feat(web): Ask share links (#888)

Author: brendan-kellam

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added chat duplication to create copies of existing chats. [#888](https://github.com/sourcebot-dev/sourcebot/pull/888)
+- Added Open Graph metadata and image generation for shared chat links. [#888](https://github.com/sourcebot-dev/sourcebot/pull/888)
+- [EE] Added chat sharing with specific users, allowing chat owners to invite org members to view private chats. [#888](https://github.com/sourcebot-dev/sourcebot/pull/888)
+
+### Changed
+- Changed chat permissions model from read-only flag to ownership-based access control. [#888](https://github.com/sourcebot-dev/sourcebot/pull/888)
+- Improved anonymous chat experience: anonymous users can now create chats and claim them upon signing in. [#888](https://github.com/sourcebot-dev/sourcebot/pull/888)
+
 ### Fixed
 - Fixed issue where local repos with URL-encoded spaces in remote URLs would fail to load tree preview and index correctly. [#899](https://github.com/sourcebot-dev/sourcebot/pull/899)
 

CLAUDE.md

@@ -18,6 +18,26 @@ To build a specific package:
 yarn workspace @sourcebot/<package-name> build
 ```
 
+## File Naming
+
+Files should use camelCase starting with a lowercase letter:
+
+```
+// Correct
+shareChatPopover.tsx
+userAvatar.tsx
+apiClient.ts
+
+// Incorrect
+ShareChatPopover.tsx
+UserAvatar.tsx
+share-chat-popover.tsx
+```
+
+Exceptions:
+- Special files like `README.md`, `CHANGELOG.md`, `LICENSE`
+- Next.js conventions: `page.tsx`, `layout.tsx`, `loading.tsx`, etc.
+
 ## Tailwind CSS
 
 Use Tailwind color classes directly instead of CSS variable syntax:
@@ -30,6 +50,138 @@ className="border-border bg-card text-foreground text-muted-foreground bg-muted
 className="border-[var(--border)] bg-[var(--card)] text-[var(--foreground)]"
 ```
 
+## API Route Handlers
+
+Route handlers should validate inputs using Zod schemas.
+
+**Query parameters** (GET requests):
+
+```ts
+import { queryParamsSchemaValidationError, serviceErrorResponse } from "@/lib/serviceError";
+import { z } from "zod";
+
+const myQueryParamsSchema = z.object({
+    q: z.string().default(''),
+    page: z.coerce.number().int().positive().default(1),
+});
+
+export const GET = apiHandler(async (request: NextRequest) => {
+    const rawParams = Object.fromEntries(
+        Object.keys(myQueryParamsSchema.shape).map(key => [
+            key,
+            request.nextUrl.searchParams.get(key) ?? undefined
+        ])
+    );
+    const parsed = myQueryParamsSchema.safeParse(rawParams);
+
+    if (!parsed.success) {
+        return serviceErrorResponse(
+            queryParamsSchemaValidationError(parsed.error)
+        );
+    }
+
+    const { q, page } = parsed.data;
+    // ... rest of handler
+});
+```
+
+**Request body** (POST/PUT/PATCH requests):
+
+```ts
+import { requestBodySchemaValidationError, serviceErrorResponse } from "@/lib/serviceError";
+import { z } from "zod";
+
+const myRequestBodySchema = z.object({
+    name: z.string(),
+    count: z.number().optional(),
+});
+
+export const POST = apiHandler(async (request: NextRequest) => {
+    const body = await request.json();
+    const parsed = myRequestBodySchema.safeParse(body);
+
+    if (!parsed.success) {
+        return serviceErrorResponse(
+            requestBodySchemaValidationError(parsed.error)
+        );
+    }
+
+    const { name, count } = parsed.data;
+    // ... rest of handler
+});
+```
+
+## Data Fetching
+
+For GET requests, prefer using API routes with react-query over server actions. This provides caching benefits and better control over data refetching.
+
+```tsx
+// Preferred: API route + react-query
+import { useQuery } from "@tanstack/react-query";
+
+const { data, isLoading } = useQuery({
+    queryKey: ["items", id],
+    queryFn: () => fetch(`/api/items/${id}`).then(res => res.json()),
+});
+```
+
+Server actions should be used for mutations (POST/PUT/DELETE operations), not for data fetching.
+
+## Authentication
+
+Use `withAuthV2` or `withOptionalAuthV2` from `@/withAuthV2` to protect server actions and API routes.
+
+- **`withAuthV2`** - Requires authentication. Returns `notAuthenticated()` if user is not logged in.
+- **`withOptionalAuthV2`** - Allows anonymous access if the org has anonymous access enabled. `user` may be `undefined`.
+- **`withMinimumOrgRole`** - Wrap inside auth context to require a minimum role (e.g., `OrgRole.OWNER`).
+
+**Important:** Always use the `prisma` instance provided by the auth context. This instance has `userScopedPrismaClientExtension` applied, which enforces repository visibility rules (e.g., filtering repos based on user permissions). Do NOT import `prisma` directly from `@/prisma` in actions or routes that return data to the client.
+
+**Server actions** - Wrap with `sew()` for error handling:
+
+```ts
+'use server';
+
+import { sew } from "@/actions";
+import { withAuthV2 } from "@/withAuthV2";
+
+export const myProtectedAction = async ({ id }: { id: string }) => sew(() =>
+    withAuthV2(async ({ org, user, prisma }) => {
+        // user is guaranteed to be defined
+        // prisma is scoped to the user
+        return { success: true };
+    })
+);
+
+export const myPublicAction = async ({ id }: { id: string }) => sew(() =>
+    withOptionalAuthV2(async ({ org, user, prisma }) => {
+        // user may be undefined for anonymous access
+        return { success: true };
+    })
+);
+```
+
+**API routes** - Check `isServiceError` and return `serviceErrorResponse`:
+
+```ts
+import { serviceErrorResponse } from "@/lib/serviceError";
+import { isServiceError } from "@/lib/utils";
+import { withAuthV2 } from "@/withAuthV2";
+
+export const GET = apiHandler(async (request: NextRequest) => {
+    const result = await withAuthV2(async ({ org, user, prisma }) => {
+        // ... your logic
+        return data;
+    });
+
+    if (isServiceError(result)) {
+        return serviceErrorResponse(result);
+    }
+
+    return Response.json(result);
+});
+```
+
 ## Branches and Pull Requests
 
 When creating a branch or opening a PR, ask the user for:

docs/docs.json

@@ -46,6 +46,7 @@
                                 "group": "Ask Sourcebot",
                                 "pages": [
                                     "docs/features/ask/overview",
+                                    "docs/features/ask/chat-sharing",
                                     "docs/features/ask/add-model-providers"
                                 ]
                             },

docs/docs/configuration/auth/faq.mdx

@@ -30,7 +30,7 @@ This page covers a range of frequently asked questions about Sourcebot's built-i
     Sourcebot supports connecting your identity proxy directly into the built-in auth system using an IAP bridge. This allows Sourcebot to
     register and authenticate automatically on a successful identity proxy log in.
 
-    Sourcebot currently supports [GCP IAP](/docs/configuration/auth/providers#gcp-iap). If you're using a different IAP
+    Sourcebot currently supports [GCP IAP](/docs/configuration/idp). If you're using a different IAP
     and require support, please [reach out](https://www.sourcebot.dev/contact)
 </Accordion>
 

docs/docs/configuration/transactional-emails.mdx

@@ -7,7 +7,7 @@ To enable transactional emails in your deployment, set the following environment
 
 - Send emails when new members are invited
 - Send emails when organization join requests are created/accepted
-- Log into the Sourcebot deployment using [email codes](/docs/configuration/auth/overview#email-codes)
+- Log into the Sourcebot deployment using [email codes](/docs/configuration/auth/providers#email-codes)
 
 | Variable | Description |
 | :------- | :---------- |

docs/docs/connections/generic-git-host.mdx

@@ -5,7 +5,7 @@ icon: git-alt
 
 import GenericGitHost from '/snippets/schemas/v3/genericGitHost.schema.mdx'
 
-Sourcebot can sync code from any Git host (by clone url). This is helpful when you want to search code that not in a [supported code host](/docs/connections/overview#supported-code-hosts).
+Sourcebot can sync code from any Git host (by clone url). This is helpful when you want to search code that not in a [supported code host](/docs/connections/overview#platform-connection-guides).
 
 If you're not familiar with Sourcebot [connections](/docs/connections/overview), please read that overview first.
 

docs/docs/features/ask/chat-sharing.mdx

@@ -0,0 +1,66 @@
+---
+title: Chat Sharing
+---
+
+Chat sharing allows you to share Ask Sourcebot conversations with others. Whether you want to share insights with your team or make a conversation publicly accessible, Sourcebot provides flexible sharing options.
+
+<Frame>
+  <img src="/images/chat-sharing-dialog.png" alt="Chat sharing dialog" />
+</Frame>
+
+## Visibility Options
+
+Every chat has a visibility setting that controls who can access it:
+
+<Frame>
+  <img src="/images/chat-visibility-dropdown.png" alt="Chat visibility dropdown" />
+</Frame>
+
+### Private (Default)
+- Only the chat owner can view the conversation
+- Other users cannot access the chat, even with the link
+- You can explicitly invite specific org members to view the chat (requires [Enterprise license](/docs/license-key))
+
+### Public
+- Anyone with the link can view the conversation
+- If [anonymous access](/docs/configuration/auth/access-settings) is enabled, no authentication is required to view
+- Useful for sharing insights with your team or creating reference documentation
+- Public chats can be duplicated by others
+
+## Sharing with Specific Users
+
+<Note>Sharing with specific users requires an [Enterprise license](/docs/license-key).</Note>
+
+<Frame>
+  <img src="/images/chat-invite-users.png" alt="Invite users dialog" />
+</Frame>
+
+Chat owners can invite specific organization members to view their private chats:
+
+1. Open the chat you want to share
+2. Click the **Share** button in the top-right corner
+3. Search for users by name or email
+4. Select the users you want to invite
+5. Click **Invite** to grant them access
+
+Invited users will be able to:
+- View the full conversation
+- See all messages and code citations
+- Navigate through referenced code snippets
+
+Invited users **cannot**:
+- Edit or delete the chat
+- Send new messages
+- Invite other users
+
+### Removing Access
+
+<Frame>
+  <img src="/images/chat-remove-user.png" alt="Remove user from chat" />
+</Frame>
+
+To remove a user's access to your chat:
+
+1. Open the Share dialog
+2. Find the user in the "People with access" list
+3. Click the **X** button next to their name

docs/docs/license-key.mdx

@@ -33,7 +33,7 @@ docker run \
 | [Agents](/docs/features/agents/overview) | ✅ | ✅ |
 | [Login with credentials](/docs/configuration/auth/overview) | ✅ | ✅ |
 | [Login with email codes](/docs/configuration/auth/overview) | ✅ | ✅ |
-| [Login with SSO](/docs/configuration/auth/overview#enterprise-authentication-providers) | 🛑 | ✅ |
+| [Login with SSO](/docs/configuration/auth/providers#enterprise-authentication-providers) | 🛑 | ✅ |
 | [Permission syncing](/docs/features/permission-syncing) | 🛑 | ✅ |
 | [Code navigation](/docs/features/code-navigation) | 🛑 | ✅ |
 | [Search contexts](/docs/features/search/search-contexts) | 🛑 | ✅ |

docs/docs/overview.mdx

@@ -124,7 +124,7 @@ Connect your code from multiple code-host platforms and search across all of the
 
 ### Authentication
 
-Sourcebot comes with built-in support for authentication via [email/password](/docs/configuration/auth/overview#email-%2F-password), [email codes](/docs/configuration/auth/overview#email-codes), and various [SSO providers](/docs/configuration/auth/overview#enterprise-authentication-providers).
+Sourcebot comes with built-in support for authentication via [email/password](/docs/configuration/auth/providers#email-%2F-password), [email codes](/docs/configuration/auth/providers#email-codes), and various [SSO providers](/docs/configuration/auth/providers#enterprise-authentication-providers).
 
 <Accordion title="Key benefits">
 - **Configurable auth providers:** Configure the auth providers that are available to your team.

docs/docs/upgrade/v3-to-v4-guide.mdx

@@ -36,7 +36,7 @@ Please note that the following features are no longer supported in v4:
 
         ![Pending Approval Page](/images/pending_approval.png)
 
-        The owner can view and approve join requests by navigating to **Settings -> Members**. Automatic provisioning of accounts is supported when using SSO/Oauth providers, check out the [auth docs](/docs/configuration/auth/overview#enterprise-authentication-providers) for more info
+        The owner can view and approve join requests by navigating to **Settings -> Members**. Automatic provisioning of accounts is supported when using SSO/Oauth providers, check out the [auth docs](/docs/configuration/auth/providers#enterprise-authentication-providers) for more info
 
     </Step>
     <Step title="You're done!">