows)
+
+	profiles, err := store.GetAllProfiles()
+	assert.NoError(t, err)
+	assert.Len(t, profiles, 2)
+
+	// Verify first profile health fields
+	assert.Equal(t, id1, profiles[0].ID)
+	assert.Equal(t, "google", profiles[0].Name)
+	assert.Equal(t, "healthy", profiles[0].HealthStatus)
+	assert.NotNil(t, profiles[0].LastHealthCheckAt)
+	assert.Nil(t, profiles[0].HealthMessage)
+
+	// Verify second profile health fields
+	assert.Equal(t, id2, profiles[1].ID)
+	assert.Equal(t, "stripe", profiles[1].Name)
+	assert.Equal(t, "unhealthy", profiles[1].HealthStatus)
+	assert.NotNil(t, profiles[1].HealthMessage)
+	assert.Equal(t, "timeout reaching token_endpoint", *profiles[1].HealthMessage)
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestGetAllProfiles_Empty(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	rows := sqlmock.NewRows([]string{
+		"id", "name", "client_id", "client_secret", "auth_url", "token_url", "issuer",
+		"enable_discovery", "scopes", "auth_type", "auth_header",
+		"api_base_url", "user_info_endpoint", "params", "description", "category",
+		"last_health_check_at", "health_status", "health_message",
+	})
+
+	mock.ExpectQuery(`SELECT .* FROM provider_profiles`).WillReturnRows(rows)
+
+	profiles, err := store.GetAllProfiles()
+	assert.NoError(t, err)
+	assert.Nil(t, profiles) // append to nil slice returns nil
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestGetAllProfiles_QueryError(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	mock.ExpectQuery(`SELECT .* FROM provider_profiles`).
+		WillReturnError(sql.ErrConnDone)
+
+	profiles, err := store.GetAllProfiles()
+	assert.Error(t, err)
+	assert.Nil(t, profiles)
+	assert.Contains(t, err.Error(), "failed to query all profiles")
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUpdateHealthStatus_Success(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	providerID := uuid.New()
+	msg := "token_url 503"
+
+	// Verify the UPDATE is called with (status, message, id) in correct order
+	mock.ExpectExec(`UPDATE provider_profiles SET health_status = \$1, health_message = \$2, last_health_check_at = NOW\(\) WHERE id = \$3`).
+		WithArgs("unhealthy", &msg, providerID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	err = store.UpdateHealthStatus(providerID, "unhealthy", &msg)
+	assert.NoError(t, err)
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUpdateHealthStatus_NilMessage(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	providerID := uuid.New()
+
+	mock.ExpectExec(`UPDATE provider_profiles SET health_status = \$1, health_message = \$2, last_health_check_at = NOW\(\) WHERE id = \$3`).
+		WithArgs("healthy", nil, providerID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	err = store.UpdateHealthStatus(providerID, "healthy", nil)
+	assert.NoError(t, err)
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestUpdateHealthStatus_DBError(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	providerID := uuid.New()
+
+	mock.ExpectExec(`UPDATE provider_profiles SET health_status`).
+		WithArgs("unhealthy", nil, providerID).
+		WillReturnError(sql.ErrConnDone)
+
+	err = store.UpdateHealthStatus(providerID, "unhealthy", nil)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to update provider health status")
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestGetHealthStatus_Success(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	providerID := uuid.New()
+	rows := sqlmock.NewRows([]string{"health_status"}).AddRow("unhealthy")
+
+	mock.ExpectQuery(`SELECT COALESCE\(health_status, 'unknown'\) FROM provider_profiles WHERE id = \$1`).
+		WithArgs(providerID).
+		WillReturnRows(rows)
+
+	status, err := store.GetHealthStatus(providerID)
+	assert.NoError(t, err)
+	assert.Equal(t, "unhealthy", status)
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
+func TestGetHealthStatus_NotFound(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	assert.NoError(t, err)
+	defer db.Close()
+
+	sqlxDB := sqlx.NewDb(db, "sqlmock")
+	store := NewStore(sqlxDB)
+
+	providerID := uuid.New()
+
+	mock.ExpectQuery(`SELECT COALESCE\(health_status, 'unknown'\) FROM provider_profiles WHERE id = \$1`).
+		WithArgs(providerID).
+		WillReturnError(sql.ErrNoRows)
+
+	status, err := store.GetHealthStatus(providerID)
+	assert.Error(t, err)
+	assert.Equal(t, "", status)
+	assert.Contains(t, err.Error(), "failed to get provider health status")
+
+	assert.NoError(t, mock.ExpectationsWereMet())
+}