feat: add repoDrivenPermissionSyncIntervalMs and userDrivenPermissionSyncIntervalMs config settings

- Add `repoDrivenPermissionSyncIntervalMs` and `userDrivenPermissionSyncIntervalMs` to the config schema, deprecating the `experiment_` prefixed variants (still respected as fallbacks in getConfigSettings).
- Update repoPermissionSyncer and accountPermissionSyncer to use the new setting names.
- Add tests for getConfigSettings fallback behaviour.
- Update docs and CHANGELOG.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988)
 - [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
 - [EE] Added `enforcePermissions` per-connection flag to control whether repository permissions are enforced for a given connection. Defaults to the value of `PERMISSION_SYNC_ENABLED`. [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
+- [EE] Added `repoDrivenPermissionSyncIntervalMs` and `userDrivenPermissionSyncIntervalMs` config settings, deprecating the `experiment_` prefixed variants (still respected as fallbacks). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
 
 ### Changed
 - [EE] Promoted `PERMISSION_SYNC_ENABLED` as the canonical env var for enabling permission syncing, deprecating `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` (still respected as a fallback). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)

docs/docs/configuration/config-file.mdx

@@ -50,8 +50,10 @@ The following are settings that can be provided in your config file to modify So
 | `repoGarbageCollectionGracePeriodMs`            | number  | 10 seconds | 1       | Grace period to avoid deleting shards while loading.                                   |
 | `repoIndexTimeoutMs`                            | number  | 2 hours    | 1       | Timeout for a single repo‑indexing run.                                                |
 | `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
-| `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
+| `repoDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
+| `userDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
+| `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `repoDrivenPermissionSyncIntervalMs` instead.             |
+| `experiment_userDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `userDrivenPermissionSyncIntervalMs` instead.             |
 | `maxAccountPermissionSyncJobConcurrency`        | number  | 8          | 1       | Concurrent account permission sync jobs.                                               |
 | `maxRepoPermissionSyncJobConcurrency`           | number  | 8          | 1       | Concurrent repo permission sync jobs.                                                  |
 

docs/docs/configuration/environment-variables.mdx

@@ -47,6 +47,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
+| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 

docs/docs/features/permission-syncing.mdx

@@ -97,9 +97,9 @@ Permission syncing works with **Bitbucket Cloud**. OAuth tokens must assume the
 - Membership in the [project that contains the repository](https://support.atlassian.com/bitbucket-cloud/docs/configure-project-permissions-for-users-and-groups/)
 - Membership in a group that is part of a project containing the repository
 
-These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all private repositories accessible to each authenticated user. However, there may be a delay between when a repository is added and when affected users gain access in Sourcebot (up to the `experiment_userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
+These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all private repositories accessible to each authenticated user. However, there may be a delay between when a repository is added and when affected users gain access in Sourcebot (up to the `userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
 
-If your workspace relies heavily on group or project-level permissions rather than direct user grants, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
+If your workspace relies heavily on group or project-level permissions rather than direct user grants, we recommend reducing the `userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
 </Warning>
 
 **Notes:**
@@ -120,9 +120,9 @@ Permission syncing works with **Bitbucket Data Center**. OAuth tokens must assum
 - Project-level permissions (inherited by all repos in the project)
 - Group membership
 
-These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all repositories accessible to each authenticated user using the `REPO_READ` scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the `experiment_userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
+These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all repositories accessible to each authenticated user using the `REPO_READ` scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the `userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
 
-If your instance relies heavily on project or group-level permissions, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
+If your instance relies heavily on project or group-level permissions, we recommend reducing the `userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
 </Warning>
 
 **Notes:**
@@ -194,5 +194,5 @@ The sync intervals can be configured using the following settings in the [config
 
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
-| `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
+| `repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
+| `userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |

docs/snippets/schemas/v3/index.schema.mdx

@@ -70,16 +70,28 @@
           "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         },
-        "experiment_repoDrivenPermissionSyncIntervalMs": {
+        "repoDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the repo permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
-        "experiment_userDrivenPermissionSyncIntervalMs": {
+        "userDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
+        "experiment_repoDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `repoDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
+        "experiment_userDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `userDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
         "maxAccountPermissionSyncJobConcurrency": {
           "type": "number",
           "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
@@ -216,16 +228,28 @@
           "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         },
-        "experiment_repoDrivenPermissionSyncIntervalMs": {
+        "repoDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the repo permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
-        "experiment_userDrivenPermissionSyncIntervalMs": {
+        "userDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
+        "experiment_repoDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `repoDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
+        "experiment_userDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `userDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
         "maxAccountPermissionSyncJobConcurrency": {
           "type": "number",
           "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -57,7 +57,7 @@ export class AccountPermissionSyncer {
         logger.debug('Starting scheduler');
 
         this.interval = setIntervalAsync(async () => {
-            const thresholdDate = new Date(Date.now() - this.settings.experiment_userDrivenPermissionSyncIntervalMs);
+            const thresholdDate = new Date(Date.now() - this.settings.userDrivenPermissionSyncIntervalMs);
 
             const accounts = await this.db.account.findMany({
                 where: {

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -53,7 +53,7 @@ export class RepoPermissionSyncer {
 
         this.interval = setIntervalAsync(async () => {
             // @todo: make this configurable
-            const thresholdDate = new Date(Date.now() - this.settings.experiment_repoDrivenPermissionSyncIntervalMs);
+            const thresholdDate = new Date(Date.now() - this.settings.repoDrivenPermissionSyncIntervalMs);
 
             const repos = await this.db.repo.findMany({
                 // Repos need their permissions to be synced against the code host when...
@@ -280,7 +280,7 @@ export class RepoPermissionSyncer {
                 // granted access to this repository. Users who have access via a group added to the repo,
                 // via project-level membership, or via a group in a project are NOT captured here.
                 // These users will still gain access through user-driven syncing (accountPermissionSyncer),
-                // but there may be a delay of up to `experiment_userDrivenPermissionSyncIntervalMs` before
+                // but there may be a delay of up to `userDrivenPermissionSyncIntervalMs` before
                 // they see the repository in Sourcebot.
                 // @see: https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-repositories-workspace-repo-slug-permissions-config-users-get
                 const users = await getExplicitUserPermissionsForCloudRepo(client, workspace, repoSlug);

packages/schemas/src/v3/index.schema.ts

@@ -69,16 +69,28 @@ const schema = {
           "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         },
-        "experiment_repoDrivenPermissionSyncIntervalMs": {
+        "repoDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the repo permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
-        "experiment_userDrivenPermissionSyncIntervalMs": {
+        "userDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
+        "experiment_repoDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `repoDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
+        "experiment_userDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `userDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
         "maxAccountPermissionSyncJobConcurrency": {
           "type": "number",
           "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
@@ -215,16 +227,28 @@ const schema = {
           "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         },
-        "experiment_repoDrivenPermissionSyncIntervalMs": {
+        "repoDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the repo permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
-        "experiment_userDrivenPermissionSyncIntervalMs": {
+        "userDrivenPermissionSyncIntervalMs": {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
         },
+        "experiment_repoDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `repoDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
+        "experiment_userDrivenPermissionSyncIntervalMs": {
+          "type": "number",
+          "deprecated": true,
+          "description": "Deprecated. Use `userDrivenPermissionSyncIntervalMs` instead.",
+          "minimum": 1
+        },
         "maxAccountPermissionSyncJobConcurrency": {
           "type": "number",
           "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",

packages/schemas/src/v3/index.type.ts

@@ -126,10 +126,20 @@ export interface Settings {
   /**
    * The interval (in milliseconds) at which the repo permission syncer should run. Defaults to 24 hours.
    */
-  experiment_repoDrivenPermissionSyncIntervalMs?: number;
+  repoDrivenPermissionSyncIntervalMs?: number;
   /**
    * The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.
    */
+  userDrivenPermissionSyncIntervalMs?: number;
+  /**
+   * @deprecated
+   * Deprecated. Use `repoDrivenPermissionSyncIntervalMs` instead.
+   */
+  experiment_repoDrivenPermissionSyncIntervalMs?: number;
+  /**
+   * @deprecated
+   * Deprecated. Use `userDrivenPermissionSyncIntervalMs` instead.
+   */
   experiment_userDrivenPermissionSyncIntervalMs?: number;
   /**
    * The number of account permission sync jobs to run concurrently. Defaults to 8.

packages/shared/src/constants.ts

@@ -30,8 +30,10 @@ export const DEFAULT_CONFIG_SETTINGS: ConfigSettings = {
     repoGarbageCollectionGracePeriodMs: 10 * 1000, // 10 seconds
     repoIndexTimeoutMs: 1000 * 60 * 60 * 2, // 2 hours
     enablePublicAccess: false, // deprected, use FORCE_ENABLE_ANONYMOUS_ACCESS instead
-    experiment_repoDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours
-    experiment_userDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours
+    repoDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours
+    userDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours
+    experiment_repoDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours (deprecated)
+    experiment_userDrivenPermissionSyncIntervalMs: 1000 * 60 * 60 * 24, // 24 hours (deprecated)
     maxAccountPermissionSyncJobConcurrency: 8,
     maxRepoPermissionSyncJobConcurrency: 8,
 }