sourcebot-dev
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/docs/configuration/audit-logs.mdx‎
Lines changed: 2 additions & 2 deletions b/‎docs/docs/configuration/audit-logs.mdx‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/docs/configuration/auth/access-settings.mdx‎
Lines changed: 4 additions & 4 deletions b/‎docs/docs/configuration/auth/access-settings.mdx‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/docs/configuration/auth/roles-and-permissions.mdx‎
Lines changed: 38 additions & 4 deletions b/‎docs/docs/configuration/auth/roles-and-permissions.mdx‎
Lines changed: 38 additions & 4 deletions
diff --git a/‎docs/docs/license-key.mdx‎
Lines changed: 1 addition & 0 deletions b/‎docs/docs/license-key.mdx‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/images/demote_to_member.png‎
56.7 KB b/‎docs/images/demote_to_member.png‎
56.7 KB
diff --git a/‎docs/images/managing_owners.png‎
256 KB b/‎docs/images/managing_owners.png‎
256 KB
diff --git a/‎docs/images/owner_leave_org.png‎
60.5 KB b/‎docs/images/owner_leave_org.png‎
60.5 KB
diff --git a/‎docs/images/promote_to_owner.png‎
55.3 KB b/‎docs/images/promote_to_owner.png‎
55.3 KB
diff --git a/‎packages/web/src/actions.ts‎
Lines changed: 1 addition & 171 deletions b/‎packages/web/src/actions.ts‎
Lines changed: 1 addition & 171 deletions
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988)
+
 ## [4.15.3] - 2026-03-10
 
 ### Fixed
 
@@ -122,8 +122,6 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
 | `chat.shared_with_users`              | `user` | `chat` |
 | `chat.unshared_with_user`             | `user` | `chat` |
 | `chat.visibility_updated`             | `user` | `chat` |
-| `org.ownership_transfer_failed`       | `user` | `org` |
-| `org.ownership_transferred`           | `user` | `org` |
 | `user.created_ask_chat`               | `user` | `org` |
 | `user.creation_failed`                | `user` | `user` |
 | `user.delete`                         | `user` | `user` |
@@ -144,6 +142,8 @@ curl --request GET '$SOURCEBOT_URL/api/ee/audit' \
 | `user.read`                           | `user` | `user` |
 | `user.signed_in`                      | `user` | `user` |
 | `user.signed_out`                     | `user` | `user` |
+| `org.member_promoted_to_owner`        | `user` | `user` |
+| `org.owner_demoted_to_member`         | `user` | `user` |
 
 
 ## Response schema
 
@@ -17,20 +17,20 @@ When accessing Sourcebot anonymously, a user's permissions are limited to that o
 
 # Member Approval 
 
-By default, Sourcebot requires new members to be approved by the owner of the deployment. This section explains how approvals work and how
+By default, Sourcebot requires new members to be approved by an owner of the deployment. This section explains how approvals work and how
 to configure this behavior.
 
 ### Configuration
-Member approval can be configured by the owner of the deployment by navigating to **Settings -> Access**, or by setting the `REQUIRE_APPROVAL_NEW_MEMBERS` environment variable. When the environment variable is set, the UI toggle is disabled and the setting is controlled by the environment variable.
+Member approval can be configured by an owner of the deployment by navigating to **Settings -> Access**, or by setting the `REQUIRE_APPROVAL_NEW_MEMBERS` environment variable. When the environment variable is set, the UI toggle is disabled and the setting is controlled by the environment variable.
 
 ![Member Approval Toggle](/images/member_approval_toggle.png)
 
 ### Managing Requests
 
 If member approval is enabled, new members will be asked to submit a join request after signing up. They will not have access to the Sourcebot deployment
-until this request is approved by the owner.
+until this request is approved by an owner.
 
-The owner can see and manage all pending join requests by navigating to **Settings -> Members**.
+Owners can see and manage all pending join requests by navigating to **Settings -> Members**.
 
 ## Invite link
 
 
@@ -3,12 +3,46 @@ title: Roles and Permissions
 sidebarTitle: Roles and permissions
 ---
 
-<Note>Looking to sync permissions with your identify provider? We're working on it - [reach out](https://www.sourcebot.dev/contact) to us to learn more</Note>
-
 Each member has a role which defines their permissions within an organization:
 
 | Role | Permission |
 | :--- | :--------- |
-| `Owner` | Each organization has a single `Owner`. This user has full access rights, including: connection management, organization management, and inviting new members. |
+| `Owner` | An organization can have one or more `Owner`s. Owners have full access rights, including: connection management, organization management, and inviting new members. |
 | `Member` | Read-only access to the organization. A `Member` can search across the repos indexed by an organization's connections, as well as view the organizations configuration and member list. However, they cannot modify this configuration or invite new members. |
-| `Guest` | When accessing Sourcebot [anonymously](/docs/configuration/auth/access-settings#anonymous-access), a user has the `Guest` role. `Guest`'s can search across repos indexed by an organization's connections, but cannot view any information regarding the organizations configuration or members. |
+| `Guest` | When accessing Sourcebot [anonymously](/docs/configuration/auth/access-settings#anonymous-access), a user has the `Guest` role. `Guest`'s can search across repos indexed by an organization's connections, but cannot view any information regarding the organizations configuration or members. |
+
+## Managing owners
+
+import LicenseKeyRequired from '/snippets/license-key-required.mdx'
+
+<LicenseKeyRequired feature="Multiple owners" />
+
+organizations support multiple owners, allowing you to share administrative responsibilities across your team. Owners can promote members to owner and demote other owners back to member from **Settings -> Members**.
+
+<Frame>
+  <img src="/images/managing_owners.png" alt="Members settings page showing team members and their roles" />
+</Frame>
+
+### Promoting a member to owner
+
+To promote a member, click the action menu (three dots) next to their name in the members list and select **Promote to owner**. The member will immediately gain full administrative access.
+
+<Frame>
+  <img src="/images/promote_to_owner.png" alt="Dropdown menu showing Promote to owner option for a member" />
+</Frame>
+
+### Demoting an owner to member
+
+To demote an owner, click the action menu next to their name and select **Demote to member**. Owners can also demote themselves to step down from the role. The last remaining owner of an organization cannot be demoted - at least one owner must exist at all times.
+
+<Frame>
+  <img src="/images/demote_to_member.png" alt="Dropdown menu showing Demote to member option for an owner" />
+</Frame>
+
+### Leaving an organization as an owner
+
+An owner can leave the organization as long as at least one other owner exists. If you are the last owner, you must promote another member to owner before leaving.
+
+<Frame>
+  <img src="/images/owner_leave_org.png" alt="Dropdown menu showing Leave organization option for an owner" />
+</Frame>
@@ -40,6 +40,7 @@ docker run \
 | [Audit logs](/docs/configuration/audit-logs) | 🛑 | ✅ |
 | [Analytics](/docs/features/analytics) | 🛑 | ✅ |
 | [MCP OAuth](/docs/features/mcp-server#oauth-2-0) | 🛑 | ✅ |
+| [Multiple owners](/docs/configuration/auth/roles-and-permissions#managing-owners) | 🛑 | ✅ |
 
 
 ## Questions?
 
@@ -22,7 +22,7 @@ import { createTransport } from "nodemailer";
 import { Octokit } from "octokit";
 import { auth } from "./auth";
 import { getOrgFromDomain } from "./data/org";
-import { decrementOrgSeatCount, getSubscriptionForOrg } from "./ee/features/billing/serverUtils";
+import { getSubscriptionForOrg } from "./ee/features/billing/serverUtils";
 import { IS_BILLING_ENABLED } from "./ee/features/billing/stripe";
 import InviteUserEmail from "./emails/inviteUserEmail";
 import JoinRequestApprovedEmail from "./emails/joinRequestApprovedEmail";
@@ -1150,102 +1150,6 @@ export const getInviteInfo = async (inviteId: string) => sew(() =>
         }
     }));
 
-export const transferOwnership = async (newOwnerId: string, domain: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
-    withAuth((userId) =>
-        withOrgMembership(userId, domain, async ({ org }) => {
-            const currentUserId = userId;
-
-            const failAuditCallback = async (error: string) => {
-                await auditService.createAudit({
-                    action: "org.ownership_transfer_failed",
-                    actor: {
-                        id: currentUserId,
-                        type: "user"
-                    },
-                    target: {
-                        id: org.id.toString(),
-                        type: "org"
-                    },
-                    orgId: org.id,
-                    metadata: {
-                        message: error
-                    }
-                })
-            }
-            if (newOwnerId === currentUserId) {
-                await failAuditCallback("User is already the owner of this org");
-                return {
-                    statusCode: StatusCodes.BAD_REQUEST,
-                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                    message: "You're already the owner of this org",
-                } satisfies ServiceError;
-            }
-
-            const newOwner = await prisma.userToOrg.findUnique({
-                where: {
-                    orgId_userId: {
-                        userId: newOwnerId,
-                        orgId: org.id,
-                    },
-                },
-            });
-
-            if (!newOwner) {
-                await failAuditCallback("The user you're trying to make the owner doesn't exist");
-                return {
-                    statusCode: StatusCodes.BAD_REQUEST,
-                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                    message: "The user you're trying to make the owner doesn't exist",
-                } satisfies ServiceError;
-            }
-
-            await prisma.$transaction([
-                prisma.userToOrg.update({
-                    where: {
-                        orgId_userId: {
-                            userId: newOwnerId,
-                            orgId: org.id,
-                        },
-                    },
-                    data: {
-                        role: "OWNER",
-                    }
-                }),
-                prisma.userToOrg.update({
-                    where: {
-                        orgId_userId: {
-                            userId: currentUserId,
-                            orgId: org.id,
-                        },
-                    },
-                    data: {
-                        role: "MEMBER",
-                    }
-                })
-            ]);
-
-            await auditService.createAudit({
-                action: "org.ownership_transferred",
-                actor: {
-                    id: currentUserId,
-                    type: "user"
-                },
-                target: {
-                    id: org.id.toString(),
-                    type: "org"
-                },
-                orgId: org.id,
-                metadata: {
-                    message: `Ownership transferred from ${currentUserId} to ${newOwnerId}`
-                }
-            });
-
-            return {
-                success: true,
-            }
-        }, /* minRequiredRole = */ OrgRole.OWNER)
-    ));
-
 export const checkIfOrgDomainExists = async (domain: string): Promise<boolean | ServiceError> => sew(() =>
     withAuth(async () => {
         const org = await prisma.org.findFirst({
@@ -1257,80 +1161,6 @@ export const checkIfOrgDomainExists = async (domain: string): Promise<boolean |
         return !!org;
     }));
 
-export const removeMemberFromOrg = async (memberId: string, domain: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
-    withAuth(async (userId) =>
-        withOrgMembership(userId, domain, async ({ org }) => {
-            const targetMember = await prisma.userToOrg.findUnique({
-                where: {
-                    orgId_userId: {
-                        orgId: org.id,
-                        userId: memberId,
-                    }
-                }
-            });
-
-            if (!targetMember) {
-                return notFound();
-            }
-
-            await prisma.$transaction(async (tx) => {
-                await tx.userToOrg.delete({
-                    where: {
-                        orgId_userId: {
-                            orgId: org.id,
-                            userId: memberId,
-                        }
-                    }
-                });
-
-                if (IS_BILLING_ENABLED) {
-                    const result = await decrementOrgSeatCount(org.id, tx);
-                    if (isServiceError(result)) {
-                        throw result;
-                    }
-                }
-            });
-
-            return {
-                success: true,
-            }
-        }, /* minRequiredRole = */ OrgRole.OWNER)
-    ));
-
-export const leaveOrg = async (domain: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
-    withAuth(async (userId) =>
-        withOrgMembership(userId, domain, async ({ org, userRole }) => {
-            if (userRole === OrgRole.OWNER) {
-                return {
-                    statusCode: StatusCodes.FORBIDDEN,
-                    errorCode: ErrorCode.OWNER_CANNOT_LEAVE_ORG,
-                    message: "Organization owners cannot leave their own organization",
-                } satisfies ServiceError;
-            }
-
-            await prisma.$transaction(async (tx) => {
-                await tx.userToOrg.delete({
-                    where: {
-                        orgId_userId: {
-                            orgId: org.id,
-                            userId: userId,
-                        }
-                    }
-                });
-
-                if (IS_BILLING_ENABLED) {
-                    const result = await decrementOrgSeatCount(org.id, tx);
-                    if (isServiceError(result)) {
-                        throw result;
-                    }
-                }
-            });
-
-            return {
-                success: true,
-            }
-        })
-    ));
 
 export const getOrgMembers = async (domain: string) => sew(() =>
     withAuth(async (userId) =>