Merge branch 'main' into cursor/development-environment-setup-5c91

Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>

Author: cursoragent

.env.development

@@ -40,12 +40,6 @@ CONFIG_PATH=${PWD}/config.json # Path to the sourcebot config file (if one exist
 # Redis
 REDIS_URL="redis://localhost:6379"
 
-# Stripe
-# STRIPE_SECRET_KEY: z.string().optional(),
-# STRIPE_PRODUCT_ID: z.string().optional(),
-# STRIPE_WEBHOOK_SECRET: z.string().optional(),
-# STRIPE_ENABLE_TEST_CLOCKS=false
-
 # Agents
 
 # GITHUB_APP_ID=
@@ -75,4 +69,5 @@ SOURCEBOT_TELEMETRY_DISABLED=true # Disables telemetry collection
 
 # CONFIG_MAX_REPOS_NO_TOKEN=
 NODE_ENV=development
-# SOURCEBOT_TENANCY_MODE=single
+
+DEBUG_WRITE_CHAT_MESSAGES_TO_FILE=true

.github/workflows/license-audit.yml

@@ -0,0 +1,197 @@
+name: License Audit
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "yarn.lock"
+      - "package.json"
+      - "packages/*/package.json"
+      - "scripts/fetchLicenses.mjs"
+      - "scripts/summarizeLicenses.mjs"
+      - "scripts/npmLicenseMap.json"
+      - "scripts/licenseAuditPrompt.txt"
+      - "scripts/runLicenseAudit.sh"
+  workflow_dispatch:
+
+jobs:
+  license-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "yarn"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Fetch licenses
+        run: node scripts/fetchLicenses.mjs
+
+      - name: Summarize licenses
+        run: node scripts/summarizeLicenses.mjs
+
+      - name: Read audit prompt
+        id: read-prompt
+        run: |
+          {
+            echo 'PROMPT<<PROMPT_EOF'
+            cat scripts/licenseAuditPrompt.txt
+            echo 'PROMPT_EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Audit licenses with Claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          claude_args: '--allowedTools "Bash,Read,Write,Glob,Grep,WebFetch"'
+          prompt: ${{ steps.read-prompt.outputs.PROMPT }}
+
+      - name: Validate audit result
+        run: |
+          if [ ! -f license-audit-result.json ]; then
+            echo "::error::license-audit-result.json was not created by the audit step"
+            exit 1
+          fi
+
+          STATUS=$(node -e "const r = require('./license-audit-result.json'); console.log(r.status)")
+          UNRESOLVED=$(node -e "const r = require('./license-audit-result.json'); console.log(r.summary.unresolvedCount)")
+          STRONG=$(node -e "const r = require('./license-audit-result.json'); console.log(r.summary.strongCopyleftCount)")
+          WEAK=$(node -e "const r = require('./license-audit-result.json'); console.log(r.summary.weakCopyleftCount)")
+          RESOLVED=$(node -e "const r = require('./license-audit-result.json'); console.log(r.summary.resolvedCount)")
+
+          echo "## License Audit Result: $STATUS"
+          echo ""
+          echo "- Resolved: $RESOLVED"
+          echo "- Unresolved: $UNRESOLVED"
+          echo "- Strong copyleft: $STRONG"
+          echo "- Weak copyleft: $WEAK"
+
+          if [ "$STATUS" = "FAIL" ]; then
+            echo ""
+            echo "::error::License audit failed. See details below:"
+            node -e "const r = require('./license-audit-result.json'); r.failReasons.forEach(r => console.log('  - ' + r))"
+            exit 1
+          fi
+
+      - name: Comment on PR
+        if: always() && github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const resultPath = 'license-audit-result.json';
+
+            // Determine if we should comment
+            let shouldComment = false;
+            let body = '';
+
+            if (!fs.existsSync(resultPath)) {
+              shouldComment = true;
+              body = `## License Audit\n\n:x: Audit failed to produce results. Check the workflow logs for details.`;
+            } else {
+              const result = JSON.parse(fs.readFileSync(resultPath, 'utf-8'));
+              const hasWeakCopyleft = result.summary.weakCopyleftCount > 0;
+              const isFail = result.status === 'FAIL';
+
+              if (!isFail && !hasWeakCopyleft) {
+                return;
+              }
+
+              shouldComment = true;
+              const icon = isFail ? ':x:' : ':warning:';
+
+              body = `## License Audit\n\n`;
+              body += `${icon} **Status: ${result.status}**\n\n`;
+              body += `| Metric | Count |\n|---|---|\n`;
+              body += `| Total packages | ${result.summary.totalPackages} |\n`;
+              body += `| Resolved (non-standard) | ${result.summary.resolvedCount} |\n`;
+              body += `| Unresolved | ${result.summary.unresolvedCount} |\n`;
+              body += `| Strong copyleft | ${result.summary.strongCopyleftCount} |\n`;
+              body += `| Weak copyleft | ${result.summary.weakCopyleftCount} |\n`;
+
+              if (result.failReasons && result.failReasons.length > 0) {
+                body += `\n### Fail Reasons\n\n`;
+                for (const reason of result.failReasons) {
+                  body += `- ${reason}\n`;
+                }
+              }
+
+              if (result.unresolved && result.unresolved.length > 0) {
+                body += `\n### Unresolved Packages\n\n`;
+                body += `| Package | Version | License | Reason |\n|---|---|---|---|\n`;
+                for (const pkg of result.unresolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` | ${pkg.reason} |\n`;
+                }
+              }
+
+              if (result.copyleft && result.copyleft.strong && result.copyleft.strong.length > 0) {
+                body += `\n### Strong Copyleft Packages\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.strong) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
+              }
+
+              if (result.copyleft && result.copyleft.weak && result.copyleft.weak.length > 0) {
+                body += `\n### Weak Copyleft Packages (informational)\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.weak) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
+              }
+
+              if (result.resolved && result.resolved.length > 0) {
+                body += `\n<details><summary>Resolved Packages (${result.resolved.length})</summary>\n\n`;
+                body += `| Package | Version | Original | Resolved | Source |\n|---|---|---|---|---|\n`;
+                for (const pkg of result.resolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.originalLicense}\` | \`${pkg.resolvedLicense}\` | ${pkg.source} |\n`;
+                }
+                body += `\n</details>\n`;
+              }
+            }
+
+            if (!shouldComment) return;
+
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.data.find(c => c.body.startsWith('## License Audit'));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
+
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-audit
+          path: |
+            oss-licenses.json
+            oss-license-summary.json
+            license-audit-result.json

.gitignore

@@ -163,4 +163,7 @@ dist
 .sourcebot
 /bin
 /config.json
-.DS_Store
+.DS_Store
+oss-licenses.json
+oss-license-summary.json
+license-audit-result.json

AGENTS.md

@@ -33,6 +33,10 @@ Standard dev commands are documented in `CONTRIBUTING.md` and `package.json`. Ke
 - **Build deps only:** `yarn build:deps` (builds shared packages: schemas, db, shared, query-language)
 - **DB migrations:** `yarn dev:prisma:migrate:dev`
 
+### Deprecated Packages
+
+- **`packages/mcp`** - This standalone MCP package is deprecated. Do NOT modify it. MCP functionality is now handled by the web package at `packages/web/src/features/mcp/`.
+
 ### Non-obvious Caveats
 
 - **Docker must be running** before `yarn dev`. Start it with `docker compose -f docker-compose-dev.yml up -d`. The backend will fail to connect to Redis/PostgreSQL otherwise.

CHANGELOG.md

@@ -7,13 +7,129 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.16.5] - 2026-04-02
+
+### Added
+- Added `GET /api/commit` endpoint for retrieving details about a single commit, including parent commit SHAs [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+
+### Changed
+- Replaced placeholder avatars with deterministic minidenticon-based avatars generated from email addresses [#1072](https://github.com/sourcebot-dev/sourcebot/pull/1072)
+- Changed `author_name` and `author_email` fields to `authorName` and `authorEmail` in `GET /api/commits` response [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+- Changed `oldPath` and `newPath` in `GET /api/diff` response from `"/dev/null"` to `null` for added/deleted files [#1077](https://github.com/sourcebot-dev/sourcebot/pull/1077)
+- Bumped `simple-git` to `3.33.0`. [#1078](https://github.com/sourcebot-dev/sourcebot/pull/1078)
+
+## [4.16.4] - 2026-04-01
+
+### Added
+- Added `GET /api/diff` endpoint for retrieving structured diffs between two git refs [#1063](https://github.com/sourcebot-dev/sourcebot/pull/1063)
+
+### Fixed
+- Fixed `GET /api/mcp` hanging with zero bytes by returning `405 Method Not Allowed` per the MCP Streamable HTTP spec [#1064](https://github.com/sourcebot-dev/sourcebot/pull/1064)
+- Fixed tokens with trailing newlines breaking git clone URLs by adding `.trim()` in `getTokenFromConfig()` [#1067](https://github.com/sourcebot-dev/sourcebot/pull/1067)
+
+### Removed
+- Removed "general" settings page with options to change organization name and domain. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
+
+### Changed
+- Changed the analytics and license settings pages to only be viewable by organization owners. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
+
+## [4.16.3] - 2026-03-27
+
+### Added
+- Added support for `.gitattributes` `linguist-language` overrides in the file viewer ([#1048](https://github.com/sourcebot-dev/sourcebot/pull/1048))
+- Added Basic language syntax highlighting in the file viewer ([#1054](https://github.com/sourcebot-dev/sourcebot/pull/1054))
+
+### Fixed
+- Fixed Ask GitHub landing page chat box placement to be centered on the page instead of at the bottom. [#1046](https://github.com/sourcebot-dev/sourcebot/pull/1046)
+- Fixed issue where local git connections (`file://`) would fail when matching a file instead of a directory. [#1049](https://github.com/sourcebot-dev/sourcebot/pull/1049)
+- Fixed regex queries containing parentheses (e.g. `(test|render)<`) being incorrectly split into multiple search terms instead of treated as a single regex pattern. [#1050](https://github.com/sourcebot-dev/sourcebot/pull/1050)
+
+## [4.16.2] - 2026-03-25
+
+### Fixed
+- Fixed line numbers being selectable in Safari in the lightweight code highlighter. [#1037](https://github.com/sourcebot-dev/sourcebot/pull/1037)
+- Fixed GitLab sync deleting repos when the API returns a non-404 error (e.g. 500) during group/user/project fetch. [#1039](https://github.com/sourcebot-dev/sourcebot/pull/1039)
+- Fixed React hydration mismatch in `KeyboardShortcutHint` caused by platform detection running at module load time during SSR. [#1041](https://github.com/sourcebot-dev/sourcebot/pull/1041)
+- Fixed rendering performance for ask threads, especially when hovering or selecting citations. [#1042](https://github.com/sourcebot-dev/sourcebot/pull/1042)
+
+### Added
+- Added optional copy button to the lightweight code highlighter (`isCopyButtonVisible` prop), shown on hover. [#1037](https://github.com/sourcebot-dev/sourcebot/pull/1037)
+
+## [4.16.1] - 2026-03-24
+
+### Fixed
+- Fixed scroll position when selecting chat references that point to lines further down in a file. [#1036](https://github.com/sourcebot-dev/sourcebot/pull/1036)
+
+## [4.16.0] - 2026-03-24
+
+### Changed
+- Changed language detection to resolve file extensions with multiple language resolutions (e.g., .md) to the most common resolution. [#1026](https://github.com/sourcebot-dev/sourcebot/pull/1026)
+- Changed the `webUrl` property of the `/api/repos` api to return a URL rather than just a path. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Changed the ask search scope selector to allow submitting questions with no search scope selected. When no selection is made, the agent will be able to search over all repos the user has access to. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Renamed the `search_code` tool to `grep` for ask and mcp. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Improved auto-scroll behavior in the ask chat thread. [#1031](https://github.com/sourcebot-dev/sourcebot/pull/1031)
+
+### Added
+- Added `glob`, `find_symbol_definitions`, and `find_symbol_references` tools to the ask agent and MCP server. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Added `list_tree` tool to the ask agent. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Added input & output token breakdown in ask details card. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Added `path` parameter to the `/api/commits` api to allow filtering commits by paths. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Search contexts now support topic-based filtering with new `includeTopics` and `excludeTopics` fields, enabling repository filtering by GitHub/GitLab topics with glob pattern support and case-insensitive matching.[#1028](https://github.com/sourcebot-dev/sourcebot/pull/1028)
+
+### Fixed
+- Fixed issue where ask responses would sometimes appear in the details panel while generating. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Fixed reference panel overflow issue in the ask UI. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Fixed homepage scrolling issue in the ask UI. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
+- Fixed UI freeze when the `grep` tool returns a large number of results with `groupByRepo=true`. [#1032](https://github.com/sourcebot-dev/sourcebot/pull/1032)
+- Fixed issue where the search scope selection persisted after a new thread is created. [#1033](https://github.com/sourcebot-dev/sourcebot/pull/1033)
+- Fixed inaccurate scroll position when selecting a chat reference in the ask UI. [#1035](https://github.com/sourcebot-dev/sourcebot/pull/1035)
+
+## [4.15.11] - 2026-03-20
+
+### Changed
+- Updated JumpCloud SSO documentation to clarify token endpoint authentication method requirement and AUTH_SECRET configuration. [#1022](https://github.com/sourcebot-dev/sourcebot/pull/1022)
+- The `ask_codebase` MCP tool is now hidden when no language model providers are configured. [#1018](https://github.com/sourcebot-dev/sourcebot/pull/1018)
+
+## [4.15.10] - 2026-03-20
+
+### Changed
+- Increased `SOURCEBOT_CHAT_MAX_STEP_COUNT` default from 20 to 100 to allow agents to perform more autonomous steps. [#1017](https://github.com/sourcebot-dev/sourcebot/pull/1017)
+- [EE] Fix error with Jumpcloud SSO state param [#1020](https://github.com/sourcebot-dev/sourcebot/pull/1020)
+
+## [4.15.9] - 2026-03-17
+
+### Added
+- Added read-only annotations to MCP tools for compatibility with Cursor Ask mode and other MCP clients that restrict tool usage based on behavior hints. [#1013](https://github.com/sourcebot-dev/sourcebot/pull/1013)
+
+## [4.15.8] - 2026-03-17
+
+### Added
+- Added support for connecting to Redis over TLS via `REDIS_TLS_ENABLED` and related environment variables. [#1011](https://github.com/sourcebot-dev/sourcebot/pull/1011)
+
+### Changed
+- `filterByFilepaths` in the MCP `search_code` tool now accepts regular expressions matched against the full file path, instead of treating values as escaped literals. [#1008](https://github.com/sourcebot-dev/sourcebot/pull/1008)
+
+### Fixed
+- Connection sync job failures now log the actual error reason instead of a generic message. [#1012](https://github.com/sourcebot-dev/sourcebot/pull/1012)
+
+## [4.15.7] - 2026-03-16
+
 ### Added
 - Added AGENTS.md with Cursor Cloud development environment instructions. [#1001](https://github.com/sourcebot-dev/sourcebot/pull/1001)
+- Added support for configuring SMTP via individual environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD) as an alternative to SMTP_CONNECTION_URL. [#1002](https://github.com/sourcebot-dev/sourcebot/pull/1002)
+- Added `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` and `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` environment variables to restrict API key creation and usage to organization owners. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
+
+### Changed
+- Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
+
+### Modified
+- Made OSS license audit runnable locally [#1021](https://github.com/sourcebot-dev/sourcebot/pull/1021)
 
 ## [4.15.6] - 2026-03-13
 
 ### Added
 - Added generated OpenAPI documentation for the public search, repo, and file browsing API surface. [#996](https://github.com/sourcebot-dev/sourcebot/pull/996)
+- Added OSS license audit github action. [#1003](https://github.com/sourcebot-dev/sourcebot/pull/1003)
 
 ### Fixed
 - [EE] Fixed account-driven permission sync silently wiping all Bitbucket Server repository permissions when the OAuth token expires on instances with anonymous access enabled. [#998](https://github.com/sourcebot-dev/sourcebot/pull/998)