Merge remote-tracking branch 'origin/main' into msukkari/fix-bitbucket-cloud-change-2770

# Conflicts:
#	CHANGELOG.md

Author: msukkari

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Fixed issue where repo permissions could go stale when authentication or token refresh related errors occured. [#1215](https://github.com/sourcebot-dev/sourcebot/pull/1215)
+- [EE] Fixed issue where repo permissions could go stale when an upstream endpoint returned HTTP 410 Gone (e.g. Bitbucket Cloud's CHANGE-2770). [#1216](https://github.com/sourcebot-dev/sourcebot/pull/1216)
 - [EE] Fixed Bitbucket Cloud account-driven permission sync after Atlassian's CHANGE-2770 removed `GET /2.0/user/permissions/repositories`. [#1217](https://github.com/sourcebot-dev/sourcebot/pull/1217)
 
 ## [4.17.2] - 2026-05-16

packages/backend/src/bitbucket.ts

@@ -660,38 +660,12 @@ export const getExplicitUserPermissionsForCloudRepo = async (
  * Returns the UUIDs of all repositories accessible to the authenticated Bitbucket Cloud user.
  * Used for account-driven permission syncing.
  *
- * @note Atlassian's CHANGE-2770 removed `GET /2.0/user/permissions/repositories`
- * (the previous single-call cross-workspace endpoint) and has stated there is no
- * direct replacement. The recommended path is two-step: enumerate the workspaces
- * the user is a member of, then enumerate the repositories the user can see
- * within each workspace.
- *
- * `?role=member` returns repositories where the user has at least explicit read
- * access (including access inherited from workspace admin, project membership,
- * or group membership). Bitbucket treats workspace admins as having implicit
- * read on every repo in the workspace, so this query naturally returns the
- * admin's full set without needing a special case. Conversely, a user with no
- * grant on a given repo gets nothing back for it, even if the workspace is
- * shared — Bitbucket enforces the access filter server-side.
- *
- * Visibility (public vs. private) is intentionally not filtered server-side.
- * Sourcebot's read-side prisma extension already short-circuits public repos to
- * org-wide access, so an ACCOUNT_DRIVEN row on a public repo is harmless; but
- * not filtering means that during a public↔private visibility flip, the user
- * never has a window where they're missing an ACCOUNT_DRIVEN row for a repo
- * they can see upstream.
- *
- * @see https://developer.atlassian.com/cloud/bitbucket/changelog/#CHANGE-2770
  * @see https://developer.atlassian.com/cloud/bitbucket/rest/api-group-workspaces/#api-user-workspaces-get
  * @see https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-repositories-workspace-get
  */
 export const getReposForAuthenticatedBitbucketCloudUser = async (
     client: BitbucketClient,
 ): Promise<Array<{ uuid: string }>> => {
-    // The `/user/workspaces` path is not in the openapi-fetch typed surface
-    // (the package's bundled types still describe the deprecated paths under
-    // /user/permissions/*), so we cast to CloudGetRequestPath and narrow the
-    // response shape locally to just the fields we use.
     interface CloudUserWorkspaceAccess {
         readonly workspace?: { readonly slug?: string };
     }

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -17,7 +17,7 @@ import {
 import { createBitbucketCloudClient, createBitbucketServerClient, getReposForAuthenticatedBitbucketCloudUser, getReposForAuthenticatedBitbucketServerUser } from "../bitbucket.js";
 import { Settings } from "../types.js";
 import { setIntervalAsync } from "../utils.js";
-import { isUnauthorized, isForbidden } from "../errors.js";
+import { isUnauthorized, isForbidden, isGone } from "../errors.js";
 
 const LOG_TAG = 'user-permission-syncer';
 const logger = createLogger(LOG_TAG);
@@ -191,22 +191,23 @@ export class AccountPermissionSyncer {
         } catch (error) {
             // Fail-closed: when the code-host layer signals that the upstream
             // account is permanently unauthorized (token revoked, user
-            // deprovisioned, OAuth grant dead), clear the account's existing
-            // permission rows so the read-side filter stops matching through
-            // them.
-            if (
-                isUnauthorized(error) ||
-                isForbidden(error) ||
-                error instanceof RefreshTokenError
-            ) {
-                await this.db.account.update({
-                    where: { id: account.id },
-                    data: {
-                        accessibleRepos: {
-                            deleteMany: {},
-                        },
-                    },
+            // deprovisioned, OAuth grant dead) or that the endpoint we depend
+            // on is gone (e.g. Bitbucket Cloud's CHANGE-2770), clear the
+            // account's existing permission rows so the read-side filter stops
+            // matching through them.
+            const reason =
+                error instanceof RefreshTokenError ? 'token refresh failure' :
+                isUnauthorized(error) ? 'HTTP 401 Unauthorized' :
+                isForbidden(error) ? 'HTTP 403 Forbidden' :
+                isGone(error) ? 'HTTP 410 Gone' :
+                null;
+
+            if (reason !== null) {
+                const { count } = await this.db.accountToRepoPermission.deleteMany({
+                    where: { accountId: account.id },
                 });
+                const message = error instanceof Error ? error.message : String(error);
+                logger.warn(`Cleared ${count} permission row(s) for account ${account.id} (user ${account.user.email ?? 'unknown'}) — fail-closed cleanup triggered by ${reason}: ${message}`);
             }
             throw error;
         }

packages/backend/src/errors.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, test } from 'vitest';
 import { RequestError } from '@octokit/request-error';
 import { GitbeakerRequestError } from '@gitbeaker/requester-utils';
-import { isForbidden, isUnauthorized } from './errors';
+import { isForbidden, isGone, isUnauthorized } from './errors';
 import { throwOnHttpError } from './bitbucket';
 
 // Helper: invoke the openapi-fetch middleware against a synthetic Response and
@@ -148,6 +148,56 @@ describe('isForbidden', () => {
     });
 });
 
+describe('isGone', () => {
+    test('Octokit RequestError with status 410', () => {
+        const err = new RequestError('Gone', 410, {
+            request: { method: 'GET', url: 'https://api.github.com/user/repos', headers: {} },
+        });
+        expect(isGone(err)).toBe(true);
+    });
+
+    test('Octokit RequestError with status 401 is NOT gone', () => {
+        const err = new RequestError('Unauthorized', 401, {
+            request: { method: 'GET', url: 'https://api.github.com/user/repos', headers: {} },
+        });
+        expect(isGone(err)).toBe(false);
+    });
+
+    test('Bitbucket middleware throws an isGone error on 410 Response', async () => {
+        // Real-world case: Bitbucket Cloud's CHANGE-2770 removed
+        // /2.0/user/permissions/repositories and now returns 410 Gone.
+        const err = await invokeMiddleware(new Response('CHANGE-2770 - Functionality has been deprecated', { status: 410 }));
+        expect(err).toBeInstanceOf(Error);
+        expect(isGone(err)).toBe(true);
+    });
+
+    test('real GitbeakerRequestError with response status 410', () => {
+        const err = new GitbeakerRequestError('Gone', {
+            cause: {
+                description: 'Gone',
+                request: new Request('https://gitlab.com/api/v4/projects'),
+                response: new Response(null, { status: 410 }),
+            },
+        });
+        expect(isGone(err)).toBe(true);
+    });
+
+    test('plain Error without status is NOT gone', () => {
+        expect(isGone(new Error('Missing required scope'))).toBe(false);
+    });
+
+    test('null is NOT gone', () => {
+        expect(isGone(null)).toBe(false);
+    });
+
+    test('Octokit RequestError with status 500 is NOT gone', () => {
+        const err = new RequestError('Internal Server Error', 500, {
+            request: { method: 'GET', url: 'https://api.github.com/user/repos', headers: {} },
+        });
+        expect(isGone(err)).toBe(false);
+    });
+});
+
 describe('throwOnHttpError middleware contract', () => {
     test('does not throw on 2xx Response', async () => {
         const err = await invokeMiddleware(new Response('ok', { status: 200 }));

packages/backend/src/errors.ts

@@ -27,3 +27,4 @@ const getStatus = (err: unknown): number | null => {
 
 export const isUnauthorized = (err: unknown): boolean => getStatus(err) === 401;
 export const isForbidden = (err: unknown): boolean => getStatus(err) === 403;
+export const isGone = (err: unknown): boolean => getStatus(err) === 410;