
chore: remove deprecated env-var identity provider configuration #1297

Merged: brendan-kellam merged 7 commits into main from bkellam/remove-deprecated-sso-env-vars, Jun 10, 2026


@brendan-kellam brendan-kellam commented Jun 10, 2026


Summary

Removes support for configuring identity providers via the deprecated AUTH_EE_* environment variables for GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID. These providers must now be configured through the identityProviders section of the config file, which is already a complete replacement (every one of these providers is supported there).

GCP IAP is intentionally unaffected: AUTH_EE_GCP_IAP_ENABLED and AUTH_EE_GCP_IAP_AUDIENCE remain supported (they're also read in layout.tsx / onboard/page.tsx to drive the IAP bridge sign-in). AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING is also untouched (it's a behavioral flag, not a provider credential).

Changes

  • packages/web/src/ee/features/sso/sso.ts — removed the deprecated env-var provider blocks from the identityProviders.length == 0 path (kept GCP IAP).
  • packages/backend/src/ee/tokenRefresh.ts — removed getDeprecatedEnvCredentials and its fallback in refreshOAuthToken; token refresh now relies solely on config-file provider credentials.
  • packages/shared/src/env.server.ts — removed the deprecated AUTH_EE_{GITHUB,GITLAB,GOOGLE,OKTA,KEYCLOAK,MICROSOFT_ENTRA_ID}_* env var declarations.

Breaking change

Deployments configuring any of the six providers via AUTH_EE_* environment variables must migrate to the identityProviders config-file section. No functionality is lost — only the configuration mechanism changes.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Breaking Changes

    • Removed support for configuring GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID via deprecated AUTH_EE_* environment variables. These providers must be configured in the config file’s identityProviders section; providers still configured only via env vars will stop appearing on the login screen. GCP IAP env vars remain supported.
  • Documentation

    • Upgrade guide updated with migration steps, examples, and a GitHub config example.
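
As an added example (not part of the PR or the Sourcebot code base), a pre-upgrade check an operator could run against a deployment's environment to list the variables this change stops reading. It matches on the provider prefixes named in the PR description; the function names and sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the AUTH_EE_* removal in this PR.
# Input: KEY=VALUE lines on stdin (`env` output or a .env file).
# Output: variable NAMES only, never values (they hold OAuth client secrets).

# Provider prefixes whose env vars were removed (list from the PR description).
REMOVED_PREFIXES='GITHUB GITLAB GOOGLE OKTA KEYCLOAK MICROSOFT_ENTRA_ID'

# Prints "<PROVIDER> <VARIABLE_NAME>" for every removed variable that is set.
find_removed_idp_vars() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }              # tolerate "export KEY=..." lines
        case $line in
            '#'*) continue ;;             # commented-out settings are not live
            *=*) name=${line%%=*} ;;
            *) continue ;;
        esac
        for p in $REMOVED_PREFIXES; do
            case $name in
                "AUTH_EE_${p}_"?*) printf '%s %s\n' "$p" "$name" ;;
            esac
        done
    done
    return 0
}

# Deploy gate: status 0 if nothing needs migrating, 1 plus a summary otherwise.
audit_idp_env() {
    found=$(find_removed_idp_vars)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" |
        awk '{ n[$1]++ } END { for (p in n) print p ": " n[p] " variable(s) to migrate" }' | sort
    return 1
}

# Constructed sample environment (placeholder values, not from the PR).
sample_env() {
    cat <<'EOF'
AUTH_EE_GITHUB_CLIENT_ID=example-id
AUTH_EE_GITHUB_CLIENT_SECRET=example-secret
export AUTH_EE_OKTA_CLIENT_ID=example-id
AUTH_EE_GCP_IAP_ENABLED=true
AUTH_EE_GCP_IAP_AUDIENCE=example-audience
AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING=true
# AUTH_EE_GITLAB_CLIENT_ID=commented-out
EOF
}

sample_env | audit_idp_env || echo 'migrate these providers before upgrading'
```

Against a live deployment, pipe `env` (or the deployment's .env file) into `audit_idp_env` and fail the rollout on a non-zero status.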

Removes support for configuring GitHub, GitLab, Google, Okta, Keycloak, and
Microsoft Entra ID identity providers via the deprecated AUTH_EE_*_CLIENT_ID/
SECRET/etc. environment variables. These providers must now be defined through
the identityProviders section of the config file. GCP IAP env vars
(AUTH_EE_GCP_IAP_ENABLED / AUTH_EE_GCP_IAP_AUDIENCE) are unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Jun 10, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5a150cfa-3476-4776-a4c7-88ca95465523

📥 Commits

Reviewing files that changed from the base of the PR and between 89dbcd5 and 0cc3bb8.

📒 Files selected for processing (1)
  • CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • CHANGELOG.md

Walkthrough

This PR removes deprecated AUTH_EE_* identity-provider environment variables from the server schema, removes env-var fallback from token refresh and SSO initialization, and adds a breaking-change note and upgrade guidance directing users to the config file identityProviders section.

Changes

Remove deprecated OAuth environment variable fallback

| Layer / File(s) | Summary |
| --- | --- |
| Environment schema removal / packages/shared/src/env.server.ts | The deprecated AUTH_EE_* identity provider environment variable block is removed from the server schema, eliminating all legacy OAuth provider credential definitions for GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID. |
| Token refresh and SSO cleanup / packages/backend/src/ee/tokenRefresh.ts, packages/web/src/ee/features/sso/sso.ts | The getDeprecatedEnvCredentials helper is removed and refreshOAuthToken now logs an error and returns null instead of falling back to deprecated env vars when no provider config exists; SSO initialization no longer constructs providers from env.AUTH_EE_* variables when config providers are empty. |
| Changelog and upgrade guide updates / CHANGELOG.md, docs/docs/upgrade/v4-to-v5-guide.mdx | A breaking-change note documents the removal of AUTH_EE_* environment variable support and the upgrade guide adds migration steps and examples to move provider configuration into the config file identityProviders array. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#841: Directly modifies the token refresh back-compat flow by adding the deprecated AUTH_EE_* env-variable fallback that this PR removes.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: removal of deprecated environment variable-based identity provider configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


brendan-kellam and others added 3 commits June 9, 2026 20:49
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/backend/src/ee/tokenRefresh.ts (1)

52-62: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update docstring to remove outdated reference to deprecated env vars.

Line 57 still mentions that token refresh attempts use "client credentials from the config file (or deprecated env vars)." Since this PR removes the deprecated env-var fallback, the docstring should be updated.

📝 Proposed fix
 /**
  * Ensures the OAuth access token for a given account is fresh.
  *
  * - If the token is not expired (or has no expiry), decrypts and returns it as-is.
  * - If the token is expired or near expiry, attempts a refresh using the OAuth
- *   client credentials from the config file (or deprecated env vars).
+ *   client credentials from the config file.
  * - On successful refresh: persists the new tokens to the DB, clears any
  *   tokenRefreshErrorMessage, and returns the fresh access token.
  * - On failure: sets tokenRefreshErrorMessage on the account and throws, so
  *   the calling job fails with a clear error.
  */
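Review bot: the reworded bullet (`client credentials from the config file.`) still leaves the no-config case undocumented. The "On failure" bullet says the function sets tokenRefreshErrorMessage and throws, but nothing in the docstring says whether a provider missing from the config file counts as such a failure, which is the case un-migrated deployments reach now that the fallback is gone. Suggest adding a bullet that states the behaviour when no config-file entry exists for the account's provider.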
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/ee/tokenRefresh.ts` around lines 52 - 62, Update the top
docstring in tokenRefresh.ts to remove the outdated mention of deprecated env
vars: change the line that currently reads that refresh attempts use "client
credentials from the config file (or deprecated env vars)" to state they use
OAuth client credentials from the config file only; ensure any other bullets in
the same comment no longer reference deprecated env vars so the docstring
accurately reflects the removed fallback.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/backend/src/ee/tokenRefresh.ts`:
- Around line 52-62: Update the top docstring in tokenRefresh.ts to remove the
outdated mention of deprecated env vars: change the line that currently reads
that refresh attempts use "client credentials from the config file (or
deprecated env vars)" to state they use OAuth client credentials from the config
file only; ensure any other bullets in the same comment no longer reference
deprecated env vars so the docstring accurately reflects the removed fallback.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 14ff19a4-9283-4e79-9b87-a8c834bd0b71

📥 Commits

Reviewing files that changed from the base of the PR and between cfab0cf and 014d1b4.

📒 Files selected for processing (4)
  • CHANGELOG.md
  • packages/backend/src/ee/tokenRefresh.ts
  • packages/shared/src/env.server.ts
  • packages/web/src/ee/features/sso/sso.ts
💤 Files with no reviewable changes (2)
  • packages/web/src/ee/features/sso/sso.ts
  • packages/shared/src/env.server.ts

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
docs/docs/upgrade/v4-to-v5-guide.mdx (1)

186-186: ⚡ Quick win

Break this paragraph into shorter chunks.

This paragraph contains 5 sentences. As per coding guidelines, documentation should prefer short paragraphs (1-3 sentences) to improve readability. Consider breaking this into 2-3 shorter paragraphs to align with the guideline.

♻️ Suggested restructuring
-In v4, you could configure these identity providers using `AUTH_EE_*` environment variables (for example `AUTH_EE_GITHUB_CLIENT_ID`). Those variables were deprecated in favor of the [`identityProviders`](/docs/configuration/idp) section of the config file. Starting in v5.0.2, the environment variable path has been removed. Sourcebot no longer reads these variables, and any provider configured only through them will stop appearing on the login screen. This also applies if you are upgrading from an earlier v5 release (v5.0.0 or v5.0.1), where these variables were still supported.
+In v4, you could configure these identity providers using `AUTH_EE_*` environment variables (for example `AUTH_EE_GITHUB_CLIENT_ID`). Those variables were deprecated in favor of the [`identityProviders`](/docs/configuration/idp) section of the config file.
+
+Starting in v5.0.2, the environment variable path has been removed. Sourcebot no longer reads these variables, and any provider configured only through them will stop appearing on the login screen.
+
+This also applies if you are upgrading from an earlier v5 release (v5.0.0 or v5.0.1), where these variables were still supported.
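Review bot: the second paragraph of the split (the `Starting in v5.0.2` line) names only the login-screen symptom. The PR description states that token refresh also loses the env-var fallback and now relies solely on config-file provider credentials, so the guide should add a sentence saying that token refresh for these providers no longer reads the variables either.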
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/docs/upgrade/v4-to-v5-guide.mdx` at line 186, The paragraph about
deprecation of AUTH_EE_* env vars should be split into two or three shorter
paragraphs to improve readability: first, state that AUTH_EE_* (e.g.,
AUTH_EE_GITHUB_CLIENT_ID) were deprecated in favor of the identityProviders
config section; second, explain that starting in v5.0.2 the env var path was
removed and Sourcebot no longer reads those vars; and optionally add a third
short sentence noting that upgrades from v5.0.0 or v5.0.1 are affected if
providers were only configured via those env vars. Keep each paragraph to 1–3
sentences and preserve the references to AUTH_EE_*, identityProviders, and
v5.0.2.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/docs/upgrade/v4-to-v5-guide.mdx`:
- Line 186: The paragraph about deprecation of AUTH_EE_* env vars should be
split into two or three shorter paragraphs to improve readability: first, state
that AUTH_EE_* (e.g., AUTH_EE_GITHUB_CLIENT_ID) were deprecated in favor of the
identityProviders config section; second, explain that starting in v5.0.2 the
env var path was removed and Sourcebot no longer reads those vars; and
optionally add a third short sentence noting that upgrades from v5.0.0 or v5.0.1
are affected if providers were only configured via those env vars. Keep each
paragraph to 1–3 sentences and preserve the references to AUTH_EE_*,
identityProviders, and v5.0.2.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9a29743a-acff-4895-ab84-3f55dfe2cb34

📥 Commits

Reviewing files that changed from the base of the PR and between 014d1b4 and 89dbcd5.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • docs/docs/upgrade/v4-to-v5-guide.mdx
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md

@brendan-kellam brendan-kellam merged commit d2843aa into main Jun 10, 2026
9 of 10 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/remove-deprecated-sso-env-vars branch June 10, 2026 16:25