feat: add per-connection enforcePermissions toggle and promote PERMISSION_SYNC_ENABLED (#991)

* feat(worker): add per-connection enforcePermissions toggle and promote PERMISSION_SYNC_ENABLED

- Add `enforcePermissions` boolean to all connection config schemas (github, gitlab, bitbucket, gitea, gerrit, azuredevops, genericGitHost). Defaults to the value of `PERMISSION_SYNC_ENABLED` when not set.
- Add `enforcePermissions` column to the `Connection` DB model (migration: 20260310050300).
- Sync `enforcePermissions` from config in `configManager.ts` on create/update.
- Filter repo permission syncer to only queue repos with at least one connection with `enforcePermissions: true`.
- Update `getRepoPermissionFilterForUser` in `prisma.ts` to exempt repos where no connection has `enforcePermissions: true`.
- Deprecate `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` in favour of `PERMISSION_SYNC_ENABLED` (backwards-compatible via Zod transform fallback).
- Remove `isPermissionSyncEnabled()` helper; replace all call sites with `env.PERMISSION_SYNC_ENABLED === 'true'`.
- Add unit tests for `PERMISSION_SYNC_ENABLED` env var behaviour in `packages/shared/src/env.server.test.ts`.
- Extract `createEnv` options as named export to preserve JSDoc (`@deprecated`) in emitted `.d.ts` (see microsoft/TypeScript#62309).
- Update permission-syncing and environment-variables docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update CHANGELOG for #991

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add repoDrivenPermissionSyncIntervalMs and userDrivenPermissionSyncIntervalMs config settings

- Add `repoDrivenPermissionSyncIntervalMs` and `userDrivenPermissionSyncIntervalMs` to the config schema, deprecating the `experiment_` prefixed variants (still respected as fallbacks in getConfigSettings).
- Update repoPermissionSyncer and accountPermissionSyncer to use the new setting names.
- Add tests for getConfigSettings fallback behaviour.
- Update docs and CHANGELOG.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feedback

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -10,6 +10,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988)
 - [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
+- [EE] Added `enforcePermissions` per-connection flag to control whether repository permissions are enforced for a given connection. Defaults to the value of `PERMISSION_SYNC_ENABLED`. [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
+- [EE] Added `repoDrivenPermissionSyncIntervalMs` and `userDrivenPermissionSyncIntervalMs` config settings, deprecating the `experiment_` prefixed variants (still respected as fallbacks). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
+
+### Changed
+- [EE] Promoted `PERMISSION_SYNC_ENABLED` as the canonical env var for enabling permission syncing, deprecating `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` (still respected as a fallback). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
 
 ## [4.15.3] - 2026-03-10
 

docs/docs/configuration/config-file.mdx

@@ -50,8 +50,10 @@ The following are settings that can be provided in your config file to modify So
 | `repoGarbageCollectionGracePeriodMs`            | number  | 10 seconds | 1       | Grace period to avoid deleting shards while loading.                                   |
 | `repoIndexTimeoutMs`                            | number  | 2 hours    | 1       | Timeout for a single repo‑indexing run.                                                |
 | `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
-| `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
+| `repoDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
+| `userDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
+| `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `repoDrivenPermissionSyncIntervalMs` instead.             |
+| `experiment_userDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `userDrivenPermissionSyncIntervalMs` instead.             |
 | `maxAccountPermissionSyncJobConcurrency`        | number  | 8          | 1       | Concurrent account permission sync jobs.                                               |
 | `maxRepoPermissionSyncJobConcurrency`           | number  | 8          | 1       | Concurrent repo permission sync jobs.                                                  |
 

docs/docs/configuration/environment-variables.mdx

@@ -45,8 +45,9 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `SOURCEBOT_EE_AUDIT_RETENTION_DAYS` | `180` | <p>The number of days to retain audit logs. Audit log records older than this will be automatically pruned daily. Set to `0` to disable pruning and retain logs indefinitely.</p> |
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
-| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
-| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
+| `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
+| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 

docs/docs/features/permission-syncing.mdx

@@ -18,11 +18,11 @@ that they have access to on the code host. Practically, this means:
 - Ask Sourcebot (and the underlying LLM) will only have access to repositories that the user has access to.
 - File browsing is scoped to the repositories that the user has access to.
 
-Permission syncing can be enabled by setting the `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` environment variable to `true`.
+Permission syncing can be enabled by setting the `PERMISSION_SYNC_ENABLED` environment variable to `true`.
 
 ```bash
 docker run \
-    -e EXPERIMENT_EE_PERMISSION_SYNC_ENABLED=true \
+    -e PERMISSION_SYNC_ENABLED=true \
     /* additional args */ \
     ghcr.io/sourcebot-dev/sourcebot:latest
 ```
@@ -97,9 +97,9 @@ Permission syncing works with **Bitbucket Cloud**. OAuth tokens must assume the
 - Membership in the [project that contains the repository](https://support.atlassian.com/bitbucket-cloud/docs/configure-project-permissions-for-users-and-groups/)
 - Membership in a group that is part of a project containing the repository
 
-These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all private repositories accessible to each authenticated user. However, there may be a delay between when a repository is added and when affected users gain access in Sourcebot (up to the `experiment_userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
+These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all private repositories accessible to each authenticated user. However, there may be a delay between when a repository is added and when affected users gain access in Sourcebot (up to the `userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
 
-If your workspace relies heavily on group or project-level permissions rather than direct user grants, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
+If your workspace relies heavily on group or project-level permissions rather than direct user grants, we recommend reducing the `userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
 </Warning>
 
 **Notes:**
@@ -120,16 +120,64 @@ Permission syncing works with **Bitbucket Data Center**. OAuth tokens must assum
 - Project-level permissions (inherited by all repos in the project)
 - Group membership
 
-These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all repositories accessible to each authenticated user using the `REPO_READ` scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the `experiment_userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
+These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all repositories accessible to each authenticated user using the `REPO_READ` scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the `userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
 
-If your instance relies heavily on project or group-level permissions, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
+If your instance relies heavily on project or group-level permissions, we recommend reducing the `userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
 </Warning>
 
 **Notes:**
 - A Bitbucket Data Center [external identity provider](/docs/configuration/idp#bitbucket-server) must be configured to (1) correlate a Sourcebot user with a Bitbucket Data Center user, and (2) to list repositories that the user has access to for [User driven syncing](/docs/features/permission-syncing#how-it-works).
 - The connection token must have **Repository Read** permissions so Sourcebot can read repository-level user permissions for [Repo driven syncing](/docs/features/permission-syncing#how-it-works).
 - OAuth tokens require the `REPO_READ` scope to list accessible repositories during [User driven syncing](/docs/features/permission-syncing#how-it-works).
 
+# Manually refreshing permissions
+
+If a user's permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the **Linked Accounts** page:
+
+1. Navigate to **Settings → Linked Accounts**.
+2. Click the **Connected** button next to the relevant code host account.
+3. Select **Refresh Permissions** from the dropdown.
+
+<Frame>
+  <img src="/images/linked_accounts_refresh_permissions.png" alt="Linked Accounts - Refresh Permissions" />
+</Frame>
+
+The button will show a spinner while the sync is in progress and display a confirmation once it completes.
+
+
+# Overriding enforcement per connection
+
+Each [connection](/docs/connections/overview) supports an `enforcePermissions` flag that controls whether permissions are enforced for repositories in that connection. This lets you mix code hosts in a single deployment - for example, enforcing access control on a private GitHub connection while keeping an internal Gerrit instance open to all users.
+
+By default, `enforcePermissions` inherits the value of `PERMISSION_SYNC_ENABLED`. You can override it per connection in the [config file](/docs/configuration/config-file):
+
+```json
+{
+  "connections": {
+    "my-github": {
+      "type": "github",
+      "enforcePermissions": true
+    },
+    "my-gerrit": {
+      "type": "gerrit",
+      "url": "https://gerrit.example.com",
+      "enforcePermissions": false
+    }
+  }
+}
+```
+
+Setting `enforcePermissions: false` on a connection makes all repositories from that connection accessible to any user, regardless of the global `PERMISSION_SYNC_ENABLED` setting.
+
+The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED` and `enforcePermissions`:
+
+| `PERMISSION_SYNC_ENABLED` | `enforcePermissions` | Permissions enforced? |
+|--------------------------|---------------------|-----------------------|
+| `true`                   | `true`              | Yes                   |
+| `true`                   | `false`             | No                    |
+| `false`                  | `true`              | No                    |
+| `false`                  | `false`             | No                    |
+
 # How it works
 
 Permission syncing works by periodically syncing ACLs from the code host(s) to Sourcebot to build an internal mapping between Users and Repositories. This mapping is hydrated in two directions:
@@ -146,19 +194,5 @@ The sync intervals can be configured using the following settings in the [config
 
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
-| `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-
-## Manually refreshing permissions
-
-If a user's permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the **Linked Accounts** page:
-
-1. Navigate to **Settings → Linked Accounts**.
-2. Click the **Connected** button next to the relevant code host account.
-3. Select **Refresh Permissions** from the dropdown.
-
-<Frame>
-  <img src="/images/linked_accounts_refresh_permissions.png" alt="Linked Accounts - Refresh Permissions" />
-</Frame>
-
-The button will show a spinner while the sync is in progress and display a confirmation once it completes.
+| `repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
+| `userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |

docs/snippets/schemas/v3/azuredevops.schema.mdx

@@ -189,6 +189,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/bitbucket.schema.mdx

@@ -162,6 +162,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/connection.schema.mdx

@@ -205,6 +205,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -407,6 +411,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -562,6 +570,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -669,6 +681,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -839,6 +855,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1047,6 +1067,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1116,6 +1140,10 @@
             }
           },
           "additionalProperties": false
+        },
+        "enforcePermissions": {
+          "type": "boolean",
+          "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [

docs/snippets/schemas/v3/genericGitHost.schema.mdx

@@ -60,6 +60,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/gerrit.schema.mdx

@@ -100,6 +100,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [

docs/snippets/schemas/v3/gitea.schema.mdx

@@ -148,6 +148,10 @@
         }
       },
       "additionalProperties": false
+    },
+    "enforcePermissions": {
+      "type": "boolean",
+      "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [