Merge branch 'main' into v5

Author: brendan-kellam

.github/workflows/vulnerability-triage.yml

@@ -546,8 +546,8 @@ jobs:
           STRUCTURED_OUTPUT: ${{ steps.claude.outputs.structured_output }}
           REPOSITORY: ${{ github.repository }}
         run: |
-          # Look up the "CVE" label ID and "Triage" state ID for the team
-          METADATA_QUERY='query($teamId: String!) { team(id: $teamId) { id labels(filter: { name: { eq: "CVE" } }) { nodes { id } } states(filter: { name: { eq: "Triage" } }) { nodes { id } } } }'
+          # Look up the "CVE" label ID, "Triage" state ID, and the API key owner's user ID
+          METADATA_QUERY='query($teamId: String!) { team(id: $teamId) { id labels(filter: { name: { eq: "CVE" } }) { nodes { id } } states(filter: { name: { eq: "Triage" } }) { nodes { id } } } viewer { id } }'
           METADATA_PAYLOAD=$(jq -n --arg query "$METADATA_QUERY" --arg teamId "$LINEAR_TEAM_ID" \
             '{query: $query, variables: {teamId: $teamId}}')
           METADATA_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
@@ -559,6 +559,7 @@ jobs:
           TEAM_UUID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.id // empty')
           LABEL_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.labels.nodes[0].id // empty')
           STATE_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.states.nodes[0].id // empty')
+          VIEWER_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.viewer.id // empty')
 
           if [ -z "$TEAM_UUID" ]; then
             echo "::error::Could not resolve team UUID from LINEAR_TEAM_ID. Check the secret value."
@@ -571,6 +572,9 @@ jobs:
           if [ -z "$STATE_ID" ]; then
             echo "::warning::Could not find 'Triage' state in Linear team. Using default state."
           fi
+          if [ -z "$VIEWER_ID" ]; then
+            echo "::warning::Could not resolve Linear API key owner. Issues will be created unassigned."
+          fi
 
           # Map severity to Linear priority
           severity_to_priority() {
@@ -594,7 +598,7 @@ jobs:
           # Write CVEs to temp file so the while loop doesn't run in a pipe subshell
           echo "$STRUCTURED_OUTPUT" | jq -c '.cves[]' > /tmp/cves.jsonl
 
-          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String, $priority: Int, $labelIds: [String!], $stateId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId }) { success issue { id identifier url } } }'
+          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String, $priority: Int, $labelIds: [String!], $stateId: String, $assigneeId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId, assigneeId: $assigneeId }) { success issue { id identifier url } } }'
 
           while IFS= read -r cve; do
             CVE_ID=$(echo "$cve" | jq -r '.cveId')
@@ -624,11 +628,14 @@ jobs:
                 continue
               fi
 
-              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!) { issueUpdate(id: $issueId, input: { stateId: $stateId }) { success issue { id identifier url } } }'
+              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!, $assigneeId: String) { issueUpdate(id: $issueId, input: { stateId: $stateId, assigneeId: $assigneeId }) { success issue { id identifier url } } }'
               REOPEN_VARIABLES=$(jq -n \
                 --arg issueId "$LINEAR_ISSUE_ID" \
                 --arg stateId "$STATE_ID" \
                 '{issueId: $issueId, stateId: $stateId}')
+              if [ -n "$VIEWER_ID" ]; then
+                REOPEN_VARIABLES=$(echo "$REOPEN_VARIABLES" | jq --arg aid "$VIEWER_ID" '. + {assigneeId: $aid}')
+              fi
               REOPEN_PAYLOAD=$(jq -n --arg query "$REOPEN_MUTATION" --argjson vars "$REOPEN_VARIABLES" '{query: $query, variables: $vars}')
 
               REOPEN_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
@@ -669,6 +676,9 @@ jobs:
             if [ -n "$STATE_ID" ]; then
               VARIABLES=$(echo "$VARIABLES" | jq --arg sid "$STATE_ID" '. + {stateId: $sid}')
             fi
+            if [ -n "$VIEWER_ID" ]; then
+              VARIABLES=$(echo "$VARIABLES" | jq --arg aid "$VIEWER_ID" '. + {assigneeId: $aid}')
+            fi
 
             PAYLOAD=$(jq -n --arg query "$MUTATION" --argjson vars "$VARIABLES" '{query: $query, variables: $vars}')
 

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
+- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
+
+## [4.17.2] - 2026-05-16
+
 ### Added
 - Added warning message that fires on startup when host environment contains env vars that simple-git flags as unsafe. [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
 - Added a loading skeleton to the latest commit info bar in the code browser. [#1195](https://github.com/sourcebot-dev/sourcebot/pull/1195)
@@ -20,13 +26,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 - Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
 - Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
+- Fixed file citations from the `get_diff` tool not being reliably citable in chat answers. [#1205](https://github.com/sourcebot-dev/sourcebot/pull/1205)
+- Upgraded `next` to `^16.2.6` to address CVE-2026-45109. [#1203](https://github.com/sourcebot-dev/sourcebot/pull/1203)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
 - [EE] Switched symbol hover detection to use Lezer highlight tags, broadening identifier coverage. [#1194](https://github.com/sourcebot-dev/sourcebot/pull/1194)
 - Improved git history and blame performance on large repositories. [#1198](https://github.com/sourcebot-dev/sourcebot/pull/1198)
-- Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
-- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
+- Upgraded `react-email` to `^6.1.4`. [#1206](https://github.com/sourcebot-dev/sourcebot/pull/1206)
+- Upgraded `@posthog/ai` to `^7.18.7`. [#1207](https://github.com/sourcebot-dev/sourcebot/pull/1207)
 
 ## [4.17.1] - 2026-05-04
 

CLAUDE.md

@@ -278,9 +278,7 @@ When fixing a CVE in a transitive dependency, prefer a real top-level upgrade ov
 2. **Check whether the existing ranges already allow a patched version.** Often the lockfile is just stale: every `^x.y.z` range in the chain still admits the patched version, but `yarn.lock` was written before that version existed. In that case, refresh the lockfile entry — no `package.json` change, no `resolutions` override:
 
    ```bash
-   yarn up <intermediate-or-vulnerable-pkg>
-   # or, to refresh many at once:
-   yarn dedupe
+   yarn up -R <vulnerable-pkg>
    ```
 
    This is the lightest-weight fix: it doesn't force a version, it just bumps the lock to the latest version that satisfies the constraints already in the tree. Verify with `yarn why <vulnerable-package>` afterward — if every instance is now patched, you're done.

docs/api-reference/sourcebot-public.openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v4.17.1",
+    "version": "v4.17.2",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing. Authentication is instance-dependent: API keys are the standard integration mechanism, OAuth bearer tokens are EE-only, and some instances may allow anonymous access."
   },
   "tags": [

package.json

@@ -30,6 +30,7 @@
     },
     "packageManager": "yarn@4.7.0",
     "resolutions": {
+        "@protobufjs/inquire": "1.1.0",
         "prettier": "3.5.3",
         "@lezer/common": "1.3.0",
         "qs": "^6.14.2",
@@ -42,17 +43,15 @@
         "path-to-regexp@0.1.12": "0.1.13",
         "path-to-regexp@^8": "^8.4.0",
         "picomatch@^4": "^4.0.4",
-        "esbuild": "^0.27.3",
+        "esbuild": "^0.28.0",
         "js-yaml@npm:^4.1.0": "^4.1.1",
         "ajv@npm:^8.0.0": "^8.18.0",
         "ajv@npm:^8.17.1": "^8.18.0",
         "brace-expansion@npm:^2.0.2": "^2.0.3",
         "brace-expansion@npm:^5.0.2": "^5.0.5",
         "brace-expansion@npm:^1.1.7": "^1.1.13",
-        "@react-email/preview-server/next": "^16.2.3",
         "@modelcontextprotocol/sdk/hono": "^4.12.18",
         "@modelcontextprotocol/sdk/@hono/node-server": "^1.19.13",
-        "langsmith@npm:>=0.5.0 <1.0.0": "^0.5.19",
         "markdown-it@npm:^14.1.0": "^14.1.1",
         "yaml@npm:^2.3.4": "^2.8.3",
         "yaml@npm:^2.8.0": "^2.8.3",

packages/shared/src/version.ts

@@ -1,2 +1,2 @@
 // This file is auto-generated by .github/workflows/release-sourcebot.yml
-export const SOURCEBOT_VERSION = "v4.17.1";
+export const SOURCEBOT_VERSION = "v4.17.2";

packages/web/package.json

@@ -67,7 +67,7 @@
     "@opentelemetry/api-logs": "^0.203.0",
     "@opentelemetry/instrumentation": "^0.203.0",
     "@opentelemetry/sdk-logs": "^0.203.0",
-    "@posthog/ai": "^7.15.0",
+    "@posthog/ai": "^7.18.7",
     "@radix-ui/react-accordion": "^1.2.11",
     "@radix-ui/react-alert-dialog": "^1.1.5",
     "@radix-ui/react-avatar": "^1.1.2",
@@ -90,8 +90,8 @@
     "@radix-ui/react-toggle": "^1.1.10",
     "@radix-ui/react-toggle-group": "^1.1.11",
     "@radix-ui/react-tooltip": "^1.2.8",
-    "@react-email/components": "^1.0.2",
-    "@react-email/render": "^2.0.0",
+    "@react-email/components": "^1.0.12",
+    "@react-email/render": "^2.0.8",
     "@replit/codemirror-lang-csharp": "^6.2.0",
     "@replit/codemirror-lang-nix": "^6.0.1",
     "@replit/codemirror-lang-solidity": "^6.0.2",
@@ -157,7 +157,7 @@
     "lucide-react": "^1.7.0",
     "micromatch": "^4.0.8",
     "minidenticons": "^4.2.1",
-    "next": "^16.2.3",
+    "next": "^16.2.6",
     "next-auth": "^5.0.0-beta.30",
     "next-navigation-guard": "^0.2.0",
     "next-themes": "^0.3.0",
@@ -202,7 +202,7 @@
   "devDependencies": {
     "@asteasolutions/zod-to-openapi": "7.3.4",
     "@eslint/eslintrc": "^3",
-    "@react-email/preview-server": "5.2.10",
+    "@react-email/ui": "6.1.4",
     "@react-grab/mcp": "^0.1.23",
     "@tanstack/eslint-plugin-query": "^5.74.7",
     "@testing-library/dom": "^10.4.1",
@@ -226,7 +226,7 @@
     "npm-run-all": "^4.1.5",
     "postcss": "^8.5.10",
     "raw-loader": "^4.0.2",
-    "react-email": "^5.2.10",
+    "react-email": "^6.1.4",
     "react-grab": "^0.1.23",
     "react-scan": "^0.5.3",
     "tailwindcss": "^3.4.1",

packages/web/src/features/chat/components/chatThread/answerCard.tsx

@@ -18,12 +18,14 @@ import useCaptureEvent from "@/hooks/useCaptureEvent";
 import { LangfuseWeb } from "langfuse";
 import { env } from "@sourcebot/shared/client";
 import isEqual from "fast-deep-equal/react";
+import { FileSource } from "../../types";
 
 interface AnswerCardProps {
     answerText: string;
     messageId: string;
     chatId: string;
     traceId?: string;
+    sources: FileSource[];
 }
 
 const langfuseWeb = env.NEXT_PUBLIC_LANGFUSE_PUBLIC_KEY ? new LangfuseWeb({
@@ -36,6 +38,7 @@ const AnswerCardComponent = forwardRef<HTMLDivElement, AnswerCardProps>(({
     messageId,
     chatId,
     traceId,
+    sources,
 }, forwardedRef) => {
     const markdownRendererRef = useRef<HTMLDivElement>(null);
     // eslint-disable-next-line react-hooks/refs -- ref.current is passed to a custom hook, not used directly in render output
@@ -53,14 +56,14 @@ const AnswerCardComponent = forwardRef<HTMLDivElement, AnswerCardProps>(({
 
     const onCopyAnswer = useCallback(() => {
         const baseUrl = typeof window !== 'undefined' ? window.location.origin : '';
-        const markdownText = convertLLMOutputToPortableMarkdown(answerText, baseUrl);
+        const markdownText = convertLLMOutputToPortableMarkdown(answerText, baseUrl, sources);
         navigator.clipboard.writeText(markdownText);
         toast({
             description: "✅ Copied to clipboard",
         });
         captureEvent('wa_chat_copy_answer_pressed', { chatId });
         return true;
-    }, [answerText, chatId, captureEvent, toast]);
+    }, [answerText, sources, chatId, captureEvent, toast]);
 
     const onFeedback = useCallback(async (feedbackType: 'like' | 'dislike') => {
         setIsSubmittingFeedback(true);

packages/web/src/features/chat/components/chatThread/chatThreadListItem.tsx

@@ -371,6 +371,7 @@ const ChatThreadListItemComponent = forwardRef<HTMLDivElement, ChatThreadListIte
                                 chatId={chatId}
                                 messageId={assistantMessage.id}
                                 traceId={assistantMessage.metadata?.traceId}
+                                sources={referencedFileSources}
                             />
                         ) : !isStreaming && (
                             <p className="text-destructive">Error: No answer response was provided</p>

packages/web/src/features/chat/utils.ts

@@ -244,13 +244,23 @@ export const createFileReference = ({ repo, path, startLine, endLine }: { repo:
  * Markdown format. Practically, this means converting references into Markdown
  * links and removing the answer tag.
  */
-export const convertLLMOutputToPortableMarkdown = (text: string, baseUrl: string): string => {
+export const convertLLMOutputToPortableMarkdown = (text: string, baseUrl: string, sources: FileSource[]): string => {
     return text
         .replace(ANSWER_TAG, '')
         .replace(FILE_REFERENCE_REGEX, (_, repo, fileName, startLine, endLine) => {
-            const displayName = fileName.split('/').pop() || fileName;
+            const reference = createFileReference({
+                repo,
+                path: fileName,
+                startLine,
+                endLine
+            });
+
+            const source = tryResolveFileReference(reference, sources);
+            if (!source) {
+                return fileName;
+            }
 
-            let linkText = displayName;
+            let linkText = source.name;
             if (startLine) {
                 if (endLine && startLine !== endLine) {
                     linkText += `:${startLine}-${endLine}`;
@@ -268,6 +278,7 @@ export const convertLLMOutputToPortableMarkdown = (text: string, baseUrl: string
             // Construct full browse URL
             const browsePath = getBrowsePath({
                 repoName: repo,
+                revisionName: source.revision,
                 path: fileName,
                 pathType: 'blob',
                 highlightRange,