feat(backend): add PermissionSyncSource to AccountToRepoPermission

- Adds `PermissionSyncSource` enum (`ACCOUNT_DRIVEN` / `REPO_DRIVEN`) and `source` field to `AccountToRepoPermission` table (non-nullable, defaults to `ACCOUNT_DRIVEN`)
- Both syncers now set `source` on all created permission records
- Repo-driven syncer uses `isPartialSync` flag (true for Bitbucket Cloud) to only delete `REPO_DRIVEN` records on cleanup, preserving `ACCOUNT_DRIVEN` records from the account syncer
- Adds `skipDuplicates: true` to repo-driven `createMany` to handle overlap between the two sync paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -1,5 +1,5 @@
 import * as Sentry from "@sentry/node";
-import { PrismaClient, AccountPermissionSyncJobStatus, Account} from "@sourcebot/db";
+import { PrismaClient, AccountPermissionSyncJobStatus, Account, PermissionSyncSource} from "@sourcebot/db";
 import { env, hasEntitlement, createLogger, loadConfig, decryptOAuthToken } from "@sourcebot/shared";
 import { Job, Queue, Worker } from "bullmq";
 import { Redis } from "ioredis";
@@ -309,6 +309,7 @@ export class AccountPermissionSyncer {
                 data: repoIds.map(repoId => ({
                     accountId: account.id,
                     repoId,
+                    source: PermissionSyncSource.ACCOUNT_DRIVEN,
                 })),
                 skipDuplicates: true,
             })

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -1,5 +1,5 @@
 import * as Sentry from "@sentry/node";
-import { PrismaClient, Repo, RepoPermissionSyncJobStatus } from "@sourcebot/db";
+import { PermissionSyncSource, PrismaClient, Repo, RepoPermissionSyncJobStatus } from "@sourcebot/db";
 import { createLogger } from "@sourcebot/shared";
 import { env, hasEntitlement } from "@sourcebot/shared";
 import { Job, Queue, Worker } from 'bullmq';
@@ -184,7 +184,13 @@ export class RepoPermissionSyncer {
             throw new Error(`No credentials found for repo ${id}`);
         }
 
-        const accountIds = await (async () => {
+        const {
+            accountIds,
+            isPartialSync = false,
+        } = await (async (): Promise<{
+            accountIds: string[],
+            isPartialSync?: boolean
+        }> => {
             if (repo.external_codeHostType === 'github') {
                 const isGitHubCloud = credentials.hostUrl ? new URL(credentials.hostUrl).hostname === GITHUB_CLOUD_HOSTNAME : true;
                 const { octokit } = await createOctokitFromToken({
@@ -213,7 +219,9 @@ export class RepoPermissionSyncer {
                     },
                 });
 
-                return accounts.map(account => account.id);
+                return {
+                    accountIds: accounts.map(account => account.id),
+                }
             } else if (repo.external_codeHostType === 'gitlab') {
                 const api = await createGitLabFromPersonalAccessToken({
                     token: credentials.token,
@@ -237,7 +245,9 @@ export class RepoPermissionSyncer {
                     },
                 });
 
-                return accounts.map(account => account.id);
+                return {
+                    accountIds: accounts.map(account => account.id),
+                }
             } else if (repo.external_codeHostType === 'bitbucketCloud') {
                 const config = credentials.connectionConfig as BitbucketConnectionConfig | undefined;
                 if (!config) {
@@ -273,10 +283,17 @@ export class RepoPermissionSyncer {
                     },
                 });
 
-                return accounts.map(account => account.id);
+                return {
+                    accountIds: accounts.map(account => account.id),
+                    // Since we only fetch users who have been explicitly granted accesss to the repo,
+                    // this is a partial sync.
+                    isPartialSync: true,
+                }
             }
 
-            return [];
+            return {
+                accountIds: [],
+            }
         })();
 
         await this.db.$transaction([
@@ -286,15 +303,21 @@ export class RepoPermissionSyncer {
                 },
                 data: {
                     permittedAccounts: {
-                        deleteMany: {},
+                        // @note: if this is a partial sync, we only want to delete the repo-driven permissions
+                        // since we don't want to overwrite the account-driven permissions.
+                        deleteMany: isPartialSync ? {
+                            source: PermissionSyncSource.REPO_DRIVEN,
+                        } : {},
                     }
                 }
             }),
             this.db.accountToRepoPermission.createMany({
                 data: accountIds.map(accountId => ({
                     accountId,
                     repoId: repo.id,
+                    source: PermissionSyncSource.REPO_DRIVEN,
                 })),
+                skipDuplicates: true,
             })
         ]);
     }

packages/db/prisma/migrations/20260224202008_add_source_field_to_account_to_repo_permission_table/migration.sql

@@ -0,0 +1,5 @@
+-- CreateEnum
+CREATE TYPE "PermissionSyncSource" AS ENUM ('ACCOUNT_DRIVEN', 'REPO_DRIVEN');
+
+-- AlterTable
+ALTER TABLE "AccountToRepoPermission" ADD COLUMN     "source" "PermissionSyncSource" NOT NULL DEFAULT 'ACCOUNT_DRIVEN';

packages/db/prisma/schema.prisma

@@ -390,6 +390,11 @@ model AccountPermissionSyncJob {
   accountId String
 }
 
+enum PermissionSyncSource {
+  ACCOUNT_DRIVEN
+  REPO_DRIVEN
+}
+
 model AccountToRepoPermission {
   createdAt DateTime @default(now())
 
@@ -399,6 +404,8 @@ model AccountToRepoPermission {
   account   Account   @relation(fields: [accountId], references: [id], onDelete: Cascade)
   accountId String
 
+  source PermissionSyncSource @default(ACCOUNT_DRIVEN)
+
   @@id([repoId, accountId])
 }