I see why we alias (I think that's the correct terminology?) to add the additional methods, but I wonder if we could just implement those on the codersdk type? Or would that then be a dependency issue? It would just be nice to have a single type if possible, but not required.

@f0ssel techincally it's a type definition.

Aliasing istype RoleSyncSettings = codersdk.RoleSyncSettings. If you alias, it means the types are equivalent, and the alias is essentially replaced with the source at compile time. With a type definition, you create a new type.

I agree the aliasing is a bit strange. It exists because of an import cycle, and it also made sense to export via CoderSDK since the UI needs to consume it.

It felt strange for theidpsync package to not fully self contain it's own types. It is strange it depends on codersdk, but it is a consequence of our import cycles and not wanting to copy + paste a struct definition.

Ideallycodersdk would type alias of the theidpsync.

Maybe we can change this in the future, I just didn't spend a ton of time on this. Kayla implemented this idea first, and it felt good enough to me for now.

Yeah the import cycle is the nail in the coffin then, no worries this is still good.

Will this break any existing usages?

Nope, it makes it more permissive, rather then restrictive. So it used to be gated by our experiment and premium licensing, but sync is an enterprise feature.

It makes sense to allow even single org deployments to configure this at runtime, so I dropped the entitlement requirements.

There is an entitlement check on the actual sync code, so tbd if we should also gate thepatch endpoint, or just defer to some warning like "These settings require enterprise to function".

Can we change this to let org admins change this value? If this is a user action it feels weird to drop into system here. We usually just do that for non-user actors.

Follow up would be fine

Yes, I do want to. Just with the timelines, I did this as a stop gap.

I want to solve RBAC and runtime config fields in a more general reusable pattern. Until then, I just require a system context. And I use a system context so no one else can use these sync settings incorrectly. The dbauthz layer is currently pretty strict, and when this is fixed, we will make it more permissive. Always an easier way to move forward then the other way around.