Merge branch 'main' into brendan-kellam/multi-owner-support

Author: brendan-kellam

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,7 +2,7 @@
 name: "💡 Feature Request"
 about: Suggest an idea for this project
 title: "[FR] "
-labels: enhancement
+labels: Feature
 assignees: ''
 
 ---

CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.15.3] - 2026-03-10
+
+### Fixed
+- [EE] Handle duplicate `resource` query parameters in the OAuth authorization endpoint. [#987](https://github.com/sourcebot-dev/sourcebot/pull/987)
+
+## [4.15.2] - 2026-03-06
+
+### Fixed
+- [EE] Avoid advertising OAuth support on MCP endpoints if that entitlement is not actually configured. [#985](https://github.com/sourcebot-dev/sourcebot/pull/985)
+
+## [4.15.1] - 2026-03-06
+
+### Fixed
+- Fixed issue where users would not be redirected to the homepage when clicking "continue with guest". [#984](https://github.com/sourcebot-dev/sourcebot/pull/984)
+
+### Changed
+- Increased pagination limit to 1000 for bitbucket data center requests. [#981](https://github.com/sourcebot-dev/sourcebot/pull/981)
+
+## [4.15.0] - 2026-03-05
+
+### Added
+- Added MCP and API key usage tracking to analytics dashboard and added audit retention system [#950](https://github.com/sourcebot-dev/sourcebot/pull/950)
+
+## [4.14.0] - 2026-03-05
+
+### Added
+- Added support a MCP streamable http transport hosted at `/api/mcp`. [#976](https://github.com/sourcebot-dev/sourcebot/pull/976)
+- [EE] Added support for Oauth 2.1 to the remote MCP server hosted at `/api/mcp`. [#977](https://github.com/sourcebot-dev/sourcebot/pull/977)
+
 ## [4.13.2] - 2026-03-02
 
 ### Changed

CLAUDE.md

@@ -184,7 +184,7 @@ export const GET = apiHandler(async (request: NextRequest) => {
 
 ## Next.js Router Navigation
 
-Do NOT call `router.refresh()` immediately after `router.push()`. In Next.js 16, the prefetch cache and navigation system was completely rewritten, and calling `router.refresh()` right after `router.push()` creates a race condition — the refresh invalidates the cache and can interrupt the in-flight navigation, leaving the page stuck or not loading.
+Do NOT call `router.refresh()` immediately after `router.push()`. In Next.js 16, the prefetch cache and navigation system was completely rewritten, and calling `router.refresh()` right after `router.push()` creates a race condition. The refresh invalidates the cache and can interrupt the in-flight navigation, leaving the page stuck or not loading.
 
 ```ts
 // Bad - router.refresh() races with router.push() in Next.js 16
@@ -197,6 +197,18 @@ router.push(url); // ✅
 
 If you need to refresh server component data after a mutation, use the server-side `refresh()` from `next/cache` in a Server Action instead of `router.refresh()` on the client.
 
+## Documentation Writing Style
+
+When writing or editing `.mdx` files in `docs/`:
+
+- Do NOT use em dashes (`—`). Use periods to break sentences, commas, or parentheses instead.
+- Write in second person ("you") and present tense.
+- Keep sentences short and direct. Lead with what the user needs to know.
+- Use bold for UI elements and key terms (e.g., **Settings → API Keys**).
+- Use inline code for technical values, flags, and identifiers (e.g., `REPO_READ`).
+- Prefer short paragraphs (1-3 sentences). Use bullet lists to break up dense information.
+- Use tables for parameter documentation.
+
 ## Docs Images
 
 Images added to `.mdx` files in `docs/` should be wrapped in a `<Frame>` component:
@@ -237,3 +249,4 @@ After the PR is created:
 - Update CHANGELOG.md with an entry under `[Unreleased]` linking to the new PR. New entries should be placed at the bottom of their section.
 - If the change touches `packages/mcp`, update `packages/mcp/CHANGELOG.md` instead
 - Do NOT add a CHANGELOG entry for documentation-only changes (e.g., changes only in `docs/`)
+- Enterprise-only features (gated by an entitlement) should be prefixed with `[EE]` in the CHANGELOG entry (e.g., `- [EE] Added support for ...`)

README.md

@@ -11,7 +11,7 @@
          <a href="https://docs.sourcebot.dev/self-hosting/overview">
             <strong>Self Host</strong>
          </a> · 
-         <a href="https://demo.sourcebot.dev">
+         <a href="https://app.sourcebot.dev">
             <strong>Public Demo</strong>
          </a>
       </h3>
@@ -41,7 +41,7 @@ Sourcebot is a self-hosted tool that helps you understand your codebase.
 - **Ask Sourcebot:** Ask questions about your codebase and have Sourcebot provide detailed answers grounded with inline citations.
 - **Code search:** Search and navigate across all your repos and branches, no matter where they’re hosted.
 
-Try it out in our [public demo](https://demo.sourcebot.dev)!
+Try it out in our [public demo](https://app.sourcebot.dev)!
 
 https://github.com/user-attachments/assets/ed66a622-e38f-4947-a531-86df1e1e0218
 
@@ -108,7 +108,7 @@ docker compose up
 To configure Sourcebot (index your own repos, connect your LLMs, etc), check out our [docs](https://docs.sourcebot.dev/docs/configuration/config-file).
 
 > [!NOTE]
-> Sourcebot collects <a href="https://demo.sourcebot.dev/~/search?query=captureEvent%5C(%20repo%3Asourcebot">anonymous usage data</a> by default to help us improve the product. No sensitive data is collected, but if you'd like to disable this you can do so by setting the `SOURCEBOT_TELEMETRY_DISABLED` environment
+> Sourcebot collects <a href="https://app.sourcebot.dev/~/search?query=captureEvent%5C(%20repo%3Asourcebot">anonymous usage data</a> by default to help us improve the product. No sensitive data is collected, but if you'd like to disable this you can do so by setting the `SOURCEBOT_TELEMETRY_DISABLED` environment
 > variable to `true`. Please refer to our [telemetry docs](https://docs.sourcebot.dev/docs/overview#telemetry) for more information.
 
 # Build from source

docs/docs.json

@@ -52,9 +52,9 @@
                                     "docs/features/ask/add-model-providers"
                                 ]
                             },
+                            "docs/features/mcp-server",
                             "docs/features/code-navigation",
                             "docs/features/analytics",
-                            "docs/features/mcp-server",
                             "docs/features/permission-syncing",
                             {
                                 "group": "Agents",

docs/docs/configuration/audit-logs.mdx

@@ -5,7 +5,7 @@ sidebarTitle: Audit logs
 
 import LicenseKeyRequired from '/snippets/license-key-required.mdx'
 
-<LicenseKeyRequired />
+<LicenseKeyRequired feature="Audit Logs" />
 
 Audit logs are a collection of notable events performed by users within a Sourcebot deployment. Each audit log records information on the action taken, the user who performed the 
 action, and when the action took place. 
@@ -15,6 +15,9 @@ This feature gives security and compliance teams the necessary information to en
 ## Enabling/Disabling Audit Logs
 Audit logs are enabled by default and can be controlled with the `SOURCEBOT_EE_AUDIT_LOGGING_ENABLED` [environment variable](/docs/configuration/environment-variables).
 
+## Retention Policy
+By default, audit logs older than 180 days are automatically pruned daily. You can configure the retention period using the `SOURCEBOT_EE_AUDIT_RETENTION_DAYS` [environment variable](/docs/configuration/environment-variables). Set it to `0` to disable automatic pruning and retain logs indefinitely.
+
 ## Fetching Audit Logs
 Audit logs are stored in the [postgres database](/docs/overview#architecture) connected to Sourcebot. To fetch all of the audit logs, you can use the following API:
 
@@ -110,26 +113,35 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
 
 | Action  | Actor Type | Target Type |
 | :------- | :------ | :------|
-| `api_key.creation_failed`             | `user` | `org` |
 | `api_key.created`                     | `user` | `api_key` |
-| `api_key.deletion_failed`             | `user` | `org` |
+| `api_key.creation_failed`             | `user` | `org` |
 | `api_key.deleted`                     | `user` | `api_key` |
+| `api_key.deletion_failed`             | `user` | `org` |
+| `audit.fetch`                         | `user` | `org` |
+| `chat.deleted`                        | `user` | `chat` |
+| `chat.shared_with_users`              | `user` | `chat` |
+| `chat.unshared_with_user`             | `user` | `chat` |
+| `chat.visibility_updated`             | `user` | `chat` |
+| `org.ownership_transfer_failed`       | `user` | `org` |
+| `org.ownership_transferred`           | `user` | `org` |
+| `user.created_ask_chat`               | `user` | `org` |
 | `user.creation_failed`                | `user` | `user` |
-| `user.owner_created`                  | `user` | `org` |
-| `user.performed_code_search`              | `user` | `org` |
-| `user.performed_find_references` | `user` | `org` |
-| `user.performed_goto_definition` | `user` | `org` |
-| `user.created_ask_chat`          | `user` | `org` |
-| `user.jit_provisioning_failed`        | `user` | `org` |
-| `user.jit_provisioned`                | `user` | `org` |
-| `user.join_request_creation_failed`   | `user` | `org` |
-| `user.join_requested`                 | `user` | `org` |
-| `user.join_request_approve_failed`    | `user` | `account_join_request` |
-| `user.join_request_approved`          | `user` | `account_join_request` |
-| `user.invite_failed`                  | `user` | `org` |
-| `user.invites_created`                | `user` | `org` |
+| `user.delete`                         | `user` | `user` |
+| `user.fetched_file_source`            | `user` | `org` |
+| `user.fetched_file_tree`              | `user` | `org` |
 | `user.invite_accept_failed`           | `user` | `invite` |
 | `user.invite_accepted`                | `user` | `invite` |
+| `user.invite_failed`                  | `user` | `org` |
+| `user.invites_created`                | `user` | `org` |
+| `user.join_request_approve_failed`    | `user` | `account_join_request` |
+| `user.join_request_approved`          | `user` | `account_join_request` |
+| `user.list`                           | `user` | `org` |
+| `user.listed_repos`                   | `user` | `org` |
+| `user.owner_created`                  | `user` | `org` |
+| `user.performed_code_search`          | `user` | `org` |
+| `user.performed_find_references`      | `user` | `org` |
+| `user.performed_goto_definition`      | `user` | `org` |
+| `user.read`                           | `user` | `user` |
 | `user.signed_in`                      | `user` | `user` |
 | `user.signed_out`                     | `user` | `user` |
 | `org.ownership_transfer_failed`       | `user` | `org` |
@@ -182,7 +194,7 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
       },
       "targetType": {
         "type": "string",
-        "enum": ["user", "org", "file", "api_key", "account_join_request", "invite"]
+        "enum": ["user", "org", "file", "api_key", "account_join_request", "invite", "chat"]
       },
       "sourcebotVersion": {
         "type": "string"
@@ -194,7 +206,8 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
             "properties": {
               "message": { "type": "string" },
               "api_key": { "type": "string" },
-              "emails": { "type": "string" }
+              "emails": { "type": "string" },
+              "source": { "type": "string" }
             },
             "additionalProperties": false
           },

docs/docs/configuration/environment-variables.mdx

@@ -42,6 +42,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `HTTPS_PROXY` | - | <p>HTTPS proxy URL for routing SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
 | `NO_PROXY` | - | <p>Comma-separated list of hostnames or domains that should bypass the proxy (e.g., `localhost,127.0.0.1,.internal.domain`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
 | `SOURCEBOT_EE_AUDIT_LOGGING_ENABLED` | `true` | <p>Enables/disables audit logging</p> |
+| `SOURCEBOT_EE_AUDIT_RETENTION_DAYS` | `180` | <p>The number of days to retain audit logs. Audit log records older than this will be automatically pruned daily. Set to `0` to disable pruning and retain logs indefinitely.</p> |
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |

docs/docs/configuration/idp.mdx

@@ -5,7 +5,7 @@ sidebarTitle: External identity providers
 
 import LicenseKeyRequired from '/snippets/license-key-required.mdx'
 
-<LicenseKeyRequired />
+<LicenseKeyRequired feature="External Identity Providers" />
 
 You can connect Sourcebot to various **external identity providers** to associate a Sourcebot user with one or more external service accounts (ex. Google, GitHub, etc).
 

docs/docs/connections/ado-cloud.mdx

@@ -100,8 +100,11 @@ Next, provide the access [token](/docs/configuration/config-file#tokens) via an
                 // note: this env var can be named anything. It
                 // doesn't need to be `ADO_TOKEN`.
                 "env": "ADO_TOKEN"
-            }
-            // .. rest of config ..
+            },
+            // At least one of the following is required to specify which repos to sync:
+            "repos": ["organizationName/projectName/repoName"],
+            // "orgs": ["organizationName"],
+            // "projects": ["organizationName/projectName"]
         }
         ```
 

docs/docs/connections/ado-server.mdx

@@ -114,8 +114,11 @@ Next, provide the access [token](/docs/configuration/config-file#tokens) via an
                 // note: this env var can be named anything. It
                 // doesn't need to be `ADO_TOKEN`.
                 "env": "ADO_TOKEN"
-            }
-            // .. rest of config ..
+            },
+            // At least one of the following is required to specify which repos to sync:
+            "repos": ["collectionName/projectName/repoName"],
+            // "orgs": ["collectionName"],
+            // "projects": ["collectionName/projectName"]
         }
         ```