
Commit eedfef3

chore: remove embedded Postgres, Redis, secrets from Docker image (#1264)
* chore: remove embedded Postgres and Redis from the Docker image

As of v5, Sourcebot no longer ships an embedded Postgres or Redis. External instances are now required via DATABASE_URL and REDIS_URL.

- Dockerfile: drop postgresql16/redis packages, DATABASE_DATA_DIR/REDIS_DATA_DIR env, postgres/redis users, and /run/postgresql setup
- entrypoint.sh: hard-fail with guidance when DATABASE_URL/REDIS_URL are unset; remove embedded init/startup blocks
- supervisord.conf: remove the redis program
- docs: mark DATABASE_URL/REDIS_URL required, drop data-dir vars, document the breaking change and data migration in the v4-to-v5 guide
- CHANGELOG: note the breaking change

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs: point CHANGELOG entry at PR #1264

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* changelog

* docs: expand v4-to-v5 guide; require AUTH_SECRET and SOURCEBOT_ENCRYPTION_KEY

- entrypoint.sh: require AUTH_SECRET and SOURCEBOT_ENCRYPTION_KEY explicitly (no auto-generation, no plaintext file loading); hard-fail with migration guidance and warn if the legacy plaintext files linger
- v4-to-v5 guide: document the secrets, role-management, and external Postgres/Redis breaking changes with per-item migration steps
- environment-variables: mark both secrets required
- roles-and-permissions: add default-role-by-plan table
- CHANGELOG: update breaking-change entries

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs nit

* changelog nit

* final nits

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent f4478cd commit eedfef3

7 files changed

Lines changed: 264 additions & 128 deletions


CHANGELOG.md

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -7,19 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10-
### Added
11-
- Added ask connectors: connect 3rd party MCP servers to your ask agent. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
12-
- Added progress bar when navigating between pages. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
13-
- Added a integrated changelog into the sidebar. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
14-
- Added scroll position restoration when viewing files in the code browser, so returning to a previously viewed file restores your scroll position. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
10+
Checkout the [migration guide](https://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide) for details on upgrading your instance to v5.
1511

1612
### Changed
17-
- [**Breaking Change**] Changed the default role assignment to `Owner` for organizations on the free tier. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
18-
- [**Breaking Change**] Relicensed Ask Sourcebot and MCP under ee. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
13+
- [**Breaking Change**] Changed the default role assignment to `Owner` for organizations on the free tier. See the [v4 to v5 guide](https://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide). [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
14+
- [**Breaking Change**] Relicensed Ask Sourcebot and MCP under ee. See the [v4 to v5 guide](https://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide). [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
15+
- [**Breaking Change**] Removed the embedded Postgres and Redis from the Docker image. External Postgres and Redis are now required: set `DATABASE_URL` and `REDIS_URL`, or deploy with the provided `docker-compose.yml`. See the [v4 to v5 guide](https://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide). [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
16+
- [**Breaking Change**] Sourcebot no longer auto-generates `AUTH_SECRET` and `SOURCEBOT_ENCRYPTION_KEY`, nor reads them from the plaintext files it previously wrote to the data volume; both must now be set explicitly as environment variables. See the [v4 to v5 guide](https://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide). [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
1917
- Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
2018
- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
2119
- Improved the `setup-sourcebot` wizard: prompts for a setup directory, clarifies that secrets are stored locally in `.env`, switches multi-select to Tab, hides "No results" until a real search runs, and detects/cleans up conflicting Docker deployments and volumes before starting. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
2220

21+
### Added
22+
- Added ask connectors: connect 3rd party MCP servers to your ask agent. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
23+
- Added progress bar when navigating between pages. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
24+
- Added a integrated changelog into the sidebar. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
25+
- Added scroll position restoration when viewing files in the code browser, so returning to a previously viewed file restores your scroll position. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
26+
2327
### Fixed
2428
- Fixed git "dubious ownership" errors when the container runs as a non-root user by setting `safe.directory` at the system level instead of the global (root-only) level. [#1106](https://github.com/sourcebot-dev/sourcebot/pull/1106)
2529
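Review bot: the two new breaking-change entries (the embedded Postgres/Redis removal and the `AUTH_SECRET`/`SOURCEBOT_ENCRYPTION_KEY` entry) still link to `[#1106]`, but this change is PR #1264 according to the commit title and the "docs: point CHANGELOG entry at PR #1264" step in the commit message; point both links at `[#1264](https://github.com/sourcebot-dev/sourcebot/pull/1264)` so readers land on the PR that actually made the change. Two small wording fixes while here: the new intro line `Checkout the [migration guide]` should read `Check out the`, and the moved line `Added a integrated changelog` should read `an integrated changelog`.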

Dockerfile

Lines changed: 1 addition & 10 deletions
@@ -163,8 +163,6 @@ ENV NODE_ENV=production
163163
ENV NEXT_TELEMETRY_DISABLED=1
164164
ENV DATA_DIR=/data
165165
ENV DATA_CACHE_DIR=$DATA_DIR/.sourcebot
166-
ENV DATABASE_DATA_DIR=$DATA_CACHE_DIR/db
167-
ENV REDIS_DATA_DIR=$DATA_CACHE_DIR/redis
168166
ENV SOURCEBOT_PUBLIC_KEY_PATH=/app/public.pem
169167
# PAPIK = Project API Key
170168
# Note that this key does not need to be kept secret, so it's not
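Review bot: dropping `DATABASE_DATA_DIR` and `REDIS_DATA_DIR` leaves the v4 directories (`$DATA_CACHE_DIR/db` and `$DATA_CACHE_DIR/redis`) untouched on existing volumes, and the Postgres one holds the complete application database, including stored user credentials and the encrypted connection secrets. Since the entrypoint now warns when the legacy plaintext secret files linger (per the commit message), consider giving these directories the same treatment, or at minimum add a step to the v4-to-v5 guide telling operators to remove them once the external Postgres has been populated and verified.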
@@ -180,7 +178,7 @@ ENV SOURCEBOT_LOG_LEVEL=info
180178
# ENV SOURCEBOT_TELEMETRY_DISABLED=1
181179

182180
# Configure dependencies
183-
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip && \
181+
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \
184182
apk upgrade --no-cache
185183

186184
# Remove npm (unused — we use Yarn). The Node.js base image bundles npm
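Review bot: removing `postgresql16`/`postgresql16-contrib` and `redis` from the `apk add` line also removes the `pg_dump`/`psql` and `redis-cli` client binaries from the image, so the data migration described in the v4-to-v5 guide cannot be run from inside a v5 container. Make sure the guide's dump/export step is documented as running from the old v4 container (or from a separate Postgres client), otherwise users following it against the new image will hit a missing-command error.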
@@ -200,8 +198,6 @@ ARG GID=1500
200198
# The container can be run as root (default) or as sourcebot user using docker run --user
201199
RUN addgroup -g $GID sourcebot && \
202200
adduser -D -u $UID -h /app -S sourcebot && \
203-
adduser sourcebot postgres && \
204-
adduser sourcebot redis && \
205201
chown -R sourcebot /app && \
206202
adduser sourcebot node && \
207203
mkdir /var/log/sourcebot && \
@@ -252,11 +248,6 @@ COPY --chown=sourcebot:sourcebot --from=shared-libs-builder /app/packages/queryL
252248
# Fixes git "dubious ownership" issues when the volume is mounted with different permissions to the container.
253249
RUN git config --system safe.directory "*"
254250

255-
# Configure the database
256-
RUN mkdir -p /run/postgresql && \
257-
chown -R postgres:postgres /run/postgresql && \
258-
chmod 775 /run/postgresql
259-
260251
# Make app directory accessible to both root and sourcebot user
261252
RUN chown -R sourcebot /app \
262253
&& chgrp -R 0 /app \

docs/docs/configuration/auth/roles-and-permissions.mdx

Lines changed: 8 additions & 0 deletions
@@ -17,6 +17,14 @@ Note that when [permission syncing](/docs/features/permission-syncing) is enable
1717
On the free plan, all signed-in users are given the `Owner` role.
1818
</Note>
1919

20+
## Default role assignment
21+
22+
When a user joins your organization, they are assigned a default role. This assignment, and the ability to [manage the user's role](#managing-member-roles) afterwards, depends on [your plan](/docs/activating-a-subscription):
23+
24+
| Plan | Default role | Role management |
25+
| :--- | :----------- | :-------------- |
26+
| **Free** | `Owner` | Not available. A user's role cannot be changed. |
27+
| **Paid** | `Member` | Available. Owners can [promote or demote](#managing-member-roles) members. |
2028

2129
## Managing member roles
2230

docs/docs/configuration/environment-variables.mdx

Lines changed: 4 additions & 6 deletions
@@ -12,7 +12,7 @@ The following environment variables allow you to configure your Sourcebot deploy
1212
| :------- | :------ | :---------- |
1313
| `AUTH_CREDENTIALS_LOGIN_ENABLED` | `true` | <p>Enables/disables authentication with basic credentials. Username and passwords are stored encrypted at rest within the postgres database. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info</p> |
1414
| `AUTH_EMAIL_CODE_LOGIN_ENABLED` | `false` | <p>Enables/disables authentication with a login code that's sent to a users email. `SMTP_CONNECTION_URL` and `EMAIL_FROM_ADDRESS` must also be set. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info </p> |
15-
| `AUTH_SECRET` | Automatically generated at startup if no value is provided. Generated using `openssl rand -base64 33` | <p>Used to validate login session cookies</p> |
15+
| `AUTH_SECRET` **(required)** | - | <p>Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.</p> |
1616
| `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) | <p>Relative time from now in seconds when to expire the session.</p> |
1717
| `AUTH_SESSION_UPDATE_AGE_SECONDS` | `86400` (1 day) | <p>How often the session should be updated in seconds. If set to `0`, session is updated every time.</p> |
1818
| `OAUTH_AUTHORIZATION_CODE_TTL_SECONDS` | `600` (10 minutes) | <p>Lifetime of an OAuth authorization code, in seconds.</p> |
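Review bot: typo in the new `AUTH_SECRET` row: `Genearte` should be `Generate`. The default column of the required rows also uses a bare `-` while neighbouring rows such as `CONFIG_PATH`, `EMAIL_FROM_ADDRESS` and the `SMTP_*` entries use `` `-` ``; pick one form so the table renders consistently.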
@@ -22,13 +22,11 @@ The following environment variables allow you to configure your Sourcebot deploy
2222
| `CONFIG_PATH` | `-` | <p>The container relative path to the declarative configuration file. See [this doc](/docs/configuration/declarative-config) for more info.</p> |
2323
| `DATA_CACHE_DIR` | `$DATA_DIR/.sourcebot` | <p>The root data directory in which all data written to disk by Sourcebot will be located.</p> |
2424
| `DATA_DIR` | `/data` | <p>The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)</p> |
25-
| `DATABASE_DATA_DIR` | `$DATA_CACHE_DIR/db` | <p>The data directory for the default Postgres database.</p> |
26-
| `DATABASE_URL` | `postgresql://postgres@ localhost:5432/sourcebot` | <p>Connection string of your Postgres database. By default, a Postgres database is automatically provisioned at startup within the container.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
25+
| `DATABASE_URL` **(required)** | - | <p>Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
2726
| `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> |
2827
| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
2928
| `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
30-
| `REDIS_DATA_DIR` | `$DATA_CACHE_DIR/redis` | <p>The data directory for the default Redis instance.</p> |
31-
| `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
29+
| `REDIS_URL` **(required)** | - | <p>Connection string of your Redis instance, e.g. `redis://host:6379`.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
3230
| `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
3331
| `REDIS_REMOVE_ON_FAIL` | `100` | <p>Controls how many failed jobs are allowed to remain in Redis queues</p> |
3432
| `REPO_SYNC_RETRY_BASE_SLEEP_SECONDS` | `60` | <p>The base sleep duration (in seconds) for exponential backoff when retrying repository sync operations that fail</p> |
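Review bot: the new `DATABASE_URL` example embeds `user:password@host`, and a password containing reserved URI characters (`@`, `:`, `/`, `#`, `%`) must be percent-encoded in a connection string or the URL parses incorrectly; either say so in the row or steer readers to the `DATABASE_PASSWORD` split variable the same row already mentions, which sidesteps the encoding problem. Similarly, the `REDIS_URL` example `redis://host:6379` carries no credentials; noting the `redis://:password@host:6379` form for authenticated instances alongside the TLS link would cover the common production case.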
@@ -38,7 +36,7 @@ The following environment variables allow you to configure your Sourcebot deploy
3836
| `SMTP_PORT` | `-` | <p>The port of the SMTP server.</p> |
3937
| `SMTP_USERNAME` | `-` | <p>The username for SMTP authentication.</p> |
4038
| `SMTP_PASSWORD` | `-` | <p>The password for SMTP authentication.</p> |
41-
| `SOURCEBOT_ENCRYPTION_KEY` | Automatically generated at startup if no value is provided. Generated using `openssl rand -base64 24` | <p>Used to encrypt connection secrets and generate API keys.</p> |
39+
| `SOURCEBOT_ENCRYPTION_KEY` **(required)** | - | <p>Used to encrypt connection secrets and generate API keys. Generate one with `openssl rand -base64 24`.</p> |
4240
| `SOURCEBOT_PUBLIC_KEY_PATH` | `/app/public.pem` | <p>Sourcebot's public key that's used to verify encrypted license key signatures.</p> |
4341
| `SOURCEBOT_LOG_LEVEL` | `info` | <p>The Sourcebot logging level. Valid values are `debug`, `info`, `warn`, `error`, in order of severity.</p> |
4442
| `SOURCEBOT_STRUCTURED_LOGGING_ENABLED` | `false` | <p>Enables/disable structured JSON logging. See [this doc](/docs/configuration/structured-logging) for more info.</p> |
