feat(backend): only allow repo-driven permission syncing to be disabled

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988)
-- [EE] Added `PERMISSION_SYNC_USER_DRIVEN_ENABLED` and `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variables to independently enable/disable user-driven and repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
+- [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
 
 ## [4.15.3] - 2026-03-10
 

docs/docs/configuration/environment-variables.mdx

@@ -46,7 +46,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
-| `PERMISSION_SYNC_USER_DRIVEN_ENABLED` | `true` | <p>Enables/disables [user-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 

docs/docs/features/permission-syncing.mdx

@@ -134,11 +134,10 @@ Permission syncing works by periodically syncing ACLs from the code host(s) to S
 - **User driven** : fetches the list of all repositories that a given user has access to.
 - **Repo driven** : fetches the list of all users that have access to a given repository.
 
-User driven and repo driven syncing occurs every 24 hours by default. Each sync direction can be independently enabled or disabled using the following environment variables:
+User driven and repo driven syncing occurs every 24 hours by default. Repo-driven syncing can be disabled independently using the following environment variable:
 
 | Environment variable | Default | Description |
 |---|---|---|
-| `PERMISSION_SYNC_USER_DRIVEN_ENABLED` | `true` | Enables/disables user-driven syncing. |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | Enables/disables repo-driven syncing. |
 
 The sync intervals can be configured using the following settings in the [config file](/docs/configuration/config-file):

packages/backend/src/index.ts

@@ -79,9 +79,7 @@ else if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement(
     if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {
         repoPermissionSyncer.startScheduler();
     }
-    if (env.PERMISSION_SYNC_USER_DRIVEN_ENABLED === 'true') {
-        accountPermissionSyncer.startScheduler();
-    }
+    accountPermissionSyncer.startScheduler();
 }
 
 const api = new Api(

packages/shared/src/env.server.ts

@@ -247,7 +247,6 @@ export const env = createEnv({
         // @NOTE: Take care to update actions.ts when changing the name of this.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
         EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
-        PERMISSION_SYNC_USER_DRIVEN_ENABLED: booleanSchema.default('true'),
         PERMISSION_SYNC_REPO_DRIVEN_ENABLED: booleanSchema.default('true'),
         EXPERIMENT_ASK_GH_ENABLED: booleanSchema.default('false'),