
feat!: connector system with grant implementation#67

Merged: mateonunez merged 3 commits into main from feat/connectors on Jan 7, 2026


@mateonunez
Owner

This PR introduces comprehensive multi-user/tenant support for connectors, adds encryption for sensitive configuration data, and implements a grant-based access control system. This enables secure, user-scoped connector management in a multi-tenant environment.

✨ New Features

1. Encryption Utilities (core/src/utils/encryption.utils.ts)

  • AES-256-CBC encryption/decryption using CryptoJS (browser-compatible)
  • Encrypts sensitive connector configuration data before storage
  • Supports 64-character hex encryption keys (32 bytes)
  • New environment variable: AIT_ENCRYPTION_KEY (required for connector configs)
  • Added to all relevant .env.example files

2. Connector Grant Service (connectors/src/services/connector.grant.service.ts)

  • Centralized service for checking user access to connectors
  • Cached grant checks (1-minute TTL) for performance
  • Methods:
    • isGranted(vendor, userId?): Check if user has access to a vendor
    • getGrantedVendors(userId): Get all granted vendors for a user
    • invalidateCache(): Clear grant cache
  • Supports both user-scoped and global grants

3. Multi-User Connector Architecture

  • Connector Services: All connector services now accept optional IConnectorOAuthConfig with userId and connectorConfigId
  • Connector Repositories: All repositories now require userId and connectorConfigId in constructors
  • Connector Factory: New getServiceByConfig() method that:
    • Loads connector config from database by configId and userId
    • Automatically decrypts encrypted settings
    • Injects userId and connectorConfigId into service config
    • Caches service instances per user-config pair

4. Database Schema Updates

  • New migrations for connector_configs, oauth_tokens, and providers tables
  • Removed default UUIDs from ID columns (migrations 0039-0043)
  • Added connector-configs.schema.ts with encrypted config support
  • Consolidated schema exports in postgres/src/schemas/index.ts

🔧 Improvements

Gateway Routes

  • All connector routes now support userId via:
    • X-User-Id header
    • userId query parameter
    • OAuth state parameter (format: configId:userId)
  • Routes use getServiceByConfig() for database-driven connector instances
  • Maintains backward compatibility with legacy getService() method

Browser Compatibility

  • Hash Utils: Migrated from Node.js crypto to CryptoJS for browser compatibility
    • Supports MD5 and SHA256 algorithms
    • Works in both Node.js and browser environments
  • Vite Config: Enhanced polyfills for buffer, global, and process
    • Added explicit path aliases for polyfill shims
    • Added buffer@^6.0.3 dependency

UI Enhancements

  • Added vendor prop to all integration pages (GitHub, Linear, Spotify, X, Slack, Notion, Google)
  • Improved VendorConnectButton with fallback icons and colors
  • Updated stats page layout for better responsiveness
  • Removed debug console.log from stream parser

Postgres Package

  • Added db:seed script for database seeding
  • Added db:cleanup script for truncating oauth_tokens
  • Exported Drizzle ORM helpers (and, eq) from main index
  • Schema exports now centralized in schemas/index.ts

🔄 Refactoring

  • Connector Service Base: Added userId and connectorConfigId getters
  • OAuth Utils: Updated saveOAuthData() to accept userId and connectorConfigId
  • OAuth Config Interface: Added optional userId and connectorConfigId fields
  • Connector Type: Updated constructor signature to accept optional IConnectorOAuthConfig

📦 Dependencies

  • Added buffer@^6.0.3 to @ait/uit for browser polyfills
  • Added @ait/postgres dependency to @ait/gateway

🔌 Configuration

  • New Environment Variables:
    • AIT_ENCRYPTION_KEY: 64-character hex string (32 bytes) for encrypting connector configs
    • Required in: root .env, connectors/.env, postgres/.env, retove/.env

🗄️ Database Migrations

  • 0038: Initial connector configs schema
  • 0039-0042: UUID default value changes for connector tables
  • 0043: Removed default UUIDs (final state)

🔒 Security

  • Sensitive connector configuration data is now encrypted at rest
  • User-scoped connector access enforced at database level
  • Grant checks prevent unauthorized connector access
  • Encryption key validation (must be 64-character hex)

📊 Impact

  • Multi-Tenancy: Full support for user-scoped connectors
  • Security: Encrypted storage of sensitive OAuth tokens and configs
  • Performance: Cached grant checks reduce database queries
  • Compatibility: Browser-compatible hash utilities enable frontend usage

🧪 Testing

  • Added encryption utils tests (encryption.utils.test.ts)
  • All connector services updated to support new constructor pattern
  • Gateway routes tested with userId extraction from multiple sources

⚠️ Breaking Changes

  • Connector service constructors now require optional config parameter
  • Connector repositories require userId and connectorConfigId in constructors
  • AIT_ENCRYPTION_KEY environment variable is now required for connector functionality
  • Hash utilities API unchanged but implementation changed (CryptoJS instead of Node crypto)
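
The grant caching listed under "Connector Grant Service" above, as an added example (not code from this PR or the project). `ExampleGrantService`, the `GrantLookup` store callback, the sample grants and the rule that a null `userId` marks a global grant are assumptions. It shows per-user cache keys, deny-by-default matching, and the window of up to one minute in which a revoked grant is still answered from cache.

```typescript
// Added illustration, not the project's connector.grant.service.ts.
type Grant = { vendor: string; userId: string | null }; // null = global grant (assumed)
type GrantLookup = (vendor: string, userId?: string) => Grant[]; // hypothetical store query
const GRANT_TTL_MS = 60_000; // the 1-minute TTL named in the PR description

class ExampleGrantService {
  private cache = new Map<string, { granted: boolean; expiresAt: number }>();
  private lookup: GrantLookup;
  private now: () => number;
  lookups = 0; // backing-store queries made, exposed for the demonstration

  constructor(lookup: GrantLookup, now: () => number = Date.now) {
    this.lookup = lookup;
    this.now = now;
  }

  isGranted(vendor: string, userId?: string): boolean {
    // JSON-encode the pair so one tenant's entry can never answer for another.
    const key = JSON.stringify([vendor, userId ?? null]);
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.granted;
    this.lookups++;
    // Deny by default: only a matching user-scoped or global row grants access.
    const granted = this.lookup(vendor, userId).some(
      (g) => g.vendor === vendor && (g.userId === null || g.userId === userId),
    );
    this.cache.set(key, { granted, expiresAt: this.now() + GRANT_TTL_MS });
    return granted;
  }

  invalidateCache(): void {
    this.cache.clear();
  }
}

// Constructed data: one user-scoped grant and one global grant.
function demoRevocationWindow() {
  let grants: Grant[] = [{ vendor: "github", userId: "user-a" }, { vendor: "spotify", userId: null }];
  let clock = 0;
  const svc = new ExampleGrantService(() => grants, () => clock);
  const before = svc.isGranted("github", "user-a");
  const otherUser = svc.isGranted("github", "user-b");
  const globalGrant = svc.isGranted("spotify", "user-b");
  grants = grants.filter((g) => g.userId !== "user-a"); // revoke user-a's grant
  const stale = svc.isGranted("github", "user-a"); // still answered from cache
  clock = GRANT_TTL_MS; // entries written at t=0 have now expired
  const afterTtl = svc.isGranted("github", "user-a"); // re-queried, now denied
  return { before, otherUser, globalGrant, stale, afterTtl, lookups: svc.lookups };
}
```

Calling `invalidateCache()` in the revocation path closes that window immediately instead of waiting for the TTL.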

Signed-off-by: mateonunez <mateonunez95@gmail.com>
- Grant Service
- Gateway routes
- Modal configurator

Signed-off-by: mateonunez <mateonunez95@gmail.com>
Signed-off-by: mateonunez <mateonunez95@gmail.com>
@vercel
Contributor

vercel Bot commented Jan 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
ait.chat Ready Ready Preview, Comment Jan 7, 2026 8:17pm

@mateonunez mateonunez merged commit 7880c58 into main Jan 7, 2026
9 checks passed
@mateonunez mateonunez deleted the feat/connectors branch January 7, 2026 21:22