Merge branch 'main' into feature/add-ref-to-search-results

Author: Amresh-01

.github/workflows/vulnerability-triage.yml

@@ -7,6 +7,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353)
+
+## [5.0.4] - 2026-06-18
+
+### Changed
+- Decoupled offline-license anonymous access from the seat cap. [#1349](https://github.com/sourcebot-dev/sourcebot/pull/1349)
+
+### Added
+- Recorded service ping history locally and added a "Download usage report" button to the offline license settings page, so offline deployments can export their usage and send it to us. [#1348](https://github.com/sourcebot-dev/sourcebot/pull/1348)
+
+### Fixed
+- Upgraded `@grpc/grpc-js` to `^1.14.4`. [#1315](https://github.com/sourcebot-dev/sourcebot/pull/1315)
+- Upgraded `vite` to `^8.0.16`. [#1313](https://github.com/sourcebot-dev/sourcebot/pull/1313)
+- Upgraded `ws` to `^8.21.0`. [#1324](https://github.com/sourcebot-dev/sourcebot/pull/1324)
+- Upgraded `@babel/core` to `^7.29.6`. [#1333](https://github.com/sourcebot-dev/sourcebot/pull/1333)
+- Upgraded `markdown-it` to `^14.2.0`. [#1321](https://github.com/sourcebot-dev/sourcebot/pull/1321)
+- Upgraded `form-data` to `^4.0.6`. [#1316](https://github.com/sourcebot-dev/sourcebot/pull/1316)
+- Upgraded `hono` to `^4.12.25`. [#1322](https://github.com/sourcebot-dev/sourcebot/pull/1322)
+- Upgraded `dompurify` to `^3.4.11`. [#1332](https://github.com/sourcebot-dev/sourcebot/pull/1332)
+- Upgraded `nodemailer` to `^8.0.11`. [#1328](https://github.com/sourcebot-dev/sourcebot/pull/1328)
+- Upgraded `js-yaml` to `^4.2.0`. [#1335](https://github.com/sourcebot-dev/sourcebot/pull/1335)
+- Upgraded `protobufjs` to `^7.6.4`. [#1336](https://github.com/sourcebot-dev/sourcebot/pull/1336)
+- Upgraded `tar` to `^7.5.16`. [#1338](https://github.com/sourcebot-dev/sourcebot/pull/1338)
+- Upgraded `esbuild` to `^0.28.1`. [#1342](https://github.com/sourcebot-dev/sourcebot/pull/1342)
+- Enabled Next.js version skew protection to fix "Failed to load chunk" errors during rolling deploys. [#1346](https://github.com/sourcebot-dev/sourcebot/pull/1346)
+
 ## [5.0.3] - 2026-06-17
 
 ### Changed

CHANGELOG.md

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v5.0.3",
+    "version": "v5.0.4",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing. Authentication is instance-dependent: API keys are the standard integration mechanism, OAuth bearer tokens are EE-only, and some instances may allow anonymous access."
   },
   "tags": [

docs/api-reference/sourcebot-public.openapi.json

@@ -59,6 +59,7 @@
         "teeny-request@npm:^10.0.0": "^10.1.2",
         "uuid": "^14.0.0",
         "fast-uri@npm:^3.0.1": "^3.1.2",
-        "shell-quote@npm:1.8.3": "^1.8.4"
+        "shell-quote@npm:1.8.3": "^1.8.4",
+        "ws@npm:~8.20.1": "^8.21.0"
     }
 }

package.json

@@ -0,0 +1,12 @@
+-- CreateTable
+CREATE TABLE "ServicePingEvent" (
+    "id" TEXT NOT NULL,
+    "payload" JSONB NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "orgId" INTEGER NOT NULL,
+
+    CONSTRAINT "ServicePingEvent_pkey" PRIMARY KEY ("id")
+);
+
+-- AddForeignKey
+ALTER TABLE "ServicePingEvent" ADD CONSTRAINT "ServicePingEvent_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/migrations/20260618210032_add_service_ping_event_table/migration.sql

@@ -318,6 +318,7 @@ model Org {
   mcpServers McpServer[]
 
   license License?
+  servicePingEvents ServicePingEvent[]
 }
 
 model License {
@@ -358,6 +359,15 @@ model License {
   updatedAt         DateTime @updatedAt
 }
 
+model ServicePingEvent {
+  id String @id @default(cuid())
+  payload Json
+  createdAt DateTime @default(now())
+
+  org   Org @relation(fields: [orgId], references: [id], onDelete: Cascade)
+  orgId Int
+}
+
 enum OrgRole {
   OWNER
   MEMBER

packages/db/prisma/schema.prisma

@@ -40,11 +40,12 @@ const encodeOfflineKey = (payload: object): string => {
 const futureDate = new Date(Date.now() + 1000 * 60 * 60 * 24 * 365).toISOString();
 const pastDate = new Date(Date.now() - 1000 * 60 * 60 * 24).toISOString();
 
-const validOfflineKey = (overrides: { seats?: number; expiryDate?: string } = {}) =>
+const validOfflineKey = (overrides: { seats?: number; anonymousAccess?: boolean; expiryDate?: string } = {}) =>
     encodeOfflineKey({
         id: 'test-customer',
         expiryDate: overrides.expiryDate ?? futureDate,
         ...(overrides.seats !== undefined ? { seats: overrides.seats } : {}),
+        ...(overrides.anonymousAccess !== undefined ? { anonymousAccess: overrides.anonymousAccess } : {}),
         sig: 'fake-sig',
     });
 
@@ -112,23 +113,35 @@ describe('isAnonymousAccessAvailable', () => {
     });
 
     describe('with an offline license key', () => {
-        test('returns false when offline key has a seat count', () => {
+        test('returns false when offline key does not grant anonymous access', () => {
             mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100 });
             expect(isAnonymousAccessAvailable(null)).toBe(false);
         });
 
-        test('returns true when offline key has no seat count (unlimited)', () => {
+        test('returns false when offline key is uncapped but does not grant anonymous access', () => {
+            // Uncapped (no seats) no longer implies anonymous access — it must
+            // be granted explicitly via the `anonymousAccess` flag.
             mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey();
+            expect(isAnonymousAccessAvailable(null)).toBe(false);
+        });
+
+        test('returns true when offline key explicitly grants anonymous access', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ anonymousAccess: true });
             expect(isAnonymousAccessAvailable(null)).toBe(true);
         });
 
-        test('unlimited offline key beats an active online license', () => {
-            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey();
+        test('anonymous access is independent of the seat cap', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100, anonymousAccess: true });
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+
+        test('anonymous-access offline key beats an active online license', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ anonymousAccess: true });
             expect(isAnonymousAccessAvailable(makeLicense({ status: 'active' }))).toBe(true);
         });
 
         test('falls through to online license check when offline key is expired', () => {
-            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100, expiryDate: pastDate });
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ anonymousAccess: true, expiryDate: pastDate });
             expect(isAnonymousAccessAvailable(null)).toBe(true);
             expect(isAnonymousAccessAvailable(makeLicense({ status: 'active' }))).toBe(false);
         });
@@ -144,7 +157,7 @@ describe('isAnonymousAccessAvailable', () => {
         });
 
         test('falls through when offline key signature is invalid', () => {
-            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100 });
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ anonymousAccess: true });
             mocks.verifySignature.mockReturnValue(false);
             expect(isAnonymousAccessAvailable(null)).toBe(true);
         });

packages/shared/src/entitlements.test.ts

@@ -12,6 +12,8 @@ const offlineLicensePrefix = "sourcebot_ee_";
 const offlineLicensePayloadSchema = z.object({
     id: z.string(),
     seats: z.number().optional(),
+    // Whether anonymous (unauthenticated) access is permitted.
+    anonymousAccess: z.boolean().optional(),
     // ISO 8601 date string
     expiryDate: z.string().datetime(),
     sig: z.string(),
@@ -50,7 +52,13 @@ const decodeOfflineLicenseKeyPayload = (payload: string): getValidOfflineLicense
         const payloadJson = JSON.parse(decodedPayload);
         const licenseData = offlineLicensePayloadSchema.parse(payloadJson);
 
+        // Keys are listed alphabetically to match the canonical JSON the
+        // signer produces (Python `json.dumps(..., sort_keys=True)`).
+        // `JSON.stringify` drops `undefined` values, so omitted optional
+        // fields (e.g. a legacy key without `anonymousAccess`) verify exactly
+        // as they were originally signed.
         const dataToVerify = JSON.stringify({
+            anonymousAccess: licenseData.anonymousAccess,
             expiryDate: licenseData.expiryDate,
             id: licenseData.id,
             seats: licenseData.seats
@@ -120,17 +128,25 @@ const getValidOnlineLicense = (_license: License | null): License | null => {
     return null;
 }
 
+export const isValidOfflineLicenseActive = (): boolean => {
+    return getValidOfflineLicense() !== null;
+}
+
+export const isValidOnlineLicenseActive = (_license: License | null): boolean => {
+    return getValidOnlineLicense(_license) !== null;
+}
+
 export const isValidLicenseActive = (_license: License | null): boolean => {
     return (
-        getValidOfflineLicense() !== null ||
-        getValidOnlineLicense(_license) !== null
+        isValidOfflineLicenseActive() ||
+        isValidOnlineLicenseActive(_license)
     );
 }
 
 export const isAnonymousAccessAvailable = (_license: License | null): boolean => {
     const offlineKey = getValidOfflineLicense();
     if (offlineKey) {
-        return offlineKey.seats === undefined;
+        return offlineKey.anonymousAccess === true;
     }
 
     const onlineLicense = getValidOnlineLicense(_license);
@@ -163,6 +179,7 @@ export const hasEntitlement = (entitlement: Entitlement, _license: License | nul
 export type OfflineLicenseMetadata = {
     id: string;
     seats?: number;
+    anonymousAccess?: boolean;
     expiryDate: string;
 }
 
@@ -178,6 +195,7 @@ export const getOfflineLicenseMetadata = (): OfflineLicenseMetadata | null => {
     return {
         id: license.id,
         seats: license.seats,
+        anonymousAccess: license.anonymousAccess,
         expiryDate: license.expiryDate,
     };
 }

packages/shared/src/entitlements.ts

@@ -6,6 +6,8 @@ export {
     getEntitlements as _getEntitlements,
     isAnonymousAccessAvailable as _isAnonymousAccessAvailable,
     isValidLicenseActive as _isValidLicenseActive,
+    isValidOfflineLicenseActive,
+    isValidOnlineLicenseActive as _isValidOnlineLicenseActive,
     getSeatCap,
     getOfflineLicenseMetadata,
     STALE_ONLINE_LICENSE_THRESHOLD_MS,

packages/shared/src/index.server.ts

@@ -1,2 +1,2 @@
 // This file is auto-generated by .github/workflows/release-sourcebot.yml
-export const SOURCEBOT_VERSION = "v5.0.3";
+export const SOURCEBOT_VERSION = "v5.0.4";