sourcebot-dev
diff --git a/‎.github/workflows/license-audit.yml‎
Lines changed: 70 additions & 134 deletions b/‎.github/workflows/license-audit.yml‎
Lines changed: 70 additions & 134 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 4 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 15 additions & 5 deletions b/‎CONTRIBUTING.md‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎docs/api-reference/sourcebot-public.openapi.json‎
Lines changed: 1 addition & 1 deletion b/‎docs/api-reference/sourcebot-public.openapi.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/docs/configuration/idp.mdx‎
Lines changed: 3 additions & 0 deletions b/‎docs/docs/configuration/idp.mdx‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎install-ctags-macos.sh‎
Lines changed: 38 additions & 0 deletions b/‎install-ctags-macos.sh‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎packages/shared/src/env.server.ts‎
Lines changed: 1 addition & 1 deletion b/‎packages/shared/src/env.server.ts‎
Lines changed: 1 addition & 1 deletion
@@ -10,6 +10,8 @@ on:
       - "scripts/fetchLicenses.mjs"
       - "scripts/summarizeLicenses.mjs"
       - "scripts/npmLicenseMap.json"
+      - "scripts/licenseAuditPrompt.txt"
+      - "scripts/runLicenseAudit.sh"
   workflow_dispatch:
 
 jobs:
@@ -40,80 +42,21 @@ jobs:
       - name: Summarize licenses
         run: node scripts/summarizeLicenses.mjs
 
+      - name: Read audit prompt
+        id: read-prompt
+        run: |
+          {
+            echo 'PROMPT<<PROMPT_EOF'
+            cat scripts/licenseAuditPrompt.txt
+            echo 'PROMPT_EOF'
+          } >> "$GITHUB_OUTPUT"
+
       - name: Audit licenses with Claude
         uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           claude_args: '--allowedTools "Bash,Read,Write,Glob,Grep,WebFetch"'
-          prompt: |
-            You are a license compliance auditor. Your job is to review the OSS dependency
-            licenses in this repository and produce a structured audit result.
-
-            ## Steps
-
-            1. Read the file `oss-licenses.json` in the repo root.
-
-            2. Identify every package whose `license` field is:
-               - `"UNKNOWN"`
-               - A non-standard SPDX string (e.g., `"SEE LICENSE IN LICENSE"`, `"UNLICENSED"`,
-                 `"SEE LICENSE IN ..."`, or any value that is not a recognized SPDX identifier)
-               - An object instead of a string (e.g., `{"type":"MIT","url":"..."}`)
-
-            3. For each such package, try to resolve the actual license:
-               - Use WebFetch to visit `https://www.npmjs.com/package/<package-name>` and look
-                 for license information on the npm page.
-               - If the npm page is inconclusive, check the package's `repository` or `homepage`
-                 URL (from oss-licenses.json) via WebFetch to find a LICENSE file.
-               - If the license field is an object like `{"type":"MIT","url":"..."}`, extract the
-                 `type` field as the resolved license.
-
-            4. Identify all copyleft-licensed packages. Classify them as:
-               - **Strong copyleft**: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0, SSPL-1.0, EUPL-1.1,
-                 EUPL-1.2, CPAL-1.0, OSL-3.0 (and any `-only` or `-or-later` variants)
-               - **Weak copyleft**: LGPL-2.0, LGPL-2.1, LGPL-3.0, MPL-2.0, CC-BY-SA-3.0,
-                 CC-BY-SA-4.0 (and any `-only` or `-or-later` variants)
-
-            5. Write a file called `license-audit-result.json` in the repo root with this structure:
-               ```json
-               {
-                 "status": "PASS or FAIL",
-                 "failReasons": ["list of reasons if FAIL, empty array if PASS"],
-                 "summary": {
-                   "totalPackages": 0,
-                   "resolvedCount": 0,
-                   "unresolvedCount": 0,
-                   "strongCopyleftCount": 0,
-                   "weakCopyleftCount": 0
-                 },
-                 "resolved": [
-                   { "name": "pkg-name", "version": "1.0.0", "originalLicense": "...", "resolvedLicense": "MIT", "source": "npm page / GitHub repo / extracted from object" }
-                 ],
-                 "unresolved": [
-                   { "name": "pkg-name", "version": "1.0.0", "license": "UNKNOWN", "reason": "why it could not be resolved" }
-                 ],
-                 "copyleft": {
-                   "strong": [
-                     { "name": "pkg-name", "version": "1.0.0", "license": "GPL-3.0" }
-                   ],
-                   "weak": [
-                     { "name": "pkg-name", "version": "1.0.0", "license": "MPL-2.0" }
-                   ]
-                 }
-               }
-               ```
-
-            6. Set `status` to `"FAIL"` if `unresolvedCount > 0` OR `strongCopyleftCount > 0`.
-               Otherwise set it to `"PASS"`.
-
-            7. If the status is FAIL, populate `failReasons` with human-readable explanations, e.g.:
-               - "2 packages have unresolvable licenses: pkg-a, pkg-b"
-               - "1 package uses strong copyleft license: pkg-c (GPL-3.0)"
-
-            ## Important Notes
-            - Do NOT modify any source files. Only write `license-audit-result.json`.
-            - Be thorough: check every non-standard license, not just a sample.
-            - If a package's license object has a `type` field, that counts as resolved.
-            - Weak copyleft licenses (LGPL, MPL) are flagged but do NOT cause a FAIL.
+          prompt: ${{ steps.read-prompt.outputs.PROMPT }}
 
       - name: Validate audit result
         run: |
@@ -148,86 +91,79 @@ jobs:
         with:
           script: |
             const fs = require('fs');
-            const path = 'license-audit-result.json';
+            const resultPath = 'license-audit-result.json';
 
-            if (!fs.existsSync(path)) {
-              const body = `## License Audit\n\n:x: Audit failed to produce results. Check the workflow logs for details.`;
-              const comments = await github.rest.issues.listComments({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-              });
-              const existing = comments.data.find(c => c.body.startsWith('## License Audit'));
-              if (existing) {
-                await github.rest.issues.updateComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  comment_id: existing.id,
-                  body,
-                });
-              } else {
-                await github.rest.issues.createComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: context.issue.number,
-                  body,
-                });
-              }
-              return;
-            }
+            // Determine if we should comment
+            let shouldComment = false;
+            let body = '';
 
-            const result = JSON.parse(fs.readFileSync(path, 'utf-8'));
-            const icon = result.status === 'PASS' ? ':white_check_mark:' : ':x:';
+            if (!fs.existsSync(resultPath)) {
+              shouldComment = true;
+              body = `## License Audit\n\n:x: Audit failed to produce results. Check the workflow logs for details.`;
+            } else {
+              const result = JSON.parse(fs.readFileSync(resultPath, 'utf-8'));
+              const hasWeakCopyleft = result.summary.weakCopyleftCount > 0;
+              const isFail = result.status === 'FAIL';
 
-            let body = `## License Audit\n\n`;
-            body += `${icon} **Status: ${result.status}**\n\n`;
-            body += `| Metric | Count |\n|---|---|\n`;
-            body += `| Total packages | ${result.summary.totalPackages} |\n`;
-            body += `| Resolved (non-standard) | ${result.summary.resolvedCount} |\n`;
-            body += `| Unresolved | ${result.summary.unresolvedCount} |\n`;
-            body += `| Strong copyleft | ${result.summary.strongCopyleftCount} |\n`;
-            body += `| Weak copyleft | ${result.summary.weakCopyleftCount} |\n`;
+              if (!isFail && !hasWeakCopyleft) {
+                return;
+              }
 
-            if (result.failReasons && result.failReasons.length > 0) {
-              body += `\n### Fail Reasons\n\n`;
-              for (const reason of result.failReasons) {
-                body += `- ${reason}\n`;
+              shouldComment = true;
+              const icon = isFail ? ':x:' : ':warning:';
+
+              body = `## License Audit\n\n`;
+              body += `${icon} **Status: ${result.status}**\n\n`;
+              body += `| Metric | Count |\n|---|---|\n`;
+              body += `| Total packages | ${result.summary.totalPackages} |\n`;
+              body += `| Resolved (non-standard) | ${result.summary.resolvedCount} |\n`;
+              body += `| Unresolved | ${result.summary.unresolvedCount} |\n`;
+              body += `| Strong copyleft | ${result.summary.strongCopyleftCount} |\n`;
+              body += `| Weak copyleft | ${result.summary.weakCopyleftCount} |\n`;
+
+              if (result.failReasons && result.failReasons.length > 0) {
+                body += `\n### Fail Reasons\n\n`;
+                for (const reason of result.failReasons) {
+                  body += `- ${reason}\n`;
+                }
               }
-            }
 
-            if (result.unresolved && result.unresolved.length > 0) {
-              body += `\n### Unresolved Packages\n\n`;
-              body += `| Package | Version | License | Reason |\n|---|---|---|---|\n`;
-              for (const pkg of result.unresolved) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` | ${pkg.reason} |\n`;
+              if (result.unresolved && result.unresolved.length > 0) {
+                body += `\n### Unresolved Packages\n\n`;
+                body += `| Package | Version | License | Reason |\n|---|---|---|---|\n`;
+                for (const pkg of result.unresolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` | ${pkg.reason} |\n`;
+                }
               }
-            }
 
-            if (result.copyleft && result.copyleft.strong && result.copyleft.strong.length > 0) {
-              body += `\n### Strong Copyleft Packages\n\n`;
-              body += `| Package | Version | License |\n|---|---|---|\n`;
-              for (const pkg of result.copyleft.strong) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+              if (result.copyleft && result.copyleft.strong && result.copyleft.strong.length > 0) {
+                body += `\n### Strong Copyleft Packages\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.strong) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
               }
-            }
 
-            if (result.copyleft && result.copyleft.weak && result.copyleft.weak.length > 0) {
-              body += `\n### Weak Copyleft Packages (informational)\n\n`;
-              body += `| Package | Version | License |\n|---|---|---|\n`;
-              for (const pkg of result.copyleft.weak) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+              if (result.copyleft && result.copyleft.weak && result.copyleft.weak.length > 0) {
+                body += `\n### Weak Copyleft Packages (informational)\n\n`;
+                body += `| Package | Version | License |\n|---|---|---|\n`;
+                for (const pkg of result.copyleft.weak) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.license}\` |\n`;
+                }
               }
-            }
 
-            if (result.resolved && result.resolved.length > 0) {
-              body += `\n<details><summary>Resolved Packages (${result.resolved.length})</summary>\n\n`;
-              body += `| Package | Version | Original | Resolved | Source |\n|---|---|---|---|---|\n`;
-              for (const pkg of result.resolved) {
-                body += `| ${pkg.name} | ${pkg.version} | \`${pkg.originalLicense}\` | \`${pkg.resolvedLicense}\` | ${pkg.source} |\n`;
+              if (result.resolved && result.resolved.length > 0) {
+                body += `\n<details><summary>Resolved Packages (${result.resolved.length})</summary>\n\n`;
+                body += `| Package | Version | Original | Resolved | Source |\n|---|---|---|---|---|\n`;
+                for (const pkg of result.resolved) {
+                  body += `| ${pkg.name} | ${pkg.version} | \`${pkg.originalLicense}\` | \`${pkg.resolvedLicense}\` | ${pkg.source} |\n`;
+                }
+                body += `\n</details>\n`;
               }
-              body += `\n</details>\n`;
             }
 
+            if (!shouldComment) return;
+
             const comments = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
 
@@ -33,6 +33,10 @@ Standard dev commands are documented in `CONTRIBUTING.md` and `package.json`. Ke
 - **Build deps only:** `yarn build:deps` (builds shared packages: schemas, db, shared, query-language)
 - **DB migrations:** `yarn dev:prisma:migrate:dev`
 
+### Deprecated Packages
+
+- **`packages/mcp`** - This standalone MCP package is deprecated. Do NOT modify it. MCP functionality is now handled by the web package at `packages/web/src/features/mcp/`.
+
 ### Non-obvious Caveats
 
 - **Docker must be running** before `yarn dev`. Start it with `docker compose -f docker-compose-dev.yml up -d`. The backend will fail to connect to Redis/PostgreSQL otherwise.
 
@@ -17,8 +17,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed issue where ask responses would sometimes appear in the details panel while generating. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
 
 ### Changed
+- Changed language detection to resolve file extensions with multiple language resolutions (e.g., .md) to the most common resolution. [#1026](https://github.com/sourcebot-dev/sourcebot/pull/1026)
 - Changed the `webUrl` property of the `/api/repos` api to return a URL rather than just a path. [#1014](https://github.com/sourcebot-dev/sourcebot/pull/1014)
 
+## [4.15.11] - 2026-03-20
+
+### Changed
+- Updated JumpCloud SSO documentation to clarify token endpoint authentication method requirement and AUTH_SECRET configuration. [#1022](https://github.com/sourcebot-dev/sourcebot/pull/1022)
+- The `ask_codebase` MCP tool is now hidden when no language model providers are configured. [#1018](https://github.com/sourcebot-dev/sourcebot/pull/1018)
+
+## [4.15.10] - 2026-03-20
+
+### Changed
+- Increased `SOURCEBOT_CHAT_MAX_STEP_COUNT` default from 20 to 100 to allow agents to perform more autonomous steps. [#1017](https://github.com/sourcebot-dev/sourcebot/pull/1017)
+- [EE] Fix error with Jumpcloud SSO state param [#1020](https://github.com/sourcebot-dev/sourcebot/pull/1020)
+
 ## [4.15.9] - 2026-03-17
 
 ### Added
@@ -45,10 +58,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Deprecated `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` in favour of `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS`. The old variable will continue to work as a fallback. [#1007](https://github.com/sourcebot-dev/sourcebot/pull/1007)
 
+### Modified
+- Made OSS license audit runnable locally [#1021](https://github.com/sourcebot-dev/sourcebot/pull/1021)
+
+
 ## [4.15.6] - 2026-03-13
 
 ### Added
 - Added generated OpenAPI documentation for the public search, repo, and file browsing API surface. [#996](https://github.com/sourcebot-dev/sourcebot/pull/996)
+- Added OSS license audit github action. [#1003](https://github.com/sourcebot-dev/sourcebot/pull/1003)
 
 ### Fixed
 - [EE] Fixed account-driven permission sync silently wiping all Bitbucket Server repository permissions when the OAuth token expires on instances with anonymous access enabled. [#998](https://github.com/sourcebot-dev/sourcebot/pull/998)
 
@@ -36,15 +36,25 @@ Want to take on an issue? Leave a comment and a maintainer may assign it to you
 
 1. Install <a href="https://go.dev/doc/install"><img src="https://go.dev/favicon.ico" width="16" height="16"> go</a>, <a href="https://docs.docker.com/get-started/get-docker/"><img src="https://www.docker.com/favicon.ico" width="16" height="16"> docker</a>, and <a href="https://nodejs.org/"><img src="https://nodejs.org/favicon.ico" width="16" height="16"> NodeJS</a>. Note that a NodeJS version of at least `24` is required.
 
-2. Install [ctags](https://github.com/universal-ctags/ctags) (required by zoekt)
+2. Install [universal-ctags](https://github.com/universal-ctags/ctags) v6.1.0 (required by zoekt). Version 6.1.0 is required — newer versions have a known incompatibility with zoekt.
+
+    **macOS:** Run the provided install script:
     ```sh
-    // macOS:
-    brew install universal-ctags
+    ./install-ctags-macos.sh
+    ```
 
-    // Linux:
-    snap install universal-ctags
+    **Linux and other platforms:** Build from source:
+    ```sh
+    curl https://codeload.github.com/universal-ctags/ctags/tar.gz/v6.1.0 | tar xz -C /tmp
+    cd /tmp/ctags-6.1.0
+    ./autogen.sh
+    ./configure --program-prefix=universal- --enable-json
+    make -j$(nproc)
+    sudo make install
     ```
 
+    After installing, set `CTAGS_COMMAND` in your `.env.development.local` to the path of the installed binary (e.g. `/usr/local/bin/universal-ctags`).
+
 3. Install corepack:
     ```sh
     npm install -g corepack
 
@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v4.15.9",
+    "version": "v4.15.11",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing."
   },
   "tags": [
 
@@ -531,6 +531,7 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth
 
         When configuring your application:
         - Set the SSO type to "OIDC"
+        - Set the **Token Endpoint Authentication Method** to `client_secret_basic`. JumpCloud defaults to `client_secret_post`, but Sourcebot requires `client_secret_basic`.
         - Add `<sourcebot_url>/api/auth/callback/jumpcloud` to the redirect URIs (ex. https://sourcebot.coolcorp.com/api/auth/callback/jumpcloud)
         - Set the login URL to `<sourcebot_url>/login`
 
@@ -539,6 +540,8 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth
     <Step title="Define environment variables">
         The client id, secret, and issuer URL are provided to Sourcebot via environment variables. These can be named whatever you like
         (ex. `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_ID`, `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_SECRET`, and `JUMPCLOUD_IDENTITY_PROVIDER_ISSUER`)
+
+        You must also set the `AUTH_SECRET` environment variable. Generate one with `openssl rand -base64 33` and pass it to your Sourcebot deployment. While `AUTH_SECRET` is auto-generated if not provided, it must be explicitly set for SSO to work reliably across restarts.
     </Step>
     <Step title="Define the identity provider config">
         Create a `identityProvider` object in the [config file](/docs/configuration/config-file) with the following fields:
 
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# This script installs universal-ctags v6.1.0 on macOS.
+# This version is pinned to match the version used in the Sourcebot Docker image.
+# See vendor/zoekt/install-ctags-alpine.sh for the Alpine equivalent.
+
+CTAGS_VERSION=v6.1.0
+CTAGS_ARCHIVE_TOP_LEVEL_DIR=ctags-6.1.0
+INSTALL_DIR=/usr/local/bin
+
+cleanup() {
+  cd /
+  rm -rf /tmp/ctags-$CTAGS_VERSION
+}
+
+trap cleanup EXIT
+
+set -eux
+
+# Ensure required build tools are available
+if ! command -v brew >/dev/null 2>&1; then
+  echo "Homebrew is required to install build dependencies. See https://brew.sh."
+  exit 1
+fi
+
+brew install autoconf automake pkg-config jansson
+
+curl --retry 5 "https://codeload.github.com/universal-ctags/ctags/tar.gz/$CTAGS_VERSION" | tar xz -C /tmp
+cd /tmp/$CTAGS_ARCHIVE_TOP_LEVEL_DIR
+./autogen.sh
+./configure --program-prefix=universal- --enable-json
+make -j"$(sysctl -n hw.ncpu)"
+sudo make install
+
+echo ""
+echo "universal-ctags installed to $INSTALL_DIR/universal-ctags"
+echo "Add the following to your .env.development.local:"
+echo "  CTAGS_COMMAND=$INSTALL_DIR/universal-ctags"
@@ -238,7 +238,7 @@ const options = {
         AWS_REGION: z.string().optional(),
 
         SOURCEBOT_CHAT_MODEL_TEMPERATURE: numberSchema.default(0.3),
-        SOURCEBOT_CHAT_MAX_STEP_COUNT: numberSchema.default(20),
+        SOURCEBOT_CHAT_MAX_STEP_COUNT: numberSchema.default(100),
 
         DEBUG_WRITE_CHAT_MESSAGES_TO_FILE: booleanSchema.default('false'),