chore: resolve merge conflict with main

Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>

Author: cursoragent

.env.development

@@ -40,12 +40,6 @@ CONFIG_PATH=${PWD}/config.json # Path to the sourcebot config file (if one exist
 # Redis
 REDIS_URL="redis://localhost:6379"
 
-# Stripe
-# STRIPE_SECRET_KEY: z.string().optional(),
-# STRIPE_PRODUCT_ID: z.string().optional(),
-# STRIPE_WEBHOOK_SECRET: z.string().optional(),
-# STRIPE_ENABLE_TEST_CLOCKS=false
-
 # Agents
 
 # GITHUB_APP_ID=
@@ -75,6 +69,5 @@ SOURCEBOT_TELEMETRY_DISABLED=true # Disables telemetry collection
 
 # CONFIG_MAX_REPOS_NO_TOKEN=
 NODE_ENV=development
-# SOURCEBOT_TENANCY_MODE=single
 
 DEBUG_WRITE_CHAT_MESSAGES_TO_FILE=true

CHANGELOG.md

@@ -10,6 +10,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Updated MCP OAuth consent screen to use Sourcebot branded logo with dark/light mode support. [#1062](https://github.com/sourcebot-dev/sourcebot/pull/1062)
 
+## [4.16.5] - 2026-04-02
+
+### Added
+- Added `GET /api/commit` endpoint for retrieving details about a single commit, including parent commit SHAs [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+
+### Changed
+- Replaced placeholder avatars with deterministic minidenticon-based avatars generated from email addresses [#1072](https://github.com/sourcebot-dev/sourcebot/pull/1072)
+- Changed `author_name` and `author_email` fields to `authorName` and `authorEmail` in `GET /api/commits` response [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+- Changed `oldPath` and `newPath` in `GET /api/diff` response from `"/dev/null"` to `null` for added/deleted files [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+- Bumped `simple-git` to `3.33.0`. [#1078](https://github.com/sourcebot-dev/sourcebot/pull/1078)
+
+## [4.16.4] - 2026-04-01
+
+### Added
+- Added `GET /api/diff` endpoint for retrieving structured diffs between two git refs [#1063](https://github.com/sourcebot-dev/sourcebot/pull/1063)
+
+### Fixed
+- Fixed `GET /api/mcp` hanging with zero bytes by returning `405 Method Not Allowed` per the MCP Streamable HTTP spec [#1064](https://github.com/sourcebot-dev/sourcebot/pull/1064)
+- Fixed tokens with trailing newlines breaking git clone URLs by adding `.trim()` in `getTokenFromConfig()` [#1067](https://github.com/sourcebot-dev/sourcebot/pull/1067)
+
+### Removed
+- Removed "general" settings page with options to change organization name and domain. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
+
+### Changed
+- Changed the analytics and license settings pages to only be viewable by organization owners. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
+
 ## [4.16.3] - 2026-03-27
 
 ### Added

CLAUDE.md

@@ -71,6 +71,13 @@ className="border-[var(--border)] bg-[var(--card)] text-[var(--foreground)]"
 
 ## API Route Handlers
 
+When implementing a new API route, ask the user whether it should be part of the public API. If yes:
+
+1. Add the request/response Zod schemas to `packages/web/src/openapi/publicApiSchemas.ts`, calling `.openapi('SchemaName')` on each schema to register it with a name.
+2. Register the route in `packages/web/src/openapi/publicApiDocument.ts` using `registry.registerPath(...)`, assigning it to the appropriate tag.
+3. Add the endpoint to the relevant group in the `API Reference` tab of `docs/docs.json`.
+4. Regenerate the OpenAPI spec by running `yarn workspace @sourcebot/web openapi:generate`.
+
 Route handlers should validate inputs using Zod schemas.
 
 **Query parameters** (GET requests):
@@ -148,11 +155,11 @@ Server actions should be used for mutations (POST/PUT/DELETE operations), not fo
 
 ## Authentication
 
-Use `withAuthV2` or `withOptionalAuthV2` from `@/withAuthV2` to protect server actions and API routes.
+Use `withAuth` or `withOptionalAuth` from `@/middleware/withAuth` to protect server actions and API routes.
 
-- **`withAuthV2`** - Requires authentication. Returns `notAuthenticated()` if user is not logged in.
-- **`withOptionalAuthV2`** - Allows anonymous access if the org has anonymous access enabled. `user` may be `undefined`.
-- **`withMinimumOrgRole`** - Wrap inside auth context to require a minimum role (e.g., `OrgRole.OWNER`).
+- **`withAuth`** - Requires authentication. Returns `notAuthenticated()` if user is not logged in.
+- **`withOptionalAuth`** - Allows anonymous access if the org has anonymous access enabled. `user` may be `undefined`.
+- **`withMinimumOrgRole`** - Wrap inside auth context to require a minimum role (e.g., `OrgRole.OWNER`). Import from `@/middleware/withMinimumOrgRole`.
 
 **Important:** Always use the `prisma` instance provided by the auth context. This instance has `userScopedPrismaClientExtension` applied, which enforces repository visibility rules (e.g., filtering repos based on user permissions). Do NOT import `prisma` directly from `@/prisma` in actions or routes that return data to the client.
 
@@ -161,19 +168,19 @@ Use `withAuthV2` or `withOptionalAuthV2` from `@/withAuthV2` to protect server a
 ```ts
 'use server';
 
-import { sew } from "@/actions";
-import { withAuthV2 } from "@/withAuthV2";
+import { sew } from "@/middleware/sew";
+import { withAuth } from "@/middleware/withAuth";
 
 export const myProtectedAction = async ({ id }: { id: string }) => sew(() =>
-    withAuthV2(async ({ org, user, prisma }) => {
+    withAuth(async ({ org, user, prisma }) => {
         // user is guaranteed to be defined
         // prisma is scoped to the user
         return { success: true };
     })
 );
 
 export const myPublicAction = async ({ id }: { id: string }) => sew(() =>
-    withOptionalAuthV2(async ({ org, user, prisma }) => {
+    withOptionalAuth(async ({ org, user, prisma }) => {
         // user may be undefined for anonymous access
         return { success: true };
     })
@@ -185,10 +192,10 @@ export const myPublicAction = async ({ id }: { id: string }) => sew(() =>
 ```ts
 import { serviceErrorResponse } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
-import { withAuthV2 } from "@/withAuthV2";
+import { withAuth } from "@/middleware/withAuth";
 
 export const GET = apiHandler(async (request: NextRequest) => {
-    const result = await withAuthV2(async ({ org, user, prisma }) => {
+    const result = await withAuth(async ({ org, user, prisma }) => {
         // ... your logic
         return data;
     });