sourcebot-dev
diff --git a/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎docs/docs/configuration/config-file.mdx‎
Lines changed: 2 additions & 0 deletions b/‎docs/docs/configuration/config-file.mdx‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 1 addition & 0 deletions b/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/index.schema.mdx‎
Lines changed: 20 additions & 0 deletions b/‎docs/snippets/schemas/v3/index.schema.mdx‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎packages/backend/src/ee/accountPermissionSyncer.ts‎
Lines changed: 23 additions & 5 deletions b/‎packages/backend/src/ee/accountPermissionSyncer.ts‎
Lines changed: 23 additions & 5 deletions
diff --git a/‎packages/backend/src/ee/repoPermissionSyncer.ts‎
Lines changed: 1 addition & 1 deletion b/‎packages/backend/src/ee/repoPermissionSyncer.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/backend/src/github.test.ts‎
Lines changed: 61 additions & 2 deletions b/‎packages/backend/src/github.test.ts‎
Lines changed: 61 additions & 2 deletions
diff --git a/‎packages/backend/src/github.ts‎
Lines changed: 65 additions & 3 deletions b/‎packages/backend/src/github.ts‎
Lines changed: 65 additions & 3 deletions
diff --git a/‎packages/schemas/src/v3/index.schema.ts‎
Lines changed: 20 additions & 0 deletions b/‎packages/schemas/src/v3/index.schema.ts‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎packages/schemas/src/v3/index.type.ts‎
Lines changed: 8 additions & 0 deletions b/‎packages/schemas/src/v3/index.type.ts‎
Lines changed: 8 additions & 0 deletions
@@ -8,8 +8,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Fixed
+- Fixed issue where the branch filter in the repos detail page would not return any results. [#851](https://github.com/sourcebot-dev/sourcebot/pull/851)
 - Fixed token refresh error "Provider config not found or invalid for: x" when a sso is configured using deprecated env vars. [#841](https://github.com/sourcebot-dev/sourcebot/pull/841)
 
+## [4.10.25] - 2026-02-04
+
+### Fixed
+- Fixed issue where opening GitLab file links would result in a 404. [#846](https://github.com/sourcebot-dev/sourcebot/pull/846)
+- Fixed issue where file references in copied chat answers were relative paths instead of full browse URLs. [#847](https://github.com/sourcebot-dev/sourcebot/pull/847)
+- [EE] Fixed issue where account driven permission syncing would fail when attempting to authenticate with a GitHub App user token. [#850](https://github.com/sourcebot-dev/sourcebot/pull/850)
+
+### Added
+- [EE] Added `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` env var that, when enabled, will automatically link SSO accounts with the same email address. [#849](https://github.com/sourcebot-dev/sourcebot/pull/849)
+
+## [4.10.24] - 2026-02-03
+
+### Fixed
+- Fixed issue where external links would use internal service DNS names in k8s deployments, making them inaccessible. [#844](https://github.com/sourcebot-dev/sourcebot/pull/844)
+
+## [4.10.23] - 2026-02-02
+
+### Added
+- Added `listCommits` tool to Ask agent. [#843](https://github.com/sourcebot-dev/sourcebot/pull/843)
+
+## [4.10.22] - 2026-02-02
+
+### Added
+- Added `maxAccountPermissionSyncJobConcurrency` and `maxRepoPermissionSyncJobConcurrency` settings to configure concurrency for permission sync jobs (default: 8). [#840](https://github.com/sourcebot-dev/sourcebot/pull/840)
+
 ## [4.10.21] - 2026-02-02
 
 ### Added
 
@@ -52,6 +52,8 @@ The following are settings that can be provided in your config file to modify So
 | `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
 | `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
 | `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
+| `maxAccountPermissionSyncJobConcurrency`        | number  | 8          | 1       | Concurrent account permission sync jobs.                                               |
+| `maxRepoPermissionSyncJobConcurrency`           | number  | 8          | 1       | Concurrent repo permission sync jobs.                                                  |
 
 # Tokens
 
 
@@ -62,6 +62,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
+| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `false` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 
 ### Review Agent Environment Variables
 
@@ -79,6 +79,16 @@
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
+        },
+        "maxAccountPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
+        },
+        "maxRepoPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of repo permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
         }
       },
       "additionalProperties": false
@@ -215,6 +225,16 @@
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
+        },
+        "maxAccountPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
+        },
+        "maxRepoPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of repo permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
         }
       },
       "additionalProperties": false
 
@@ -42,7 +42,7 @@ export class AccountPermissionSyncer {
         });
         this.worker = new Worker<AccountPermissionSyncJob>(QUEUE_NAME, this.runJob.bind(this), {
             connection: redis,
-            concurrency: 1,
+            concurrency: this.settings.maxAccountPermissionSyncJobConcurrency,
         });
         this.worker.on('completed', this.onJobCompleted.bind(this));
         this.worker.on('failed', this.onJobFailed.bind(this));
@@ -179,15 +179,33 @@ export class AccountPermissionSyncer {
                     url: baseUrl,
                 });
 
-                const scopes = await getGitHubOAuthScopesForAuthenticatedUser(octokit);
-                if (!scopes.includes('repo')) {
-                    throw new Error(`OAuth token with scopes [${scopes.join(', ')}] is missing the 'repo' scope required for permission syncing.`);
+                const scopes = await getGitHubOAuthScopesForAuthenticatedUser(octokit, account.access_token);
+
+                // Token supports scope introspection (classic PAT or OAuth app token)
+                if (scopes !== null) {
+                    if (!scopes.includes('repo')) {
+                        throw new Error(`OAuth token with scopes [${scopes.join(', ')}] is missing the 'repo' scope required for permission syncing. Please re-authorize with GitHub to grant the required scope.`);
+                    }
                 }
 
                 // @note: we only care about the private repos since we don't need to build a mapping
                 // for public repos.
                 // @see: packages/web/src/prisma.ts
-                const githubRepos = await getReposForAuthenticatedUser(/* visibility = */ 'private', octokit);
+                let githubRepos;
+                try {
+                    githubRepos = await getReposForAuthenticatedUser(/* visibility = */ 'private', octokit);
+                } catch (error) {
+                    if (error && typeof error === 'object' && 'status' in error) {
+                        const status = (error as { status: number }).status;
+                        if (status === 401 || status === 403) {
+                            throw new Error(
+                                `GitHub API returned ${status} error. Your token may have expired or lacks the required permissions. ` +
+                                `Please re-authorize with GitHub to grant the necessary access.`
+                            );
+                        }
+                    }
+                    throw error;
+                }
                 const gitHubRepoIds = githubRepos.map(repo => repo.id.toString());
 
                 const repos = await this.db.repo.findMany({
 
@@ -35,7 +35,7 @@ export class RepoPermissionSyncer {
         });
         this.worker = new Worker<RepoPermissionSyncJob>(QUEUE_NAME, this.runJob.bind(this), {
             connection: redis,
-            concurrency: 1,
+            concurrency: this.settings.maxRepoPermissionSyncJobConcurrency,
         });
         this.worker.on('completed', this.onJobCompleted.bind(this));
         this.worker.on('failed', this.onJobFailed.bind(this));
 
@@ -1,5 +1,64 @@
-import { expect, test } from 'vitest';
-import { OctokitRepository, shouldExcludeRepo } from './github';
+import { expect, test, describe } from 'vitest';
+import {
+    OctokitRepository,
+    shouldExcludeRepo,
+    detectGitHubTokenType,
+    supportsOAuthScopeIntrospection,
+} from './github';
+
+describe('detectGitHubTokenType', () => {
+    test('detects classic PAT (ghp_)', () => {
+        expect(detectGitHubTokenType('ghp_abc123def456')).toBe('classic_pat');
+    });
+
+    test('detects OAuth app user token (gho_)', () => {
+        expect(detectGitHubTokenType('gho_abc123def456')).toBe('oauth_user');
+    });
+
+    test('detects GitHub App user token (ghu_)', () => {
+        expect(detectGitHubTokenType('ghu_abc123def456')).toBe('app_user');
+    });
+
+    test('detects GitHub App installation token (ghs_)', () => {
+        expect(detectGitHubTokenType('ghs_abc123def456')).toBe('app_installation');
+    });
+
+    test('detects fine-grained PAT (github_pat_)', () => {
+        expect(detectGitHubTokenType('github_pat_abc123def456')).toBe('fine_grained_pat');
+    });
+
+    test('returns unknown for unrecognized token format', () => {
+        expect(detectGitHubTokenType('some_random_token')).toBe('unknown');
+        expect(detectGitHubTokenType('')).toBe('unknown');
+        expect(detectGitHubTokenType('v1.abc123')).toBe('unknown');
+    });
+});
+
+describe('supportsOAuthScopeIntrospection', () => {
+    test('returns true for classic PAT', () => {
+        expect(supportsOAuthScopeIntrospection('classic_pat')).toBe(true);
+    });
+
+    test('returns true for OAuth app user token', () => {
+        expect(supportsOAuthScopeIntrospection('oauth_user')).toBe(true);
+    });
+
+    test('returns false for GitHub App user token', () => {
+        expect(supportsOAuthScopeIntrospection('app_user')).toBe(false);
+    });
+
+    test('returns false for GitHub App installation token', () => {
+        expect(supportsOAuthScopeIntrospection('app_installation')).toBe(false);
+    });
+
+    test('returns false for fine-grained PAT', () => {
+        expect(supportsOAuthScopeIntrospection('fine_grained_pat')).toBe(false);
+    });
+
+    test('returns false for unknown token type', () => {
+        expect(supportsOAuthScopeIntrospection('unknown')).toBe(false);
+    });
+});
 
 test('shouldExcludeRepo returns true when clone_url is undefined', () => {
     const repo = { full_name: 'test/repo' } as OctokitRepository;
 
@@ -12,6 +12,43 @@ import { fetchWithRetry, measure } from "./utils.js";
 
 export const GITHUB_CLOUD_HOSTNAME = "github.com";
 
+/**
+ * GitHub token types and their prefixes.
+ * @see https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
+ */
+export type GitHubTokenType =
+    | 'classic_pat'      // ghp_ - Personal Access Token (classic)
+    | 'oauth_user'       // gho_ - OAuth App user token
+    | 'app_user'         // ghu_ - GitHub App user token
+    | 'app_installation' // ghs_ - GitHub App installation token
+    | 'fine_grained_pat' // github_pat_ - Fine-grained PAT
+    | 'unknown';
+
+/**
+ * Token types that support scope introspection via x-oauth-scopes header.
+ */
+export const SCOPE_INTROSPECTABLE_TOKEN_TYPES: GitHubTokenType[] = ['classic_pat', 'oauth_user'];
+
+/**
+ * Detects the GitHub token type based on its prefix.
+ * @see https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
+ */
+export const detectGitHubTokenType = (token: string): GitHubTokenType => {
+    if (token.startsWith('ghp_')) return 'classic_pat';
+    if (token.startsWith('gho_')) return 'oauth_user';
+    if (token.startsWith('ghu_')) return 'app_user';
+    if (token.startsWith('ghs_')) return 'app_installation';
+    if (token.startsWith('github_pat_')) return 'fine_grained_pat';
+    return 'unknown';
+};
+
+/**
+ * Checks if a token type supports OAuth scope introspection via x-oauth-scopes header.
+ */
+export const supportsOAuthScopeIntrospection = (tokenType: GitHubTokenType): boolean => {
+    return SCOPE_INTROSPECTABLE_TOKEN_TYPES.includes(tokenType);
+};
+
 // Limit concurrent GitHub requests to avoid hitting rate limits and overwhelming installations.
 const MAX_CONCURRENT_GITHUB_QUERIES = 5;
 const githubQueryLimit = pLimit(MAX_CONCURRENT_GITHUB_QUERIES);
@@ -182,6 +219,10 @@ export const getRepoCollaborators = async (owner: string, repo: string, octokit:
     }
 }
 
+/**
+ * Lists repositories that the authenticated user has explicit permission (:read, :write, or :admin) to access.
+ * @see: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user
+ */
 export const getReposForAuthenticatedUser = async (visibility: 'all' | 'private' | 'public' = 'all', octokit: Octokit) => {
     try {
         const fetchFn = () => octokit.paginate(octokit.repos.listForAuthenticatedUser, {
@@ -198,9 +239,30 @@ export const getReposForAuthenticatedUser = async (visibility: 'all' | 'private'
     }
 }
 
-// Gets oauth scopes
-// @see: https://github.com/octokit/auth-token.js/?tab=readme-ov-file#find-out-what-scopes-are-enabled-for-oauth-tokens
-export const getOAuthScopesForAuthenticatedUser = async (octokit: Octokit) => {
+/**
+ * Gets OAuth scopes for a GitHub token.
+ *
+ * Returns `null` for token types that don't support scope introspection:
+ * - GitHub App user tokens (ghu_)
+ * - GitHub App installation tokens (ghs_)
+ * - Fine-grained PATs (github_pat_)
+ *
+ * Returns scope array for tokens that support introspection:
+ * - Classic PATs (ghp_)
+ * - OAuth App user tokens (gho_)
+ *
+ * @see https://github.com/octokit/auth-token.js/?tab=readme-ov-file#find-out-what-scopes-are-enabled-for-oauth-tokens
+ * @see https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
+ */
+export const getOAuthScopesForAuthenticatedUser = async (octokit: Octokit, token?: string): Promise<string[] | null> => {
+    // If token is provided, check if it supports scope introspection
+    if (token) {
+        const tokenType = detectGitHubTokenType(token);
+        if (!supportsOAuthScopeIntrospection(tokenType)) {
+            return null;
+        }
+    }
+
     try {
         const response = await octokit.request("HEAD /");
         const scopes = response.headers["x-oauth-scopes"]?.split(/,\s+/) || [];
 
@@ -78,6 +78,16 @@ const schema = {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
+        },
+        "maxAccountPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
+        },
+        "maxRepoPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of repo permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
         }
       },
       "additionalProperties": false
@@ -214,6 +224,16 @@ const schema = {
           "type": "number",
           "description": "The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.",
           "minimum": 1
+        },
+        "maxAccountPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of account permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
+        },
+        "maxRepoPermissionSyncJobConcurrency": {
+          "type": "number",
+          "description": "The number of repo permission sync jobs to run concurrently. Defaults to 8.",
+          "minimum": 1
         }
       },
       "additionalProperties": false
 
@@ -129,6 +129,14 @@ export interface Settings {
    * The interval (in milliseconds) at which the user permission syncer should run. Defaults to 24 hours.
    */
   experiment_userDrivenPermissionSyncIntervalMs?: number;
+  /**
+   * The number of account permission sync jobs to run concurrently. Defaults to 8.
+   */
+  maxAccountPermissionSyncJobConcurrency?: number;
+  /**
+   * The number of repo permission sync jobs to run concurrently. Defaults to 8.
+   */
+  maxRepoPermissionSyncJobConcurrency?: number;
 }
 /**
  * Search context