feat(backend): add env vars to independently enable/disable user and repo driven permission syncing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

docs/docs/configuration/environment-variables.mdx

@@ -46,6 +46,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
+| `PERMISSION_SYNC_USER_DRIVEN_ENABLED` | `true` | <p>Enables/disables [user-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 

docs/docs/features/permission-syncing.mdx

@@ -134,7 +134,15 @@ Permission syncing works by periodically syncing ACLs from the code host(s) to S
 - **User driven** : fetches the list of all repositories that a given user has access to.
 - **Repo driven** : fetches the list of all users that have access to a given repository.
 
-User driven and repo driven syncing occurs every 24 hours by default. These intervals can be configured using the following settings in the [config file](/docs/configuration/config-file):
+User driven and repo driven syncing occurs every 24 hours by default. Each sync direction can be independently enabled or disabled using the following environment variables:
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `PERMISSION_SYNC_USER_DRIVEN_ENABLED` | `true` | Enables/disables user-driven syncing. |
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | Enables/disables repo-driven syncing. |
+
+The sync intervals can be configured using the following settings in the [config file](/docs/configuration/config-file):
+
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
 | `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |

packages/backend/src/index.ts

@@ -76,8 +76,12 @@ if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('per
     process.exit(1);
 }
 else if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
-    repoPermissionSyncer.startScheduler();
-    accountPermissionSyncer.startScheduler();
+    if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {
+        repoPermissionSyncer.startScheduler();
+    }
+    if (env.PERMISSION_SYNC_USER_DRIVEN_ENABLED === 'true') {
+        accountPermissionSyncer.startScheduler();
+    }
 }
 
 const api = new Api(

packages/shared/src/env.server.ts

@@ -247,6 +247,8 @@ export const env = createEnv({
         // @NOTE: Take care to update actions.ts when changing the name of this.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
         EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
+        PERMISSION_SYNC_USER_DRIVEN_ENABLED: booleanSchema.default('true'),
+        PERMISSION_SYNC_REPO_DRIVEN_ENABLED: booleanSchema.default('true'),
         EXPERIMENT_ASK_GH_ENABLED: booleanSchema.default('false'),
 
         SOURCEBOT_ENCRYPTION_KEY: z.string(),