feat(worker): add per-connection enforcePermissions toggle and promote PERMISSION_SYNC_ENABLED

- Add `enforcePermissions` boolean to all connection config schemas (github, gitlab, bitbucket, gitea, gerrit, azuredevops, genericGitHost). Defaults to the value of `PERMISSION_SYNC_ENABLED` when not set.
- Add `enforcePermissions` column to the `Connection` DB model (migration: 20260310050300).
- Sync `enforcePermissions` from config in `configManager.ts` on create/update.
- Filter repo permission syncer to only queue repos with at least one connection with `enforcePermissions: true`.
- Update `getRepoPermissionFilterForUser` in `prisma.ts` to exempt repos where no connection has `enforcePermissions: true`.
- Deprecate `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` in favour of `PERMISSION_SYNC_ENABLED` (backwards-compatible via Zod transform fallback).
- Remove `isPermissionSyncEnabled()` helper; replace all call sites with `env.PERMISSION_SYNC_ENABLED === 'true'`.
- Add unit tests for `PERMISSION_SYNC_ENABLED` env var behaviour in `packages/shared/src/env.server.test.ts`.
- Extract `createEnv` options as named export to preserve JSDoc (`@deprecated`) in emitted `.d.ts` (see microsoft/TypeScript#62309).
- Update permission-syncing and environment-variables docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

docs/docs/configuration/environment-variables.mdx

@@ -45,8 +45,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `SOURCEBOT_EE_AUDIT_RETENTION_DAYS` | `180` | <p>The number of days to retain audit logs. Audit log records older than this will be automatically pruned daily. Set to `0` to disable pruning and retain logs indefinitely.</p> |
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
-| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
-| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
+| `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 

docs/docs/features/permission-syncing.mdx

@@ -18,11 +18,11 @@ that they have access to on the code host. Practically, this means:
 - Ask Sourcebot (and the underlying LLM) will only have access to repositories that the user has access to.
 - File browsing is scoped to the repositories that the user has access to.
 
-Permission syncing can be enabled by setting the `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` environment variable to `true`.
+Permission syncing can be enabled by setting the `PERMISSION_SYNC_ENABLED` environment variable to `true`.
 
 ```bash
 docker run \
-    -e EXPERIMENT_EE_PERMISSION_SYNC_ENABLED=true \
+    -e PERMISSION_SYNC_ENABLED=true \
     /* additional args */ \
     ghcr.io/sourcebot-dev/sourcebot:latest
 ```
@@ -130,6 +130,54 @@ If your instance relies heavily on project or group-level permissions, we recomm
 - The connection token must have **Repository Read** permissions so Sourcebot can read repository-level user permissions for [Repo driven syncing](/docs/features/permission-syncing#how-it-works).
 - OAuth tokens require the `REPO_READ` scope to list accessible repositories during [User driven syncing](/docs/features/permission-syncing#how-it-works).
 
+# Manually refreshing permissions
+
+If a user's permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the **Linked Accounts** page:
+
+1. Navigate to **Settings → Linked Accounts**.
+2. Click the **Connected** button next to the relevant code host account.
+3. Select **Refresh Permissions** from the dropdown.
+
+<Frame>
+  <img src="/images/linked_accounts_refresh_permissions.png" alt="Linked Accounts - Refresh Permissions" />
+</Frame>
+
+The button will show a spinner while the sync is in progress and display a confirmation once it completes.
+
+
+# Overriding enforcement per connection
+
+Each [connection](/docs/connections/overview) supports an `enforcePermissions` flag that controls whether permissions are enforced for repositories in that connection. This lets you mix code hosts in a single deployment - for example, enforcing access control on a private GitHub connection while keeping an internal Gerrit instance open to all users.
+
+By default, `enforcePermissions` inherits the value of `PERMISSION_SYNC_ENABLED`. You can override it per connection in the [config file](/docs/configuration/config-file):
+
+```json
+{
+  "connections": {
+    "my-github": {
+      "type": "github",
+      "enforcePermissions": true
+    },
+    "my-gerrit": {
+      "type": "gerrit",
+      "url": "https://gerrit.example.com",
+      "enforcePermissions": false
+    }
+  }
+}
+```
+
+Setting `enforcePermissions: false` on a connection makes all repositories from that connection accessible to any user, regardless of the global `PERMISSION_SYNC_ENABLED` setting.
+
+The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED` and `enforcePermissions`:
+
+| `PERMISSION_SYNC_ENABLED` | `enforcePermissions` | Permissions enforced? |
+|--------------------------|---------------------|-----------------------|
+| `true`                   | `true`              | Yes                   |
+| `true`                   | `false`             | No                    |
+| `false`                  | `true`              | No                    |
+| `false`                  | `false`             | No                    |
+
 # How it works
 
 Permission syncing works by periodically syncing ACLs from the code host(s) to Sourcebot to build an internal mapping between Users and Repositories. This mapping is hydrated in two directions:
@@ -147,18 +195,4 @@ The sync intervals can be configured using the following settings in the [config
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
 | `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-
-## Manually refreshing permissions
-
-If a user's permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the **Linked Accounts** page:
-
-1. Navigate to **Settings → Linked Accounts**.
-2. Click the **Connected** button next to the relevant code host account.
-3. Select **Refresh Permissions** from the dropdown.
-
-<Frame>
-  <img src="/images/linked_accounts_refresh_permissions.png" alt="Linked Accounts - Refresh Permissions" />
-</Frame>
-
-The button will show a spinner while the sync is in progress and display a confirmation once it completes.
+| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |

docs/snippets/schemas/v3/azuredevops.schema.mdx

@@ -189,6 +189,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/bitbucket.schema.mdx

@@ -162,6 +162,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/connection.schema.mdx

@@ -205,6 +205,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -407,6 +411,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -562,6 +570,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -669,6 +681,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -839,6 +855,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1047,6 +1067,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1116,6 +1140,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [

docs/snippets/schemas/v3/genericGitHost.schema.mdx

@@ -60,6 +60,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/gerrit.schema.mdx

@@ -100,6 +100,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/gitea.schema.mdx

@@ -148,6 +148,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/github.schema.mdx

@@ -201,6 +201,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/gitlab.schema.mdx

@@ -195,6 +195,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [