lighthouse

.env.development

@@ -71,3 +71,5 @@ SOURCEBOT_TELEMETRY_DISABLED=true # Disables telemetry collection
 NODE_ENV=development
 
 DEBUG_WRITE_CHAT_MESSAGES_TO_FILE=true
+
+SOURCEBOT_LIGHTHOUSE_URL=http://localhost:3003

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
+- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
 
 ## [4.16.9] - 2026-04-15
 

docs/api-reference/sourcebot-public.openapi.json

@@ -1025,8 +1025,7 @@
             "type": "string",
             "enum": [
               "OWNER",
-              "MEMBER",
-              "GUEST"
+              "MEMBER"
             ]
           },
           "createdAt": {

docs/docs.json

@@ -126,6 +126,7 @@
                                 ]
                             },
                             "docs/license-key",
+                            "docs/billing",
                             "docs/configuration/transactional-emails",
                             "docs/configuration/structured-logging",
                             "docs/configuration/audit-logs"

docs/docs/billing.mdx

@@ -0,0 +1,38 @@
+---
+title: Billing
+sidebarTitle: Billing
+---
+
+Sourcebot Enterprise is available on monthly and yearly plans. Both are seat-based. This page explains how seats are billed, how changes mid-term are handled, and what happens at renewal.
+
+## Seat count
+Your seat count is the number of active users in your Sourcebot instance. Seat usage is reported to Sourcebot on a daily interval, and your subscription quantity is kept in sync with that number.
+
+## Monthly plans
+Monthly subscriptions are billed at the start of each billing cycle. Users added mid-cycle are prorated across the remaining days and appear on your next invoice. Users removed mid-cycle take effect at the next cycle. There is no refund for the remainder of the current one.
+
+In short: you can scale up at any time and pay the prorated difference. Scaling down is effectively free until the cycle rolls over.
+
+## Yearly plans
+
+Yearly subscriptions are billed upfront for a committed seat count. As users are added during the term, the seat count rises but you aren't charged immediately. Every three months we reconcile. Any seats added that quarter are billed, prorated across the quarters remaining in the term.
+
+Seats only move upward during the term. Shrinking the user count does not refund, and does not reduce the seat count until renewal. At renewal, you're invoiced at your current seat count, and that number becomes the committed baseline for the next year.
+
+### Example
+
+Suppose you start a yearly plan in January with 100 seats.
+
+- In Q1, your user count grows to 110. At the end of Q1, you're invoiced for 10 seats prorated across the 3 remaining quarters.
+- In Q2, your user count stays at 110. No reconciliation invoice is generated.
+- In Q3, your user count grows to 120. At the end of Q3, you're invoiced for 10 seats prorated across the 1 remaining quarter.
+- In Q4, reconciliation does not generate a charge (there are no remaining quarters to prorate across).
+- At renewal in January, you're invoiced at 120 seats for the next year. 120 becomes the new committed baseline.
+
+## Cancellation
+
+Cancelling a subscription takes effect at the end of the current billing cycle (monthly) or term (yearly). You retain access to Sourcebot Enterprise features until that point.
+
+## Questions?
+
+For billing questions, [contact us](mailto:support@sourcebot.dev).

docs/docs/license-key.mdx

@@ -45,4 +45,6 @@ docker run \
 
 ## Questions?
 
-If you have any questions regarding licensing, please [contact us](https://www.sourcebot.dev/contact).
+For how seats are priced and reconciled across billing cycles, see [Billing](/docs/billing).
+
+For any other licensing questions, please [contact us](https://www.sourcebot.dev/contact).

packages/backend/src/__mocks__/prisma.ts

@@ -0,0 +1,7 @@
+import { vi } from 'vitest';
+
+export const prisma = {
+    license: {
+        findUnique: vi.fn().mockResolvedValue(null),
+    },
+};

packages/backend/src/api.ts

@@ -1,5 +1,6 @@
 import { PrismaClient, RepoIndexingJobType } from '@sourcebot/db';
-import { createLogger, env, hasEntitlement, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from '@sourcebot/shared';
+import { createLogger, env, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from '@sourcebot/shared';
+import { hasEntitlement } from './entitlements.js';
 import express, { Request, Response } from 'express';
 import 'express-async-errors';
 import * as http from "http";
@@ -100,7 +101,7 @@ export class Api {
     }
 
     private async triggerAccountPermissionSync(req: Request, res: Response) {
-        if (env.PERMISSION_SYNC_ENABLED !== 'true' || !hasEntitlement('permission-syncing')) {
+        if (env.PERMISSION_SYNC_ENABLED !== 'true' || !await hasEntitlement('permission-syncing')) {
             res.status(403).json({ error: 'Permission syncing is not enabled.' });
             return;
         }

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -1,6 +1,7 @@
 import * as Sentry from "@sentry/node";
 import { PrismaClient, AccountPermissionSyncJobStatus, Account, PermissionSyncSource} from "@sourcebot/db";
-import { env, hasEntitlement, createLogger, loadConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
+import { env, createLogger, loadConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { ensureFreshAccountToken } from "./tokenRefresh.js";
 import { Job, Queue, Worker } from "bullmq";
 import { Redis } from "ioredis";
@@ -50,8 +51,8 @@ export class AccountPermissionSyncer {
         this.worker.on('failed', this.onJobFailed.bind(this));
     }
 
-    public startScheduler() {
-        if (!hasEntitlement('permission-syncing')) {
+    public async startScheduler() {
+        if (!await hasEntitlement('permission-syncing')) {
             throw new Error('Permission syncing is not supported in current plan.');
         }
 

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -1,7 +1,8 @@
 import * as Sentry from "@sentry/node";
 import { PermissionSyncSource, PrismaClient, Repo, RepoPermissionSyncJobStatus } from "@sourcebot/db";
 import { createLogger, PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "@sourcebot/shared";
-import { env, hasEntitlement } from "@sourcebot/shared";
+import { env } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { Job, Queue, Worker } from 'bullmq';
 import { Redis } from 'ioredis';
 import { createOctokitFromToken, getRepoCollaborators, GITHUB_CLOUD_HOSTNAME } from "../github.js";
@@ -44,8 +45,8 @@ export class RepoPermissionSyncer {
         this.worker.on('failed', this.onJobFailed.bind(this));
     }
 
-    public startScheduler() {
-        if (!hasEntitlement('permission-syncing')) {
+    public async startScheduler() {
+        if (!await hasEntitlement('permission-syncing')) {
             throw new Error('Permission syncing is not supported in current plan.');
         }
 

packages/backend/src/ee/syncSearchContexts.test.ts

@@ -12,12 +12,15 @@ vi.mock('@sourcebot/shared', async (importOriginal) => {
             error: vi.fn(),
             debug: vi.fn(),
         })),
-        hasEntitlement: vi.fn(() => true),
-        getPlan: vi.fn(() => 'enterprise'),
         SOURCEBOT_SUPPORT_EMAIL: 'support@sourcebot.dev',
     };
 });
 
+vi.mock('../entitlements.js', () => ({
+    hasEntitlement: vi.fn(() => Promise.resolve(true)),
+    getPlan: vi.fn(() => Promise.resolve('enterprise')),
+}));
+
 import { syncSearchContexts } from './syncSearchContexts.js';
 
 // Helper to build a repo record with GitLab topics stored in metadata.

packages/backend/src/ee/syncSearchContexts.ts

@@ -1,7 +1,8 @@
 import micromatch from "micromatch";
 import { createLogger } from "@sourcebot/shared";
 import { PrismaClient } from "@sourcebot/db";
-import { getPlan, hasEntitlement, repoMetadataSchema, SOURCEBOT_SUPPORT_EMAIL } from "@sourcebot/shared";
+import { repoMetadataSchema, SOURCEBOT_SUPPORT_EMAIL } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { SearchContext } from "@sourcebot/schemas/v3/index.type";
 
 const logger = createLogger('sync-search-contexts');
@@ -15,10 +16,9 @@ interface SyncSearchContextsParams {
 export const syncSearchContexts = async (params: SyncSearchContextsParams) => {
     const { contexts, orgId, db } = params;
 
-    if (!hasEntitlement("search-contexts")) {
+    if (!await hasEntitlement("search-contexts")) {
         if (contexts) {
-            const plan = getPlan();
-            logger.warn(`Skipping search context sync. Reason: "Search contexts are not supported in your current plan: ${plan}. If you have a valid enterprise license key, pass it via SOURCEBOT_EE_LICENSE_KEY. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}."`);
+            logger.warn(`Skipping search context sync. Reason: "Search contexts are not supported in your current plan. If you have a valid enterprise license key, pass it via SOURCEBOT_EE_LICENSE_KEY. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}."`);
         }
         return false;
     }

packages/backend/src/entitlements.ts

@@ -0,0 +1,23 @@
+import {
+    Entitlement,
+    _hasEntitlement,
+    _getEntitlements,
+} from "@sourcebot/shared";
+import { prisma } from "./prisma.js";
+import { SINGLE_TENANT_ORG_ID } from "./constants.js";
+
+const getLicense = async () => {
+    return prisma.license.findUnique({
+        where: { orgId: SINGLE_TENANT_ORG_ID },
+    });
+}
+
+export const hasEntitlement = async (entitlement: Entitlement): Promise<boolean> => {
+    const license = await getLicense();
+    return _hasEntitlement(entitlement, license);
+}
+
+export const getEntitlements = async (): Promise<Entitlement[]> => {
+    const license = await getLicense();
+    return _getEntitlements(license);
+}

packages/backend/src/github.ts

@@ -4,7 +4,8 @@ import * as Sentry from "@sentry/node";
 import { getTokenFromConfig } from "@sourcebot/shared";
 import { createLogger } from "@sourcebot/shared";
 import { GithubConnectionConfig } from "@sourcebot/schemas/v3/github.type";
-import { env, hasEntitlement } from "@sourcebot/shared";
+import { env } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
 import micromatch from "micromatch";
 import pLimit from "p-limit";
 import { processPromiseResults, throwIfAnyFailed } from "./connectionUtils.js";
@@ -124,7 +125,7 @@ const getOctokitWithGithubApp = async (
     url: string | undefined,
     context: string
 ): Promise<Octokit> => {
-    if (!hasEntitlement('github-app') || !GithubAppManager.getInstance().appsConfigured()) {
+    if (!await hasEntitlement('github-app') || !GithubAppManager.getInstance().appsConfigured()) {
         return octokit;
     }
 

packages/backend/src/index.ts

@@ -1,8 +1,9 @@
 import "./instrument.js";
 
 import * as Sentry from "@sentry/node";
-import { PrismaClient } from "@sourcebot/db";
-import { createLogger, env, getConfigSettings, getDBConnectionString, hasEntitlement } from "@sourcebot/shared";
+import { createLogger, env, getConfigSettings } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
+import { prisma } from "./prisma.js";
 import 'express-async-errors';
 import { existsSync } from 'fs';
 import { mkdir } from 'fs/promises';
@@ -31,13 +32,6 @@ if (!existsSync(indexPath)) {
     await mkdir(indexPath, { recursive: true });
 }
 
-const prisma = new PrismaClient({
-    datasources: {
-        db: {
-            url: getDBConnectionString(),
-        },
-    },
-});
 
 try {
     await redis.ping();
@@ -51,7 +45,7 @@ const promClient = new PromClient();
 
 const settings = await getConfigSettings(env.CONFIG_PATH);
 
-if (hasEntitlement('github-app')) {
+if (await hasEntitlement('github-app')) {
     await GithubAppManager.getInstance().init(prisma);
 }
 
@@ -66,11 +60,11 @@ connectionManager.startScheduler();
 await repoIndexManager.startScheduler();
 auditLogPruner.startScheduler();
 
-if (env.PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('permission-syncing')) {
+if (env.PERMISSION_SYNC_ENABLED === 'true' && !await hasEntitlement('permission-syncing')) {
     logger.error('Permission syncing is not supported in current plan. Please contact team@sourcebot.dev for assistance.');
     process.exit(1);
 }
-else if (env.PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
+else if (env.PERMISSION_SYNC_ENABLED === 'true' && await hasEntitlement('permission-syncing')) {
     if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {
         repoPermissionSyncer.startScheduler();
     }

packages/backend/src/prisma.ts

@@ -0,0 +1,10 @@
+import { PrismaClient } from "@sourcebot/db";
+import { getDBConnectionString } from "@sourcebot/shared";
+
+export const prisma = new PrismaClient({
+    datasources: {
+        db: {
+            url: getDBConnectionString(),
+        },
+    },
+});

packages/backend/src/utils.ts

@@ -5,7 +5,7 @@ import { getTokenFromConfig } from "@sourcebot/shared";
 import * as Sentry from "@sentry/node";
 import { GithubConnectionConfig, GitlabConnectionConfig, GiteaConnectionConfig, BitbucketConnectionConfig, AzureDevOpsConnectionConfig } from '@sourcebot/schemas/v3/connection.type';
 import { GithubAppManager } from "./ee/githubAppManager.js";
-import { hasEntitlement } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
 import { StatusCodes } from "http-status-codes";
 import { isOctokitRequestError } from "./github.js";
 
@@ -116,7 +116,7 @@ export const fetchWithRetry = async <T>(
 // may technically cause syncing to fail if that connection's token just so happens to not have access to the repo it's referencing.
 export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logger?: Logger): Promise<RepoAuthCredentials | undefined> => {
     // If we have github apps configured we assume that we must use them for github service auth
-    if (repo.external_codeHostType === 'github' && hasEntitlement('github-app') && GithubAppManager.getInstance().appsConfigured()) {
+    if (repo.external_codeHostType === 'github' && await hasEntitlement('github-app') && GithubAppManager.getInstance().appsConfigured()) {
         logger?.debug(`Using GitHub App for service auth for repo ${repo.displayName} hosted at ${repo.external_codeHostUrl}`);
 
         const owner = repo.displayName?.split('/')[0];

packages/backend/vitest.config.ts

@@ -1,11 +1,15 @@
 import { defineConfig } from 'vitest/config';
+import path from 'path';
 
 export default defineConfig({
     test: {
         environment: 'node',
         watch: false,
         env: {
             DATA_CACHE_DIR: 'test-data'
-        }
+        },
+        alias: {
+            './prisma.js': path.resolve(__dirname, 'src/__mocks__/prisma.ts'),
+        },
     }
 });

packages/db/prisma/migrations/20260417011834_add_license_table/migration.sql

@@ -0,0 +1,20 @@
+-- CreateTable
+CREATE TABLE "License" (
+    "id" TEXT NOT NULL,
+    "orgId" INTEGER NOT NULL,
+    "activationCode" TEXT NOT NULL,
+    "entitlements" TEXT[],
+    "seats" INTEGER,
+    "status" TEXT,
+    "lastSyncAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "License_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "License_orgId_key" ON "License"("orgId");
+
+-- AddForeignKey
+ALTER TABLE "License" ADD CONSTRAINT "License_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

packages/db/prisma/migrations/20260417224042_remove_guest_org_role/migration.sql

@@ -0,0 +1,21 @@
+/*
+  Warnings:
+
+  - The values [GUEST] on the enum `OrgRole` will be removed. If these variants are still used in the database, this will fail.
+
+*/
+
+-- Remove the guest user and its membership (only holder of GUEST role)
+DELETE FROM "UserToOrg" WHERE "role" = 'GUEST';
+DELETE FROM "User" WHERE id = '1';
+
+-- AlterEnum
+BEGIN;
+CREATE TYPE "OrgRole_new" AS ENUM ('OWNER', 'MEMBER');
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" DROP DEFAULT;
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" TYPE "OrgRole_new" USING ("role"::text::"OrgRole_new");
+ALTER TYPE "OrgRole" RENAME TO "OrgRole_old";
+ALTER TYPE "OrgRole_new" RENAME TO "OrgRole";
+DROP TYPE "OrgRole_old";
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" SET DEFAULT 'MEMBER';
+COMMIT;

packages/db/prisma/migrations/20260418213423_add_billing_details_to_license/migration.sql

@@ -0,0 +1,8 @@
+-- AlterTable
+ALTER TABLE "License" ADD COLUMN     "currency" TEXT,
+ADD COLUMN     "interval" TEXT,
+ADD COLUMN     "intervalCount" INTEGER,
+ADD COLUMN     "nextRenewalAmount" INTEGER,
+ADD COLUMN     "nextRenewalAt" TIMESTAMP(3),
+ADD COLUMN     "planName" TEXT,
+ADD COLUMN     "unitAmount" INTEGER;

packages/db/prisma/migrations/20260421184633_add_cancel_at_to_license/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "License" ADD COLUMN     "cancelAt" TIMESTAMP(3);

packages/db/prisma/migrations/20260422203048_add_trial_fields/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "License" ADD COLUMN     "trialEnd" TIMESTAMP(3);
+
+-- AlterTable
+ALTER TABLE "Org" ADD COLUMN     "trialUsedAt" TIMESTAMP(3);

packages/db/prisma/migrations/20260422204809_add_has_payment_method/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "License" ADD COLUMN     "hasPaymentMethod" BOOLEAN;