docs/docs/features/permission-syncing.mdx
12 additions & 5 deletions
@@ -18,6 +18,8 @@ that they have access to on the code host. Practically, this means:
18
18
- Ask Sourcebot (and the underlying LLM) will only have access to repositories that the user has access to.
19
19
- File browsing is scoped to the repositories that the user has access to.
20
20
21
+
<Note>A repository's public-vs-private state is refreshed by [connection sync](/docs/connections/overview#connection-syncing), not by permission sync. After a visibility change at the code host, Sourcebot continues to apply its previous classification until the next connection sync runs (configurable via `resyncConnectionIntervalMs`, default 24 hours). Lower this value if your deployment expects faster propagation of visibility changes.</Note>
22
+
21
23
Permission syncing can be enabled by setting the `PERMISSION_SYNC_ENABLED` environment variable to `true`.
22
24
23
25
```bash
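Review bot: the relocated `<Note>` at new line 21 never states which direction of visibility change has access-control consequences. As worded ("continues to apply its previous classification"), a repository switched from public to private at the code host keeps being treated as public until the next connection sync, which is up to 24 hours at the default `resyncConnectionIntervalMs`. Suggest stating that case explicitly so operators can judge whether the default is acceptable. The note also now sits far above the `enforcePermissionsForPublicRepos` material (around line 180), so a short pointer to that setting would explain why the classification matters at this point in the page.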
@@ -178,10 +180,6 @@ These flags are useful when you want different enforcement behavior across conne
178
180
}
179
181
```
180
182
181
-
<Note>When `enforcePermissionsForPublicRepos` is `true`, public repositories are visible to any user who has linked an account on the same code host. The check is at the host level rather than per-repo, so users do not need explicit upstream read access to each public repository individually.</Note>
182
-
183
-
<Note>A repository's public-vs-private state is refreshed by [connection sync](/docs/connections/overview#connection-syncing), not by permission sync. After a visibility change at the code host, Sourcebot continues to apply its previous classification until the next connection sync runs (configurable via `resyncConnectionIntervalMs`, default 24 hours). Lower this value if your deployment expects faster propagation of visibility changes.</Note>
184
-
185
183
The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED`, `enforcePermissions`, and `enforcePermissionsForPublicRepos`:
186
184
187
185
|`PERMISSION_SYNC_ENABLED`|`enforcePermissions`|`enforcePermissionsForPublicRepos`| Private repos enforced? | Public repos enforced? |
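Review bot: the first removed `<Note>` (old line 181, on `enforcePermissionsForPublicRepos`) has no replacement in the lines shown in this diff; only the second note reappears, at new line 21. That note documented that the check is "at the host level rather than per-repo", so any user with a linked account on the same code host sees public repositories without explicit upstream read access. This is behaviour an operator needs in order to read the table that follows. Suggest keeping it directly above the table, or folding the host-level wording into the "Public repos enforced?" column description.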
@@ -210,4 +208,13 @@ The sync intervals can be configured using the following settings in the [config
210
208
|`repoDrivenPermissionSyncIntervalMs`| number | 24 hours | 1 |
211
209
|`userDrivenPermissionSyncIntervalMs`| number | 24 hours | 1 |
212
210
213
-
<Note>Permission syncing fails closed only on authentication-related errors (`401`, `403`, `410`, or OAuth token refresh failures), in which case Sourcebot clears the affected account's permission rows immediately. Transient errors such as rate limits or `5xx` responses leave the previous permission state in effect until the next successful sync, so that brief upstream incidents do not strand users without access.</Note>
211
+
<Note>How Sourcebot handles errors during a permission sync depends on the type of error. Authentication errors (such as `401`, `403`, `410`, or a token refresh failure) cause Sourcebot to immediately revoke the affected user's access to repositories on that code host. Other errors (such as rate limits or `5xx` responses) are treated as transient: Sourcebot keeps the user's existing access until the next successful sync, so that a brief code host outage does not lock users out.</Note>
212
+
213
+
# FAQ
214
+
215
+
### What happens if there are transient errors with the code host?
216
+
217
+
It depends on the type of error.
218
+
219
+
-**Authentication errors** (such as `401`, `403`, `410`, or a token refresh failure): Sourcebot immediately revokes the affected user's access to repositories on that code host.
220
+
-**Rate limits or `5xx` responses**: Sourcebot keeps the user's existing access until the next successful sync runs.
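Review bot: the rewritten `<Note>` at new line 211 changes "fails closed only on authentication-related errors (`401`, `403`, `410`, or OAuth token refresh failures)" into "Authentication errors (such as `401`, `403`, `410`, or a token refresh failure)", which makes the list read as examples and leaves it unclear which responses revoke access and which retain it. If the set is exhaustive, drop "such as" in both the note and the FAQ bullet; if it is not, list the remaining conditions. Two smaller points in the added FAQ: the question "What happens if there are transient errors with the code host?" is answered with a bullet about authentication errors, which the text itself treats as non-transient, so a heading like "What happens if a permission sync fails?" would fit the answer; and `# FAQ` followed directly by a `###` question skips a heading level. The FAQ also repeats the note immediately above it almost word for word, so consider keeping one copy and linking to it.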