* fix: support special flow modules in evals
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: extract shared flow helper logic
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: make special flow tools openai-compatible
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: improve flow eval prompts and validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* test: relax flow benchmark overfits
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* test: record updated flow benchmark history
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address flow review findings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: source flow chat special module prompt
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: narrow rawscript helper return type
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: dedupe flow chat prompt guidance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: relax flow test10 validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add backend preview validation to ai evals
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: refresh shared preview workspace assets
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: harden shared backend preview validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat: cascade trigger script_path updates on script/flow rename + fix trigger permissioned_as
Backend: When a script or flow path is renamed, automatically update script_path
across all trigger tables (http, email, kafka, websocket, postgres, mqtt, nats,
sqs, gcp, native). Long-running triggers get server_id reset to force restart.
Native triggers additionally get async webhook URL re-registration with external
services (Google, Nextcloud) via token rotation + handler.update().
Frontend: Fix permissioned_as handling across all trigger/schedule editors:
- Allow setting permissioned_as on trigger creation (not just edit) for admins
- Fix hasChanged detection for permissioned_as changes
- Fix FolderEditor group selector showing usernames instead of group names
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: rename script_rename -> runnable_rename for consistency
"Runnable" is the correct term for both scripts and flows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: remove native trigger re-registration from runnable rename
Keep it simple — only update script_path in the DB for non-native triggers.
Native triggers require external service re-registration (token rotation +
webhook URL update) which adds significant complexity; defer to a future PR.
sqlx files for the updated CTE query need regenerating.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* sqlx
* refactor: call update_triggers_script_path directly, remove windmill-trigger wrapper
No need for the extra module/dep — the common function is called directly
from scripts.rs and flows.rs with inline error mapping.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: reject empty principal in folder default permissioned_as validation
`u/` and `g/` (no name after prefix) were passing validation. Use regex
to require at least one character after the prefix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: prevent async folder-default load from overwriting user's permissioned_as choice
Split the initialization effect into two: one that resets on trigger switch
(tracks permissionedAs), and one that handles folder default loading (tracks
folderDefault.value). The second effect is guarded by a userHasSelected flag
set in handleSelect, so a late-arriving folder default doesn't wipe the
user's explicit selection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* lock
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Flow substeps that inherit the parent flow's tag were re-validated
against CUSTOM_TAGS, which rejected dedicated flow tags
(`{workspace_id}:flow/{path}`) since they are never user-registered.
The parent flow's tag was already validated at push time, so skip the
redundant check when the substep simply inherits it.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: improve permissions drawer UX and auto-share resource variables
- When sharing a resource, automatically detect linked variables ($var: refs)
and offer to apply the same permission changes via a toggle (on by default)
- Rename "Share" to "Permissions" across all dropdown menus (resources, variables,
scripts, flows, apps, schedules, triggers)
- Replace Share icon with Shield icon for consistency
- Show default permissions (folder/user/group) as a separate section in the drawer
- Move item path into drawer title ("Permissions for {path}")
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: guard async results against stale drawer state and null-safe extra_perms
- Add path staleness check in loadLinkedVarPaths and loadDefaultPerms
to prevent late async responses from overwriting state when the drawer
was reopened for a different item
- Use ?? {} fallback for folder.extra_perms which can be undefined
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The total duration of a for-loop/branchall group was computed as the
naive sum of all iteration durations. This is wrong for parallel
execution and doesn't account for orchestration overhead. Instead,
compute actual wall-clock time as max(completed_at) - min(started_at).
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: extract load helpers from reload_setting family
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: convert atomic primitive globals to AtomicBool/AtomicI64
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: convert CRITICAL_*/HUB_API_SECRET/INSTANCE_EVENTS_WEBHOOK/JWT_SECRET to ArcSwap
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: pin ee-repo-ref to arcswap-refactor EE branch commit
* refactor: convert BASE_URL/HUB_BASE_URL/MIN_VERSION/LICENSE_KEY*/LICENSE_KEY_ID to ArcSwap
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: convert worker hot-path globals to ArcSwap (WORKER_CONFIG et al)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: pin ee-repo-ref to combined arcswap-urls+worker EE commit
* chore: update ee-repo-ref to d8be8f88cb8898c8f6b27421989d53528223815d
This commit updates the EE repository reference after PR #532 was merged in windmill-ee-private.
Previous ee-repo-ref: c375aaaac9ec0fc0480993627d0defc8054c31a4
New ee-repo-ref: d8be8f88cb8898c8f6b27421989d53528223815d
Automated by sync-ee-ref workflow.
* fix: cleanup unused imports + fix 2 missed WORKER_CONFIG readers
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to ce0f8fbbbde09c4a858312d2d8716d224e99042c
This commit updates the EE repository reference after PR #534 was merged in windmill-ee-private.
Previous ee-repo-ref: 450b601b5aba0ca0b2045f4b5071aa8701b4bfb7
New ee-repo-ref: ce0f8fbbbde09c4a858312d2d8716d224e99042c
Automated by sync-ee-ref workflow.
* fix: secret_backend_integration test — BASE_URL.write().await → .store()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: convert APP_WORKSPACED_ROUTE to AtomicBool for symmetry with HTTP_ROUTE_WORKSPACED_ROUTE
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to e587df8 (post-#535 merge)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
* fix: persist indexer max_index_time_window_secs setting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: toggle UX for indexer time window cap
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
is_wac_v2_py required both @workflow and @task, so a workflow using
only inline step() calls fell through to the regular Python path and
returned the raw coroutine object instead of its awaited result. Match
the TS detector and accept @workflow alone.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The response schema used `oneOf: [$ref, {type: null}]` which is
OpenAPI 3.1 syntax, but the spec is declared as 3.0.3. Both
oapi-codegen (Go) and openapi-python-client rejected it, breaking
the client release jobs. Switched to the standard 3.0 pattern
(`nullable: true` + `allOf: [$ref]`), matching existing usage at
openapi.yaml:21410.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: enrich OTEL log records with per-request LogContext
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: add otlp_smoke example for manual OTEL log bridge verification
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to 5d6b713b74fc46735807f5c32883002e8d976fbc
This commit updates the EE repository reference after PR #529 was merged in windmill-ee-private.
Previous ee-repo-ref: 45959d063bc941c567488d330b5819601cdd2d3d
New ee-repo-ref: 5d6b713b74fc46735807f5c32883002e8d976fbc
Automated by sync-ee-ref workflow.
* refactor: store LogContext in ArcSwap instead of Mutex
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: pin ee-repo-ref to ArcSwap branch commit
* chore: update ee-repo-ref to be2f3d4d11bb7110200524d7157caab3aac53996
This commit updates the EE repository reference after PR #530 was merged in windmill-ee-private.
Previous ee-repo-ref: 45b4d7963a9ebcd583d1a87abe7d07d3d521584a
New ee-repo-ref: be2f3d4d11bb7110200524d7157caab3aac53996
Automated by sync-ee-ref workflow.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
* refactor: extract flow delete helpers
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: unify flow delete planning
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: stabilize flow delete execution
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: simplify flow delete plan execution
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat: allow non-admin users to create HTTP triggers with forced workspaced routes
Non-admin users can now create and fully edit HTTP triggers, but are forced
to use workspaced routes (workspace-prefixed URLs). Instance-wide routes
remain admin-only to prevent cross-workspace URL conflicts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add missing RLS INSERT/DELETE policies for http_trigger table
Non-admin users were blocked by row-level security when creating HTTP triggers.
Added INSERT, DELETE, see_own, and see_member policies matching other trigger tables.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: allow user paths for HTTP triggers
Remove the hideUser restriction on the Path component so HTTP triggers
can be created under user paths (u/username/...) in addition to folder paths.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: remove added note from instance settings description
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: allow non-admins to edit non-workspaced routes without changing route config
Non-admins can now open and edit existing non-workspaced HTTP triggers
(created by admins) as long as they don't modify route_path, http_method,
or workspaced_route. The workspaced prefix is only forced on new triggers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: allow non-admins to change route_path on workspaced routes
The prevent_route_path_change DB trigger blocked all route_path changes
for windmill_user, even on workspaced routes. Now only instance-wide
(non-workspaced) routes are protected.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add explicit GRANT and force workspaced routes in OpenAPI generator
- Add explicit GRANT INSERT, DELETE on http_trigger to windmill_user
for safety on customer instances
- Force workspaced_route: true for non-admins in OpenAPI route generator
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
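The non-admin rules described in the HTTP trigger commits above, written out as one authorization check. This is an added example, not code from these commits or from Windmill. The type and function names are hypothetical, and two behaviours are assumptions: refusing a non-admin switch from workspaced to instance-wide (inferred from "instance-wide routes remain admin-only"), and the `{workspace}/{route_path}` key format.

```rust
// Added illustration; RouteConfig, Denied, authorize_route_change and
// route_key are hypothetical names, not Windmill's API.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RouteConfig {
    pub route_path: String,
    pub http_method: String,
    pub workspaced_route: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied {
    /// Non-admin tried to alter route_path, http_method or workspaced_route
    /// of an instance-wide (non-workspaced) trigger.
    InstanceWideRouteLocked,
    /// Non-admin tried to turn a workspaced route into an instance-wide one
    /// (assumed rule, see lead-in).
    InstanceWideRequiresAdmin,
}

/// Returns the route configuration to persist, or the reason for refusal.
/// `existing` is None when creating a trigger and Some when editing one.
pub fn authorize_route_change(
    is_admin: bool,
    existing: Option<&RouteConfig>,
    requested: &RouteConfig,
) -> Result<RouteConfig, Denied> {
    if is_admin {
        return Ok(requested.clone());
    }
    match existing {
        // Create: the workspace prefix is forced, whatever the client sent.
        None => Ok(RouteConfig { workspaced_route: true, ..requested.clone() }),
        // Edit of an instance-wide route: the trigger's other fields may
        // change, but the three route fields must match what the admin set.
        Some(cur) if !cur.workspaced_route => {
            if cur == requested {
                Ok(requested.clone())
            } else {
                Err(Denied::InstanceWideRouteLocked)
            }
        }
        // Edit of a workspaced route: path and method may change, but the
        // route has to stay workspaced.
        Some(_) if requested.workspaced_route => Ok(requested.clone()),
        Some(_) => Err(Denied::InstanceWideRequiresAdmin),
    }
}

/// Key under which a route would be matched (assumed format). The workspace
/// prefix keeps two workspaces from claiming the same URL.
pub fn route_key(workspace_id: &str, cfg: &RouteConfig) -> String {
    let path = cfg.route_path.trim_start_matches('/');
    if cfg.workspaced_route {
        format!("{} {}/{}", cfg.http_method, workspace_id, path)
    } else {
        format!("{} {}", cfg.http_method, path)
    }
}

fn main() {
    // Constructed request: a non-admin asks for an instance-wide route.
    let asked = RouteConfig {
        route_path: "orders".into(),
        http_method: "GET".into(),
        workspaced_route: false,
    };
    let stored = authorize_route_change(false, None, &asked).unwrap();
    println!("stored as: {}", route_key("team-a", &stored));
}
```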
* feat: add deploy restriction rule and fork review requests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref.txt for fork review requests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address PR review comments on fork review requests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: rename fork review requests to deployment requests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref.txt for deployment request rename
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: inline deployment request panel into deploy layout
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: place Request deployment button to the left of Deploy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: inline fork triggers into main deploy list
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: open real trigger detail drawer for inline fork triggers
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: email notifications for merge completion and reply pings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update deployment_request + protection_rule tables on workspace id rename
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to 972893c3870e4c4a70a35748abed282d88904805
This commit updates the EE repository reference after PR #528 was merged in windmill-ee-private.
Previous ee-repo-ref: 5684d1c17d930b17849c1e5d7577891e64682d45
New ee-repo-ref: 972893c3870e4c4a70a35748abed282d88904805
Automated by sync-ee-ref workflow.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
* feat: add instance-level ruff config auto-pulled by LSP container
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: move ruff config to new LSP tab in instance settings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: silence user-facing toast for non-critical hub script tracking error
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* n
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat: display message and web search content in agent graph node status
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: use markdown renderer for agent message output
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: revert web search output display — content not useful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: improve web search alert text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: align message title styling with other node status sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add folder default_permissioned_as rules for ownership defaults on deploy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove unnecessary auth guard on default_permissioned_as — rules are advisory only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: regenerate system prompts with new CLI commands
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CI review findings — TOCTOU, race condition, email validation, type coercion
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add sqlx offline cache for test queries (fixes cargo_test CI)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address remaining review findings — incomplete request bodies, dead code, redundant import
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address remaining review findings — full script fields, reactive stores, catch-all validation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: app/schedule/trigger set-permissioned-as fetch remote first to avoid data loss
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: app set-permissioned-as avoid creating redundant app version
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: compact user/group toggle + select for folder default_permissioned_as rules
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: collapse default_permissioned_as section by default in folder editor
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: include default_permissioned_as in FolderFile CLI type for YAML round-trip
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: process folder.meta changes before items in push to apply new rules immediately
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: clone default_permissioned_as on fork/rename + add full lifecycle tests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test: add no-op guarantee test — folder without rules behaves like before
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: rename cliBehavior to syncBehavior — more accurate scope
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: enrich hanging flow error with worker and service log info
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address PR review on hanging flow diagnostics
- Widen log_file lookup window to [-90s, +30s] around worker last ping
so the batch containing the crash is captured (log files are
minute-aligned; looking forward only was missing the relevant bucket).
- Log a warning on log_file query errors instead of silently swallowing,
so a misconfigured table is not reported as "no log files found".
- Note that service log download URLs require S3/parquet collection.
- Fix memory display when only worker_memory_total is known.
- Regenerate sqlx offline cache for the new/modified queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Git sync runs as a DeploymentCallback job. When the OTEL MITM tracing
proxy is enabled, all HTTP/HTTPS traffic from the script is rerouted
through a local intercepting proxy that chains to the corporate upstream
proxy. Git's HTTPS to GitHub fails in this setup (TLS interception with
chained CONNECT tunneling is fragile, and git's CA env handling diverges
from what the proxy injects), so customers see "GitHub.com URL couldn't
be reached" until they disable OTEL.
Detect DeploymentCallback jobs in get_proxy_envs_for_lang and fall back
to the stock PROXY_ENVS so git talks to the corporate proxy directly,
unmodified. The git sync script is system code; we don't need HTTP spans
for it.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CiTestResult was defined between the INLINE START/END markers, which
python-client/build.sh strips and replaces with a wildcard $ref to
openflow.openapi.yaml, breaking the PyPI publish job.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [ee] feat: add instance onboarding telemetry
Update ee-repo-ref to include instance_onboarding telemetry field
in the daily stats payload.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to 5f912375340225876a8c1740c3301f39cd6cbd6d
This commit updates the EE repository reference after PR #527 was merged in windmill-ee-private.
Previous ee-repo-ref: b0b10d81060ab6dabee81a5a067ffadc6b48e074
New ee-repo-ref: 5f912375340225876a8c1740c3301f39cd6cbd6d
Automated by sync-ee-ref workflow.
* sqlx
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
Co-authored-by: Ruben Fiszel <ruben@windmill.dev>
* feat: thread concurrency semaphore through dedicated worker executors
Pass the concurrency_semaphore parameter through bun, deno, and python
start_worker functions to handle_dedicated_process. Also fix the
DedicatedWorkersSelector to use listWorkspacesAsSuperAdmin (so all
workspaces including admins are visible) and skip loading when disabled.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to limit-workers-one-job branch
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: update ee-repo-ref to 54037e77cdd37777560755fef7075d35906c96d8
This commit updates the EE repository reference after PR #523 was merged in windmill-ee-private.
Previous ee-repo-ref: 56890ea8fca2c1c44a1338a27011b4dd1137d9c9
New ee-repo-ref: 54037e77cdd37777560755fef7075d35906c96d8
Automated by sync-ee-ref workflow.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
Co-authored-by: Ruben Fiszel <ruben@windmill.dev>