lighthouse

.env.development

@@ -71,3 +71,5 @@ SOURCEBOT_TELEMETRY_DISABLED=true # Disables telemetry collection
 NODE_ENV=development
 
 DEBUG_WRITE_CHAT_MESSAGES_TO_FILE=true
+
+SOURCEBOT_LIGHTHOUSE_URL=http://localhost:3003

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
+- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
 
 ## [4.16.9] - 2026-04-15
 

docs/api-reference/sourcebot-public.openapi.json

@@ -1025,8 +1025,7 @@
             "type": "string",
             "enum": [
               "OWNER",
-              "MEMBER",
-              "GUEST"
+              "MEMBER"
             ]
           },
           "createdAt": {

packages/backend/src/__mocks__/prisma.ts

@@ -0,0 +1,7 @@
+import { vi } from 'vitest';
+
+export const prisma = {
+    license: {
+        findUnique: vi.fn().mockResolvedValue(null),
+    },
+};

packages/backend/src/api.ts

@@ -1,5 +1,6 @@
 import { PrismaClient, RepoIndexingJobType } from '@sourcebot/db';
-import { createLogger, env, hasEntitlement, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from '@sourcebot/shared';
+import { createLogger, env, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from '@sourcebot/shared';
+import { hasEntitlement } from './entitlements.js';
 import express, { Request, Response } from 'express';
 import 'express-async-errors';
 import * as http from "http";
@@ -100,7 +101,7 @@ export class Api {
     }
 
     private async triggerAccountPermissionSync(req: Request, res: Response) {
-        if (env.PERMISSION_SYNC_ENABLED !== 'true' || !hasEntitlement('permission-syncing')) {
+        if (env.PERMISSION_SYNC_ENABLED !== 'true' || !await hasEntitlement('permission-syncing')) {
             res.status(403).json({ error: 'Permission syncing is not enabled.' });
             return;
         }

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -1,6 +1,7 @@
 import * as Sentry from "@sentry/node";
 import { PrismaClient, AccountPermissionSyncJobStatus, Account, PermissionSyncSource} from "@sourcebot/db";
-import { env, hasEntitlement, createLogger, loadConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
+import { env, createLogger, loadConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { ensureFreshAccountToken } from "./tokenRefresh.js";
 import { Job, Queue, Worker } from "bullmq";
 import { Redis } from "ioredis";
@@ -50,8 +51,8 @@ export class AccountPermissionSyncer {
         this.worker.on('failed', this.onJobFailed.bind(this));
     }
 
-    public startScheduler() {
-        if (!hasEntitlement('permission-syncing')) {
+    public async startScheduler() {
+        if (!await hasEntitlement('permission-syncing')) {
             throw new Error('Permission syncing is not supported in current plan.');
         }
 

packages/backend/src/ee/repoPermissionSyncer.ts

@@ -1,7 +1,8 @@
 import * as Sentry from "@sentry/node";
 import { PermissionSyncSource, PrismaClient, Repo, RepoPermissionSyncJobStatus } from "@sourcebot/db";
 import { createLogger, PERMISSION_SYNC_SUPPORTED_CODE_HOST_TYPES } from "@sourcebot/shared";
-import { env, hasEntitlement } from "@sourcebot/shared";
+import { env } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { Job, Queue, Worker } from 'bullmq';
 import { Redis } from 'ioredis';
 import { createOctokitFromToken, getRepoCollaborators, GITHUB_CLOUD_HOSTNAME } from "../github.js";
@@ -44,8 +45,8 @@ export class RepoPermissionSyncer {
         this.worker.on('failed', this.onJobFailed.bind(this));
     }
 
-    public startScheduler() {
-        if (!hasEntitlement('permission-syncing')) {
+    public async startScheduler() {
+        if (!await hasEntitlement('permission-syncing')) {
             throw new Error('Permission syncing is not supported in current plan.');
         }
 

packages/backend/src/ee/syncSearchContexts.test.ts

@@ -12,12 +12,15 @@ vi.mock('@sourcebot/shared', async (importOriginal) => {
             error: vi.fn(),
             debug: vi.fn(),
         })),
-        hasEntitlement: vi.fn(() => true),
-        getPlan: vi.fn(() => 'enterprise'),
         SOURCEBOT_SUPPORT_EMAIL: 'support@sourcebot.dev',
     };
 });
 
+vi.mock('../entitlements.js', () => ({
+    hasEntitlement: vi.fn(() => Promise.resolve(true)),
+    getPlan: vi.fn(() => Promise.resolve('enterprise')),
+}));
+
 import { syncSearchContexts } from './syncSearchContexts.js';
 
 // Helper to build a repo record with GitLab topics stored in metadata.

packages/backend/src/ee/syncSearchContexts.ts

@@ -1,7 +1,8 @@
 import micromatch from "micromatch";
 import { createLogger } from "@sourcebot/shared";
 import { PrismaClient } from "@sourcebot/db";
-import { getPlan, hasEntitlement, repoMetadataSchema, SOURCEBOT_SUPPORT_EMAIL } from "@sourcebot/shared";
+import { repoMetadataSchema, SOURCEBOT_SUPPORT_EMAIL } from "@sourcebot/shared";
+import { hasEntitlement } from "../entitlements.js";
 import { SearchContext } from "@sourcebot/schemas/v3/index.type";
 
 const logger = createLogger('sync-search-contexts');
@@ -15,10 +16,9 @@ interface SyncSearchContextsParams {
 export const syncSearchContexts = async (params: SyncSearchContextsParams) => {
     const { contexts, orgId, db } = params;
 
-    if (!hasEntitlement("search-contexts")) {
+    if (!await hasEntitlement("search-contexts")) {
         if (contexts) {
-            const plan = getPlan();
-            logger.warn(`Skipping search context sync. Reason: "Search contexts are not supported in your current plan: ${plan}. If you have a valid enterprise license key, pass it via SOURCEBOT_EE_LICENSE_KEY. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}."`);
+            logger.warn(`Skipping search context sync. Reason: "Search contexts are not supported in your current plan. If you have a valid enterprise license key, pass it via SOURCEBOT_EE_LICENSE_KEY. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}."`);
         }
         return false;
     }

packages/backend/src/entitlements.ts

@@ -0,0 +1,23 @@
+import {
+    Entitlement,
+    _hasEntitlement,
+    _getEntitlements,
+} from "@sourcebot/shared";
+import { prisma } from "./prisma.js";
+import { SINGLE_TENANT_ORG_ID } from "./constants.js";
+
+const getLicense = async () => {
+    return prisma.license.findUnique({
+        where: { orgId: SINGLE_TENANT_ORG_ID },
+    });
+}
+
+export const hasEntitlement = async (entitlement: Entitlement): Promise<boolean> => {
+    const license = await getLicense();
+    return _hasEntitlement(entitlement, license);
+}
+
+export const getEntitlements = async (): Promise<Entitlement[]> => {
+    const license = await getLicense();
+    return _getEntitlements(license);
+}

packages/backend/src/github.ts

@@ -4,7 +4,8 @@ import * as Sentry from "@sentry/node";
 import { getTokenFromConfig } from "@sourcebot/shared";
 import { createLogger } from "@sourcebot/shared";
 import { GithubConnectionConfig } from "@sourcebot/schemas/v3/github.type";
-import { env, hasEntitlement } from "@sourcebot/shared";
+import { env } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
 import micromatch from "micromatch";
 import pLimit from "p-limit";
 import { processPromiseResults, throwIfAnyFailed } from "./connectionUtils.js";
@@ -124,7 +125,7 @@ const getOctokitWithGithubApp = async (
     url: string | undefined,
     context: string
 ): Promise<Octokit> => {
-    if (!hasEntitlement('github-app') || !GithubAppManager.getInstance().appsConfigured()) {
+    if (!await hasEntitlement('github-app') || !GithubAppManager.getInstance().appsConfigured()) {
         return octokit;
     }
 

packages/backend/src/index.ts

@@ -1,8 +1,9 @@
 import "./instrument.js";
 
 import * as Sentry from "@sentry/node";
-import { PrismaClient } from "@sourcebot/db";
-import { createLogger, env, getConfigSettings, getDBConnectionString, hasEntitlement } from "@sourcebot/shared";
+import { createLogger, env, getConfigSettings } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
+import { prisma } from "./prisma.js";
 import 'express-async-errors';
 import { existsSync } from 'fs';
 import { mkdir } from 'fs/promises';
@@ -31,13 +32,6 @@ if (!existsSync(indexPath)) {
     await mkdir(indexPath, { recursive: true });
 }
 
-const prisma = new PrismaClient({
-    datasources: {
-        db: {
-            url: getDBConnectionString(),
-        },
-    },
-});
 
 try {
     await redis.ping();
@@ -51,7 +45,7 @@ const promClient = new PromClient();
 
 const settings = await getConfigSettings(env.CONFIG_PATH);
 
-if (hasEntitlement('github-app')) {
+if (await hasEntitlement('github-app')) {
     await GithubAppManager.getInstance().init(prisma);
 }
 
@@ -66,11 +60,11 @@ connectionManager.startScheduler();
 await repoIndexManager.startScheduler();
 auditLogPruner.startScheduler();
 
-if (env.PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('permission-syncing')) {
+if (env.PERMISSION_SYNC_ENABLED === 'true' && !await hasEntitlement('permission-syncing')) {
     logger.error('Permission syncing is not supported in current plan. Please contact team@sourcebot.dev for assistance.');
     process.exit(1);
 }
-else if (env.PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
+else if (env.PERMISSION_SYNC_ENABLED === 'true' && await hasEntitlement('permission-syncing')) {
     if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {
         repoPermissionSyncer.startScheduler();
     }

packages/backend/src/prisma.ts

@@ -0,0 +1,10 @@
+import { PrismaClient } from "@sourcebot/db";
+import { getDBConnectionString } from "@sourcebot/shared";
+
+export const prisma = new PrismaClient({
+    datasources: {
+        db: {
+            url: getDBConnectionString(),
+        },
+    },
+});

packages/backend/src/utils.ts

@@ -5,7 +5,7 @@ import { getTokenFromConfig } from "@sourcebot/shared";
 import * as Sentry from "@sentry/node";
 import { GithubConnectionConfig, GitlabConnectionConfig, GiteaConnectionConfig, BitbucketConnectionConfig, AzureDevOpsConnectionConfig } from '@sourcebot/schemas/v3/connection.type';
 import { GithubAppManager } from "./ee/githubAppManager.js";
-import { hasEntitlement } from "@sourcebot/shared";
+import { hasEntitlement } from "./entitlements.js";
 import { StatusCodes } from "http-status-codes";
 import { isOctokitRequestError } from "./github.js";
 
@@ -116,7 +116,7 @@ export const fetchWithRetry = async <T>(
 // may technically cause syncing to fail if that connection's token just so happens to not have access to the repo it's referencing.
 export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, logger?: Logger): Promise<RepoAuthCredentials | undefined> => {
     // If we have github apps configured we assume that we must use them for github service auth
-    if (repo.external_codeHostType === 'github' && hasEntitlement('github-app') && GithubAppManager.getInstance().appsConfigured()) {
+    if (repo.external_codeHostType === 'github' && await hasEntitlement('github-app') && GithubAppManager.getInstance().appsConfigured()) {
         logger?.debug(`Using GitHub App for service auth for repo ${repo.displayName} hosted at ${repo.external_codeHostUrl}`);
 
         const owner = repo.displayName?.split('/')[0];

packages/backend/vitest.config.ts

@@ -1,11 +1,15 @@
 import { defineConfig } from 'vitest/config';
+import path from 'path';
 
 export default defineConfig({
     test: {
         environment: 'node',
         watch: false,
         env: {
             DATA_CACHE_DIR: 'test-data'
-        }
+        },
+        alias: {
+            './prisma.js': path.resolve(__dirname, 'src/__mocks__/prisma.ts'),
+        },
     }
 });

packages/db/prisma/migrations/20260417011834_add_license_table/migration.sql

@@ -0,0 +1,20 @@
+-- CreateTable
+CREATE TABLE "License" (
+    "id" TEXT NOT NULL,
+    "orgId" INTEGER NOT NULL,
+    "activationCode" TEXT NOT NULL,
+    "entitlements" TEXT[],
+    "seats" INTEGER,
+    "status" TEXT,
+    "lastSyncAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "License_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "License_orgId_key" ON "License"("orgId");
+
+-- AddForeignKey
+ALTER TABLE "License" ADD CONSTRAINT "License_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

packages/db/prisma/migrations/20260417224042_remove_guest_org_role/migration.sql

@@ -0,0 +1,21 @@
+/*
+  Warnings:
+
+  - The values [GUEST] on the enum `OrgRole` will be removed. If these variants are still used in the database, this will fail.
+
+*/
+
+-- Remove the guest user and its membership (only holder of GUEST role)
+DELETE FROM "UserToOrg" WHERE "role" = 'GUEST';
+DELETE FROM "User" WHERE id = '1';
+
+-- AlterEnum
+BEGIN;
+CREATE TYPE "OrgRole_new" AS ENUM ('OWNER', 'MEMBER');
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" DROP DEFAULT;
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" TYPE "OrgRole_new" USING ("role"::text::"OrgRole_new");
+ALTER TYPE "OrgRole" RENAME TO "OrgRole_old";
+ALTER TYPE "OrgRole_new" RENAME TO "OrgRole";
+DROP TYPE "OrgRole_old";
+ALTER TABLE "UserToOrg" ALTER COLUMN "role" SET DEFAULT 'MEMBER';
+COMMIT;

packages/db/prisma/migrations/20260418213423_add_billing_details_to_license/migration.sql

@@ -0,0 +1,8 @@
+-- AlterTable
+ALTER TABLE "License" ADD COLUMN     "currency" TEXT,
+ADD COLUMN     "interval" TEXT,
+ADD COLUMN     "intervalCount" INTEGER,
+ADD COLUMN     "nextRenewalAmount" INTEGER,
+ADD COLUMN     "nextRenewalAt" TIMESTAMP(3),
+ADD COLUMN     "planName" TEXT,
+ADD COLUMN     "unitAmount" INTEGER;

packages/db/prisma/schema.prisma

@@ -291,12 +291,33 @@ model Org {
   searchContexts SearchContext[]
 
   chats Chat[]
+
+  license License?
+}
+
+model License {
+  id                String      @id @default(cuid())
+  orgId             Int      @unique
+  org               Org      @relation(fields: [orgId], references: [id])
+  activationCode    String
+  entitlements      String[]
+  seats             Int?
+  status            String? /// See LicenseStatus in packages/shared/src/types.ts
+  planName          String?
+  unitAmount        Int?
+  currency          String?
+  interval          String?
+  intervalCount     Int?
+  nextRenewalAt     DateTime?
+  nextRenewalAmount Int?
+  lastSyncAt        DateTime?
+  createdAt         DateTime @default(now())
+  updatedAt         DateTime @updatedAt
 }
 
 enum OrgRole {
   OWNER
   MEMBER
-  GUEST
 }
 
 model UserToOrg {

packages/shared/src/constants.ts

@@ -12,8 +12,6 @@ export const API_KEY_PREFIX = 'sbk_';
 export const OAUTH_ACCESS_TOKEN_PREFIX = 'sboa_';
 export const OAUTH_REFRESH_TOKEN_PREFIX = 'sbor_';
 
-export const SOURCEBOT_UNLIMITED_SEATS = -1;
-
 /**
  * Default settings.
  */