feat(web): Add ability to refresh permissions from account linking settings (#945)

* feat(backend): add API endpoint to trigger account-driven permission sync (SOU-578)

Adds POST /api/trigger-account-permission-sync that creates and enqueues
an AccountPermissionSyncJob for a given accountId, with entitlement and
provider validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(web): generalize linked accounts with Linear-style UI

- Introduces `LinkedAccount` type in `ee/features/sso/actions.ts` covering all OAuth providers (SSO + account_linking), replacing the narrower `LinkedAccountProviderState`
- Rewrites linked accounts UI with Linear-style Connect / Connected dropdown pattern; dropdown includes Disconnect and Refresh Permissions actions
- Adds `triggerAccountPermissionSync` server action and worker API call for per-account permission refresh
- Renames settings page from "Permission Syncing" to "Linked Accounts"
- Removes `getLinkedAccountProviderStates` in favour of `getLinkedAccounts`
- Moves SSO-related components and actions from `ee/features/permissionSyncing/` to `ee/features/sso/`

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update CHANGELOG for #945

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* changelog

* deprecate AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING option and always enable it

* add spinner when permissions are being refreshed

* feedback

* Add back AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING. Change default to true

* docs

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added login wall when anonymous users try to send messages on duplicated chats (askgh experiment). [#939](https://github.com/sourcebot-dev/sourcebot/pull/939)
 - Added `GET /api/ee/user` endpoint that returns the authenticated owner's user info (name, email, createdAt, updatedAt). [#940](https://github.com/sourcebot-dev/sourcebot/pull/940)
 - Added `selectedReposCount` to the `wa_chat_message_sent` PostHog event to track the number of selected repositories when users ask questions. [#941](https://github.com/sourcebot-dev/sourcebot/pull/941)
+- Added ability to re-sync repo permissions from the "linked accounts" settings page. [#945](https://github.com/sourcebot-dev/sourcebot/pull/945)
 
 ### Changed
 - Hide version upgrade toast for askgithub deployment (`EXPERIMENT_ASK_GH_ENABLED`). [#931](https://github.com/sourcebot-dev/sourcebot/pull/931)

CLAUDE.md

@@ -182,6 +182,16 @@ export const GET = apiHandler(async (request: NextRequest) => {
 });
 ```
 
+## Docs Images
+
+Images added to `.mdx` files in `docs/` should be wrapped in a `<Frame>` component:
+
+```mdx
+<Frame>
+  <img src="/images/my_image.png" alt="Description" />
+</Frame>
+```
+
 ## Branches and Pull Requests
 
 When creating a branch or opening a PR, ask the user for:

docs/docs/configuration/environment-variables.mdx

@@ -45,7 +45,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
-| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `false` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
+| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 
 ### Review Agent Environment Variables

docs/docs/features/permission-syncing.mdx

@@ -47,7 +47,7 @@ We are actively working on supporting more code hosts. If you'd like to see a sp
 
 # Getting started
 
-## GitHub
+### GitHub
 
 Prerequisites:
 - Configure a [GitHub connection](/docs/connections/github).
@@ -65,7 +65,7 @@ Permission syncing works with **GitHub.com**, **GitHub Enterprise Cloud**, and *
 - A GitHub [external identity provider](/docs/configuration/idp#github) must be configured to (1) correlate a Sourcebot user with a GitHub user, and (2) to list repositories that the user has access to for [User driven syncing](/docs/features/permission-syncing#how-it-works).
 - OAuth tokens must assume the `repo` scope in order to use the [List repositories for the authenticated user API](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user) during [User driven syncing](/docs/features/permission-syncing#how-it-works). Sourcebot **will only** use this token for **reads**.
 
-## GitLab
+### GitLab
 
 Prerequisites:
 - Configure a [GitLab connection](/docs/connections/gitlab).
@@ -80,7 +80,7 @@ Permission syncing works with **GitLab Self-managed** and **GitLab Cloud**. User
 - OAuth tokens require the `read_api` scope in order to use the [List projects for the authenticated user API](https://docs.gitlab.com/ee/api/projects.html#list-all-projects) during [User driven syncing](/docs/features/permission-syncing#how-it-works).
 - [Internal GitLab projects](https://docs.gitlab.com/user/public_access/#internal-projects-and-groups) are **not** enforced by permission syncing and therefore are visible to all users. Only [private projects](https://docs.gitlab.com/user/public_access/#private-projects-and-groups) are enforced.
 
-## Bitbucket Cloud
+### Bitbucket Cloud
 
 Prerequisites:
 - Configure a [Bitbucket Cloud connection](/docs/connections/bitbucket-cloud).
@@ -104,7 +104,7 @@ If your workspace relies heavily on group or project-level permissions rather th
 - A Bitbucket Cloud [external identity provider](/docs/configuration/idp#bitbucket-cloud) must be configured to (1) correlate a Sourcebot user with a Bitbucket Cloud user, and (2) to list repositories that the user has access to for [User driven syncing](/docs/features/permission-syncing#how-it-works).
 - OAuth tokens require the `account` and `repository` scopes. The `repository` scope is required to list private repositories during [User driven syncing](/docs/features/permission-syncing#how-it-works).
 
-## Bitbucket Data Center
+### Bitbucket Data Center
 
 Prerequisites:
 - Configure a [Bitbucket Data Center connection](/docs/connections/bitbucket-data-center).
@@ -138,4 +138,18 @@ User driven and repo driven syncing occurs every 24 hours by default. These inte
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
 | `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
-| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
+| `experiment_userDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
+
+## Manually refreshing permissions
+
+If a user's permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the **Linked Accounts** page:
+
+1. Navigate to **Settings → Linked Accounts**.
+2. Click the **Connected** button next to the relevant code host account.
+3. Select **Refresh Permissions** from the dropdown.
+
+<Frame>
+  <img src="/images/linked_accounts_refresh_permissions.png" alt="Linked Accounts - Refresh Permissions" />
+</Frame>
+
+The button will show a spinner while the sync is in progress and display a confirmation once it completes.

docs/images/linked_accounts_refresh_permissions.png

@@ -1,10 +1,11 @@
 import { PrismaClient, RepoIndexingJobType } from '@sourcebot/db';
-import { createLogger } from '@sourcebot/shared';
+import { createLogger, env, hasEntitlement, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from '@sourcebot/shared';
 import express, { Request, Response } from 'express';
 import 'express-async-errors';
 import * as http from "http";
 import z from 'zod';
 import { ConnectionManager } from './connectionManager.js';
+import { AccountPermissionSyncer } from './ee/accountPermissionSyncer.js';
 import { PromClient } from './promClient.js';
 import { RepoIndexManager } from './repoIndexManager.js';
 import { createGitHubRepoRecord } from './repoCompileUtils.js';
@@ -22,6 +23,7 @@ export class Api {
         private prisma: PrismaClient,
         private connectionManager: ConnectionManager,
         private repoIndexManager: RepoIndexManager,
+        private accountPermissionSyncer: AccountPermissionSyncer,
     ) {
         const app = express();
         app.use(express.json());
@@ -36,6 +38,7 @@ export class Api {
 
         app.post('/api/sync-connection', this.syncConnection.bind(this));
         app.post('/api/index-repo', this.indexRepo.bind(this));
+        app.post('/api/trigger-account-permission-sync', this.triggerAccountPermissionSync.bind(this));
         app.post(`/api/experimental/add-github-repo`, this.experimental_addGithubRepo.bind(this));
 
         this.server = app.listen(PORT, () => {
@@ -96,6 +99,41 @@ export class Api {
         res.status(200).json({ jobId });
     }
 
+    private async triggerAccountPermissionSync(req: Request, res: Response) {
+        if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED !== 'true' || !hasEntitlement('permission-syncing')) {
+            res.status(403).json({ error: 'Permission syncing is not enabled.' });
+            return;
+        }
+
+        const schema = z.object({
+            accountId: z.string(),
+        }).strict();
+
+        const parsed = schema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json({ error: parsed.error.message });
+            return;
+        }
+
+        const { accountId } = parsed.data;
+        const account = await this.prisma.account.findUnique({
+            where: { id: accountId },
+        });
+
+        if (!account) {
+            res.status(404).json({ error: 'Account not found' });
+            return;
+        }
+
+        if (!PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS.includes(account.provider as typeof PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS[number])) {
+            res.status(400).json({ error: `Provider '${account.provider}' does not support permission syncing.` });
+            return;
+        }
+
+        const jobId = await this.accountPermissionSyncer.schedulePermissionSyncForAccount(account);
+        res.status(200).json({ jobId });
+    }
+
     private async experimental_addGithubRepo(req: Request, res: Response) {
         const schema = z.object({
             owner: z.string(),

packages/backend/src/api.ts

@@ -1,23 +1,8 @@
-import { CodeHostType } from "@sourcebot/db";
-import { env, IdentityProviderType } from "@sourcebot/shared";
+import { env } from "@sourcebot/shared";
 import path from "path";
 
 export const SINGLE_TENANT_ORG_ID = 1;
 
-export const PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES: CodeHostType[] = [
-    'github',
-    'gitlab',
-    'bitbucketCloud',
-    'bitbucketServer',
-];
-
-export const PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS: IdentityProviderType[] = [
-    'github',
-    'gitlab',
-    'bitbucket-cloud',
-    'bitbucket-server',
-];
-
 export const REPOS_CACHE_DIR = path.join(env.DATA_CACHE_DIR, 'repos');
 export const INDEX_CACHE_DIR = path.join(env.DATA_CACHE_DIR, 'index');
 

packages/backend/src/constants.ts

@@ -1,9 +1,8 @@
 import * as Sentry from "@sentry/node";
 import { PrismaClient, AccountPermissionSyncJobStatus, Account, PermissionSyncSource} from "@sourcebot/db";
-import { env, hasEntitlement, createLogger, loadConfig, decryptOAuthToken } from "@sourcebot/shared";
+import { env, hasEntitlement, createLogger, loadConfig, decryptOAuthToken, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
 import { Job, Queue, Worker } from "bullmq";
 import { Redis } from "ioredis";
-import { PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "../constants.js";
 import {
     createOctokitFromToken,
     getOAuthScopesForAuthenticatedUser as getGitHubOAuthScopesForAuthenticatedUser,
@@ -116,6 +115,22 @@ export class AccountPermissionSyncer {
         await this.queue.close();
     }
 
+    public async schedulePermissionSyncForAccount(account: Account) {
+        const [job] = await this.db.accountPermissionSyncJob.createManyAndReturn({
+            data: [{ accountId: account.id }],
+        });
+
+        await this.queue.add('accountPermissionSyncJob', {
+            jobId: job.id,
+        }, {
+            removeOnComplete: env.REDIS_REMOVE_ON_COMPLETE,
+            removeOnFail: env.REDIS_REMOVE_ON_FAIL,
+            priority: 1,
+        });
+
+        return job.id;
+    }
+
     private async schedulePermissionSync(accounts: Account[]) {
         // @note: we don't perform this in a transaction because
         // we want to avoid the situation where a job is created and run

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -1,10 +1,9 @@
 import * as Sentry from "@sentry/node";
 import { PermissionSyncSource, PrismaClient, Repo, RepoPermissionSyncJobStatus } from "@sourcebot/db";
-import { createLogger } from "@sourcebot/shared";
+import { createLogger, PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "@sourcebot/shared";
 import { env, hasEntitlement } from "@sourcebot/shared";
 import { Job, Queue, Worker } from 'bullmq';
 import { Redis } from 'ioredis';
-import { PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "../constants.js";
 import { createOctokitFromToken, getRepoCollaborators, GITHUB_CLOUD_HOSTNAME } from "../github.js";
 import { createGitLabFromPersonalAccessToken, getProjectMembers } from "../gitlab.js";
 import { createBitbucketCloudClient, createBitbucketServerClient, getExplicitUserPermissionsForCloudRepo, getUserPermissionsForServerRepo } from "../bitbucket.js";

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -82,6 +82,7 @@ const api = new Api(
     prisma,
     connectionManager,
     repoIndexManager,
+    accountPermissionSyncer,
 );
 
 logger.info('Worker started.');