Merge branch 'main' into cursor/SOU-718-ask-codebase-tool-visibility-26fc

Author: msukkari

.github/workflows/license-audit.yml

@@ -10,6 +10,8 @@ on:
       - "scripts/fetchLicenses.mjs"
       - "scripts/summarizeLicenses.mjs"
       - "scripts/npmLicenseMap.json"
+      - "scripts/licenseAuditPrompt.txt"
+      - "scripts/runLicenseAudit.sh"
   workflow_dispatch:
 
 jobs:
@@ -40,80 +42,21 @@ jobs:
       - name: Summarize licenses
         run: node scripts/summarizeLicenses.mjs
 
+      - name: Read audit prompt
+        id: read-prompt
+        run: |
+          {
+            echo 'PROMPT<<PROMPT_EOF'
+            cat scripts/licenseAuditPrompt.txt
+            echo 'PROMPT_EOF'
+          } >> "$GITHUB_OUTPUT"
+
       - name: Audit licenses with Claude
         uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           claude_args: '--allowedTools "Bash,Read,Write,Glob,Grep,WebFetch"'
-          prompt: |
-            You are a license compliance auditor. Your job is to review the OSS dependency
-            licenses in this repository and produce a structured audit result.
-
-            ## Steps
-
-            1. Read the file `oss-licenses.json` in the repo root.
-
-            2. Identify every package whose `license` field is:
-               - `"UNKNOWN"`
-               - A non-standard SPDX string (e.g., `"SEE LICENSE IN LICENSE"`, `"UNLICENSED"`,
-                 `"SEE LICENSE IN ..."`, or any value that is not a recognized SPDX identifier)
-               - An object instead of a string (e.g., `{"type":"MIT","url":"..."}`)
-
-            3. For each such package, try to resolve the actual license:
-               - Use WebFetch to visit `https://www.npmjs.com/package/<package-name>` and look
-                 for license information on the npm page.
-               - If the npm page is inconclusive, check the package's `repository` or `homepage`
-                 URL (from oss-licenses.json) via WebFetch to find a LICENSE file.
-               - If the license field is an object like `{"type":"MIT","url":"..."}`, extract the
-                 `type` field as the resolved license.
-
-            4. Identify all copyleft-licensed packages. Classify them as:
-               - **Strong copyleft**: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0, SSPL-1.0, EUPL-1.1,
-                 EUPL-1.2, CPAL-1.0, OSL-3.0 (and any `-only` or `-or-later` variants)
-               - **Weak copyleft**: LGPL-2.0, LGPL-2.1, LGPL-3.0, MPL-2.0, CC-BY-SA-3.0,
-                 CC-BY-SA-4.0 (and any `-only` or `-or-later` variants)
-
-            5. Write a file called `license-audit-result.json` in the repo root with this structure:
-               ```json
-               {
-                 "status": "PASS or FAIL",
-                 "failReasons": ["list of reasons if FAIL, empty array if PASS"],
-                 "summary": {
-                   "totalPackages": 0,
-                   "resolvedCount": 0,
-                   "unresolvedCount": 0,
-                   "strongCopyleftCount": 0,
-                   "weakCopyleftCount": 0
-                 },
-                 "resolved": [
-                   { "name": "pkg-name", "version": "1.0.0", "originalLicense": "...", "resolvedLicense": "MIT", "source": "npm page / GitHub repo / extracted from object" }
-                 ],
-                 "unresolved": [
-                   { "name": "pkg-name", "version": "1.0.0", "license": "UNKNOWN", "reason": "why it could not be resolved" }
-                 ],
-                 "copyleft": {
-                   "strong": [
-                     { "name": "pkg-name", "version": "1.0.0", "license": "GPL-3.0" }
-                   ],
-                   "weak": [
-                     { "name": "pkg-name", "version": "1.0.0", "license": "MPL-2.0" }
-                   ]
-                 }
-               }
-               ```
-
-            6. Set `status` to `"FAIL"` if `unresolvedCount > 0` OR `strongCopyleftCount > 0`.
-               Otherwise set it to `"PASS"`.
-
-            7. If the status is FAIL, populate `failReasons` with human-readable explanations, e.g.:
-               - "2 packages have unresolvable licenses: pkg-a, pkg-b"
-               - "1 package uses strong copyleft license: pkg-c (GPL-3.0)"
-
-            ## Important Notes
-            - Do NOT modify any source files. Only write `license-audit-result.json`.
-            - Be thorough: check every non-standard license, not just a sample.
-            - If a package's license object has a `type` field, that counts as resolved.
-            - Weak copyleft licenses (LGPL, MPL) are flagged but do NOT cause a FAIL.
+          prompt: ${{ steps.read-prompt.outputs.PROMPT }}
 
       - name: Validate audit result
         run: |
@@ -148,86 +91,79 @@ jobs:
         with:
           script: |
             const fs = require('fs');
-            const path = 'license-audit-result.json';
+            const resultPath = 'license-audit-result.json';
 
-            if (!fs.existsSync(path)) {
-              const body = `## License Audit\n\n:x: Audit failed to produce results. Check the workflow logs for details.`;
-              const comments = await github.rest.issues.listComments({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-              });
-              const existing = comments.data.find(c => c.body.startsWith('## License Audit'));
-              if (existing) {
-                await github.rest.issues.updateComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  comment_id: existing.id,
-                  body,
-                });
-              } else {
-                await github.rest.issues.createComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: context.issue.number,
-                  body,
-                });
-              }
-              return;
-            }
+            // Determine if we should comment
+            let shouldComment = false;
+            let body = '';
 
-            const result = JSON.parse(fs.readFileSync(path, 'utf-8'));
-            const icon = result.status === 'PASS' ? ':white_check_mark:' : ':x:';
+            if (!fs.existsSync(resultPath)) {
+              shouldComment = true;
+              body = `## License Audit\n\n:x: Audit failed to produce results. Check the workflow logs for details.`;
+            } else {
+              const result = JSON.parse(fs.readFileSync(resultPath, 'utf-8'));
+              const hasWeakCopyleft = result.summary.weakCopyleftCount > 0;
+              const isFail = result.status === 'FAIL';
 
-            let body = `## License Audit\n\n`;
-            body += `${icon} **Status: ${result.status}**\n\n`;
-            body += `| Metric | Count |\n|---|---|\n`;
-            body += `| Total packages | ${result.summary.totalPackages} |\n`;
-            body += `| Resolved (non-standard) | ${result.summary.resolvedCount} |\n`;
-            body += `| Unresolved | ${result.summary.unresolvedCount} |\n`;
-            body += `| Strong copyleft | ${result.summary.strongCopyleftCount} |\n`;
-            body += `| Weak copyleft | ${result.summary.weakCopyleftCount} |\n`;
+              if (!isFail && !hasWeakCopyleft) {
+                return;
+              }
 
-            if (result.failReasons && result.failReasons.length > 0) {
-              body += `\n### Fail Reasons\n\n`;
-              for (const reason of result.failReasons) {
-                body += `- ${reason}\n`;
+              shouldComment = true;
+              const icon = isFail ? ':x:' : ':warning:';
+
+              body = `## License Audit\n\n`;
+              body += `${icon} **Status: ${result.status}**\n\n`;
+              body += `| Metric | Count |\n|---|---|\n`;
+              body += `| Total packages | ${result.summary.totalPackages} |\n`;
+              body += `| Resolved (non-standard) | ${result.summary.resolvedCount} |\n`;
+              body += `| Unresolved | ${result.summary.unresolvedCount} |\n`;
+              body += `| Strong copyleft | ${result.summary.strongCopyleftCount} |\n`;
+              body += `| Weak copyleft | ${result.summary.weakCopyleftCount} |\n`;
+
+              if (result.failReasons && result.failReasons.length > 0) {
+                body += `\n### Fail Reasons\n\n`;
+                for (const reason of result.failReasons) {
+                  body += `- ${reason}\n`;
+                }
               }
-            }
 
-            if (result.unresolved && result.unresolved.length > 0) {
-              body += `\n### Unresolved Packages\n\n`;
-              body += `| Package | Version | License | Reason |\n|---|---|---|---|\n`;
-              for (const pkg of result.unresolved) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` | ${pkg.reason} |\n`;
+              if (result.unresolved && result.unresolved.length > 0) {
+                body += `\n### Unresolved Packages\n\n`;
+                body += `| Package | Version | License | Reason |\n|---|---|---|---|\n`;
+                for (const pkg of result.unresolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` | ${pkg.reason} |\n`;
+                }
               }
-            }
 
-            if (result.copyleft && result.copyleft.strong && result.copyleft.strong.length > 0) {
-              body += `\n### Strong Copyleft Packages\n\n`;
-              body += `| Package | Version | License |\n|---|---|---|\n`;
-              for (const pkg of result.copyleft.strong) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+              if (result.copyleft && result.copyleft.strong && result.copyleft.strong.length > 0) {
+                body += `\n### Strong Copyleft Packages\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.strong) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
               }
-            }
 
-            if (result.copyleft && result.copyleft.weak && result.copyleft.weak.length > 0) {
-              body += `\n### Weak Copyleft Packages (informational)\n\n`;
-              body += `| Package | Version | License |\n|---|---|---|\n`;
-              for (const pkg of result.copyleft.weak) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+              if (result.copyleft && result.copyleft.weak && result.copyleft.weak.length > 0) {
+                body += `\n### Weak Copyleft Packages (informational)\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.weak) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
               }
-            }
 
-            if (result.resolved && result.resolved.length > 0) {
-              body += `\n<details><summary>Resolved Packages (${result.resolved.length})</summary>\n\n`;
-              body += `| Package | Version | Original | Resolved | Source |\n|---|---|---|---|---|\n`;
-              for (const pkg of result.resolved) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.originalLicense}\` | \`${pkg.resolvedLicense}\` | ${pkg.source} |\n`;
+              if (result.resolved && result.resolved.length > 0) {
+                body += `\n<details><summary>Resolved Packages (${result.resolved.length})</summary>\n\n`;
+                body += `| Package | Version | Original | Resolved | Source |\n|---|---|---|---|---|\n`;
+                for (const pkg of result.resolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.originalLicense}\` | \`${pkg.resolvedLicense}\` | ${pkg.source} |\n`;
+                }
+                body += `\n</details>\n`;
               }
-              body += `\n</details>\n`;
             }
 
+            if (!shouldComment) return;
+
             const comments = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Updated JumpCloud SSO documentation to clarify token endpoint authentication method requirement and AUTH_SECRET configuration. [#1022](https://github.com/sourcebot-dev/sourcebot/pull/1022)
+
+## [4.15.10] - 2026-03-20
+
 ### Changed
 - Increased `SOURCEBOT_CHAT_MAX_STEP_COUNT` default from 20 to 100 to allow agents to perform more autonomous steps. [#1017](https://github.com/sourcebot-dev/sourcebot/pull/1017)
 - The `ask_codebase` MCP tool is now hidden when no language model providers are configured. [#1018](https://github.com/sourcebot-dev/sourcebot/pull/1018)
@@ -37,10 +42,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
 
+### Modified
+- Made OSS license audit runnable locally [#1021](https://github.com/sourcebot-dev/sourcebot/pull/1021)
+
+
 ## [4.15.6] - 2026-03-13
 
 ### Added
 - Added generated OpenAPI documentation for the public search, repo, and file browsing API surface. [#996](https://github.com/sourcebot-dev/sourcebot/pull/996)
+- Added OSS license audit github action. [#1003](https://github.com/sourcebot-dev/sourcebot/pull/1003)
 
 ### Fixed
 - [EE] Fixed account-driven permission sync silently wiping all Bitbucket Server repository permissions when the OAuth token expires on instances with anonymous access enabled. [#998](https://github.com/sourcebot-dev/sourcebot/pull/998)

docs/api-reference/sourcebot-public.openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v4.15.9",
+    "version": "v4.15.10",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing."
   },
   "tags": [

docs/docs/configuration/idp.mdx

@@ -531,6 +531,7 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth
 
         When configuring your application:
         - Set the SSO type to "OIDC"
+        - Set the **Token Endpoint Authentication Method** to `client_secret_basic`. JumpCloud defaults to `client_secret_post`, but Sourcebot requires `client_secret_basic`.
         - Add `<sourcebot_url>/api/auth/callback/jumpcloud` to the redirect URIs (ex. https://sourcebot.coolcorp.com/api/auth/callback/jumpcloud)
         - Set the login URL to `<sourcebot_url>/login`
 
@@ -539,6 +540,8 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth
     <Step title="Define environment variables">
         The client id, secret, and issuer URL are provided to Sourcebot via environment variables. These can be named whatever you like
         (ex. `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_ID`, `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_SECRET`, and `JUMPCLOUD_IDENTITY_PROVIDER_ISSUER`)
+
+        You must also set the `AUTH_SECRET` environment variable. Generate one with `openssl rand -base64 33` and pass it to your Sourcebot deployment. While `AUTH_SECRET` is auto-generated if not provided, it must be explicitly set for SSO to work reliably across restarts.
     </Step>
     <Step title="Define the identity provider config">
         Create a `identityProvider` object in the [config file](/docs/configuration/config-file) with the following fields:

packages/shared/src/version.ts

@@ -1,2 +1,2 @@
 // This file is auto-generated by .github/workflows/release-sourcebot.yml
-export const SOURCEBOT_VERSION = "v4.15.9";
+export const SOURCEBOT_VERSION = "v4.15.10";

packages/web/src/ee/features/sso/sso.ts

@@ -442,6 +442,7 @@ const createJumpCloudProvider = (clientId: string, clientSecret: string, issuer:
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        checks: ["pkce", "state"],
         allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     } as Provider;
 }

scripts/licenseAuditPrompt.txt

@@ -0,0 +1,68 @@
+You are a license compliance auditor. Your job is to review the OSS dependency
+licenses in this repository and produce a structured audit result.
+
+## Steps
+
+1. Read the file `oss-licenses.json` in the repo root.
+
+2. Identify every package whose `license` field is:
+   - `"UNKNOWN"`
+   - A non-standard SPDX string (e.g., `"SEE LICENSE IN LICENSE"`, `"UNLICENSED"`,
+     `"SEE LICENSE IN ..."`, or any value that is not a recognized SPDX identifier)
+   - An object instead of a string (e.g., `{"type":"MIT","url":"..."}`)
+
+3. For each such package, try to resolve the actual license:
+   - Use WebFetch to visit `https://www.npmjs.com/package/<package-name>` and look
+     for license information on the npm page.
+   - If the npm page is inconclusive, check the package's `repository` or `homepage`
+     URL (from oss-licenses.json) via WebFetch to find a LICENSE file.
+   - If the license field is an object like `{"type":"MIT","url":"..."}`, extract the
+     `type` field as the resolved license.
+
+4. Identify all copyleft-licensed packages. Classify them as:
+   - **Strong copyleft**: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0, SSPL-1.0, EUPL-1.1,
+     EUPL-1.2, CPAL-1.0, OSL-3.0 (and any `-only` or `-or-later` variants)
+   - **Weak copyleft**: LGPL-2.0, LGPL-2.1, LGPL-3.0, MPL-2.0, CC-BY-SA-3.0,
+     CC-BY-SA-4.0 (and any `-only` or `-or-later` variants)
+
+5. Write a file called `license-audit-result.json` in the repo root with this structure:
+   ```json
+   {
+     "status": "PASS or FAIL",
+     "failReasons": ["list of reasons if FAIL, empty array if PASS"],
+     "summary": {
+       "totalPackages": 0,
+       "resolvedCount": 0,
+       "unresolvedCount": 0,
+       "strongCopyleftCount": 0,
+       "weakCopyleftCount": 0
+     },
+     "resolved": [
+       { "name": "pkg-name", "version": "1.0.0", "originalLicense": "...", "resolvedLicense": "MIT", "source": "npm page / GitHub repo / extracted from object" }
+     ],
+     "unresolved": [
+       { "name": "pkg-name", "version": "1.0.0", "license": "UNKNOWN", "reason": "why it could not be resolved" }
+     ],
+     "copyleft": {
+       "strong": [
+         { "name": "pkg-name", "version": "1.0.0", "license": "GPL-3.0" }
+       ],
+       "weak": [
+         { "name": "pkg-name", "version": "1.0.0", "license": "MPL-2.0" }
+       ]
+     }
+   }
+   ```
+
+6. Set `status` to `"FAIL"` if `unresolvedCount > 0` OR `strongCopyleftCount > 0`.
+   Otherwise set it to `"PASS"`.
+
+7. If the status is FAIL, populate `failReasons` with human-readable explanations, e.g.:
+   - "2 packages have unresolvable licenses: pkg-a, pkg-b"
+   - "1 package uses strong copyleft license: pkg-c (GPL-3.0)"
+
+## Important Notes
+- Do NOT modify any source files. Only write `license-audit-result.json`.
+- Be thorough: check every non-standard license, not just a sample.
+- If a package's license object has a `type` field, that counts as resolved.
+- Weak copyleft licenses (LGPL, MPL) are flagged but do NOT cause a FAIL.