Merge branch 'main' into msukkari/oss_licenses

Author: msukkari

CHANGELOG.md

@@ -7,9 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Increased `SOURCEBOT_CHAT_MAX_STEP_COUNT` default from 20 to 100 to allow agents to perform more autonomous steps. [#1017](https://github.com/sourcebot-dev/sourcebot/pull/1017)
+
+## [4.15.9] - 2026-03-17
+
+### Added
+- Added read-only annotations to MCP tools for compatibility with Cursor Ask mode and other MCP clients that restrict tool usage based on behavior hints. [#1013](https://github.com/sourcebot-dev/sourcebot/pull/1013)
+
+## [4.15.8] - 2026-03-17
+
+### Added
+- Added support for connecting to Redis over TLS via `REDIS_TLS_ENABLED` and related environment variables. [#1011](https://github.com/sourcebot-dev/sourcebot/pull/1011)
+
+### Changed
+- `filterByFilepaths` in the MCP `search_code` tool now accepts regular expressions matched against the full file path, instead of treating values as escaped literals. [#1008](https://github.com/sourcebot-dev/sourcebot/pull/1008)
+
+### Fixed
+- Connection sync job failures now log the actual error reason instead of a generic message. [#1012](https://github.com/sourcebot-dev/sourcebot/pull/1012)
+
+## [4.15.7] - 2026-03-16
+
 ### Added
 - Added AGENTS.md with Cursor Cloud development environment instructions. [#1001](https://github.com/sourcebot-dev/sourcebot/pull/1001)
 - Added support for configuring SMTP via individual environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD) as an alternative to SMTP_CONNECTION_URL. [#1002](https://github.com/sourcebot-dev/sourcebot/pull/1002)
+- Added `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` and `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` environment variables to restrict API key creation and usage to organization owners. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
+
+### Changed
+- Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
 
 ## [4.15.6] - 2026-03-13
 

CLAUDE.md

@@ -247,6 +247,5 @@ PR description:
 
 After the PR is created:
 - Update CHANGELOG.md with an entry under `[Unreleased]` linking to the new PR. New entries should be placed at the bottom of their section.
-- If the change touches `packages/mcp`, update `packages/mcp/CHANGELOG.md` instead
 - Do NOT add a CHANGELOG entry for documentation-only changes (e.g., changes only in `docs/`)
 - Enterprise-only features (gated by an entitlement) should be prefixed with `[EE]` in the CHANGELOG entry (e.g., `- [EE] Added support for ...`)

docs/api-reference/sourcebot-public.openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v4.15.6",
+    "version": "v4.15.9",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing."
   },
   "tags": [

docs/docs.json

@@ -26,7 +26,14 @@
                                 "pages": [
                                     "docs/deployment/docker-compose",
                                     "docs/deployment/k8s",
-                                    "docs/deployment/sizing-guide"
+                                    "docs/deployment/sizing-guide",
+                                    {
+                                        "group": "Infrastructure",
+                                        "pages": [
+                                            "docs/deployment/infrastructure/architecture",
+                                            "docs/deployment/infrastructure/redis"
+                                        ]
+                                    }
                                 ]
                             }
                         ]
@@ -81,6 +88,7 @@
                         "group": "Configuration",
                         "pages": [
                             "docs/configuration/config-file",
+                            "docs/configuration/environment-variables",
                             {
                                 "group": "Indexing your code",
                                 "pages": [
@@ -110,7 +118,6 @@
                                     "docs/configuration/auth/faq"
                                 ]
                             },
-                            "docs/configuration/environment-variables",
                             "docs/license-key",
                             "docs/configuration/transactional-emails",
                             "docs/configuration/structured-logging",

docs/docs/configuration/environment-variables.mdx

@@ -23,7 +23,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
 | `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
 | `REDIS_DATA_DIR` | `$DATA_CACHE_DIR/redis` | <p>The data directory for the default Redis instance.</p> |
-| `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p> |
+| `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
 | `REDIS_REMOVE_ON_FAIL` | `100` | <p>Controls how many failed jobs are allowed to remain in Redis queues</p> |
 | `REPO_SYNC_RETRY_BASE_SLEEP_SECONDS` | `60` | <p>The base sleep duration (in seconds) for exponential backoff when retrying repository sync operations that fail</p> |
@@ -53,6 +53,9 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
+| `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
+| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
+| `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 
 
 ### Review Agent Environment Variables

docs/docs/deployment/infrastructure/architecture.mdx

@@ -0,0 +1,5 @@
+---
+title: Architecture Overview
+url: /docs/overview#architecture
+sidebarTitle: Architecture Overview
+---

docs/docs/deployment/infrastructure/redis.mdx

@@ -0,0 +1,24 @@
+---
+title: Redis
+sidebarTitle: Redis
+---
+
+Sourcebot uses Redis as a job queue for background indexing work.
+
+## TLS
+
+To enable TLS for your Redis connection, set `REDIS_TLS_ENABLED=true`. You can also enable TLS implicitly by using a `rediss://` connection string in `REDIS_URL`.
+
+| Variable | Default | Description |
+| :------- | :------ | :---------- |
+| `REDIS_TLS_ENABLED` | `false` | Enable TLS for the Redis connection. Alternatively, enable tls via `rediss://` connection string. |
+| `REDIS_TLS_CA_PATH` | - | Path to the CA certificate for the Redis connection. |
+| `REDIS_TLS_CERT_PATH` | - | Path to the certificate for the Redis connection. |
+| `REDIS_TLS_KEY_PATH` | - | Path to the private key for the Redis connection. |
+| `REDIS_TLS_KEY_PASSPHRASE` | - | Passphrase for encrypted private keys. Required if your TLS private key is password-protected. |
+| `REDIS_TLS_SERVERNAME` | - | Server name for SNI (Server Name Indication). Useful when connecting to Redis through a proxy or with custom certificates. |
+| `REDIS_TLS_REJECT_UNAUTHORIZED` | `true` | Set to `false` to disable certificate validation. Not recommended for production. When not set, defaults to Node.js secure behavior. |
+| `REDIS_TLS_CHECK_SERVER_IDENTITY` | - | Set to `false` to bypass server identity checking. Use with caution in enterprise environments with custom certificate setups. |
+| `REDIS_TLS_SECURE_PROTOCOL` | - | TLS protocol version (e.g., `TLSv1_2_method`, `TLSv1_3_method`). Uses Node.js defaults when not set. |
+| `REDIS_TLS_CIPHERS` | - | Custom cipher suite configuration. Allows specification of allowed TLS ciphers for enhanced security requirements. |
+| `REDIS_TLS_HONOR_CIPHER_ORDER` | - | Set to `true` to use server’s cipher order preference instead of client’s. Useful for enforcing security policies. |

packages/backend/src/connectionManager.ts

@@ -378,7 +378,7 @@ export class ConnectionManager {
             this.promClient.activeConnectionSyncJobs.dec({ connection: connection.name });
             this.promClient.connectionSyncJobFailTotal.inc({ connection: connection.name });
 
-            jobLogger.error(`Failed job ${job.id} for connection ${connection.name} (id: ${connection.id}). Failing job.`);
+            jobLogger.error(`Failed job ${job.id} for connection ${connection.name} (id: ${connection.id}). Reason: ${job.failedReason}`);
 
             const config = connection.config as unknown as ConnectionConfig;
             captureEvent('backend_connection_sync_job_failed', {

packages/backend/src/index.ts

@@ -6,7 +6,6 @@ import { createLogger, env, getConfigSettings, getDBConnectionString, hasEntitle
 import 'express-async-errors';
 import { existsSync } from 'fs';
 import { mkdir } from 'fs/promises';
-import { Redis } from 'ioredis';
 import { Api } from "./api.js";
 import { ConfigManager } from "./configManager.js";
 import { ConnectionManager } from './connectionManager.js';
@@ -18,6 +17,7 @@ import { RepoPermissionSyncer } from './ee/repoPermissionSyncer.js';
 import { shutdownPosthog } from "./posthog.js";
 import { PromClient } from './promClient.js';
 import { RepoIndexManager } from "./repoIndexManager.js";
+import { redis } from "./redis.js";
 
 const logger = createLogger('backend-entrypoint');
 
@@ -39,10 +39,6 @@ const prisma = new PrismaClient({
     },
 });
 
-const redis = new Redis(env.REDIS_URL, {
-    maxRetriesPerRequest: null
-});
-
 try {
     await redis.ping();
     logger.info('Connected to redis');
@@ -116,7 +112,7 @@ const listenToShutdownSignals = () => {
             await redis.quit();
             await api.dispose();
             await shutdownPosthog();
-            
+
             logger.info('All workers shut down gracefully');
             signals.forEach(sig => process.removeListener(sig, cleanup));
             return 0;

packages/backend/src/redis.ts

@@ -0,0 +1,50 @@
+import { env } from "@sourcebot/shared";
+import { Redis } from 'ioredis';
+import fs from "fs";
+
+const buildTlsOptions = (): Record<string, unknown> => {
+    if (env.REDIS_TLS_ENABLED !== "true" && !env.REDIS_URL.startsWith("rediss://")) {
+        return {};
+    }
+
+    return {
+        tls: {
+            ca: env.REDIS_TLS_CA_PATH
+                ? fs.readFileSync(env.REDIS_TLS_CA_PATH)
+                : undefined,
+            cert: env.REDIS_TLS_CERT_PATH
+                ? fs.readFileSync(env.REDIS_TLS_CERT_PATH)
+                : undefined,
+            key: env.REDIS_TLS_KEY_PATH
+                ? fs.readFileSync(env.REDIS_TLS_KEY_PATH)
+                : undefined,
+            ...(env.REDIS_TLS_REJECT_UNAUTHORIZED
+                ? { rejectUnauthorized: env.REDIS_TLS_REJECT_UNAUTHORIZED === 'true' }
+                : {}),
+            ...(env.REDIS_TLS_SERVERNAME
+                ? { servername: env.REDIS_TLS_SERVERNAME }
+                : {}),
+            ...(env.REDIS_TLS_CHECK_SERVER_IDENTITY === "false"
+                ? { checkServerIdentity: () => undefined }
+                : {}),
+            ...(env.REDIS_TLS_SECURE_PROTOCOL
+                ? { secureProtocol: env.REDIS_TLS_SECURE_PROTOCOL }
+                : {}),
+            ...(env.REDIS_TLS_CIPHERS ? { ciphers: env.REDIS_TLS_CIPHERS } : {}),
+            ...(env.REDIS_TLS_HONOR_CIPHER_ORDER
+                ? {
+                    honorCipherOrder: env.REDIS_TLS_HONOR_CIPHER_ORDER === "true",
+                }
+                : {}),
+            ...(env.REDIS_TLS_KEY_PASSPHRASE
+                ? { passphrase: env.REDIS_TLS_KEY_PASSPHRASE }
+                : {}),
+        },
+    };
+};
+
+
+export const redis = new Redis(env.REDIS_URL, {
+    maxRetriesPerRequest: null,
+    ...buildTlsOptions(),
+});