sourcebot-dev
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/docs/features/permission-syncing.mdx‎
Lines changed: 18 additions & 11 deletions b/‎docs/docs/features/permission-syncing.mdx‎
Lines changed: 18 additions & 11 deletions
diff --git a/‎docs/snippets/schemas/v3/azuredevops.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/azuredevops.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/bitbucket.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/bitbucket.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/connection.schema.mdx‎
Lines changed: 35 additions & 0 deletions b/‎docs/snippets/schemas/v3/connection.schema.mdx‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/genericGitHost.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/genericGitHost.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/gerrit.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/gerrit.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/gitea.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/gitea.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/github.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/github.schema.mdx‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/snippets/schemas/v3/gitlab.schema.mdx‎
Lines changed: 5 additions & 0 deletions b/‎docs/snippets/schemas/v3/gitlab.schema.mdx‎
Lines changed: 5 additions & 0 deletions
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
 - [EE] Added `enforcePermissions` per-connection flag to control whether repository permissions are enforced for a given connection. Defaults to the value of `PERMISSION_SYNC_ENABLED`. [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
 - [EE] Added `repoDrivenPermissionSyncIntervalMs` and `userDrivenPermissionSyncIntervalMs` config settings, deprecating the `experiment_` prefixed variants (still respected as fallbacks). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
+- [EE] Added `enforcePermissionsForPublicRepos` per-connection flag to restrict public repository visibility to users with a linked account for that connection's code host. [#993](https://github.com/sourcebot-dev/sourcebot/pull/993)
 
 ### Changed
 - [EE] Promoted `PERMISSION_SYNC_ENABLED` as the canonical env var for enabling permission syncing, deprecating `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` (still respected as a fallback). [#991](https://github.com/sourcebot-dev/sourcebot/pull/991)
 
@@ -147,9 +147,13 @@ The button will show a spinner while the sync is in progress and display a confi
 
 # Overriding enforcement per connection
 
-Each [connection](/docs/connections/overview) supports an `enforcePermissions` flag that controls whether permissions are enforced for repositories in that connection. This lets you mix code hosts in a single deployment - for example, enforcing access control on a private GitHub connection while keeping an internal Gerrit instance open to all users.
+Each [connection](/docs/connections/overview) supports two flags that control permission enforcement for that connection's repositories:
 
-By default, `enforcePermissions` inherits the value of `PERMISSION_SYNC_ENABLED`. You can override it per connection in the [config file](/docs/configuration/config-file):
+- **`enforcePermissions`**: Controls whether repository permissions are enforced for the connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`.
+- **`enforcePermissionsForPublicRepos`**: Controls whether repository permissions are enforced for public repositories in the connection. When true, public repositories are only visible to users with a linked account for the connection's code host. When false, public repositories are visible to all users. Has no effect when `enforcePermissions` is false. Defaults to false.
+
+
+These flags are useful when you want different enforcement behavior across connections. For example, you may want to enforce permissions on an internal GitHub Enterprise connection while leaving a public-facing Gerrit mirror open to all users. Or, you can use `enforcePermissionsForPublicRepos` to restrict public repositories on a Bitbucket connection so that only users who have authenticated with that host can browse them.
 
 ```json
 {
@@ -158,6 +162,11 @@ By default, `enforcePermissions` inherits the value of `PERMISSION_SYNC_ENABLED`
       "type": "github",
       "enforcePermissions": true
     },
+    "my-bitbucket": {
+      "type": "bitbucket",
+      "enforcePermissions": true,
+      "enforcePermissionsForPublicRepos": true
+    },
     "my-gerrit": {
       "type": "gerrit",
       "url": "https://gerrit.example.com",
@@ -167,16 +176,14 @@ By default, `enforcePermissions` inherits the value of `PERMISSION_SYNC_ENABLED`
 }
 ```
 
-Setting `enforcePermissions: false` on a connection makes all repositories from that connection accessible to any user, regardless of the global `PERMISSION_SYNC_ENABLED` setting.
-
-The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED` and `enforcePermissions`:
+The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED`, `enforcePermissions`, and `enforcePermissionsForPublicRepos`:
 
-| `PERMISSION_SYNC_ENABLED` | `enforcePermissions` | Permissions enforced? |
-|--------------------------|---------------------|-----------------------|
-| `true`                   | `true`              | Yes                   |
-| `true`                   | `false`             | No                    |
-| `false`                  | `true`              | No                    |
-| `false`                  | `false`             | No                    |
+| `PERMISSION_SYNC_ENABLED` | `enforcePermissions` | `enforcePermissionsForPublicRepos` | Private repos enforced? | Public repos enforced? |
+|--------------------------|---------------------|------------------------------------|------------------------|------------------------|
+| `true`                   | `true`              | `false`                            | Yes                    | No                     |
+| `true`                   | `true`              | `true`                             | Yes                    | Yes                    |
+| `true`                   | `false`             | any                                | No                     | No                     |
+| `false`                  | any                 | any                                | No                     | No                     |
 
 # How it works
 
 
@@ -193,6 +193,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -166,6 +166,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -209,6 +209,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -415,6 +420,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -574,6 +584,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -685,6 +700,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -859,6 +879,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1071,6 +1096,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
@@ -1144,6 +1174,11 @@
         "enforcePermissions": {
           "type": "boolean",
           "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+        },
+        "enforcePermissionsForPublicRepos": {
+          "type": "boolean",
+          "default": false,
+          "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
         }
       },
       "required": [
 
@@ -64,6 +64,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -104,6 +104,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -152,6 +152,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -205,6 +205,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [
 
@@ -199,6 +199,11 @@
     "enforcePermissions": {
       "type": "boolean",
       "description": "Controls whether repository permissions are enforced for this connection. When `PERMISSION_SYNC_ENABLED` is false, this setting has no effect. Defaults to the value of `PERMISSION_SYNC_ENABLED`. See https://docs.sourcebot.dev/docs/features/permission-syncing"
+    },
+    "enforcePermissionsForPublicRepos": {
+      "type": "boolean",
+      "default": false,
+      "description": "Controls whether repository permissions are enforced for public repositories in this connection. When true, public repositories are only visible to users with a linked account for this connection's code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false. See https://docs.sourcebot.dev/docs/features/permission-syncing"
     }
   },
   "required": [