Merge branch 'main' into v5

Author: brendan-kellam

.github/workflows/_build.yml

@@ -104,7 +104,7 @@ jobs:
 
       - name: Build Docker image
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           build-args: |

.github/workflows/pr-gate.yml

@@ -19,6 +19,6 @@ jobs:
 
       - name: Build Docker image
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .

CHANGELOG.md

@@ -11,6 +11,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
 - Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
 
+## [4.17.1] - 2026-05-04
+
+### Added
+- Added three new audit actions covering the full org membership lifecycle: `org.member_added`, `org.member_removed`, and `org.member_left`. [#1165](https://github.com/sourcebot-dev/sourcebot/pull/1165)
+- Added per-user JWT session versioning so admin-driven member removals (and voluntary leaves) invalidate the removed user's active JWT cookies, personal API keys, and OAuth tokens atomically on their next request. [#1168](https://github.com/sourcebot-dev/sourcebot/pull/1168)
+
+### Fixed
+- Fixed Azure DevOps connection schema to allow spaces in project and repository names. [#1170](https://github.com/sourcebot-dev/sourcebot/pull/1170)
+
 ## [4.17.0] - 2026-04-30
 
 ### Added

README.md

@@ -8,7 +8,7 @@
 <div align="center">
    <div>
       <h3>
-         <a href="https://docs.sourcebot.dev/self-hosting/overview">
+         <a href="https://docs.sourcebot.dev">
             <strong>Self Host</strong>
          </a> · 
          <a href="https://app.sourcebot.dev">

docs/api-reference/sourcebot-public.openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v4.17.0",
+    "version": "v4.17.1",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing. Authentication is instance-dependent: API keys are the standard integration mechanism, OAuth bearer tokens are EE-only, and some instances may allow anonymous access."
   },
   "tags": [

docs/docs/configuration/audit-logs.mdx

@@ -145,6 +145,9 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
 | `user.signed_out`                     | `user` | `user` |
 | `org.member_promoted_to_owner`        | `user` | `user` |
 | `org.owner_demoted_to_member`         | `user` | `user` |
+| `org.member_added`                    | `user` | `user` |
+| `org.member_removed`                  | `user` | `user` |
+| `org.member_left`                     | `user` | `user` |
 
 
 ## Response schema

docs/snippets/schemas/v3/azuredevops.schema.mdx

@@ -82,7 +82,7 @@
       "type": "array",
       "items": {
         "type": "string",
-        "pattern": "^[\\w.-]+\\/[\\w.-]+$"
+        "pattern": "^[\\w.-]+\\/[\\w. -]+$"
       },
       "default": [],
       "examples": [
@@ -97,7 +97,7 @@
       "type": "array",
       "items": {
         "type": "string",
-        "pattern": "^[\\w.-]+\\/[\\w.-]+\\/[\\w.-]+$"
+        "pattern": "^[\\w.-]+\\/[\\w. -]+\\/[\\w. -]+$"
       },
       "default": [],
       "examples": [

packages/db/prisma/migrations/20260501170139_add_user_session_version/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "sessionVersion" INTEGER NOT NULL DEFAULT 0;

packages/db/prisma/schema.prisma

@@ -403,6 +403,11 @@ model User {
   oauthAuthCodes     OAuthAuthorizationCode[]
   oauthRefreshTokens OAuthRefreshToken[]
 
+  /// Per-user JWT version. Incremented to invalidate every active session for
+  /// this user on their next request. Compared against the `sessionVersion`
+  /// claim baked into the JWT cookie at mint time.
+  sessionVersion Int @default(0)
+
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 

packages/schemas/src/v3/azuredevops.schema.ts

@@ -81,7 +81,7 @@ const schema = {
       "type": "array",
       "items": {
         "type": "string",
-        "pattern": "^[\\w.-]+\\/[\\w.-]+$"
+        "pattern": "^[\\w.-]+\\/[\\w. -]+$"
       },
       "default": [],
       "examples": [
@@ -96,7 +96,7 @@ const schema = {
       "type": "array",
       "items": {
         "type": "string",
-        "pattern": "^[\\w.-]+\\/[\\w.-]+\\/[\\w.-]+$"
+        "pattern": "^[\\w.-]+\\/[\\w. -]+\\/[\\w. -]+$"
       },
       "default": [],
       "examples": [