generate skills in plugin skills folder

2026-02-09 10:39:59 +00:00
1300 changed files with 34988 additions and 116221 deletions
--- a/.claude/hooks/guard-main-branch.sh
+++ b/.claude/hooks/guard-main-branch.sh
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-# PreToolUse hook: block destructive git operations when on the main branch.
-# Non-git tool calls and read-only git commands pass through silently.
-
-set -euo pipefail
-
-input="$(cat)"
-tool_name="$(echo "$input" | jq -r '.tool_name // empty')"
-
-# Only care about Bash tool calls
-[[ "$tool_name" == "Bash" ]] || exit 0
-
-command="$(echo "$input" | jq -r '.tool_input.command // empty')"
-
-# Only care about git write commands
-if [[ "$command" =~ ^git\ (push|reset|revert|checkout|merge|rebase|commit|add) ]]; then
-  branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
-  if [[ "$branch" == "main" ]]; then
-    echo "BLOCK: You are on the main branch. Create or switch to a feature branch first."
-  fi
-fi
--- a/.claude/hooks/resolve-symlinks.sh
+++ b/.claude/hooks/resolve-symlinks.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Resolve _ee.rs symlinks to actual files so Claude can read them
+# This script runs before each user prompt is processed
+
+set -e
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-/home/farhad/windmill}"
+MANIFEST_FILE="$PROJECT_DIR/.claude/hooks/.symlink-manifest"
+
+# Find all _ee.rs symlinks and store their targets
+find "$PROJECT_DIR" -name "*_ee.rs" -type l 2>/dev/null | while read -r symlink; do
+    target=$(readlink -f "$symlink" 2>/dev/null) || continue
+
+    # Only process if target file exists
+    if [[ -f "$target" ]]; then
+        # Store symlink path and target in manifest
+        echo "$symlink|$target" >> "$MANIFEST_FILE.tmp"
+
+        # Replace symlink with actual file content
+        rm "$symlink"
+        cp "$target" "$symlink"
+    fi
+done
+
+# Atomically replace manifest
+if [[ -f "$MANIFEST_FILE.tmp" ]]; then
+    mv "$MANIFEST_FILE.tmp" "$MANIFEST_FILE"
+fi
+
+exit 0
--- a/.claude/hooks/restore-symlinks.sh
+++ b/.claude/hooks/restore-symlinks.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Restore _ee.rs symlinks after Claude finishes processing
+# This script runs when Claude stops
+# IMPORTANT: Copies any modifications back to the target before restoring symlinks
+
+set -e
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-/home/farhad/windmill}"
+MANIFEST_FILE="$PROJECT_DIR/.claude/hooks/.symlink-manifest"
+
+# Check if manifest exists
+if [[ ! -f "$MANIFEST_FILE" ]]; then
+    exit 0
+fi
+
+# Read manifest and restore symlinks
+while IFS='|' read -r symlink target; do
+    if [[ -n "$symlink" && -n "$target" ]]; then
+        # If the file exists (not a symlink) and target exists, copy changes back
+        if [[ -f "$symlink" && ! -L "$symlink" && -e "$target" ]]; then
+            # Copy the potentially modified file back to the target
+            cp "$symlink" "$target"
+        fi
+
+        # Remove the regular file (which was a copy)
+        rm -f "$symlink" 2>/dev/null || true
+
+        # Recreate the symlink
+        ln -s "$target" "$symlink" 2>/dev/null || true
+    fi
+done < "$MANIFEST_FILE"
+
+# Clean up manifest
+rm -f "$MANIFEST_FILE"
+
+exit 0
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -1,8 +1,5 @@
 {
  "permissions": {
-    "additionalDirectories": [
-      "../windmill-ee-private"
-    ],
    "allow": [
      "Bash(ls:*)",
      "Bash(grep:*)",
@@ -30,15 +27,7 @@
      "Bash(cargo check:*)",
      "mcp__ide__getDiagnostics",
      "Bash(npm run generate-backend-client:*)",
-      "Bash(npm run check:*)",
-      "Bash(git push:*)",
-      "Bash(git reset:*)",
-      "Bash(git revert:*)",
-      "Bash(git checkout:*)",
-      "Bash(git merge:*)",
-      "Bash(git rebase:*)",
-      "Bash(git add:*)",
-      "Bash(git commit:*)"
+      "Bash(npm run check:*)"
    ],
    "deny": [
      "Read(.env)",
@@ -63,19 +52,46 @@
      "Bash(chown:*)",
      "Bash(truncate:*)",
      "Bash(shred:*)",
-      "Bash(unlink:*)"
+      "Bash(unlink:*)",
+      "Bash(git push:*)",
+      "Bash(git reset:*)",
+      "Bash(git revert:*)",
+      "Bash(git checkout:*)",
+      "Bash(git merge:*)",
+      "Bash(git rebase:*)"
    ]
  },
  "enableAllProjectMcpServers": true,
  "hooks": {
-    "PreToolUse": [
+    "UserPromptSubmit": [
      {
-        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
-            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/guard-main-branch.sh",
-            "timeout": 5
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/resolve-symlinks.sh",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/restore-symlinks.sh",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "SessionEnd": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/restore-symlinks.sh",
+            "timeout": 30
          }
        ]
      }
@@ -110,7 +126,8 @@
    ]
  },
  "enabledPlugins": {
+    "rust-analyzer-lsp@claude-plugins-official": true,
    "typescript-lsp@claude-plugins-official": true,
    "code-review@claude-plugins-official": true
  }
-}
+}
--- a/.claude/skills/native-trigger/SKILL.md
+++ b/.claude/skills/native-trigger/SKILL.md
@@ -1,777 +0,0 @@
-# Skill: Adding Native Trigger Services
-
-This skill provides comprehensive guidance for adding new native trigger services to Windmill. Native triggers allow external services (like Nextcloud, Google Drive, etc.) to trigger Windmill scripts/flows via webhooks or push notifications.
-
-## Architecture Overview
-
-The native trigger system consists of:
-
-1. **Database Layer** - PostgreSQL tables and enum types
-2. **Backend Rust Implementation** - Core trait, handlers, and service modules in the `windmill-native-triggers` crate
-3. **Frontend Svelte Components** - Configuration forms and UI components
-
-### Key Files
-
-| Component | Path |
-|-----------|------|
-| Core module with `External` trait | `backend/windmill-native-triggers/src/lib.rs` |
-| Generic CRUD handlers | `backend/windmill-native-triggers/src/handler.rs` |
-| Background sync logic | `backend/windmill-native-triggers/src/sync.rs` |
-| OAuth/workspace integration | `backend/windmill-native-triggers/src/workspace_integrations.rs` |
-| Re-export shim (windmill-api) | `backend/windmill-api/src/native_triggers/mod.rs` |
-| TriggerKind enum | `backend/windmill-common/src/triggers.rs` |
-| JobTriggerKind enum | `backend/windmill-common/src/jobs.rs` |
-| Frontend service registry | `frontend/src/lib/components/triggers/native/utils.ts` |
-| Frontend trigger utilities | `frontend/src/lib/components/triggers/utils.ts` |
-| Trigger badges (icons + counts) | `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte` |
-| Workspace integrations UI | `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte` |
-| OAuth config form component | `frontend/src/lib/components/workspaceSettings/OAuthClientConfig.svelte` |
-| OpenAPI spec | `backend/windmill-api/openapi.yaml` |
-| Reference: Nextcloud module | `backend/windmill-native-triggers/src/nextcloud/` |
-| Reference: Google module | `backend/windmill-native-triggers/src/google/` |
-
-### Crate Structure
-
-The native trigger code lives in the `windmill-native-triggers` crate (`backend/windmill-native-triggers/`). The `windmill-api` crate re-exports everything via a shim:
-
-```rust
-// backend/windmill-api/src/native_triggers/mod.rs
-pub use windmill_native_triggers::*;
-```
-
-All new service modules go in `backend/windmill-native-triggers/src/`.
-
---
-
-## Core Concepts
-
-### The `External` Trait
-
-Every native trigger service implements the `External` trait defined in `lib.rs`:
-
-```rust
-#[async_trait]
-pub trait External: Send + Sync + 'static {
-    // Associated types:
-    type ServiceConfig: Debug + DeserializeOwned + Serialize + Send + Sync;
-    type TriggerData: Debug + Serialize + Send + Sync;
-    type OAuthData: DeserializeOwned + Serialize + Clone + Send + Sync;
-    type CreateResponse: DeserializeOwned + Send + Sync;
-
-    // Constants:
-    const SUPPORT_WEBHOOK: bool;
-    const SERVICE_NAME: ServiceName;
-    const DISPLAY_NAME: &'static str;
-    const TOKEN_ENDPOINT: &'static str;
-    const REFRESH_ENDPOINT: &'static str;
-    const AUTH_ENDPOINT: &'static str;
-
-    // Required methods:
-    async fn create(&self, w_id, oauth_data, webhook_token, data, db, tx) -> Result<Self::CreateResponse>;
-    async fn update(&self, w_id, oauth_data, external_id, webhook_token, data, db, tx) -> Result<serde_json::Value>;
-    async fn get(&self, w_id, oauth_data, external_id, db, tx) -> Result<Self::TriggerData>;
-    async fn delete(&self, w_id, oauth_data, external_id, db, tx) -> Result<()>;
-    async fn exists(&self, w_id, oauth_data, external_id, db, tx) -> Result<bool>;
-    async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors);
-    fn external_id_and_metadata_from_response(&self, resp) -> (String, Option<serde_json::Value>);
-
-    // Methods with defaults:
-    async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned>;
-    fn service_config_from_create_response(&self, data, resp) -> Option<serde_json::Value>;
-    fn additional_routes(&self) -> axum::Router;
-    async fn http_client_request<T, B>(&self, url, method, workspace_id, tx, db, headers, body) -> Result<T>;
-}
-```
-
-Key design points:
- **`update()` returns `serde_json::Value`** - the resolved service_config to store. Each service is responsible for building the final config.
- **`maintain_triggers()`** - periodic background maintenance. Each service implements its own strategy (Nextcloud: reconcile with external state; Google: renew expiring channels).
- **No `list_all()` in the trait** - services that need it (Nextcloud) implement it privately; services that don't (Google) use different maintenance strategies.
- **No `get_external_id_from_trigger_data()` or `extract_service_config_from_trigger_data()`** - removed in favor of the `maintain_triggers` pattern.
-
-### Create Lifecycle: Two Paths
-
-The `create_native_trigger` handler in `handler.rs` supports two creation flows, controlled by `service_config_from_create_response()`:
-
-**Path A: Short (Google pattern)** - `service_config_from_create_response()` returns `Some(config)`:
-1. `create()` registers on external service
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `service_config_from_create_response()` builds the config directly from input data + response metadata
-4. Stores trigger in DB -- done, no extra round-trip
-
-Use this when the external_id is known before the create call (e.g., Google generates the channel_id as a UUID upfront and includes it in the webhook URL).
-
-**Path B: Long (Nextcloud pattern)** - `service_config_from_create_response()` returns `None` (default):
-1. `create()` registers on external service (webhook URL has no external_id yet)
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `update()` is called to fix the webhook URL with the now-known external_id
-4. `update()` returns the resolved service_config
-5. Stores trigger in DB
-
-Use this when the external_id is assigned by the remote service and the webhook URL needs to be corrected after creation.
-
-### OAuth Token Storage (Three-Table Pattern)
-
-OAuth tokens are stored across three tables, NOT in `workspace_integrations.oauth_data` directly:
-
-| Table | What's Stored |
-|-------|---------------|
-| `workspace_integrations` | `oauth_data` JSON with `base_url`, `client_id`, `client_secret`, `instance_shared` flag; `resource_path` pointing to the variable |
-| `variable` | Encrypted `access_token` (at the path stored in `resource_path`), linked to `account` via `account` column |
-| `account` | `refresh_token`, keyed by `workspace_id` + `client` (service name) + `is_workspace_integration = true` |
-
-The `decrypt_oauth_data()` function in `lib.rs` assembles these into a unified struct:
-```rust
-pub struct OAuthConfig {
-    pub base_url: String,
-    pub access_token: String,      // decrypted from variable
-    pub refresh_token: Option<String>, // from account table
-    pub client_id: String,         // from oauth_data or instance settings
-    pub client_secret: String,     // from oauth_data or instance settings
-}
-```
-
-Instance-level sharing: when `oauth_data.instance_shared == true`, `client_id` and `client_secret` are read from global settings instead of workspace_integrations.
-
-### URL Resolution
-
-The `resolve_endpoint()` helper handles both absolute and relative OAuth URLs:
-
-```rust
-pub fn resolve_endpoint(base_url: &str, endpoint: &str) -> String {
-    if endpoint.starts_with("http://") || endpoint.starts_with("https://") {
-        endpoint.to_string()  // Google: absolute URLs
-    } else {
-        format!("{}{}", base_url, endpoint)  // Nextcloud: relative paths
-    }
-}
-```
-
-### ServiceName Methods
-
-`ServiceName` is the central registry enum. Each variant must implement these match arms:
-
-| Method | Purpose |
-|--------|---------|
-| `as_str()` | Lowercase identifier (e.g., `"google"`) |
-| `as_trigger_kind()` | Maps to `TriggerKind` enum |
-| `as_job_trigger_kind()` | Maps to `JobTriggerKind` enum |
-| `token_endpoint()` | OAuth token endpoint (relative or absolute) |
-| `auth_endpoint()` | OAuth authorization endpoint |
-| `oauth_scopes()` | Space-separated OAuth scopes |
-| `resource_type()` | Resource type for token storage (e.g., `"gworkspace"`) |
-| `extra_auth_params()` | Extra OAuth params (e.g., Google needs `access_type=offline`, `prompt=consent`) |
-| `integration_service()` | Maps to the workspace integration service (usually `*self`) |
-| `TryFrom<String>` | Parse from string |
-| `Display` | Delegates to `as_str()` |
-
---
-
-## Step-by-Step Implementation Guide
-
-### Step 1: Database Migration
-
-Create a new migration file: `backend/migrations/YYYYMMDDHHMMSS_newservice_trigger.up.sql`
-
-```sql
-- Add the service to the native_trigger_service enum
-ALTER TYPE native_trigger_service ADD VALUE IF NOT EXISTS 'newservice';
-
-- Add to TRIGGER_KIND enum (used for trigger tracking)
-ALTER TYPE TRIGGER_KIND ADD VALUE IF NOT EXISTS 'newservice';
-
-- Add to job_trigger_kind enum (used for job tracking)
-ALTER TYPE job_trigger_kind ADD VALUE IF NOT EXISTS 'newservice';
-```
-
-Also create the corresponding down migration.
-
-### Step 2: Update windmill-common Enums
-
-#### `backend/windmill-common/src/triggers.rs`
-
-Add variant to `TriggerKind` enum, and update `to_key()` and `fmt()` implementations.
-
-#### `backend/windmill-common/src/jobs.rs`
-
-Add variant to `JobTriggerKind` enum and update the `Display` implementation.
-
-### Step 3: Backend Service Module
-
-Create a new directory: `backend/windmill-native-triggers/src/newservice/`
-
-#### `mod.rs` - Type Definitions
-
-```rust
-use serde::{Deserialize, Serialize};
-
-pub mod external;
-// pub mod routes; // Only if you need additional service-specific routes
-
-/// OAuth data deserialized from the three-table pattern.
-/// The actual structure is built by decrypt_oauth_data() from variable + account + workspace_integrations.
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct NewServiceOAuthData {
-    pub base_url: String,              // from workspace_integrations.oauth_data
-    pub access_token: String,          // decrypted from variable table
-    pub refresh_token: Option<String>, // from account table
-    // Note: client_id and client_secret are in OAuthConfig, not here
-    // unless the service needs them at runtime for API calls
-}
-
-/// Configuration provided by user when creating/updating a trigger.
-/// Stored as JSON in native_trigger.service_config.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceConfig {
-    // Service-specific configuration fields
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-}
-
-/// Data retrieved from the external service about a trigger.
-/// Returned by the get() method and shown in the UI.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceTriggerData {
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-    // Fields that shouldn't affect service_config comparison should use #[serde(skip_serializing)]
-}
-
-/// Response from external service when creating a trigger/webhook.
-#[derive(Debug, Deserialize)]
-pub struct CreateTriggerResponse {
-    pub id: String,
-}
-
-/// Handler struct (stateless, used for routing)
-#[derive(Copy, Clone)]
-pub struct NewService;
-```
-
-#### `external.rs` - External Trait Implementation
-
-```rust
-use async_trait::async_trait;
-use reqwest::Method;
-use sqlx::PgConnection;
-use std::collections::HashMap;
-use windmill_common::{
-    error::{Error, Result},
-    BASE_URL, DB,
-};
-
-use crate::{
-    generate_webhook_service_url, External, NativeTrigger, NativeTriggerData, ServiceName,
-    sync::{SyncError, TriggerSyncInfo},
-};
-use super::{NewService, NewServiceConfig, NewServiceOAuthData, NewServiceTriggerData, CreateTriggerResponse};
-
-#[async_trait]
-impl External for NewService {
-    type ServiceConfig = NewServiceConfig;
-    type TriggerData = NewServiceTriggerData;
-    type OAuthData = NewServiceOAuthData;
-    type CreateResponse = CreateTriggerResponse;
-
-    const SERVICE_NAME: ServiceName = ServiceName::NewService;
-    const DISPLAY_NAME: &'static str = "New Service";
-    const SUPPORT_WEBHOOK: bool = true;
-    const TOKEN_ENDPOINT: &'static str = "/oauth/token";
-    const REFRESH_ENDPOINT: &'static str = "/oauth/token";
-    const AUTH_ENDPOINT: &'static str = "/oauth/authorize";
-
-    async fn create(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::CreateResponse> {
-        let base_url = &*BASE_URL.read().await;
-
-        // external_id is None during create (we get it from the response)
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            None, Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/create", oauth_data.base_url);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let response: CreateTriggerResponse = self
-            .http_client_request(&url, Method::POST, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        Ok(response)
-    }
-
-    /// Update returns the resolved service_config as JSON.
-    /// For services using the update+get pattern, call self.get() and serialize.
-    async fn update(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<serde_json::Value> {
-        let base_url = &*BASE_URL.read().await;
-
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            Some(external_id), Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let _: serde_json::Value = self
-            .http_client_request(&url, Method::PUT, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        // Fetch back the updated state to get the resolved config
-        let trigger_data = self.get(w_id, oauth_data, external_id, db, tx).await?;
-        serde_json::to_value(&trigger_data)
-            .map_err(|e| Error::InternalErr(format!("Failed to serialize trigger data: {}", e)))
-    }
-
-    async fn get(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::TriggerData> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        self.http_client_request::<_, ()>(&url, Method::GET, w_id, tx, db, None, None).await
-    }
-
-    async fn delete(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<()> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let _: serde_json::Value = self
-            .http_client_request::<_, ()>(&url, Method::DELETE, w_id, tx, db, None, None)
-            .await
-            .or_else(|e| match &e {
-                Error::InternalErr(msg) if msg.contains("404") => Ok(serde_json::Value::Null),
-                _ => Err(e),
-            })?;
-        Ok(())
-    }
-
-    async fn exists(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<bool> {
-        match self.get(w_id, oauth_data, external_id, db, tx).await {
-            Ok(_) => Ok(true),
-            Err(Error::NotFound(_)) => Ok(false),
-            Err(e) => Err(e),
-        }
-    }
-
-    /// Background maintenance. Choose the right pattern for your service:
-    /// - For services with queryable external state: use reconcile_with_external_state()
-    /// - For channel-based services with expiration: implement renewal logic
-    async fn maintain_triggers(
-        &self,
-        db: &DB,
-        workspace_id: &str,
-        triggers: &[NativeTrigger],
-        oauth_data: &Self::OAuthData,
-        synced: &mut Vec<TriggerSyncInfo>,
-        errors: &mut Vec<SyncError>,
-    ) {
-        // Option A: Reconcile with external state (Nextcloud pattern)
-        // Fetch all triggers from external service and compare with DB
-        let external_triggers = match self.list_all(workspace_id, oauth_data, db).await {
-            Ok(triggers) => triggers,
-            Err(e) => {
-                errors.push(SyncError {
-                    resource_path: format!("workspace:{}", workspace_id),
-                    error_message: format!("Failed to list triggers: {}", e),
-                    error_type: "api_error".to_string(),
-                });
-                return;
-            }
-        };
-
-        // Convert to (external_id, config_json) pairs
-        let external_pairs: Vec<(String, serde_json::Value)> = external_triggers
-            .into_iter()
-            .map(|t| (t.id.clone(), serde_json::to_value(&t).unwrap_or_default()))
-            .collect();
-
-        crate::sync::reconcile_with_external_state(
-            db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-        ).await;
-    }
-
-    fn external_id_and_metadata_from_response(
-        &self,
-        resp: &Self::CreateResponse,
-    ) -> (String, Option<serde_json::Value>) {
-        (resp.id.clone(), None)
-    }
-
-    // service_config_from_create_response: NOT overridden (returns None).
-    // This means the handler uses the update+get pattern after create.
-    // Override and return Some(...) to skip the update+get cycle (Google pattern).
-}
-
-impl NewService {
-    /// Private helper to list all triggers from the external service.
-    async fn list_all(
-        &self,
-        w_id: &str,
-        oauth_data: &<Self as External>::OAuthData,
-        db: &DB,
-    ) -> Result<Vec<<Self as External>::TriggerData>> {
-        // Implementation depends on the external service's API
-        todo!()
-    }
-}
-```
-
-### Step 4: Update lib.rs Registry
-
-In `backend/windmill-native-triggers/src/lib.rs`:
-
-```rust
-// Service modules - add new services here:
-#[cfg(feature = "native_trigger")]
-pub mod newservice;  // <-- Add this
-
-// ServiceName enum - add variant:
-pub enum ServiceName {
-    Nextcloud,
-    Google,
-    NewService,  // <-- Add this
-}
-
-// Then add match arms in ALL ServiceName methods:
-// as_str(), as_trigger_kind(), as_job_trigger_kind(), token_endpoint(),
-// auth_endpoint(), oauth_scopes(), resource_type(), extra_auth_params(),
-// integration_service(), TryFrom<String>, Display
-```
-
-### Step 5: Update handler.rs Routes
-
-In `backend/windmill-native-triggers/src/handler.rs`:
-
-```rust
-pub fn generate_native_trigger_routers() -> Router {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-        return router
-            .nest("/nextcloud", service_routes(NextCloud))
-            .nest("/google", service_routes(Google))
-            .nest("/newservice", service_routes(NewService));  // <-- Add this
-    }
-    // ...
-}
-```
-
-### Step 6: Update sync.rs
-
-In `backend/windmill-native-triggers/src/sync.rs`:
-
-```rust
-pub async fn sync_all_triggers(db: &DB) -> Result<BackgroundSyncResult> {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-
-        // ... existing service syncs ...
-
-        // New service sync
-        let (service_name, result) = sync_service_triggers(db, NewService).await;
-        total_synced += result.synced_triggers.len();
-        total_errors += result.errors.len();
-        service_results.insert(service_name, result);
-    }
-    // ...
-}
-```
-
-### Step 7: Frontend Service Registry
-
-In `frontend/src/lib/components/triggers/native/utils.ts`:
-
-Add to `NATIVE_TRIGGER_SERVICES`, `getTriggerIconName()`, and `getServiceIcon()`.
-
-### Step 8: Frontend Trigger Form Component
-
-Create: `frontend/src/lib/components/triggers/native/services/newservice/NewServiceTriggerForm.svelte`
-
-### Step 9: Frontend Icon Component
-
-Create: `frontend/src/lib/components/icons/NewServiceIcon.svelte`
-
-### Step 10: Update NativeTriggerEditor
-
-Check `frontend/src/lib/components/triggers/native/NativeTriggerEditor.svelte` to ensure it dynamically loads form components based on service name.
-
-### Step 11: Workspace Integration UI
-
-Add your service to the `supportedServices` map in `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte`:
-
-```typescript
-const supportedServices: Record<string, ServiceConfig> = {
-    // ... existing services ...
-    newservice: {
-        name: 'newservice',
-        displayName: 'New Service',
-        description: 'Connect to New Service for triggers',
-        icon: NewServiceIcon,
-        docsUrl: 'https://www.windmill.dev/docs/integrations/newservice',
-        requiresBaseUrl: false,  // false for cloud services, true for self-hosted
-        setupInstructions: [
-            'Step 1: Create an OAuth app on the service',
-            'Step 2: Configure the redirect URI shown below',
-            'Step 3: Enter the client credentials below'
-        ]
-    }
-}
-```
-
-### Step 12: Update `frontend/src/lib/components/triggers/utils.ts`
-
-Update ALL of these maps/functions:
-1. `triggerIconMap` - import and add icon
-2. `triggerDisplayNamesMap` - add display name
-3. `triggerTypeOrder` in `sortTriggers()` - add type
-4. `getLightConfig()` - add case for your service
-5. `getTriggerLabel()` - add case for your service
-6. `jobTriggerKinds` - add to array
-7. `countPropertyMap` - add count property
-8. `triggerSaveFunctions` - add save function
-
-### Step 13: Update TriggersBadge Component
-
-In `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte`:
-
-1. Import the icon
-2. Add to `baseConfig` with `countKey` (the dynamic `availableNativeServices` loop does NOT set `countKey`)
-3. Add to the `allTypes` array
-
-### Step 14: Update TriggersWrapper.svelte
-
-In `frontend/src/lib/components/triggers/TriggersWrapper.svelte`:
-
-Add a `{:else if selectedTrigger.type === 'yourservice'}` case that renders `<NativeTriggersPanel service="yourservice" ...>` with the same props pattern as the existing native trigger cases (e.g., `nextcloud`).
-
-### Step 15: Update AddTriggersButton.svelte
-
-In `frontend/src/lib/components/triggers/AddTriggersButton.svelte`:
-
-1. Add `yourserviceAvailable` state variable
-2. Add `setYourserviceState()` async function using `isServiceAvailable('yourservice', $workspaceStore!)`
-3. Call it at module level
-4. Add a dropdown entry to `addTriggerItems` with `hidden: !yourserviceAvailable`
-
-### Step 16: Update TriggersEditor.svelte Delete Handling
-
-In `frontend/src/lib/components/triggers/TriggersEditor.svelte`:
-
-Add your service to the `nativeTriggerServices` map in `deleteDeployedTrigger()`. Native triggers use `NativeTriggerService.deleteNativeTrigger({ workspace, serviceName, externalId })` instead of the standard `path`-based delete.
-
-### Step 17: Update OpenAPI Spec and Regenerate Types
-
-Add to `JobTriggerKind` enum in `backend/windmill-api/openapi.yaml`, then:
-
-```bash
-cd frontend && npm run generate-backend-client
-```
-
---
-
-## Special Patterns
-
-### Unified Service with `trigger_type` (Google Pattern)
-
-When a single service handles multiple trigger types (e.g., Google Drive + Calendar share OAuth and API patterns), use a single `ServiceName` variant with a discriminator field:
-
-```rust
-pub enum GoogleTriggerType { Drive, Calendar }
-
-pub struct GoogleServiceConfig {
-    pub trigger_type: GoogleTriggerType,
-    // Drive-specific fields (only used when trigger_type = Drive)
-    pub resource_id: Option<String>,
-    pub resource_name: Option<String>,
-    // Calendar-specific fields (only used when trigger_type = Calendar)
-    pub calendar_id: Option<String>,
-    pub calendar_name: Option<String>,
-    // Metadata set after creation
-    pub google_resource_id: Option<String>,
-    pub expiration: Option<String>,
-}
-```
-
-Branch in trait methods based on `trigger_type`. Frontend uses a `ToggleButtonGroup` to switch between types. This keeps the codebase simpler (one service, one OAuth flow, one set of routes).
-
-See `backend/windmill-native-triggers/src/google/` for the reference implementation.
-
-### Skipping update+get After Create (Google Pattern)
-
-Override `service_config_from_create_response()` to return `Some(config)` when the external_id is known before the create call:
-
-```rust
-fn service_config_from_create_response(
-    &self,
-    data: &NativeTriggerData<Self::ServiceConfig>,
-    resp: &Self::CreateResponse,
-) -> Option<serde_json::Value> {
-    // Clone input config, add metadata from response
-    let mut config = data.service_config.clone();
-    config.google_resource_id = Some(resp.resource_id.clone());
-    config.expiration = Some(resp.expiration.clone());
-    Some(serde_json::to_value(&config).unwrap())
-}
-```
-
-### Services with Absolute OAuth Endpoints (Google)
-
-Unlike self-hosted services where OAuth endpoints are relative paths appended to `base_url`, services like Google have absolute URLs:
-
-```rust
-// Nextcloud: relative paths
-ServiceName::Nextcloud => "/apps/oauth2/api/v1/token",
-// Google: absolute URLs
-ServiceName::Google => "https://oauth2.googleapis.com/token",
-```
-
-The `resolve_endpoint()` function handles both. For services with absolute endpoints:
- `base_url` can be empty
- `requiresBaseUrl: false` in the frontend workspace integration config
- Add `extra_auth_params()` if needed (Google requires `access_type=offline` and `prompt=consent`)
-
-### Channel-Based Push Notifications with Renewal (Google Pattern)
-
-For services using expiring watch channels instead of persistent webhooks:
-
-1. Store expiration in `service_config` (as part of `ServiceConfig`)
-2. In `maintain_triggers()`, implement renewal logic instead of using `reconcile_with_external_state()`:
-   ```rust
-   async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors) {
-       for trigger in triggers {
-           if should_renew_channel(trigger) {
-               self.renew_channel(db, trigger, oauth_data).await;
-           }
-       }
-   }
-   ```
-3. Renewal: best-effort stop old channel, create new one with same external_id, update service_config with new expiration
-4. Google example: Drive channels expire in 24h (renew when <1h left), Calendar channels expire in 7 days (renew when <1 day left)
-
-### reconcile_with_external_state (Nextcloud Pattern)
-
-The reusable function in `sync.rs` compares external triggers with DB state:
- Triggers missing externally: sets error "Trigger no longer exists on external service"
- Triggers present externally: clears errors, updates service_config if it differs
-
-Usage in `maintain_triggers()`:
-```rust
-let external_pairs: Vec<(String, serde_json::Value)> = /* fetch from external */;
-crate::sync::reconcile_with_external_state(
-    db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-).await;
-```
-
-### Webhook Payload Processing
-
-Override `prepare_webhook()` to parse service-specific payloads into script/flow args:
-
-```rust
-async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned> {
-    let mut args = HashMap::new();
-    args.insert("event_type".to_string(), Box::new(headers.get("x-event-type").cloned()) as _);
-    args.insert("payload".to_string(), Box::new(serde_json::from_str::<serde_json::Value>(&body)?) as _);
-    Ok(PushArgsOwned { extra: None, args })
-}
-```
-
-Then register in `prepare_native_trigger_args()` in `lib.rs`:
-```rust
-pub async fn prepare_native_trigger_args(service_name, db, w_id, headers, body) -> Result<Option<PushArgsOwned>> {
-    match service_name {
-        ServiceName::Google => { /* ... */ Ok(Some(args)) }
-        ServiceName::NewService => { /* ... */ Ok(Some(args)) }
-        ServiceName::Nextcloud => Ok(None), // Uses default body parsing
-    }
-}
-```
-
-### Instance-Level OAuth Credentials
-
-When `workspace_integrations.oauth_data.instance_shared == true`, `decrypt_oauth_data()` reads `client_id` and `client_secret` from instance-level global settings instead of workspace-level. This allows admins to share OAuth app credentials across workspaces.
-
-The frontend handles this via the `generate_instance_connect_url` endpoint in `workspace_integrations.rs`.
-
---
-
-## Testing Checklist
-
- [ ] Database migration runs successfully
- [ ] `cargo check -p windmill-native-triggers --features native_trigger` passes
- [ ] `npx svelte-check --threshold error` passes (in frontend/)
- [ ] Service appears in workspace integrations list
- [ ] OAuth flow completes successfully
- [ ] Can create a new trigger
- [ ] Can view trigger details
- [ ] Can update trigger configuration
- [ ] Can delete trigger
- [ ] Webhook receives and processes payloads
- [ ] Background sync works correctly (reconciliation or channel renewal)
- [ ] Error handling works (expired tokens, service unavailable)
-
---
-
-## Reference Implementations
-
-### Nextcloud (Self-Hosted, Update+Get Pattern)
-
-| File | Purpose |
-|------|---------|
-| `nextcloud/mod.rs` | Types: NextCloudOAuthData, NextcloudServiceConfig, NextCloudTriggerData |
-| `nextcloud/external.rs` | External trait: uses update+get pattern, reconcile_with_external_state for sync |
-| `nextcloud/routes.rs` | Additional route: `GET /events` |
-
-Key patterns: relative OAuth endpoints, base_url required, list_all + reconcile for sync, update returns JSON from get().
-
-### Google (Cloud, Unified Service, Short Create)
-
-| File | Purpose |
-|------|---------|
-| `google/mod.rs` | Types: GoogleServiceConfig with trigger_type discriminator, GoogleTriggerType enum |
-| `google/external.rs` | External trait: overrides service_config_from_create_response, channel renewal for sync |
-| `google/routes.rs` | Additional routes: `GET /calendars`, `GET /drive/files`, `GET /drive/shared_drives` |
-
-Key patterns: absolute OAuth endpoints, empty base_url, trigger_type for Drive/Calendar, expiring watch channels with renewal, service_config_from_create_response skips update+get, get() reconstructs data from stored service_config (no external "get channel" API).
--- a/.claude/skills/refine/SKILL.md
+++ b/.claude/skills/refine/SKILL.md
@@ -1,39 +0,0 @@
---
-name: refine
-user_invocable: true
-description: End-of-session reflection. Reviews friction encountered during the session and proposes updates to docs/ to capture lessons learned.
---
-
-# Refine Skill
-
-Reflect on the current session and update documentation with lessons learned.
-
-## Instructions
-
-1. **Identify friction**: Review what happened in this session:
-   - Run `git diff main...HEAD --stat` to see what files were touched
-   - Think about: what was slow, what failed, what required multiple attempts, what information was missing or hard to find
-
-2. **Read current docs**: Read the docs that were relevant to this session:
-   - `docs/validation.md`
-   - `docs/enterprise.md`
-   - `docs/autonomous-mode.md`
-   - Any skills that were invoked
-
-3. **Propose updates**: For each piece of friction, decide if it warrants a doc update:
-   - **Missing knowledge**: Information you had to discover that should be documented
-   - **Wrong guidance**: Instructions that led you astray
-   - **Missing validation rule**: A check that should be in the validation matrix
-   - **New pattern**: A codebase pattern worth capturing for next time
-
-4. **Apply updates**: Edit the relevant `docs/` files. Keep changes minimal and specific — add only what would have saved time this session.
-
-5. **Report**: Summarize what was added/changed and why.
-
-## Rules
-
- Only add knowledge confirmed by this session — no speculative additions
- Keep docs concise — add a line or two, not a paragraph
- If a whole new doc is needed, create it in `docs/` and add a pointer in `CLAUDE.md`
- Don't update skills unless a coding pattern was genuinely wrong
- Don't add things Claude already knows — only Windmill-specific knowledge
--- a/.claude/skills/rust-backend/SKILL.md
+++ b/.claude/skills/rust-backend/SKILL.md
@@ -3,105 +3,493 @@ name: rust-backend
 description: Rust coding guidelines for the Windmill backend. MUST use when writing or modifying Rust code in the backend directory.
 ---

-# Windmill Rust Patterns
+# Rust Backend Coding Guidelines

-Apply these Windmill-specific patterns when writing Rust code in `backend/`.
+Apply these patterns when writing or modifying Rust code in the `backend/` directory.
+
+## Data Structure Design
+
+Choose between `struct`, `enum`, or `newtype` based on domain needs:
+
+- Use `enum` for state machines instead of boolean flags or loosely related fields
+- Model invariants explicitly using types (e.g., `NonZeroU32`, `Duration`, custom enums)
+- Consider ownership of each field:
+  - Use `&str` vs `String`, slices vs vectors
+  - Use `Arc<T>` when sharing across threads
+  - Use `Cow<'a, T>` for flexible ownership
+
+```rust
+// State machine with enum
+enum JobState {
+    Pending { scheduled_for: DateTime<Utc> },
+    Running { started_at: DateTime<Utc>, worker: String },
+    Completed { result: JobResult, duration_ms: i64 },
+    Failed { error: String, retries: u32 },
+}
+
+// Avoid multiple booleans
+struct Job {
+    is_pending: bool,   // Don't do this
+    is_running: bool,
+    is_completed: bool,
+}
+```
+
+## Impl Block Organization
+
+Place `impl` blocks immediately below the struct/enum they modify. Group methods logically:
+
+```rust
+struct JobQueue {
+    jobs: Vec<Job>,
+    capacity: usize,
+}
+
+impl JobQueue {
+    // Constructors first
+    pub fn new(capacity: usize) -> Self { ... }
+    pub fn with_jobs(jobs: Vec<Job>) -> Self { ... }
+
+    // Getters
+    pub fn len(&self) -> usize { ... }
+    pub fn is_empty(&self) -> bool { ... }
+
+    // Mutation methods
+    pub fn push(&mut self, job: Job) -> Result<()> { ... }
+    pub fn pop(&mut self) -> Option<Job> { ... }
+
+    // Domain logic
+    pub fn next_scheduled(&self) -> Option<&Job> { ... }
+}
+```
+
+## Iterator Chains Over For-Loops
+
+Prefer functional iterator chains (`.filter().map().collect()`) over imperative for-loops:
+
+```rust
+// Preferred
+let results: Vec<_> = items
+    .iter()
+    .filter(|item| item.is_valid())
+    .map(|item| item.transform())
+    .collect();
+
+// Avoid
+let mut results = Vec::new();
+for item in items.iter() {
+    if item.is_valid() {
+        results.push(item.transform());
+    }
+}
+```

 ## Error Handling

-Use `Error` from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>`:
+Use the `Error` type from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>` for fallible functions:

 ```rust
 use windmill_common::error::{Error, Result};

+// Use ? operator for propagation
 pub async fn get_job(db: &DB, id: Uuid) -> Result<Job> {
-    sqlx::query_as!(Job, "SELECT id, workspace_id FROM v2_job WHERE id = $1", id)
+    let job = sqlx::query_as!(Job, "SELECT ... WHERE id = $1", id)
        .fetch_optional(db)
        .await?
        .ok_or_else(|| Error::NotFound("job not found".to_string()))?;
+    Ok(job)
 }
 ```

-Never panic in library code. Reserve `.unwrap()` for compile-time guarantees.
-
-## SQLx Patterns
-
-**Never use `SELECT *`** — always list columns explicitly. Critical for backwards compatibility when workers lag behind API version:
+Prefer `if let` for optional handling. Use `let...else` when early return makes code clearer:

 ```rust
-// Correct
-sqlx::query_as!(Job, "SELECT id, workspace_id, path FROM v2_job WHERE id = $1", id)
-
-// Wrong — breaks when columns are added
-sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", id)
+let Some(config) = get_config() else {
+    return Err(Error::MissingConfig);
+};
 ```

-Use batch operations to avoid N+1:
+Never panic in library code. Reserve `.unwrap()` for cases with compile-time guarantees. Keep functions short to help lifetime inference and clarity.
+
+## Early Returns
+
+Return early to avoid deep nesting. Handle error cases and edge conditions first:

 ```rust
-// Preferred — single query with IN clause
-sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
-```
+// Preferred - early returns
+fn process_job(job: Option<Job>) -> Result<Output> {
+    let Some(job) = job else {
+        return Ok(Output::default());
+    };

-Use transactions for multi-step operations. Parameterize all queries.
+    if !job.is_valid() {
+        return Err(Error::InvalidJob);
+    }

-## JSON Handling
+    if job.is_cached() {
+        return Ok(job.cached_result());
+    }

-Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when storing/passing JSON without inspection:
+    // Main logic at the end, not nested
+    execute_job(job)
+}

-```rust
-pub struct Job {
-    pub args: Option<Box<serde_json::value::RawValue>>,
+// Avoid - deep nesting
+fn process_job(job: Option<Job>) -> Result<Output> {
+    if let Some(job) = job {
+        if job.is_valid() {
+            if !job.is_cached() {
+                execute_job(job)
+            } else {
+                Ok(job.cached_result())
+            }
+        } else {
+            Err(Error::InvalidJob)
+        }
+    } else {
+        Ok(Output::default())
+    }
 }
 ```

-Only use `serde_json::Value` when you need to inspect or modify the JSON.
+## Variable Shadowing

-## Serde Optimizations
+Shadow variables instead of creating new names with prefixes:

 ```rust
-#[derive(Serialize, Deserialize)]
-pub struct Job {
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub parent_job: Option<Uuid>,
-    #[serde(skip_serializing_if = "Vec::is_empty")]
-    pub tags: Vec<String>,
-    #[serde(default)]
-    pub priority: i32,
+// Preferred
+let data = fetch_raw_data();
+let data = parse(data);
+let data = validate(data)?;
+
+// Avoid
+let raw_data = fetch_raw_data();
+let parsed_data = parse(raw_data);
+let validated_data = validate(parsed_data)?;
+```
+
+## Minimal Comments
+
+- No inline comments explaining obvious code
+- No TODO/FIXME comments in committed code
+- Doc comments (`///`) only on public items
+- Let code be self-documenting through clear naming
+
+## Type Safety
+
+Use enums over boolean flags for clarity:
+
+```rust
+// Preferred
+enum JobStatus {
+    Pending,
+    Running,
+    Completed,
+}
+
+// Avoid
+struct Job {
+    is_running: bool,
+    is_completed: bool,
 }
 ```

-## Async & Concurrency
+## Pattern Matching

-Never block the async runtime. Use `spawn_blocking` for CPU-intensive work:
+Prefer explicit matching. Use wildcards strategically for fallback cases or ignored fields:

 ```rust
-let result = tokio::task::spawn_blocking(move || expensive_computation(&data)).await?;
+// Explicit matching preferred
+match status {
+    JobStatus::Pending => handle_pending(),
+    JobStatus::Running => handle_running(),
+    JobStatus::Completed => handle_completed(),
+}
+
+// Wildcards OK for fallback
+match result {
+    Ok(value) => process(value),
+    Err(_) => return default_value(),
+}
+
+// Wildcards OK for ignoring fields in destructuring
+let Point { x, y, .. } = point;
 ```

-**Mutex selection**: Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) for data protection. Only use `tokio::sync::Mutex` when holding locks across `.await` points.
+## Destructuring in Function Signatures

-Use `tokio::sync::mpsc` (bounded) for channels. Avoid `std::thread::sleep` in async contexts.
-
-## Module Structure & Visibility
-
- Use `pub(crate)` instead of `pub` when possible
- Place new code in the appropriate crate based on functionality
- API endpoints go in `windmill-api/src/` organized by domain
- Shared functionality goes in `windmill-common/src/`
-
-## Code Navigation
-
-Always use rust-analyzer LSP for go-to-definition, find-references, and type info. Do not guess at module paths.
-
-## Axum Handlers
-
-Destructure extractors directly in function signatures:
+Destructure structs directly in function parameters:

 ```rust
+// Preferred
 async fn process_job(
    Extension(db): Extension<DB>,
    Path((workspace, job_id)): Path<(String, Uuid)>,
    Query(pagination): Query<Pagination>,
-) -> Result<Json<Job>> { ... }
+) -> Result<Json<Job>> {
+    // ...
+}
+
+// Avoid
+async fn process_job(
+    db_ext: Extension<DB>,
+    path: Path<(String, Uuid)>,
+    query: Query<Pagination>,
+) -> Result<Json<Job>> {
+    let Extension(db) = db_ext;
+    let Path((workspace, job_id)) = path;
+    // ...
+}
 ```
+
+## Trait Implementations
+
+Use standard trait implementations to simplify conversions and reduce boilerplate:
+
+```rust
+// Implement From/Into for type conversions
+impl From<DbJob> for ApiJob {
+    fn from(db: DbJob) -> Self {
+        ApiJob {
+            id: db.id,
+            status: db.status.into(),
+        }
+    }
+}
+
+// Use TryFrom for fallible conversions
+impl TryFrom<String> for JobKind {
+    type Error = Error;
+    fn try_from(s: String) -> Result<Self, Self::Error> { ... }
+}
+```
+
+Apply `derive` macros to reduce boilerplate:
+
+```rust
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Job { ... }
+```
+
+## Module Structure
+
+- Use `pub(crate)` instead of `pub` when possible; expose only what needs exposing
+- Keep APIs small and expressive; avoid leaking internal types
+- Organize code into modules reflecting ownership and domain boundaries
+
+```rust
+// Prefer restricted visibility
+pub(crate) fn internal_helper() { ... }
+
+// Only pub for external API
+pub fn create_job(...) -> Result<Job> { ... }
+```
+
+## Code Navigation
+
+Always use rust-analyzer LSP for:
+- Go to definition
+- Find references
+- Type information
+- Import resolution
+
+Do not guess at module paths or type definitions.
+
+## JSON Handling
+
+Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when:
+- Storing JSON in the database (JSONB columns)
+- Passing JSON through without modification
+- The JSON structure doesn't need inspection
+
+```rust
+// Preferred - avoids parsing/serialization overhead
+pub struct Job {
+    pub id: Uuid,
+    pub args: Option<Box<serde_json::value::RawValue>>,
+}
+
+// Only use Value when you need to inspect/modify JSON
+let value: serde_json::Value = serde_json::from_str(&json)?;
+if let Some(field) = value.get("field") {
+    // modify or inspect
+}
+```
+
+## Serde Optimizations
+
+Use serde attributes to optimize serialization:
+
+```rust
+#[derive(Serialize, Deserialize)]
+pub struct Job {
+    #[serde(rename = "jobId")]
+    pub id: Uuid,
+
+    #[serde(default)]
+    pub priority: i32,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub parent_job: Option<Uuid>,
+
+    #[serde(skip_serializing_if = "Vec::is_empty")]
+    pub tags: Vec<String>,
+}
+```
+
+Prefer borrowing for zero-copy deserialization when lifetimes allow:
+
+```rust
+#[derive(Deserialize)]
+pub struct JobInput<'a> {
+    #[serde(borrow)]
+    pub workspace_id: Cow<'a, str>,
+
+    #[serde(borrow)]
+    pub script_path: &'a str,
+}
+```
+
+## SQLx Patterns
+
+**Never use `SELECT *`** - always list columns explicitly. This is critical for backwards compatibility when workers run behind the API server version:
+
+```rust
+// Preferred - explicit columns
+sqlx::query_as!(
+    Job,
+    "SELECT id, workspace_id, path, created_at FROM v2_job WHERE id = $1",
+    job_id
+)
+
+// Avoid - breaks when columns are added
+sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", job_id)
+```
+
+Use batch operations to minimize round trips:
+
+```rust
+// Preferred - single query with multiple values
+sqlx::query!(
+    "INSERT INTO job_logs (job_id, logs) VALUES ($1, $2), ($3, $4)",
+    id1, log1, id2, log2
+)
+
+// Avoid N+1 queries
+for id in ids {
+    sqlx::query!("SELECT ... WHERE id = $1", id).fetch_one(db).await?;
+}
+
+// Preferred - single query with IN clause
+sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
+```
+
+Use transactions for multi-step operations and parameterize all queries.
+
+## Async & Tokio Patterns
+
+Never block the async runtime. Use `spawn_blocking` for CPU-intensive or blocking I/O:
+
+```rust
+// Preferred - offload blocking work
+let result = tokio::task::spawn_blocking(move || {
+    expensive_computation(&data)
+}).await?;
+
+// Avoid - blocks the runtime
+let result = expensive_computation(&data);  // Don't do this in async
+```
+
+Use tokio primitives for sleep and channels:
+
+```rust
+use tokio::sync::mpsc;
+use tokio::time::sleep;
+
+// Avoid in async contexts
+use std::thread::sleep; // Blocks the runtime
+```
+
+Use bounded channels for backpressure:
+
+```rust
+// Preferred - bounded channel prevents overwhelming
+let (tx, rx) = tokio::sync::mpsc::channel(100);
+
+// Be careful with unbounded
+let (tx, rx) = tokio::sync::mpsc::unbounded_channel();
+```
+
+## Mutex Selection in Async Code
+
+**Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) over `tokio::sync::Mutex`** for protecting data in async code. The async mutex is more expensive and only needed when holding locks across `.await` points.
+
+```rust
+// Preferred for data protection - std mutex is faster
+use std::sync::Mutex;
+
+struct Cache {
+    data: Mutex<HashMap<String, Value>>,
+}
+
+impl Cache {
+    fn get(&self, key: &str) -> Option<Value> {
+        self.data.lock().unwrap().get(key).cloned()
+    }
+
+    fn insert(&self, key: String, value: Value) {
+        self.data.lock().unwrap().insert(key, value);
+    }
+}
+```
+
+**Use `tokio::sync::Mutex` only when you must hold the lock across `.await` points**, typically for IO resources like database connections:
+
+```rust
+use tokio::sync::Mutex;
+use std::sync::Arc;
+
+// Async mutex for IO resources held across await points
+let conn = Arc::new(Mutex::new(db_connection));
+
+async fn execute_query(conn: Arc<Mutex<DbConn>>, query: &str) {
+    let mut lock = conn.lock().await;
+    lock.execute(query).await;  // Lock held across .await
+}
+```
+
+**Common pattern**: Wrap `Arc<Mutex<...>>` in a struct with non-async methods that lock internally, keeping lock scope minimal:
+
+```rust
+struct SharedState {
+    inner: std::sync::Mutex<StateInner>,
+}
+
+impl SharedState {
+    fn update(&self, value: i32) {
+        self.inner.lock().unwrap().value = value;
+    }
+
+    fn get(&self) -> i32 {
+        self.inner.lock().unwrap().value
+    }
+}
+```
+
+**Alternative for IO resources**: Spawn a dedicated task to manage the resource and communicate via message passing:
+
+```rust
+let (tx, mut rx) = tokio::sync::mpsc::channel(32);
+
+tokio::spawn(async move {
+    while let Some(cmd) = rx.recv().await {
+        handle_io_command(&mut resource, cmd).await;
+    }
+});
+```
+
+## Build & Tooling
+
+Build speed tips:
+- Use `cargo check` during rapid iteration over `cargo build`
+- Minimize unnecessary dependencies and feature flags
--- a/.claude/skills/svelte-frontend/SKILL.md
+++ b/.claude/skills/svelte-frontend/SKILL.md
@@ -1,80 +0,0 @@
---
-name: svelte-frontend
-description: Svelte coding guidelines for the Windmill frontend. MUST use when writing or modifying code in the frontend directory.
---
-
-# Windmill Svelte Patterns
-
-Apply these Windmill-specific patterns when writing Svelte code in `frontend/`. For general Svelte 5 syntax (runes, snippets, event handling), use the Svelte MCP server.
-
-## Windmill UI Components (MUST use)
-
-Always use Windmill's design-system components. Never use raw HTML elements.
-
-### Buttons — `<Button>`
-
-```svelte
-<script>
-  import { Button } from '$lib/components/common'
-  import { ChevronLeft } from 'lucide-svelte'
-</script>
-
-<Button variant="default" onclick={handleClick}>Label</Button>
-<Button startIcon={{ icon: ChevronLeft }} iconOnly onclick={prev} />
-```
-
-Props: `variant?: 'accent' | 'accent-secondary' | 'default' | 'subtle'`, `unifiedSize?: 'sm' | 'md' | 'lg'`, `startIcon?: { icon: SvelteComponent }`, `iconOnly?: boolean`, `disabled?: boolean`
-
-### Text inputs — `<TextInput>`
-
-```svelte
-<script>
-  import { TextInput } from '$lib/components/common'
-</script>
-
-<TextInput bind:value={val} placeholder="Enter value" />
-```
-
-Props: `value?: string | number` (bindable), `placeholder?: string`, `disabled?: boolean`, `error?: string | boolean`, `size?: 'sm' | 'md' | 'lg'`
-
-### Selects — `<Select>`
-
-```svelte
-<script>
-  import Select from '$lib/components/select/Select.svelte'
-</script>
-
-<Select items={[{ label: 'Jan', value: 1 }]} bind:value={selected} />
-```
-
-Props: `items?: Array<{ label?: string; value: any }>`, `value` (bindable), `placeholder?: string`, `clearable?: boolean`, `size?: 'sm' | 'md' | 'lg'`
-
-### Icons — `lucide-svelte`
-
-Never write inline SVGs. Import from `lucide-svelte`:
-
-```svelte
-<script>
-  import { ChevronLeft, X } from 'lucide-svelte'
-</script>
-<ChevronLeft size={16} />
-```
-
-## Form Components
-
-Form components (TextInput, Toggle, Select, etc.) should use the unified size system when placed together.
-
-## Styling
-
- Use Tailwind CSS for all styling — no custom CSS
- Use Windmill's theming classes for colors/surfaces (see `frontend/brand-guidelines.md`)
- Read component props JSDoc before using them
-
-## Svelte MCP Server
-
-Use the Svelte MCP tools when working on Svelte code:
-
-1. **list-sections**: Call first to discover available docs
-2. **get-documentation**: Fetch relevant sections based on use_cases
-3. **svelte-autofixer**: MUST use on all Svelte code before finalizing — keep calling until no issues
-4. **playground-link**: Only after user confirms and code was NOT written to project files
--- a/.github/DockerfileBackendTests
+++ b/.github/DockerfileBackendTests
@@ -42,11 +42,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 RUN /usr/local/bin/python3 -m pip install pip-tools

 # Bun
-COPY --from=oven/bun:1.3.10 /usr/local/bin/bun /usr/bin/bun
-
-# Install windmill CLI
-RUN bun install -g windmill-cli \
-    && ln -s $(bun pm bin -g)/wmill /usr/bin/wmill
+COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun

 ARG TARGETPLATFORM

--- a/.github/change-versions-mac.sh
+++ b/.github/change-versions-mac.sh
@@ -15,8 +15,11 @@ sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescrip
 sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
 sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i '' -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
+sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i '' -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
+# sed -i '' -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill_pg/pyproject.toml
 sed -i '' -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
+sed -i '' -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

 sed -i '' -E "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock

--- a/.github/change-versions.sh
+++ b/.github/change-versions.sh
@@ -16,8 +16,11 @@ sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescript-c
 sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
 sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
+sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
+# sed -i -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
+sed -i -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

 sed -i -zE "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock

--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -31,3 +31,9 @@ updates:
    directory: "/python-client/wmill"
    schedule:
      interval: "weekly"
+      
+  # Maintain dependencies for wmill_pg python client
+  - package-ecosystem: "pip"
+    directory: "/python-client/wmill_pg"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/backend-check.yml
+++ b/.github/workflows/backend-check.yml
@@ -23,7 +23,7 @@ jobs:
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          cache: false
-          toolchain: 1.93.0
+          toolchain: 1.90.0
      - name: cargo check
        working-directory: ./backend
        timeout-minutes: 16
@@ -39,12 +39,12 @@ jobs:
      - name: install xmlsec1 and gssapi
        run: |
          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
+          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev mold clang

      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          cache: false
-          toolchain: 1.93.0
+          toolchain: 1.90.0
      - name: cargo check
        working-directory: ./backend
        timeout-minutes: 16
@@ -81,7 +81,7 @@ jobs:
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          cache: false
-          toolchain: 1.93.0
+          toolchain: 1.90.0
      - name: cargo check
        working-directory: ./backend
        timeout-minutes: 16
@@ -109,7 +109,7 @@ jobs:
      - name: install xmlsec1 and gssapi
        run: |
          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
+          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev mold clang

      - name: Substitute EE code (EE logic is behind feature flag)
        run: |
@@ -118,7 +118,7 @@ jobs:
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          cache-workspaces: backend
-          toolchain: 1.93.0
+          toolchain: 1.90.0
      - name: cargo check
        timeout-minutes: 16
        working-directory: ./backend
--- a/.github/workflows/backend-test-windows.yml
+++ b/.github/workflows/backend-test-windows.yml
@@ -1,165 +0,0 @@
-name: Backend integration tests (Windows)
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "ci-windows-tests"
-
-env:
-  CARGO_INCREMENTAL: 0
-  SQLX_OFFLINE: true
-  DISABLE_EMBEDDING: true
-
-jobs:
-  cargo_test_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Read EE repo commit hash
-        shell: pwsh
-        run: |
-          $ee_repo_ref = Get-Content .\backend\ee-repo-ref.txt
-          echo "ee_repo_ref=$ee_repo_ref" | Out-File -FilePath $env:GITHUB_ENV -Append
-
-      - name: Checkout windmill-ee-private repository
-        uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: Substitute EE code
-        shell: bash
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Setup PostgreSQL
-        uses: ikalnytskyi/action-setup-postgres@v6
-        with:
-          username: postgres
-          password: changeme
-          database: windmill
-          port: 5432
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "9.0.x"
-
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-
-      - uses: actions/setup-go@v2
-        with:
-          go-version: 1.21.5
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.10
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-
-      - uses: astral-sh/setup-uv@v6.2.1
-        with:
-          version: "0.9.24"
-
-      - uses: shivammathur/setup-php@v2
-        with:
-          php-version: "8.3"
-          tools: composer
-
-      - name: Install windmill CLI
-        shell: bash
-        run: |
-          cd cli
-          bash gen_wm_client.sh
-          bun install
-          mkdir -p "$HOME/.local/bin"
-          printf '#!/bin/sh\nexec bun run "%s/cli/src/main.ts" "$@"\n' "$GITHUB_WORKSPACE" > "$HOME/.local/bin/wmill"
-          chmod +x "$HOME/.local/bin/wmill"
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install OpenSSL via vcpkg
-        run: |
-          vcpkg.exe install openssl-windows:x64-windows
-          vcpkg.exe install openssl:x64-windows-static
-          vcpkg.exe integrate install
-
-      - name: Get runtime paths
-        id: runtime-paths
-        shell: pwsh
-        run: |
-          echo "DENO_PATH=$($(Get-Command deno).Source)" >> $env:GITHUB_OUTPUT
-          echo "BUN_PATH=$($(Get-Command bun).Source)" >> $env:GITHUB_OUTPUT
-          echo "NODE_BIN_PATH=$($(Get-Command node).Source)" >> $env:GITHUB_OUTPUT
-          echo "GO_PATH=$($(Get-Command go).Source)" >> $env:GITHUB_OUTPUT
-          echo "UV_PATH=$($(Get-Command uv).Source)" >> $env:GITHUB_OUTPUT
-          echo "PHP_PATH=$($(Get-Command php).Source)" >> $env:GITHUB_OUTPUT
-          echo "COMPOSER_PATH=$($(Get-Command composer).Source)" >> $env:GITHUB_OUTPUT
-          echo "POWERSHELL_PATH=$($(Get-Command pwsh).Source)" >> $env:GITHUB_OUTPUT
-          echo "DOTNET_PATH=$($(Get-Command dotnet).Source)" >> $env:GITHUB_OUTPUT
-
-      - name: Build DuckDB FFI module
-        working-directory: backend/windmill-duckdb-ffi-internal
-        timeout-minutes: 30
-        run: |
-          cargo build --release -p windmill_duckdb_ffi_internal
-          New-Item -ItemType Directory -Path ..\target\debug -Force
-          Copy-Item target\release\windmill_duckdb_ffi_internal.dll ..\target\debug\
-
-      - name: Print runtime versions and env
-        shell: pwsh
-        run: |
-          deno --version
-          bun -v
-          node --version
-          go version
-          python3 --version
-          php --version
-          pwsh --version
-          dotnet --version
-          echo "TEMP=$env:TEMP"
-          echo "TMP=$env:TMP"
-          echo "USERPROFILE=$env:USERPROFILE"
-          echo "HOME=$env:HOME"
-
-      - name: cargo test
-        working-directory: backend
-        timeout-minutes: 60
-        env:
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432/windmill
-          RUST_LOG: "off"
-          RUST_LOG_STYLE: never
-          CARGO_NET_GIT_FETCH_WITH_CLI: true
-          CARGO_BUILD_JOBS: 12
-          VCPKGRS_DYNAMIC: 1
-          OPENSSL_DIR: ${{ env.VCPKG_INSTALLATION_ROOT }}\installed\x64-windows-static
-          DENO_PATH: ${{ steps.runtime-paths.outputs.DENO_PATH }}
-          BUN_PATH: ${{ steps.runtime-paths.outputs.BUN_PATH }}
-          NODE_BIN_PATH: ${{ steps.runtime-paths.outputs.NODE_BIN_PATH }}
-          GO_PATH: ${{ steps.runtime-paths.outputs.GO_PATH }}
-          UV_PATH: ${{ steps.runtime-paths.outputs.UV_PATH }}
-          PHP_PATH: ${{ steps.runtime-paths.outputs.PHP_PATH }}
-          COMPOSER_PATH: ${{ steps.runtime-paths.outputs.COMPOSER_PATH }}
-          POWERSHELL_PATH: ${{ steps.runtime-paths.outputs.POWERSHELL_PATH }}
-          DOTNET_PATH: ${{ steps.runtime-paths.outputs.DOTNET_PATH }}
-          WMDEBUG_FORCE_V0_WORKSPACE_DEPENDENCIES: 1
-          WMDEBUG_FORCE_RUNNABLE_SETTINGS_V0: 1
-          WMDEBUG_FORCE_NO_LEGACY_DEBOUNCING_COMPAT: 1
-        run: >
-          cargo test
-          --no-fail-fast
-          --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,csharp,php,quickjs,mcp,run_inline
-          --all
-          -- --nocapture --test-threads=10
--- a/.github/workflows/backend-test.yml
+++ b/.github/workflows/backend-test.yml
@@ -55,7 +55,7 @@ jobs:
          go-version: 1.21.5
      - uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.10
+          bun-version: 1.3.8
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
@@ -70,24 +70,14 @@ jobs:
        with:
          ruby-version: "3.3"
          bundler-cache: false
-      - name: Install windmill CLI from source
-        run: |
-          cd $GITHUB_WORKSPACE/cli
-          bash gen_wm_client.sh
-          bun install
-          mkdir -p "$HOME/.local/bin"
-          printf '#!/bin/sh\nexec bun run "%s/cli/src/main.ts" "$@"\n' "$GITHUB_WORKSPACE" > "$HOME/.local/bin/wmill"
-          chmod +x "$HOME/.local/bin/wmill"
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-        working-directory: /
      - name: Install PowerShell, mold and clang
        run: |
-          sudo apt-get update && sudo apt-get install -y powershell mold clang libcurl4-openssl-dev
+          sudo apt-get update && sudo apt-get install -y powershell mold clang
        working-directory: /
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
+          cache: false
+          toolchain: 1.90.0
      - name: Read EE repo commit hash
        run: |
          echo "ee_repo_ref=$(cat ./ee-repo-ref.txt)" >> "$GITHUB_ENV"
@@ -175,12 +165,6 @@ jobs:
          fi

          echo "NPM_TOKEN=${NPM_TOKEN}" >> $GITHUB_ENV
-          {
-            echo "TEST_NPMRC<<NPMRC_EOF"
-            echo "@windmill-test:registry=http://localhost:4873/"
-            echo "//localhost:4873/:_authToken=${NPM_TOKEN}"
-            echo "NPMRC_EOF"
-          } >> $GITHUB_ENV
          echo "Got NPM token successfully: ${NPM_TOKEN:0:10}..."

          # Configure npm globally with the auth token
@@ -238,4 +222,4 @@ jobs:
        run: |
          deno --version && bun -v && node --version && go version && python3 --version && php --version && ruby --version && pwsh --version && dotnet --version
          cd windmill-duckdb-ffi-internal && ./build_dev.sh && cd ..
-          DENO_PATH=$(which deno) BUN_PATH=$(which bun) NODE_BIN_PATH=$(which node) GO_PATH=$(which go) UV_PATH=$(which uv) PHP_PATH=$(which php) COMPOSER_PATH=$(which composer) RUBY_PATH=$(which ruby) RUBY_BUNDLE_PATH=$(which bundle) RUBY_GEM_PATH=$(which gem) POWERSHELL_PATH=$(which pwsh) DOTNET_PATH=$(which dotnet) cargo test --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,private_registry_test,csharp,php,ruby,mysql,quickjs,mcp,run_inline --all -- --nocapture --test-threads=10
+          DENO_PATH=$(which deno) BUN_PATH=$(which bun) NODE_BIN_PATH=$(which node) GO_PATH=$(which go) UV_PATH=$(which uv) PHP_PATH=$(which php) COMPOSER_PATH=$(which composer) RUBY_PATH=$(which ruby) RUBY_BUNDLE_PATH=$(which bundle) RUBY_GEM_PATH=$(which gem) POWERSHELL_PATH=$(which pwsh) DOTNET_PATH=$(which dotnet) cargo test --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,private_registry_test,csharp,php,ruby,mysql,quickjs,mcp --all -- --nocapture --test-threads=16
--- a/.github/workflows/build-publish-rh-image.yml
+++ b/.github/workflows/build-publish-rh-image.yml
@@ -9,7 +9,7 @@ permissions: write-all

 jobs:
  build_ee:
-    runs-on: ubicloud-standard-4
+    runs-on: ubicloud
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/build-publish-rh8-image.yml
+++ b/.github/workflows/build-publish-rh8-image.yml
@@ -9,7 +9,7 @@ permissions: write-all

 jobs:
  build_ee:
-    runs-on: ubicloud-standard-4
+    runs-on: ubicloud
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/build_windows_worker_.yml
+++ b/.github/workflows/build_windows_worker_.yml
@@ -11,7 +11,7 @@ env:

 jobs:
  cargo_build_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
+    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

@@ -30,40 +30,33 @@ jobs:
          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
          fetch-depth: 0

-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Setup Rust
+        uses: actions-rs/toolchain@v1
        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
+          toolchain: 1.90.0
+          override: true

      - name: Substitute EE code
        shell: bash
        run: |
          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private

-      - name: Cargo check (fail fast on warnings)
-        timeout-minutes: 60
-        env:
-          RUSTFLAGS: "-D warnings"
-        run: |
-          mkdir frontend/build && cd backend
-          New-Item -Path . -Name "windmill-api/openapi-deref.yaml" -ItemType "File" -Force
-          cargo check --features=ee_windows
-
      - name: Cargo build dynamic libraries windows
-        timeout-minutes: 180
+        timeout-minutes: 90
        run: |
          cd backend/windmill-duckdb-ffi-internal
          cargo build --release -p windmill_duckdb_ffi_internal

      - name: Cargo build binary windows
-        timeout-minutes: 180
+        timeout-minutes: 90
        run: |
          vcpkg.exe install openssl-windows:x64-windows
          vcpkg.exe install openssl:x64-windows-static
          vcpkg.exe integrate install
          $env:VCPKGRS_DYNAMIC=1
          $env:OPENSSL_DIR="${Env:VCPKG_INSTALLATION_ROOT}\installed\x64-windows-static"
-          cd backend
+          mkdir frontend/build && cd backend
+          New-Item -Path . -Name "windmill-api/openapi-deref.yaml" -ItemType "File" -Force
          cargo build --release --features=ee_windows
      - name: Rename binary with corresponding architecture
        run: |
--- a/.github/workflows/check-org-membership.yml
+++ b/.github/workflows/check-org-membership.yml
@@ -4,10 +4,9 @@ on:
  workflow_call:
    inputs:
      commenter:
-        required: false
+        required: true
        type: string
-        default: ''
-        description: 'The username to check. Auto-detected from the event context if not provided.'
+        description: 'The username to check for organization membership'
      organization:
        required: false
        type: string
@@ -33,27 +32,11 @@ jobs:
    outputs:
      is_member: ${{ steps.check-membership.outputs.is_member }}
    steps:
-      - name: Determine commenter
-        id: determine-commenter
-        run: |
-          COMMENTER="${{ inputs.commenter }}"
-          if [[ -z "$COMMENTER" ]]; then
-            if [[ "${{ github.event_name }}" == "issue_comment" || \
-                  "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
-              COMMENTER="${{ github.event.comment.user.login }}"
-            elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
-              COMMENTER="${{ github.event.review.user.login }}"
-            else
-              COMMENTER="${{ github.event.issue.user.login }}"
-            fi
-          fi
-          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
-
      - name: Check organization membership
        id: check-membership
        env:
          ORG_ACCESS_TOKEN: ${{ secrets.access_token }}
-          COMMENTER: ${{ steps.determine-commenter.outputs.commenter }}
+          COMMENTER: ${{ inputs.commenter }}
          ORG: ${{ inputs.organization }}
          TRUSTED_BOT: ${{ inputs.trusted_bot }}
        run: |
--- a/.github/workflows/claude-fast.yml
+++ b/.github/workflows/claude-fast.yml
@@ -11,18 +11,40 @@ on:
    types: [submitted]

 jobs:
-  check-membership:
+  determine-commenter:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai-fast')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai-fast')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai-fast')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai-fast'))
+    runs-on: ubicloud-standard-2
+    outputs:
+      commenter: ${{ steps.determine-commenter.outputs.commenter }}
+    steps:
+      - name: Determine commenter
+        id: determine-commenter
+        run: |
+          # Work out who wrote the comment / review
+          if [[ "${{ github.event_name }}" == "issue_comment" || \
+                "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            COMMENTER="${{ github.event.comment.user.login }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            COMMENTER="${{ github.event.review.user.login }}"
+          else
+            COMMENTER="${{ github.event.issue.user.login }}"
+          fi
+          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
+
+  check-membership:
+    needs: determine-commenter
    uses: ./.github/workflows/check-org-membership.yml
+    with:
+      commenter: ${{ needs.determine-commenter.outputs.commenter }}
    secrets:
      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}

  claude-code-action:
-    needs: check-membership
+    needs: [determine-commenter, check-membership]
    if: |
      needs.check-membership.outputs.is_member == 'true'
    runs-on: ubicloud-standard-8
--- a/.github/workflows/claude-plan.yml
+++ b/.github/workflows/claude-plan.yml
@@ -11,18 +11,40 @@ on:
    types: [submitted]

 jobs:
-  check-membership:
+  determine-commenter:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/plan')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/plan')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/plan')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '/plan'))
+    runs-on: ubicloud-standard-2
+    outputs:
+      commenter: ${{ steps.determine-commenter.outputs.commenter }}
+    steps:
+      - name: Determine commenter
+        id: determine-commenter
+        run: |
+          # Work out who wrote the comment / review
+          if [[ "${{ github.event_name }}" == "issue_comment" || \
+                "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            COMMENTER="${{ github.event.comment.user.login }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            COMMENTER="${{ github.event.review.user.login }}"
+          else
+            COMMENTER="${{ github.event.issue.user.login }}"
+          fi
+          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
+
+  check-membership:
+    needs: determine-commenter
    uses: ./.github/workflows/check-org-membership.yml
+    with:
+      commenter: ${{ needs.determine-commenter.outputs.commenter }}
    secrets:
      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}

  claude-plan-action:
-    needs: check-membership
+    needs: [determine-commenter, check-membership]
    if: |
      needs.check-membership.outputs.is_member == 'true'
    runs-on: ubicloud-standard-4
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -11,18 +11,40 @@ on:
    types: [submitted]

 jobs:
-  check-membership:
+  determine-commenter:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai')) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai'))
+    runs-on: ubicloud-standard-2
+    outputs:
+      commenter: ${{ steps.determine-commenter.outputs.commenter }}
+    steps:
+      - name: Determine commenter
+        id: determine-commenter
+        run: |
+          # Work out who wrote the comment / review
+          if [[ "${{ github.event_name }}" == "issue_comment" || \
+                "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            COMMENTER="${{ github.event.comment.user.login }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            COMMENTER="${{ github.event.review.user.login }}"
+          else
+            COMMENTER="${{ github.event.issue.user.login }}"
+          fi
+          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
+
+  check-membership:
+    needs: determine-commenter
    uses: ./.github/workflows/check-org-membership.yml
+    with:
+      commenter: ${{ needs.determine-commenter.outputs.commenter }}
    secrets:
      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}

  claude-code-action:
-    needs: check-membership
+    needs: [determine-commenter, check-membership]
    if: |
      needs.check-membership.outputs.is_member == 'true'
    runs-on: ubicloud-standard-8
@@ -56,18 +78,18 @@ jobs:
      - name: install xmlsec1 and gssapi
        run: |
          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
+          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev

      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          cache-workspaces: backend
-          toolchain: 1.93.0
+          toolchain: 1.90.0

      - name: cargo check
        working-directory: ./backend
        timeout-minutes: 16
        run: |
-          SQLX_OFFLINE=true cargo check --features all_sqlx_features
+          SQLX_OFFLINE=true cargo check --features $(./all_features_oss.sh)

      - name: Run Claude PR Action
        uses: anthropics/claude-code-action@v1
@@ -97,7 +119,7 @@ jobs:
            - Fix all warnings and errors before proceeding

            **Backend Changes:**
-            - Run: \`cargo check --features all_sqlx_features\` in the backend directory
+            - Run: \`cargo check --features $(./all_features_oss.sh)\` in the backend directory
            - Fix all warnings and errors before proceeding

            **Pull Request Creation:**
--- a/.github/workflows/cli-tests.yml
+++ b/.github/workflows/cli-tests.yml
@@ -4,13 +4,13 @@ on:
  push:
    branches: [main]
    paths:
-      - "cli/**"
-      - ".github/workflows/cli-tests.yml"
+      - 'cli/**'
+      - '.github/workflows/cli-tests.yml'
  pull_request:
    branches: [main]
    paths:
-      - "cli/**"
-      - ".github/workflows/cli-tests.yml"
+      - 'cli/**'
+      - '.github/workflows/cli-tests.yml'

 env:
  CARGO_TERM_COLOR: always
@@ -23,15 +23,15 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Setup Deno
+        uses: denoland/setup-deno@v2
+        with:
+          deno-version: v2.x
+
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
+          node-version: '20'

      - name: Generate Windmill client
        working-directory: cli
@@ -69,10 +69,15 @@ jobs:
          cache: true
          cache-workspaces: backend

+      - name: Setup Deno
+        uses: denoland/setup-deno@v2
+        with:
+          deno-version: v2.x
+
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: '20'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -85,10 +90,6 @@ jobs:
      - name: Symlink Node to /usr/bin/node
        run: sudo ln -sf $(which node) /usr/bin/node

-      - name: Install dependencies
-        working-directory: cli
-        run: bun install
-
      - name: Generate Windmill clients
        working-directory: cli
        run: |
@@ -100,10 +101,12 @@ jobs:
        env:
          DATABASE_URL: postgres://postgres:changeme@localhost:5432
          CI_MINIMAL_FEATURES: "true"
-        run: bun test --timeout 120000 test/
+        run: |
+          deno test --no-check --allow-all test/ \
+            --ignore=test/cargo_backend_example.test.ts

  test-windows:
-    runs-on: blacksmith-16vcpu-windows-2025
+    runs-on: windows-latest

    steps:
      - name: Checkout code
@@ -123,10 +126,15 @@ jobs:
          cache: true
          cache-workspaces: backend

+      - name: Setup Deno
+        uses: denoland/setup-deno@v2
+        with:
+          deno-version: v2.x
+
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: '20'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -142,10 +150,6 @@ jobs:
          echo "BUN_PATH=$bunPath" >> $env:GITHUB_OUTPUT
          echo "NODE_BIN_PATH=$nodePath" >> $env:GITHUB_OUTPUT

-      - name: Install dependencies
-        working-directory: cli
-        run: bun install
-
      - name: Generate Windmill clients
        working-directory: cli
        shell: bash
@@ -161,7 +165,9 @@ jobs:
          CI_MINIMAL_FEATURES: "true"
          BUN_PATH: ${{ steps.runtime-paths.outputs.BUN_PATH }}
          NODE_BIN_PATH: ${{ steps.runtime-paths.outputs.NODE_BIN_PATH }}
-        run: bun test --timeout 120000 test/
+        run: |
+          deno test --no-check --allow-all test/ `
+            --ignore=test/cargo_backend_example.test.ts

  # Combined summary job for branch protection
  test-summary:
--- a/.github/workflows/create-docs.yml
+++ b/.github/workflows/create-docs.yml
@@ -0,0 +1,39 @@
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check-membership:
+    if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/docs') }}
+    uses: ./.github/workflows/check-org-membership.yml
+    with:
+      commenter: ${{ github.event.comment.user.login }}
+    secrets:
+      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
+
+  generate-token:
+    needs: check-membership
+    if: ${{ needs.check-membership.outputs.is_member == 'true' }}
+    runs-on: ubicloud-standard-2
+    outputs:
+      app_token: ${{ steps.app.outputs.token }}
+    steps:
+      - name: Generate an installation token
+        id: app
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.INTERNAL_APP_ID }}
+          private-key: ${{ secrets.INTERNAL_APP_KEY }}
+          owner: windmill-labs
+
+  trigger-docs:
+    needs: [generate-token, check-membership]
+    if: ${{ needs.check-membership.outputs.is_member == 'true' }}
+    uses: windmill-labs/windmilldocs/.github/workflows/create-docs.yml@main
+    with:
+      pr_number: ${{ github.event.issue.number }}
+      repo: ${{ github.event.repository.name }}
+      comment_text: ${{ github.event.comment.body }}
+    secrets:
+      DOCS_TOKEN: ${{ needs.generate-token.outputs.app_token }}
+      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
--- a/.github/workflows/discord-notification.yml
+++ b/.github/workflows/discord-notification.yml
@@ -6,10 +6,6 @@ on:
      - opened
      - ready_for_review
      - closed
-  issue_comment:
-    types:
-      - created
-      - edited

 jobs:
  notify_discord_when_pr_opened:
@@ -37,22 +33,3 @@ jobs:
      PR_NUMBER: ${{ github.event.pull_request.number }}
    secrets:
      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-  notify_discord_on_comment:
-    if: >
-      github.event_name == 'issue_comment'
-      && github.event.issue.pull_request
-      && github.event.comment.user.login != 'cloudflare-workers-and-pages[bot]'
-      && github.event.comment.user.login != 'ellipsis-dev[bot]'
-    uses: ./.github/workflows/shareable-discord-notification.yml
-    with:
-      PR_STATUS: "comment"
-      PR_NUMBER: ${{ github.event.issue.number }}
-      COMMENT_BODY: ${{ github.event.comment.body }}
-      COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-      COMMENT_URL: ${{ github.event.comment.html_url }}
-      COMMENT_IS_EDIT: ${{ github.event.action == 'edited' }}
-      DISCORD_CHANNEL_ID: "1372204995868491786"
-      DISCORD_GUILD_ID: "930051556043276338"
-    secrets:
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
--- a/.github/workflows/git-commands.yaml
+++ b/.github/workflows/git-commands.yaml
@@ -5,21 +5,8 @@ on:
    types: [created]

 jobs:
-  check-membership:
-    if: >-
-      github.event.issue.pull_request && (
-        startsWith(github.event.comment.body, '/updatesqlx') ||
-        startsWith(github.event.comment.body, '/demo') ||
-        startsWith(github.event.comment.body, '/eeref') ||
-        startsWith(github.event.comment.body, '/docs')
-      )
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
  update-sqlx:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/updatesqlx')
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/updatesqlx')
    runs-on: ubicloud-standard-8
    permissions:
      contents: write
@@ -75,17 +62,17 @@ jobs:
          path: windmill-ee-private
          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}

-      # Setup Rust toolchain
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      # Cache rust dependencies
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
+          workspaces: "./backend -> target"

      - name: Install xmlsec and gssapi build-time deps
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends \
-            pkg-config libxml2-dev libssl-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang \
+            pkg-config libxml2-dev libssl-dev libkrb5-dev \
            xmlsec1 libxmlsec1-dev libxmlsec1-openssl

      - name: Run update-sqlx script
@@ -134,8 +121,7 @@ jobs:
            })

  demo:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/demo')
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/demo')
    runs-on: ubicloud-standard-2
    permissions:
      contents: read
@@ -214,8 +200,7 @@ jobs:
          fi

  update-ee-ref:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/eeref')
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/eeref')
    runs-on: ubicloud-standard-2
    permissions:
      contents: write
@@ -298,35 +283,3 @@ jobs:
              repo: context.repo.repo,
              body: 'Successfully updated ee-repo-ref.txt'
            })
-
-  update-docs:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/docs')
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-    steps:
-      - uses: actions/create-github-app-token@v2
-        id: app
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: |
-            windmilldocs
-
-      - name: Trigger docs update
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-          COMMENT_TEXT: ${{ github.event.comment.body }}
-        run: |
-          jq -n \
-            --argjson pr_number ${{ github.event.issue.number }} \
-            --arg repo "${{ github.event.repository.name }}" \
-            --arg comment "$COMMENT_TEXT" \
-            '{event_type: "create-docs", client_payload: {pr_number: $pr_number, repo: $repo, comment_text: $comment}}' | \
-          gh api repos/windmill-labs/windmilldocs/dispatches \
-            --method POST \
-            --input -
--- a/.github/workflows/npm_on_release.yml
+++ b/.github/workflows/npm_on_release.yml
@@ -25,9 +25,9 @@ jobs:
        with:
          node-version: "20.x"
          registry-url: "https://registry.npmjs.org"
-      - uses: oven-sh/setup-bun@v2
+      - uses: denoland/setup-deno@v2
        with:
-          bun-version: latest
+          deno-version: v2.x
      - run: cd cli && ./build.sh && cd npm && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/publish_windows_worker.yml
+++ b/.github/workflows/publish_windows_worker.yml
@@ -13,7 +13,7 @@ env:

 jobs:
  cargo_build_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
+    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

@@ -32,10 +32,11 @@ jobs:
          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
          fetch-depth: 0

-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Setup Rust
+        uses: actions-rs/toolchain@v1
        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
+          toolchain: 1.90.0
+          override: true

      - name: Substitute EE code
        shell: bash
@@ -43,13 +44,13 @@ jobs:
          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private

      - name: Cargo build dynamic libraries windows
-        timeout-minutes: 180
+        timeout-minutes: 90
        run: |
          cd backend/windmill-duckdb-ffi-internal
          cargo build --release -p windmill_duckdb_ffi_internal

      - name: Cargo build windows
-        timeout-minutes: 180
+        timeout-minutes: 90
        run: |
          vcpkg.exe install openssl-windows:x64-windows
          vcpkg.exe install openssl:x64-windows-static
--- a/.github/workflows/shareable-discord-notification.yml
+++ b/.github/workflows/shareable-discord-notification.yml
@@ -24,26 +24,9 @@ on:
      DISCORD_GUILD_ID:
        description: "The Discord guild ID"
        type: string
-      COMMENT_BODY:
-        description: "The comment body"
-        type: string
-        default: ""
-      COMMENT_AUTHOR:
-        description: "The comment author"
-        type: string
-        default: ""
-      COMMENT_URL:
-        description: "The comment URL"
-        type: string
-        default: ""
-      COMMENT_IS_EDIT:
-        description: "Whether this is an edit of an existing comment"
-        type: string
-        default: "false"
    secrets:
      DISCORD_WEBHOOK_URL:
        description: "Discord Webhook URL"
-        required: false
      DISCORD_BOT_TOKEN:
        description: "Discord Bot Token"

@@ -134,81 +117,3 @@ jobs:
          curl -X PUT \
            -H "Authorization: Bot $BOT_TOKEN" \
            "https://discord.com/api/v10/channels/$thread_id/messages/$message_id/reactions/%E2%9C%85/@me"
-
-  post_comment:
-    runs-on: ubuntu-latest
-    if: ${{ inputs.PR_STATUS == 'comment' }}
-    steps:
-      - name: Post or update comment in Discord thread
-        env:
-          BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
-          CHANNEL_ID: ${{ inputs.DISCORD_CHANNEL_ID }}
-          GUILD_ID: ${{ inputs.DISCORD_GUILD_ID }}
-          PR_NUMBER: ${{ inputs.PR_NUMBER }}
-          COMMENT_BODY: ${{ inputs.COMMENT_BODY }}
-          COMMENT_AUTHOR: ${{ inputs.COMMENT_AUTHOR }}
-          COMMENT_URL: ${{ inputs.COMMENT_URL }}
-          COMMENT_IS_EDIT: ${{ inputs.COMMENT_IS_EDIT }}
-        run: |
-          # 1) Find the thread by PR number
-          threads=$(curl -s -H "Authorization: Bot $BOT_TOKEN" \
-            "https://discord.com/api/v10/guilds/${GUILD_ID}/threads/active")
-          thread_id=$(echo "$threads" | jq -r \
-            --arg cid "$CHANNEL_ID" \
-            --arg pref "#${PR_NUMBER}:" \
-            '.threads[] | select(.parent_id == $cid and (.name | startswith($pref))) | .id')
-
-          if [ -z "$thread_id" ]; then
-            echo "Thread not found for PR #${PR_NUMBER}, skipping"
-            exit 0
-          fi
-
-          # 2) Truncate comment body to fit Discord's 2000 char limit
-          # Reserve space for the author line + link (~100 chars)
-          max_body=1800
-          if [ ${#COMMENT_BODY} -gt $max_body ]; then
-            # For bot comments, show the tail (conclusions/code tend to be at the end)
-            if [[ "$COMMENT_AUTHOR" == *"[bot]"* ]] || [[ "$COMMENT_AUTHOR" == *"-bot"* ]]; then
-              truncated_body="...${COMMENT_BODY: -$max_body}"
-            else
-              truncated_body="${COMMENT_BODY:0:$max_body}..."
-            fi
-          else
-            truncated_body="$COMMENT_BODY"
-          fi
-
-          # 3) Build the message content
-          if [ "$COMMENT_IS_EDIT" = "true" ]; then
-            message=$(printf '**%s** [edited comment](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
-          else
-            message=$(printf '**%s** [commented](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
-          fi
-          payload=$(jq -n --arg content "$message" '{content: $content, flags: 4, allowed_mentions: {parse: []}}')
-
-          # 4) If this is an edit, try to find and update the existing Discord message
-          if [ "$COMMENT_IS_EDIT" = "true" ]; then
-            # Search recent messages in the thread for one containing the comment URL
-            messages=$(curl -s -H "Authorization: Bot $BOT_TOKEN" \
-              "https://discord.com/api/v10/channels/${thread_id}/messages?limit=100")
-            existing_msg_id=$(echo "$messages" | jq -r \
-              --arg url "$COMMENT_URL" \
-              '[.[] | select(.content | contains($url))] | first | .id // empty')
-
-            if [ -n "$existing_msg_id" ]; then
-              echo "Updating existing Discord message $existing_msg_id"
-              curl -s -X PATCH \
-                -H "Authorization: Bot $BOT_TOKEN" \
-                -H "Content-Type: application/json" \
-                -d "$payload" \
-                "https://discord.com/api/v10/channels/${thread_id}/messages/${existing_msg_id}"
-              exit 0
-            fi
-            echo "Original Discord message not found, posting as new message"
-          fi
-
-          # 5) Post a new message to the thread
-          curl -s -X POST \
-            -H "Authorization: Bot $BOT_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d "$payload" \
-            "https://discord.com/api/v10/channels/${thread_id}/messages"
--- a/.github/workflows/spawn-ephemeral-backend.yml
+++ b/.github/workflows/spawn-ephemeral-backend.yml
@@ -13,16 +13,38 @@ on:
        type: number

 jobs:
-  check-membership:
+  determine-commenter:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/spawnbackend')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/spawnbackend'))
+    runs-on: ubicloud-standard-2
+    outputs:
+      commenter: ${{ steps.determine-commenter.outputs.commenter }}
+    steps:
+      - name: Determine commenter
+        id: determine-commenter
+        run: |
+          # Work out who wrote the comment / review
+          if [[ "${{ github.event_name }}" == "issue_comment" || \
+                "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            COMMENTER="${{ github.event.comment.user.login }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            COMMENTER="${{ github.event.review.user.login }}"
+          else
+            COMMENTER="${{ github.event.issue.user.login }}"
+          fi
+          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
+
+  check-membership:
+    needs: determine-commenter
    uses: ./.github/workflows/check-org-membership.yml
+    with:
+      commenter: ${{ needs.determine-commenter.outputs.commenter }}
    secrets:
      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}

  spawn-backend:
-    needs: check-membership
+    needs: [determine-commenter, check-membership]
    # Only run on PR comments that contain /spawn-backend, or manual dispatch
    if: |
      github.event_name == 'workflow_dispatch' ||
--- a/.gitignore
+++ b/.gitignore
@@ -14,16 +14,8 @@ backend/.minio-data
 !.aiderignore
 rust-client/Cargo.toml

-# Worktree-generated port isolation
-.env.local
-
-# Worktree-specific Claude Code settings (generated by scripts/worktree-env)
-.claude/settings.local.json
-
 # Symlinked cache directories (for git worktrees)
 backend/target
 frontend/node_modules
 typescript-client/node_modules
 frontend/.svelte-kit
-backend/chrome_profiler.json
-.fast-check/
--- a/.wmdev.yaml
+++ b/.wmdev.yaml
@@ -1,113 +0,0 @@
-name: Windmill
-
-startupEnvs:
-  CARGO_FEATURES: "quickjs"
-  WM_CLONE_DB: false
-  USE_RUST_PLUGIN: false
-
-services:
-  - name: BE
-    portEnv: BACKEND_PORT
-  - name: FE
-    portEnv: FRONTEND_PORT
-
-profiles:
-  default:
-    name: default
-
-  sandbox:
-    name: sandbox
-    image: windmill-sandbox
-    envPassthrough:
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - R2_ENDPOINT
-      - R2_BUCKET
-      - R2_PUBLIC_URL
-    extraMounts:
-      - hostPath: ~/.ssh
-        guestPath: /root/.ssh
-        writable: true
-      - hostPath: ~/.codex
-        guestPath: /root/.codex
-        writable: true
-      - hostPath: ~/windmill-ee-private
-        writable: true
-      - hostPath: ~/windmill-ee-private__worktrees
-        writable: true
-    systemPrompt: >
-      You are running inside a sandboxed container with full permissions.
-      This worktree is configured with the following ports:
-
-      - Backend: port ${BACKEND_PORT}.
-        Start with: cd backend && PORT=${BACKEND_PORT}
-        DATABASE_URL=postgres://postgres:changeme@localhost:5432/windmill
-        cargo watch -x run
-
-      - Frontend: port ${FRONTEND_PORT}.
-        Start with: cd frontend && REMOTE=http://localhost:${BACKEND_PORT}
-        npm run dev -- --port ${FRONTEND_PORT} --host 0.0.0.0
-
-      --- Screenshots ---
-      You can take screenshots of the frontend UI and upload them to R2
-      for use in PR descriptions.
-      1) Take a screenshot:
-         bunx playwright screenshot --browser chromium
-         http://localhost:${FRONTEND_PORT}/path/to/page /tmp/screenshot.png
-      2) Upload to R2:
-         aws s3 cp /tmp/screenshot.png
-         "s3://$(printenv R2_BUCKET)/$(git rev-parse --abbrev-ref HEAD)/screenshot.png"
-         --endpoint-url "$(printenv R2_ENDPOINT)"
-      3) The public URL will be:
-         $(printenv R2_PUBLIC_URL)/<branch>/screenshot.png
-      4) Include in PR descriptions using markdown image syntax.
-
-      --- Terminal Recordings (asciinema) ---
-      You can record terminal sessions and upload them for sharing.
-      asciinema is available on PATH.
-
-      1) Write a shell script with the commands to demo. Add sleep
-          delays for readable pacing:
-          - 0.5s after printing a "$ command" line (lets viewer read it)
-          - 1.5-2s after command output (lets viewer absorb the result)
-          - Set GIT_PAGER=cat and PAGER=cat to prevent pager hangs
-
-      2) Record headlessly:
-          asciinema rec --headless --overwrite \
-            -c "bash /tmp/demo.sh" \
-            --window-size 120x50 \
-            --title "Description of demo" \
-            /tmp/demo.cast
-
-      3) Upload to asciinema.org:
-          XDG_DATA_HOME=/tmp/.local/share \
-            asciinema upload --server-url https://asciinema.org /tmp/demo.cast
-
-      --- Mermaid Diagrams ---
-      You can render Mermaid diagrams to SVG using the pre-installed mmdc CLI.
-      The puppeteer config (no-sandbox + Chromium path) is at /root/.puppeteerrc.json.
-
-      1) Write a .mmd file with your diagram:
-          cat > /tmp/diagram.mmd << 'EOF'
-          graph TD
-            A[Start] --> B[End]
-          EOF
-
-      2) Render to SVG (the -p flag is required):
-          mmdc -i /tmp/diagram.mmd -o /tmp/diagram.svg -p /root/.puppeteerrc.json
-
-      3) Upload to R2:
-          aws s3 cp /tmp/diagram.svg
-          "s3://$(printenv R2_BUCKET)/$(git rev-parse --abbrev-ref HEAD)/diagram.svg"
-          --endpoint-url "$(printenv R2_ENDPOINT)"
-
-      4) The public URL will be:
-          $(printenv R2_PUBLIC_URL)/<branch>/diagram.svg
-
-      5) Include in PR descriptions using markdown image syntax.
-
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
-
-linkedRepos:
-  - repo: windmill-labs/windmill-ee-private
-    alias: ee
--- a/.workmux.yaml
+++ b/.workmux.yaml
@@ -1,73 +0,0 @@
-main_branch: main
-
-merge_strategy: rebase
-# worktree_dir: .worktrees
-
-worktree_naming: basename
-
-worktree_prefix: ""
-
-# Default: "wm-"
-window_prefix: "wm-"
-
-auto_name:
-  model: "gemini-2.5-flash-lite"
-  system_prompt: |
-    Generate a concise git branch name based on the task description.
-
-    Rules:
-    - Use kebab-case (lowercase with hyphens)
-    - Keep it short: 1-3 words, max 4 if necessary
-    - Focus on the core task/feature, not implementation details
-    - No prefixes like feat/, fix/, chore/
-
-    Examples of good branch names:
-    - "Add dark mode toggle" → dark-mode
-    - "Fix the search results not showing" → fix-search
-    - "Refactor the authentication module" → auth-refactor
-    - "Add CSV export to reports" → export-csv
-    - "Shell completion is broken" → shell-completion
-
-    Output ONLY the branch name, nothing else.
-  background: true
-
-
-# Commands to run in new worktree before tmux window opens.
-# These block window creation - use for short tasks only.
-# Use "<global>" to inherit from global config.
-# Set to empty list to disable: `post_create: []`
-# post_create:
-#   - "<global>"
-#   - mise use
-post_create:
-  - ./scripts/worktree-env
-
-pre_remove:
-  - ./scripts/worktree-cleanup
-
-panes:
-  - command: >-
-      claude --dangerously-skip-permissions  --append-system-prompt
-      "You are running inside a tmux session with other panes running services.\n
-      Pane layout (current window):\n
-      - Pane 0: this pane (claude agent)\n
-      - Pane 1: backend (cargo watch -x run)\n
-      - Pane 2: frontend (npm run dev)\n\n
-      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).\n
-      When restarting backend or frontend, make sure to use the ports listed in .env.local.\n
-      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check.\n\n
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work."
-    focus: true
-  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"'
-    split: horizontal
-  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/frontend" && npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0'
-    split: vertical
-
-files:
-  copy:
-    - backend/.env
-    - scripts/
-
-sandbox:
-  enabled: false
-  toolchain: off
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,559 +1,5 @@
 # Changelog

-## [1.651.1](https://github.com/windmill-labs/windmill/compare/v1.651.0...v1.651.1) (2026-03-05)
-
-
-### Bug Fixes
-
-* prevent slow loading toast interval from leaking on promise cancellation ([#8240](https://github.com/windmill-labs/windmill/issues/8240)) ([2e582b1](https://github.com/windmill-labs/windmill/commit/2e582b1bc1c299388a3c97cfddff9d0eb92858f2))
-* suppress unused variable warnings on windows builds ([#8241](https://github.com/windmill-labs/windmill/issues/8241)) ([2d58382](https://github.com/windmill-labs/windmill/commit/2d583826dc065c05684d4cd1d1510f0d1f2d9ae9))
-
-## [1.651.0](https://github.com/windmill-labs/windmill/compare/v1.650.0...v1.651.0) (2026-03-05)
-
-
-### Features
-
-* add sandbox annotations, volume mounts, for AI sandbox starting with claude ([#8058](https://github.com/windmill-labs/windmill/issues/8058)) ([5f0ef93](https://github.com/windmill-labs/windmill/commit/5f0ef936d1d5d07d01c8e07e26ec254feebef8fb))
-* hash-based MCP tool names for long paths ([#8133](https://github.com/windmill-labs/windmill/issues/8133)) ([ce041e8](https://github.com/windmill-labs/windmill/commit/ce041e8a5e7ff105df389875d9981f3843d4ce39))
-
-
-### Bug Fixes
-
-* **python-client:** add delete_s3_object ([#8216](https://github.com/windmill-labs/windmill/issues/8216)) ([90f4c64](https://github.com/windmill-labs/windmill/commit/90f4c64ee12e1d04ce846ff88d6658f667e194e0))
-* update CLI bun template to match UI template ([#8238](https://github.com/windmill-labs/windmill/issues/8238)) ([a8cbe93](https://github.com/windmill-labs/windmill/commit/a8cbe9396ffc51140dce5582d57f4dc59873304e))
-* write fallback package.json for codebase mode nsjail ([#8239](https://github.com/windmill-labs/windmill/issues/8239)) ([d46913b](https://github.com/windmill-labs/windmill/commit/d46913b74a0ffd41d2323e0355cc81954f09e29d))
-
-## [1.650.0](https://github.com/windmill-labs/windmill/compare/v1.649.0...v1.650.0) (2026-03-05)
-
-
-### Features
-
-* add move, delete, and duplicate to flow node context menu ([#8050](https://github.com/windmill-labs/windmill/issues/8050)) ([c0c9388](https://github.com/windmill-labs/windmill/commit/c0c9388415716ce77d841bd08a46f94e0a529685))
-* add variable and resource types to flow env variables ([#8214](https://github.com/windmill-labs/windmill/issues/8214)) ([164e499](https://github.com/windmill-labs/windmill/commit/164e499c64dc5eb76fcfb0f8cefbad2df244f610))
-* Ducklake typechecker ([#8118](https://github.com/windmill-labs/windmill/issues/8118)) ([53caecf](https://github.com/windmill-labs/windmill/commit/53caecf1da8d76e246178dfb9b86d330f0ec52fd))
-* make WINDMILL_DIR configurable via environment variable ([#8215](https://github.com/windmill-labs/windmill/issues/8215)) ([424ca59](https://github.com/windmill-labs/windmill/commit/424ca59dfe3e730f5388d9cac4ea7e69773614d3))
-* make WM_END_USER_EMAIL display users from different workspaces ([#8208](https://github.com/windmill-labs/windmill/issues/8208)) ([baf2bcf](https://github.com/windmill-labs/windmill/commit/baf2bcf14da0c8c95bdbbf511fcaee48be33948b))
-* persistent Db manager state in URI ([#8134](https://github.com/windmill-labs/windmill/issues/8134)) ([4bf827b](https://github.com/windmill-labs/windmill/commit/4bf827bea4d44aca8c5ff7aa67ad449dbcf00673))
-* replace hub error toasts with warning alerts and add disable hub setting ([#8225](https://github.com/windmill-labs/windmill/issues/8225)) ([63ebae8](https://github.com/windmill-labs/windmill/commit/63ebae8829a6dc47a4e23c8670b514f042c9d4be))
-* token expiration notifications ([#8190](https://github.com/windmill-labs/windmill/issues/8190)) ([e56ccd2](https://github.com/windmill-labs/windmill/commit/e56ccd200be29e6ac8ea2b04a341b1ce78a307f6))
-
-
-### Bug Fixes
-
-* handle multipart stream errors gracefully instead of panicking ([#8226](https://github.com/windmill-labs/windmill/issues/8226)) ([19c065b](https://github.com/windmill-labs/windmill/commit/19c065bed5468c484c8e7a50a6b79ab90153cc0e))
-* improve windows compatibility ([077779e](https://github.com/windmill-labs/windmill/commit/077779ec52f7d3e5fcc93951544bf47bd6dc30b6))
-* wrap set_encryption_key in a single database transaction ([#8212](https://github.com/windmill-labs/windmill/issues/8212)) ([62382fd](https://github.com/windmill-labs/windmill/commit/62382fd2869ea0190dd0c0b714f9cbd35ceddd7a))
-
-## [1.649.0](https://github.com/windmill-labs/windmill/compare/v1.648.0...v1.649.0) (2026-03-03)
-
-
-### Features
-
-* **frontend:** add script recorder for offline replay ([#8200](https://github.com/windmill-labs/windmill/issues/8200)) ([c97d8b4](https://github.com/windmill-labs/windmill/commit/c97d8b4715f86ea83ab2c0223ba859ced690829a))
-* move index management out of /srch/, add storage size reporting ([#8169](https://github.com/windmill-labs/windmill/issues/8169)) ([ee01acd](https://github.com/windmill-labs/windmill/commit/ee01acd9a6a2cd68a3f226988bfb46f6a6e64c08))
-
-
-### Bug Fixes
-
-* clean up slow-load toast interval on component destroy ([#8207](https://github.com/windmill-labs/windmill/issues/8207)) ([26f4f2b](https://github.com/windmill-labs/windmill/commit/26f4f2b399b828185b553289d6560e12261030a3))
-* **frontend:** prevent subflow expansion from hiding all insertion points ([#8203](https://github.com/windmill-labs/windmill/issues/8203)) ([e97da86](https://github.com/windmill-labs/windmill/commit/e97da860672171e33054a77d71f4824bb09e540d))
-* gracefully handle malformed OAuth entries in instance config ([#8205](https://github.com/windmill-labs/windmill/issues/8205)) ([cac4bdd](https://github.com/windmill-labs/windmill/commit/cac4bdd54f0c3ea80844ac31f7597f418ff7d8ae))
-* skip stop_after_if evaluation for skipped (identity) flow steps ([#8201](https://github.com/windmill-labs/windmill/issues/8201)) ([e6f7775](https://github.com/windmill-labs/windmill/commit/e6f7775d4d9a052aefc37260c6ed161146841cd7))
-* use exact matching for python requirements directive parsing ([#8199](https://github.com/windmill-labs/windmill/issues/8199)) ([2b2be38](https://github.com/windmill-labs/windmill/commit/2b2be38f129bbe58b6bb3815c4bd94aa03a3da90))
-
-
-### Performance Improvements
-
-* use two-step query in input history to leverage v2_job index ([#8197](https://github.com/windmill-labs/windmill/issues/8197)) ([50defdd](https://github.com/windmill-labs/windmill/commit/50defdded113b4d2cf0991b3fb642d1cd9a462b7))
-
-## [1.648.0](https://github.com/windmill-labs/windmill/compare/v1.647.2...v1.648.0) (2026-03-02)
-
-
-### Features
-
-* add right-click context menu to ObjectViewer ([#8181](https://github.com/windmill-labs/windmill/issues/8181)) ([1855204](https://github.com/windmill-labs/windmill/commit/18552046c29878b5cf115b9364c2ce829ab7aa59))
-* **frontend:** add drag-and-drop node movement in flow editor ([#8076](https://github.com/windmill-labs/windmill/issues/8076)) ([7a5e487](https://github.com/windmill-labs/windmill/commit/7a5e48787860c38aa3589c49ea9a70654d479c8a))
-
-
-### Bug Fixes
-
-* don't insert underscore after digit in PascalCase to snake_case conversion ([#8184](https://github.com/windmill-labs/windmill/issues/8184)) ([a111653](https://github.com/windmill-labs/windmill/commit/a111653c6d32fd1a3d2f45351eceb8d8d7df6f41))
-* **frontend:** preserve keycloak realm url between instance settings saves ([#8189](https://github.com/windmill-labs/windmill/issues/8189)) ([cfd9541](https://github.com/windmill-labs/windmill/commit/cfd9541ab1daf635c7d801cd3a7788db57b98257))
-* preserve debouncing settings for post-preprocessing arg accumulation ([#8191](https://github.com/windmill-labs/windmill/issues/8191)) ([9e92445](https://github.com/windmill-labs/windmill/commit/9e92445faed1a10b2406b97562e8df7a5b2dfd76))
-
-## [1.647.2](https://github.com/windmill-labs/windmill/compare/v1.647.1...v1.647.2) (2026-03-02)
-
-
-### Bug Fixes
-
-* update oracle instant client arm64 download url ([#8179](https://github.com/windmill-labs/windmill/issues/8179)) ([758b35f](https://github.com/windmill-labs/windmill/commit/758b35f8ebbf78e1473a8fd83dbc795d58b23b80))
-
-## [1.647.1](https://github.com/windmill-labs/windmill/compare/v1.647.0...v1.647.1) (2026-03-02)
-
-
-### Bug Fixes
-
-* add missing display_name and tenant fields to instance config OAuthClient ([#8176](https://github.com/windmill-labs/windmill/issues/8176)) ([db44b8b](https://github.com/windmill-labs/windmill/commit/db44b8be74e1709dbf759dd391bdb3861b3c711b))
-* add missing grant_types field to instance config OAuth structs ([#8175](https://github.com/windmill-labs/windmill/issues/8175)) ([fca94f8](https://github.com/windmill-labs/windmill/commit/fca94f88dd796db66e0c5bd0225e23b92efce4a7))
-* show sync endpoint timeout setting on all instances ([#8170](https://github.com/windmill-labs/windmill/issues/8170)) ([c70307d](https://github.com/windmill-labs/windmill/commit/c70307d3f2dfe61a0250dd12234470a25baf2d1b))
-
-## [1.647.0](https://github.com/windmill-labs/windmill/compare/v1.646.0...v1.647.0) (2026-03-01)
-
-
-### Features
-
-* populate baseUrl and userId in Nextcloud resource from OAuth ([#8132](https://github.com/windmill-labs/windmill/issues/8132)) ([5d58a87](https://github.com/windmill-labs/windmill/commit/5d58a87a7f02c4f7775bd02c885071495a5f686d))
-* runScript inline for path and hash ([#8019](https://github.com/windmill-labs/windmill/issues/8019)) ([7d9d16a](https://github.com/windmill-labs/windmill/commit/7d9d16a6a3357981e5692023982ca1e670acfaae))
-* slow stream warnings, batch size control, and fix result/skipped filters ([#8154](https://github.com/windmill-labs/windmill/issues/8154)) ([7a32abe](https://github.com/windmill-labs/windmill/commit/7a32abec96124f96a1dbac11e03162cca68f3286))
-
-
-### Bug Fixes
-
-* : persist show schedules and show future jobs toggles in local storage ([#8125](https://github.com/windmill-labs/windmill/issues/8125)) ([f1d8568](https://github.com/windmill-labs/windmill/commit/f1d8568831bf69ee790def4f90df8f32c59a94e0)), closes [#8123](https://github.com/windmill-labs/windmill/issues/8123)
-* add partial index for fast failure filtering on runs page ([#8150](https://github.com/windmill-labs/windmill/issues/8150)) ([d4673c2](https://github.com/windmill-labs/windmill/commit/d4673c2e91168dcdb0aca9d6c039df0d9c52bb28))
-* copy deps and remove user auto-add on workspace fork ([#8142](https://github.com/windmill-labs/windmill/issues/8142)) ([0776de6](https://github.com/windmill-labs/windmill/commit/0776de6b2173075f533fd59a49efb111000da5df))
-* fix custom TS Monaco worker not reloading on file uri change ([#8130](https://github.com/windmill-labs/windmill/issues/8130)) ([b68ff96](https://github.com/windmill-labs/windmill/commit/b68ff965dd4f67046fae7e8cf756c8b3e15c2643))
-* Handle CTEs and local tables in SQL asset parser ([#8131](https://github.com/windmill-labs/windmill/issues/8131)) ([0955051](https://github.com/windmill-labs/windmill/commit/095505136c2b3e03f656ace20a5c1bbe142fa63f))
-* prevent wm-cursor from hanging on stale cursor IPC sockets ([b9e3e05](https://github.com/windmill-labs/windmill/commit/b9e3e053e4914e753bbb806e6b748c791edb92d2))
-* process deletes before adds in CLI sync push to avoid conflicts ([#8148](https://github.com/windmill-labs/windmill/issues/8148)) ([278983c](https://github.com/windmill-labs/windmill/commit/278983c4fd38d67a14a8c208178c04db05ee1880))
-* remove review comments from discord notifications and support comment edits ([cdc0543](https://github.com/windmill-labs/windmill/commit/cdc0543747680267e30974037a2eb180a19062d9))
-* restore email domain (MX) setting in instance settings UI ([#8152](https://github.com/windmill-labs/windmill/issues/8152)) ([13daebf](https://github.com/windmill-labs/windmill/commit/13daebf88ac1abcb833646490073f922ac7c050e))
-* sync flow on_behalf_of_email on load ([#8149](https://github.com/windmill-labs/windmill/issues/8149)) ([faf190f](https://github.com/windmill-labs/windmill/commit/faf190f12d96cd75ba9eda10ab3e6f26d2eed813))
-* validate tarball URL host against registry to prevent SSRF and token exfiltration ([#8153](https://github.com/windmill-labs/windmill/issues/8153)) ([86182ed](https://github.com/windmill-labs/windmill/commit/86182ed2e999f018fc72343308e7df8e9de6c189))
-
-
-### Performance Improvements
-
-* batch large job list requests and fix loadExtraJobs cursor ([#8151](https://github.com/windmill-labs/windmill/issues/8151)) ([4f5a804](https://github.com/windmill-labs/windmill/commit/4f5a8040912e18f34401a6e3a95dea6f97d1d24c))
-* lazy-load heavy deps (graphql, openapi-parser, sha256) ([#8145](https://github.com/windmill-labs/windmill/issues/8145)) ([ba48d70](https://github.com/windmill-labs/windmill/commit/ba48d7015741eb6bbbe04088a957c37499cd8471))
-* lazy-load markdown in Tooltip components ([#8143](https://github.com/windmill-labs/windmill/issues/8143)) ([bd9ff03](https://github.com/windmill-labs/windmill/commit/bd9ff03010f75557dcc315d10e9208b4e9cafece))
-
-## [1.646.0](https://github.com/windmill-labs/windmill/compare/v1.645.0...v1.646.0) (2026-02-26)
-
-
-### Features
-
-* add force_branch parameter to git sync settings ([#8089](https://github.com/windmill-labs/windmill/issues/8089)) ([4e1ae27](https://github.com/windmill-labs/windmill/commit/4e1ae276b006992e06ae755ec9315dbfadf4f838))
-* add wmill docs CLI command for querying documentation ([#8114](https://github.com/windmill-labs/windmill/issues/8114)) ([01c7270](https://github.com/windmill-labs/windmill/commit/01c7270cdaa0d5dbee2e15aa5dd08551cff60c70))
-* Broad filters for search ([#8112](https://github.com/windmill-labs/windmill/issues/8112)) ([16a6d5e](https://github.com/windmill-labs/windmill/commit/16a6d5e7afe9323b2f2c7a93828518f5d924cc69))
-* change on behalf selector to allow picking any user + select value in target by default if possible ([#8113](https://github.com/windmill-labs/windmill/issues/8113)) ([408c5af](https://github.com/windmill-labs/windmill/commit/408c5af6d8352f1e205e4543772ce5d060556ffc))
-
-
-### Bug Fixes
-
-* remove duplicate job loading on chart zoom ([#8121](https://github.com/windmill-labs/windmill/issues/8121)) ([99c01bc](https://github.com/windmill-labs/windmill/commit/99c01bca3863ac9b2882948bb5914f051a7716a4))
-* runs page date picker query parameter handling ([#8120](https://github.com/windmill-labs/windmill/issues/8120)) ([427bc64](https://github.com/windmill-labs/windmill/commit/427bc6410be7fda132fc91991164e9b38b32c7e3))
-
-## [1.645.0](https://github.com/windmill-labs/windmill/compare/v1.644.0...v1.645.0) (2026-02-26)
-
-
-### Features
-
-* add resume and cancel button text options to Slack approval API + formatted args + typo ([#8095](https://github.com/windmill-labs/windmill/issues/8095)) ([c7c828b](https://github.com/windmill-labs/windmill/commit/c7c828b56e7a5f877ef0a78498018ed930bccb23))
-* Data table as pg resource / trigger ([#8088](https://github.com/windmill-labs/windmill/issues/8088)) ([8e7ba9b](https://github.com/windmill-labs/windmill/commit/8e7ba9b33da2ddba0eba8341219b9a3576a9d95d))
-* option to preserve on_behalf_of and edited_by for admins and users in the new wm_deployers group ([#8079](https://github.com/windmill-labs/windmill/issues/8079)) ([7ac93f6](https://github.com/windmill-labs/windmill/commit/7ac93f6ee30eb8dfa6ddb9c19697cde93bf7e134))
-* per-worktree database isolation and Claude Code auto-trust ([09970cd](https://github.com/windmill-labs/windmill/commit/09970cd22b8f19c6d01351f9a9bf4aac170116c2))
-* show triggers in fork deploy to parent UI. ([#8094](https://github.com/windmill-labs/windmill/issues/8094)) ([935b005](https://github.com/windmill-labs/windmill/commit/935b0058e2b8056e07f8dd8f80ef6de78ca8331f))
-
-
-### Bug Fixes
-
-* **backend:** fix skip check crash when flow-level skip_expr triggers on first module with skip_if ([#8111](https://github.com/windmill-labs/windmill/issues/8111)) ([7bb450e](https://github.com/windmill-labs/windmill/commit/7bb450edbfccd5c21dc5dbc1e7bf2f2ecc4c779c))
-* **backend:** pass parent_path for trigger renames in git sync ([#8059](https://github.com/windmill-labs/windmill/issues/8059)) ([5730009](https://github.com/windmill-labs/windmill/commit/5730009404171cbffb67d0296baf9c0aa2858816))
-* correct asset node x offset inside loops and branches ([#8093](https://github.com/windmill-labs/windmill/issues/8093)) ([1c9ac97](https://github.com/windmill-labs/windmill/commit/1c9ac97f876a82c6ce3b18e30ffdeea79ccd4481))
-* delete non-session tokens on workspace archive and reject token creation for archived workspaces ([#8082](https://github.com/windmill-labs/windmill/issues/8082)) ([bc67255](https://github.com/windmill-labs/windmill/commit/bc672555a77f3b78ff324a26603d2ab7839df77e))
-* improve Anthropic API proxy handling and update default models ([#8105](https://github.com/windmill-labs/windmill/issues/8105)) ([a9968d0](https://github.com/windmill-labs/windmill/commit/a9968d0aed446a090b158c3269ffeb6907330933))
-* optimize slow list_assets query for recents loading ([#8103](https://github.com/windmill-labs/windmill/issues/8103)) ([0c204b6](https://github.com/windmill-labs/windmill/commit/0c204b69bdd319af2706c1add552622678cd343f))
-* remove duplicate num_columns in test_parse_relation test ([cff9e2c](https://github.com/windmill-labs/windmill/commit/cff9e2c5c22b3c1a0b5891839fe59e4058ded888))
-* resolve Vite dependency pre-bundling errors ([#8102](https://github.com/windmill-labs/windmill/issues/8102)) ([07ddcd2](https://github.com/windmill-labs/windmill/commit/07ddcd2a08c103246b2b60f9df1ffb477ff97006))
-* use @-prefixed LIKE pattern for email domain matching ([#8101](https://github.com/windmill-labs/windmill/issues/8101)) ([02d5447](https://github.com/windmill-labs/windmill/commit/02d5447e1d567a18b0d6eb24f3423bd675f6cbe8))
-* use main runtime handle in QuickJS eval to prevent connection pool poisoning ([#8106](https://github.com/windmill-labs/windmill/issues/8106)) ([af2aca5](https://github.com/windmill-labs/windmill/commit/af2aca56b04c7a3fd25f096f2471292489923431))
-
-## [1.644.0](https://github.com/windmill-labs/windmill/compare/v1.643.0...v1.644.0) (2026-02-24)
-
-
-### Features
-
-* **cli:** detect missing folders on sync push and add 'wmill folder add-missing' ([#8011](https://github.com/windmill-labs/windmill/issues/8011)) ([835db5d](https://github.com/windmill-labs/windmill/commit/835db5d290a151f38f4e879ed7ffbda5d1c4b24f))
-
-
-### Bug Fixes
-
-* prevent concurrent index migrations from re-running on every startup ([#8069](https://github.com/windmill-labs/windmill/issues/8069)) ([8ff2340](https://github.com/windmill-labs/windmill/commit/8ff2340c0c08ce49a809c8958a9862ffb1681642))
-
-## [1.643.0](https://github.com/windmill-labs/windmill/compare/v1.642.0...v1.643.0) (2026-02-24)
-
-
-### Features
-
-* add fileset resource type support ([32c4b47](https://github.com/windmill-labs/windmill/commit/32c4b474f92f3dbbd2077fab70bdf9e407581626))
-* add fileset resource type support ([#8063](https://github.com/windmill-labs/windmill/issues/8063)) ([c15b9ab](https://github.com/windmill-labs/windmill/commit/c15b9abe5eb2a1566a7ce4b18784c961d178a669))
-* add light mode for navigation sidebar ([#8057](https://github.com/windmill-labs/windmill/issues/8057)) ([0935bf9](https://github.com/windmill-labs/windmill/commit/0935bf9fc460c03c6d8469b93036e43714517ef2))
-* **aiagent:** handle ai agent as tool ([#8031](https://github.com/windmill-labs/windmill/issues/8031)) ([de6fd16](https://github.com/windmill-labs/windmill/commit/de6fd160d56c1037adbbe785f195483c25982e1c))
-* Unified filters and new runs page ([#8027](https://github.com/windmill-labs/windmill/issues/8027)) ([9b28c85](https://github.com/windmill-labs/windmill/commit/9b28c85469d6b2a8590810b313b030d9f00ee9e3))
-
-
-### Bug Fixes
-
-* address code review findings for fileset feature ([1b4489a](https://github.com/windmill-labs/windmill/commit/1b4489acac3b050f0a783548bacfc9bdf33ee593))
-* address second round of review findings ([753c05a](https://github.com/windmill-labs/windmill/commit/753c05a03089b95b4ade68d3bf61c8818de422ce))
-* **backend:** decimal between 0 and -1  in mssql ([#8051](https://github.com/windmill-labs/windmill/issues/8051)) ([9686608](https://github.com/windmill-labs/windmill/commit/9686608355615a50c8395f6e2fd51dcc25498226))
-* **backend:** use filename instead of content_type to detect file fields in multipart form data ([#8054](https://github.com/windmill-labs/windmill/issues/8054)) ([0aa885d](https://github.com/windmill-labs/windmill/commit/0aa885db67d77202205fc1609e841b8ffd9a8121))
-* exclude app_theme resources from workspace tab ([9c513b2](https://github.com/windmill-labs/windmill/commit/9c513b2c62acc369179fb9e404e1f4007cd854c6))
-* fileset editor takes full height with matching header ([9ac0789](https://github.com/windmill-labs/windmill/commit/9ac07897cf99f3af27801e435c7376a46ef760c9))
-* prevent iframe from overriding file selection after file creation ([7f3ddd7](https://github.com/windmill-labs/windmill/commit/7f3ddd7edd3ea993642aadd55cdba0ac2ea1eb9f))
-* resolve svelte warnings and type error in fileset components ([4c06d74](https://github.com/windmill-labs/windmill/commit/4c06d74bd01ca2dda848be421d70dd5268520992))
-* restore full-width file tree items in raw app sidebar ([5bac8b0](https://github.com/windmill-labs/windmill/commit/5bac8b093dbe913a563b02573959c64dd405ff61))
-* suppress iframe setActiveDocument during file population ([1abfeea](https://github.com/windmill-labs/windmill/commit/1abfeea81a645c59934d62257ad869ed7b475634))
-* update git sync init script to hub version 28158 ([#8061](https://github.com/windmill-labs/windmill/issues/8061)) ([705e186](https://github.com/windmill-labs/windmill/commit/705e186f3d4c7d8f8a88fc84b379ed9fe800a6b2))
-* use correct column name completed_at instead of ended_at in count_completed_jobs_detail ([#8066](https://github.com/windmill-labs/windmill/issues/8066)) ([3aba0ed](https://github.com/windmill-labs/windmill/commit/3aba0ed2508debdc78a6631e49b074a97635f21d))
-
-## [1.642.0](https://github.com/windmill-labs/windmill/compare/v1.641.0...v1.642.0) (2026-02-22)
-
-
-### Features
-
-* **cli:** add consistent get/list/new subcommands for all item types ([#8047](https://github.com/windmill-labs/windmill/issues/8047)) ([4fedfdf](https://github.com/windmill-labs/windmill/commit/4fedfdfd11aa8ca7fff6f7aed5ae2b313888f878))
-
-
-### Bug Fixes
-
-* make WM_FLOW_PATH available in flow step previews ([#8042](https://github.com/windmill-labs/windmill/issues/8042)) ([a91c532](https://github.com/windmill-labs/windmill/commit/a91c532ecadce63cea965c497351fa1a6f39697a))
-* preserve debouncing settings for flows with preprocessors ([#8043](https://github.com/windmill-labs/windmill/issues/8043)) ([a00927b](https://github.com/windmill-labs/windmill/commit/a00927b3008a2d953fde1d461723a3c92f375eb4))
-
-## [1.641.0](https://github.com/windmill-labs/windmill/compare/v1.640.0...v1.641.0) (2026-02-21)
-
-
-### Features
-
-* add .npmrc support for private npm registries ([#8039](https://github.com/windmill-labs/windmill/issues/8039)) ([9eb1531](https://github.com/windmill-labs/windmill/commit/9eb15312f663aa6d700e8ac562d7b5c75c2221f7))
-
-
-### Bug Fixes
-
-* add created_by ownership check to update/delete saved inputs ([#8038](https://github.com/windmill-labs/windmill/issues/8038)) ([e8a13ed](https://github.com/windmill-labs/windmill/commit/e8a13edde7c0ba2ef80344ab7c7288e7bb2eb6b5))
-* run substitute_ee_code.sh after creating EE worktree ([b330f38](https://github.com/windmill-labs/windmill/commit/b330f388894ecd9cc6b64297420ac6f032d32f72))
-* tag bunnative dependency jobs as bun instead of nativets ([#8045](https://github.com/windmill-labs/windmill/issues/8045)) ([fd5ebc2](https://github.com/windmill-labs/windmill/commit/fd5ebc2fda589c022074c3bb4dcdb447c7f86cf0))
-
-## [1.640.0](https://github.com/windmill-labs/windmill/compare/v1.639.0...v1.640.0) (2026-02-20)
-
-
-### Features
-
-* add windmill-ee-private worktree support to workmux ([#8034](https://github.com/windmill-labs/windmill/issues/8034)) ([9f3dd0b](https://github.com/windmill-labs/windmill/commit/9f3dd0bf2b2ba7c622093c54b7b6b5e7ebb26b74))
-* **cli:** add --locks-required flag to wmill lint and sync push ([#8026](https://github.com/windmill-labs/windmill/issues/8026)) ([4abe589](https://github.com/windmill-labs/windmill/commit/4abe58939787f375ccfef5b2dbcfbd7e86cff076))
-* dedicated nativets ([#8021](https://github.com/windmill-labs/windmill/issues/8021)) ([37c9acb](https://github.com/windmill-labs/windmill/commit/37c9acb232c64c98ecfb64754f5b69b31047c625))
-* Support column detection on S3 objects in DuckDB ([#8018](https://github.com/windmill-labs/windmill/issues/8018)) ([87f3de9](https://github.com/windmill-labs/windmill/commit/87f3de9ae5975c88b6748e297f84a539aec4c0ca))
-
-
-### Bug Fixes
-
-* Fix DuckDB incorrect pg password encoding ([#8028](https://github.com/windmill-labs/windmill/issues/8028)) ([90b1a7a](https://github.com/windmill-labs/windmill/commit/90b1a7a531bce5621ea4de4792a8c9d3d3beec3d))
-* **frontend:** use completed_at instead of created_at for job history ([#8022](https://github.com/windmill-labs/windmill/issues/8022)) ([24d7921](https://github.com/windmill-labs/windmill/commit/24d7921bcf23543759719ffd2463959c627b61b8))
-
-
-### Performance Improvements
-
-* lazy-load JSZip in RawAppEditorHeader ([#8012](https://github.com/windmill-labs/windmill/issues/8012)) ([a1ba10a](https://github.com/windmill-labs/windmill/commit/a1ba10a29e12ab5f553bd9aad74067cc5b3ead9e))
-
-## [1.639.0](https://github.com/windmill-labs/windmill/compare/v1.638.4...v1.639.0) (2026-02-18)
-
-
-### Features
-
-* improve FolderPicker with edit icon pattern ([#7995](https://github.com/windmill-labs/windmill/issues/7995)) ([db8aa8a](https://github.com/windmill-labs/windmill/commit/db8aa8a0839b5729f0bb847e7a71766c7883ff36))
-
-
-### Bug Fixes
-
-* default automate_username_creation to true when setting is missing ([#8006](https://github.com/windmill-labs/windmill/issues/8006)) ([d2d08f8](https://github.com/windmill-labs/windmill/commit/d2d08f8817e6e7818eb4b6f092e66ae039f0c756))
-* handle raw app folder deletion in sync push without yaml parse error ([#7994](https://github.com/windmill-labs/windmill/issues/7994)) ([f6d99dd](https://github.com/windmill-labs/windmill/commit/f6d99dd18c06a7f5aea93122276dd68c45772b43))
-
-
-### Performance Improvements
-
-* **cli:** skip relock more accurate ([#7993](https://github.com/windmill-labs/windmill/issues/7993)) ([cd4151a](https://github.com/windmill-labs/windmill/commit/cd4151a84b2c1e0f2e616079091d0429bf469f4e))
-
-## [1.638.4](https://github.com/windmill-labs/windmill/compare/v1.638.3...v1.638.4) (2026-02-17)
-
-
-### Bug Fixes
-
-* **frontend:** add folder picker validation, error handling, and loading state ([#7987](https://github.com/windmill-labs/windmill/issues/7987)) ([4ea1692](https://github.com/windmill-labs/windmill/commit/4ea1692ee27adbba583d8ead753fa8a19099183f))
-* **frontend:** improve folder picker with sticky create button and drawer flow ([#7985](https://github.com/windmill-labs/windmill/issues/7985)) ([a46924a](https://github.com/windmill-labs/windmill/commit/a46924a0f21314826c00fa4ac61885bdf3700421))
-
-## [1.638.3](https://github.com/windmill-labs/windmill/compare/v1.638.2...v1.638.3) (2026-02-17)
-
-
-### Bug Fixes
-
-* always create guidance files during wmill init ([#7974](https://github.com/windmill-labs/windmill/issues/7974)) ([f387daa](https://github.com/windmill-labs/windmill/commit/f387daa2a6c7eb260981a19c58374062f652fca6))
-* **frontend:** incorrect job result on the runs page ([#7982](https://github.com/windmill-labs/windmill/issues/7982)) ([2d53939](https://github.com/windmill-labs/windmill/commit/2d5393941cf17d45d1d4ff840766f07bd482f70b))
-* **frontend:** preserve user config when trimming oneOf non-selected keys ([b094649](https://github.com/windmill-labs/windmill/commit/b0946495863e206d12922536d2cae24cb78b55fc))
-
-## [1.638.2](https://github.com/windmill-labs/windmill/compare/v1.638.1...v1.638.2) (2026-02-17)
-
-
-### Bug Fixes
-
-* **backend:** gcp private key parsing ([#7979](https://github.com/windmill-labs/windmill/issues/7979)) ([5b7bb2f](https://github.com/windmill-labs/windmill/commit/5b7bb2fb84a12433c48f1cdfc022edff0cbc88ea))
-* yaml settings UI mask rsa_keys and jwt_secret ([71608bf](https://github.com/windmill-labs/windmill/commit/71608bf669658241b4ce4e1da3a83f1045dea1f6))
-
-## [1.638.1](https://github.com/windmill-labs/windmill/compare/v1.638.0...v1.638.1) (2026-02-17)
-
-
-### Bug Fixes
-
-* **operator:** improve configmap handling of older license keys ([b7bec1a](https://github.com/windmill-labs/windmill/commit/b7bec1a83d97a823ff6fc7d7fa549b975f848066))
-
-## [1.638.0](https://github.com/windmill-labs/windmill/compare/v1.637.0...v1.638.0) (2026-02-17)
-
-
-### Features
-
-* add native_mode as typed field on WorkerGroupConfig ([3e313cc](https://github.com/windmill-labs/windmill/commit/3e313cc4e864108d7dee866e784dff428883cadf))
-* show all settings in YAML UI and protect from empty overwrites ([#7976](https://github.com/windmill-labs/windmill/issues/7976)) ([b3eeee4](https://github.com/windmill-labs/windmill/commit/b3eeee413114cb54b5932542b14d8904a3c6c93c))
-
-
-### Bug Fixes
-
-* add missing google native triggers to triggers panel ([#7966](https://github.com/windmill-labs/windmill/issues/7966)) ([bb03c62](https://github.com/windmill-labs/windmill/commit/bb03c62c2819d40acd676d10cc586958f4117b5d))
-* download audit logs ([#7965](https://github.com/windmill-labs/windmill/issues/7965)) ([bba319b](https://github.com/windmill-labs/windmill/commit/bba319b2826f4d264ecebef3258d3c3f16237cc5))
-* improve operator ConfigMap settings handling ([#7975](https://github.com/windmill-labs/windmill/issues/7975)) ([2019aec](https://github.com/windmill-labs/windmill/commit/2019aecf4253edcf7b33e30862f642b303948440))
-
-## [1.637.0](https://github.com/windmill-labs/windmill/compare/v1.636.0...v1.637.0) (2026-02-17)
-
-
-### Features
-
-* **frontend:** inline edit summary & path from header ([#7968](https://github.com/windmill-labs/windmill/issues/7968)) ([eb5a8da](https://github.com/windmill-labs/windmill/commit/eb5a8dab74822eb3e43557cf1c85bf14d6e1910f))
-* native mode ([#7939](https://github.com/windmill-labs/windmill/issues/7939)) ([535e108](https://github.com/windmill-labs/windmill/commit/535e108cbf5070a6a23183389007db63fb07a58f))
-
-## [1.636.0](https://github.com/windmill-labs/windmill/compare/v1.635.1...v1.636.0) (2026-02-16)
-
-
-### Features
-
-* allow adding workspace scripts and flows as AI chat context ([#7882](https://github.com/windmill-labs/windmill/issues/7882)) ([5b8ec50](https://github.com/windmill-labs/windmill/commit/5b8ec502fef8fb439200e18b8c610d0f5998b6df))
-* google native triggers ([#7837](https://github.com/windmill-labs/windmill/issues/7837)) ([6f24f19](https://github.com/windmill-labs/windmill/commit/6f24f1939d75a597acc74c1589794d511e041baa))
-
-
-### Bug Fixes
-
-* mark base_url as unsaved when using browser fallback ([#7964](https://github.com/windmill-labs/windmill/issues/7964)) ([e7b0b00](https://github.com/windmill-labs/windmill/commit/e7b0b00f5696828dec094155298d0c9dc033b355))
-
-## [1.635.1](https://github.com/windmill-labs/windmill/compare/v1.635.0...v1.635.1) (2026-02-15)
-
-
-### Bug Fixes
-
-* pin strum_macros to 0.27 to match strum version ([#7957](https://github.com/windmill-labs/windmill/issues/7957)) ([68f766e](https://github.com/windmill-labs/windmill/commit/68f766e1ae54dbe2fe42769559d81d4d76a409ef))
-
-## [1.635.0](https://github.com/windmill-labs/windmill/compare/v1.634.6...v1.635.0) (2026-02-15)
-
-
-### Features
-
-* add Kubernetes operator and instance settings YAML editor ([#7836](https://github.com/windmill-labs/windmill/issues/7836)) ([82e5f6d](https://github.com/windmill-labs/windmill/commit/82e5f6de48e246a49b25e7d4ea7be65122e8772c))
-* add maven settings.xml support for java private registries ([#7940](https://github.com/windmill-labs/windmill/issues/7940)) ([581dde8](https://github.com/windmill-labs/windmill/commit/581dde8d0bc4428a5e95fcb5341239231ab36ef6))
-* **cli:** add `lint` command ([#7917](https://github.com/windmill-labs/windmill/issues/7917)) ([37d1277](https://github.com/windmill-labs/windmill/commit/37d1277b91d1b8a03e327b0585f547037482498d))
-* handle $var: and $res: in arrays for transform_json_value ([#7949](https://github.com/windmill-labs/windmill/issues/7949)) ([e4a34d0](https://github.com/windmill-labs/windmill/commit/e4a34d031b2bdb1b73a2a7ca68544fa34f83ed0f))
-* IaC hints, YAML editor for worker configs ([#7956](https://github.com/windmill-labs/windmill/issues/7956)) ([8b8e33e](https://github.com/windmill-labs/windmill/commit/8b8e33e2dc1a2b4c0effab70463f6d4b402a0f7f))
-* open-source worker group configuration UI ([#7954](https://github.com/windmill-labs/windmill/issues/7954)) ([6cf3f5f](https://github.com/windmill-labs/windmill/commit/6cf3f5f4a35a6139b5cdf9f44af29c3941f19645))
-
-
-### Bug Fixes
-
-* allow renaming of backend runnables in the UI ([6215760](https://github.com/windmill-labs/windmill/commit/6215760b1294d55245909a1c1de6c4cc8cef320a))
-* **go:** preserve proxy envs for go mod tidy/download ([#7946](https://github.com/windmill-labs/windmill/issues/7946)) ([8410b59](https://github.com/windmill-labs/windmill/commit/8410b59a8f23d62c57e497d170449643b46595a0))
-* Missing app policy for datatable ([#7944](https://github.com/windmill-labs/windmill/issues/7944)) ([a9dbd1f](https://github.com/windmill-labs/windmill/commit/a9dbd1f73fca9100b64106281802c43881181e78))
-* strip slack_oauth_client_secret from get_settings for non-admins ([#7950](https://github.com/windmill-labs/windmill/issues/7950)) ([43218c6](https://github.com/windmill-labs/windmill/commit/43218c62852490d0efafa8f94385bfe0e8f2ad82))
-
-## [1.634.6](https://github.com/windmill-labs/windmill/compare/v1.634.5...v1.634.6) (2026-02-13)
-
-
-### Bug Fixes
-
-* full build fix with new rustup config ([caccdd5](https://github.com/windmill-labs/windmill/commit/caccdd553ad72ff26c2c7c45f0ff3a25bd19a49f))
-
-## [1.634.5](https://github.com/windmill-labs/windmill/compare/v1.634.4...v1.634.5) (2026-02-13)
-
-
-### Bug Fixes
-
-* rust + java works with just /tmp mounted ([e144432](https://github.com/windmill-labs/windmill/commit/e144432a168178a531aa146def0aff478f3d1586))
-
-## [1.634.4](https://github.com/windmill-labs/windmill/compare/v1.634.3...v1.634.4) (2026-02-13)
-
-
-### Bug Fixes
-
-* improve style panel reactivity and CSS defaults ([#7935](https://github.com/windmill-labs/windmill/issues/7935)) ([eacbee3](https://github.com/windmill-labs/windmill/commit/eacbee38cb51d11b051612ac66994e6444e81bf2))
-* java + rust only relies on /tmp, + https proxy improvement for java ([791cb3e](https://github.com/windmill-labs/windmill/commit/791cb3e225ebda4b2f6f7181bc8265c378150d4e))
-
-## [1.634.3](https://github.com/windmill-labs/windmill/compare/v1.634.2...v1.634.3) (2026-02-13)
-
-
-### Bug Fixes
-
-* fix incorrect oauth base url refresh error ([b3a1629](https://github.com/windmill-labs/windmill/commit/b3a1629e56217605d059d1dceca43c9999a58592))
-
-## [1.634.2](https://github.com/windmill-labs/windmill/compare/v1.634.1...v1.634.2) (2026-02-13)
-
-
-### Bug Fixes
-
-* fix hub schedule not set at on-boarding ([beeb19d](https://github.com/windmill-labs/windmill/commit/beeb19db04e8e9059c63007d2402981c3e81f1e2))
-
-## [1.634.1](https://github.com/windmill-labs/windmill/compare/v1.634.0...v1.634.1) (2026-02-13)
-
-
-### Bug Fixes
-
-* conditionally skip relock on dep job ([#7860](https://github.com/windmill-labs/windmill/issues/7860)) ([d6c72df](https://github.com/windmill-labs/windmill/commit/d6c72df99a0a500bdd925fcdcba8abd8bbe537f5))
-* improve on-boarding experience ([4e38a4f](https://github.com/windmill-labs/windmill/commit/4e38a4f1083d880b0814e336d5e27cb40187fc28))
-
-## [1.634.0](https://github.com/windmill-labs/windmill/compare/v1.633.1...v1.634.0) (2026-02-12)
-
-
-### Features
-
-* add force_sandboxing global setting and #sandbox bash annotation ([#7816](https://github.com/windmill-labs/windmill/issues/7816)) ([2646629](https://github.com/windmill-labs/windmill/commit/2646629194f260d0be3a809be421bbab1307f927))
-* support for datatables in App Db studio ([#7930](https://github.com/windmill-labs/windmill/issues/7930)) ([6cee34a](https://github.com/windmill-labs/windmill/commit/6cee34a81da389faebb1474957a3989c4aadb00f))
-
-## [1.633.1](https://github.com/windmill-labs/windmill/compare/v1.633.0...v1.633.1) (2026-02-12)
-
-
-### Bug Fixes
-
-* add private registries support for RUST + java home nit ([e2c28e4](https://github.com/windmill-labs/windmill/commit/e2c28e42dbda0f7bf119efc8d587da0d30636a44))
-
-## [1.633.0](https://github.com/windmill-labs/windmill/compare/v1.632.0...v1.633.0) (2026-02-12)
-
-
-### Features
-
-* /health endpoints ([#7727](https://github.com/windmill-labs/windmill/issues/7727)) ([7df4aa4](https://github.com/windmill-labs/windmill/commit/7df4aa4fec021fc728950fc10db4d0401a205087))
-
-
-### Bug Fixes
-
-* save deployment msg in CE ([#7923](https://github.com/windmill-labs/windmill/issues/7923)) ([e9be616](https://github.com/windmill-labs/windmill/commit/e9be616d3c079a0c6fd98733c66560f2cc1ee40d))
-
-## [1.632.0](https://github.com/windmill-labs/windmill/compare/v1.631.2...v1.632.0) (2026-02-12)
-
-
-### Features
-
-* **ai:** add AWS bedrock session token support ([#7908](https://github.com/windmill-labs/windmill/issues/7908)) ([d95e4db](https://github.com/windmill-labs/windmill/commit/d95e4db8f31e70a645a5f41e287557933b257db8))
-
-
-### Bug Fixes
-
-* add kafka kerberos runtime packages ([#7918](https://github.com/windmill-labs/windmill/issues/7918)) ([22f22c2](https://github.com/windmill-labs/windmill/commit/22f22c26612b904c2b82b415ec9337213ef593c3))
-* **frontend:** redesign instance settings ([#7916](https://github.com/windmill-labs/windmill/issues/7916)) ([dd419ad](https://github.com/windmill-labs/windmill/commit/dd419ade94a992073dfd1a979bfeb8a5fadfb051))
-* hash long dedicated worker tags ([#7914](https://github.com/windmill-labs/windmill/issues/7914)) ([aaa1b92](https://github.com/windmill-labs/windmill/commit/aaa1b92300bdc0794de5356ef6750bab5d8d81a0))
-
-## [1.631.2](https://github.com/windmill-labs/windmill/compare/v1.631.1...v1.631.2) (2026-02-11)
-
-
-### Bug Fixes
-
-* **frontend:** revert CloseButton refactor that broke tag removal in MultiSelect ([#7909](https://github.com/windmill-labs/windmill/issues/7909)) ([b11d6ed](https://github.com/windmill-labs/windmill/commit/b11d6ed7940faddfe74a22b25bcb132527cbcec8))
-* nix flake libz.so for deno_core ([#7905](https://github.com/windmill-labs/windmill/issues/7905)) ([900c76c](https://github.com/windmill-labs/windmill/commit/900c76ccad09f58fc6adcfa8151db780249617f6))
-* strip unsupported schema fields for Google AI ([#7894](https://github.com/windmill-labs/windmill/issues/7894)) ([5effb87](https://github.com/windmill-labs/windmill/commit/5effb87a36793e20d17e678619091ef458fe8f0a)), closes [#7759](https://github.com/windmill-labs/windmill/issues/7759)
-
-## [1.631.1](https://github.com/windmill-labs/windmill/compare/v1.631.0...v1.631.1) (2026-02-11)
-
-
-### Bug Fixes
-
-* add kafka-gssapi support to ee builds ([2815cfa](https://github.com/windmill-labs/windmill/commit/2815cfae1a5eefb2c553e893dc926e62ad1df528))
-
-## [1.631.0](https://github.com/windmill-labs/windmill/compare/v1.630.2...v1.631.0) (2026-02-11)
-
-
-### Features
-
-* **ai:** support 1M context window for Anthropic resources ([#7891](https://github.com/windmill-labs/windmill/issues/7891)) ([f22eb96](https://github.com/windmill-labs/windmill/commit/f22eb964e47defe9922ecdb6ab471dd4ca267952))
-* **uv:** index resolve strategy ([#7885](https://github.com/windmill-labs/windmill/issues/7885)) ([097d928](https://github.com/windmill-labs/windmill/commit/097d9288c58076882f1991e2fb33e4441fe332d3))
-
-
-### Bug Fixes
-
-* **frontend:** improve time picker ([#7893](https://github.com/windmill-labs/windmill/issues/7893)) ([31bfccc](https://github.com/windmill-labs/windmill/commit/31bfccc74588af10fc11fbbb0bc4833d65ff6421))
-* otel gracefully handle no native ts ([92c6018](https://github.com/windmill-labs/windmill/commit/92c601860f1e1211aa34838cd08900ba7334a20c))
-* waitJob getJob and streamJob in raw apps ([#7901](https://github.com/windmill-labs/windmill/issues/7901)) ([754b48c](https://github.com/windmill-labs/windmill/commit/754b48cb898dffe196339cea1c1598c9e1765cdc))
-* worker do not apply migrations anymore but wait for servers to do so ([7eb239f](https://github.com/windmill-labs/windmill/commit/7eb239f1e2eb1b71234a8d4265c7c5813e5861ae))
-
-## [1.630.2](https://github.com/windmill-labs/windmill/compare/v1.630.1...v1.630.2) (2026-02-11)
-
-
-### Bug Fixes
-
-* bump rust version from 1.90.0 to 1.93.0 ([1a109a7](https://github.com/windmill-labs/windmill/commit/1a109a7797d1a50a0d85f3fff236d707b2cfb81d))
-
-## [1.630.1](https://github.com/windmill-labs/windmill/compare/v1.630.0...v1.630.1) (2026-02-10)
-
-
-### Bug Fixes
-
-* enforce self-approval check on flow resume owner endpoint ([#7886](https://github.com/windmill-labs/windmill/issues/7886)) ([7147dde](https://github.com/windmill-labs/windmill/commit/7147dde5118d7b3a179e4b310c74b148838b5afe))
-
-## [1.630.0](https://github.com/windmill-labs/windmill/compare/v1.629.1...v1.630.0) (2026-02-10)
-
-
-### Features
-
-* add workspace search and runnable details tools to AI chat modes ([#7874](https://github.com/windmill-labs/windmill/issues/7874)) ([a7e269f](https://github.com/windmill-labs/windmill/commit/a7e269f9f3c82db0d7e6a70e174ac19d3df730d2))
-* **aiagent:** add prompt caching for Anthropic models ([#7878](https://github.com/windmill-labs/windmill/issues/7878)) ([6272cd1](https://github.com/windmill-labs/windmill/commit/6272cd17a4f1300e22e7f0ae27b1a57571deb203))
-* download encrypted usage ([#7804](https://github.com/windmill-labs/windmill/issues/7804)) ([8363ff1](https://github.com/windmill-labs/windmill/commit/8363ff1eeef06f284e6d165fbf2dfb190ead573d))
-* **mcp:** add endpoint tools for scripts, flows, apps, and jobs ([#7859](https://github.com/windmill-labs/windmill/issues/7859)) ([03eb16a](https://github.com/windmill-labs/windmill/commit/03eb16a7c6c3cd9411840814940d09e22ce23305))
-* restriction rulesets for workspaces ([#7879](https://github.com/windmill-labs/windmill/issues/7879)) ([2851b6b](https://github.com/windmill-labs/windmill/commit/2851b6b7caac4a55f5202ace82aba68fd157c52a))
-
-
-### Bug Fixes
-
-* **backend:** correct early return with stream + prevent delta miss ([#7872](https://github.com/windmill-labs/windmill/issues/7872)) ([1150eec](https://github.com/windmill-labs/windmill/commit/1150eec7571d5828d10b295cb61cca8edfbdffe0))
-* gate Permissions import behind #[cfg(unix)] for Windows build ([cf596f3](https://github.com/windmill-labs/windmill/commit/cf596f370ae7cc232ca63f4752d7727a74cd449b))
-* retry js eval up to 3 times on timeout from slow DB ([#7890](https://github.com/windmill-labs/windmill/issues/7890)) ([4c87e7a](https://github.com/windmill-labs/windmill/commit/4c87e7ac2e09ec83cfb998a1cebcb9b9c5ef8027))
-
-## [1.629.1](https://github.com/windmill-labs/windmill/compare/v1.629.0...v1.629.1) (2026-02-10)
-
-
-### Bug Fixes
-
-* remove unecessary drop index on labeled_jobs_on_jobs ([0803164](https://github.com/windmill-labs/windmill/commit/08031640a02ebd5971793942e8534d69f4f71d28))
-
-## [1.629.0](https://github.com/windmill-labs/windmill/compare/v1.628.3...v1.629.0) (2026-02-09)
-
-
-### Features
-
-* customer portal extra workspace stats ([#7841](https://github.com/windmill-labs/windmill/issues/7841)) ([153dd32](https://github.com/windmill-labs/windmill/commit/153dd32187a3e32e3f26ab88b62195a0f9a359b9))
-
-
-### Bug Fixes
-
-* adapt mysql and ruby test assertions ([477832d](https://github.com/windmill-labs/windmill/commit/477832dbeeafb88fd16c174d5d1df8ed042e6f31))
-* add missing :name param to groups/is_owner route ([fa53a87](https://github.com/windmill-labs/windmill/commit/fa53a87107158c9e8a7e5b522242b0076a78ce46))
-* **backend:** prevent sqs hanging ([#7857](https://github.com/windmill-labs/windmill/issues/7857)) ([a3fc27b](https://github.com/windmill-labs/windmill/commit/a3fc27b23224aef2949c19f7c123d28e6cfaf968))
-* box push() future to prevent stack overflow in nested async chains ([67c8aef](https://github.com/windmill-labs/windmill/commit/67c8aef9faea5afe8ce330b477f16b4aed1779a5))
-* **frontend:** reorganize workspace settings ([#7788](https://github.com/windmill-labs/windmill/issues/7788)) ([dd42184](https://github.com/windmill-labs/windmill/commit/dd421845ba148bba70bcbafbc6a39f3012eb037c))
-* improve scheduling reliability in extreme pool contention conditions ([#7825](https://github.com/windmill-labs/windmill/issues/7825)) ([bbb397b](https://github.com/windmill-labs/windmill/commit/bbb397b6ad954052f0bd33cc4ff8897eed66e4db))
-* improve tracing behavior with NO_PROXY ([4cce13f](https://github.com/windmill-labs/windmill/commit/4cce13f5228a05da1bbce43bed7e856ce0bcf979))
-* incorrect raw app public workspaceStore derived ([edb0d4a](https://github.com/windmill-labs/windmill/commit/edb0d4a05da567b3b0be5d94c9b2856d68ecb0ff))
-* increase test thread stack size to 8MB in CI ([5548098](https://github.com/windmill-labs/windmill/commit/5548098e083af76a0b7d6f645a5458592d9c8ddc))
-* install mold+clang in Docker for cargo linker config ([99bc383](https://github.com/windmill-labs/windmill/commit/99bc383f9e94a415ff1dcef1c45ccc4c8dab1a9e))
-* make V8 runtime init idempotent and auto-initialize before isolate creation ([aa9f3da](https://github.com/windmill-labs/windmill/commit/aa9f3da429da92a059aaabb28481d33b8dacd37b))
-* parse Python datetime.datetime and datetime.date type annotations ([#7856](https://github.com/windmill-labs/windmill/issues/7856)) ([ff70a4e](https://github.com/windmill-labs/windmill/commit/ff70a4e9d105cac58c0fb0aba8fbec9875533aa4))
-* prevent V8 SIGSEGV by serializing isolate creation and fixing use-after-free ([05106d7](https://github.com/windmill-labs/windmill/commit/05106d7deeda92b7ae0e1708554f6dcb088c4a08))
-* reduce DB pool contention by eliminating dual-connection patterns ([#7861](https://github.com/windmill-labs/windmill/issues/7861)) ([4343b73](https://github.com/windmill-labs/windmill/commit/4343b73485843c3b482c21e60052f171ada9b843))
-* remove mold linker config that breaks Docker builds ([fea0954](https://github.com/windmill-labs/windmill/commit/fea0954f20f9f7c5a43b25b23df530faeac94999))
-* restart after empty branchone + improve UI ([#7838](https://github.com/windmill-labs/windmill/issues/7838)) ([b1d6ac9](https://github.com/windmill-labs/windmill/commit/b1d6ac91bd3af073feac0b31d97f7b4414d8786e))
-* use unprotected V8 platform to prevent SIGSEGV on x86_64 Linux ([90d0103](https://github.com/windmill-labs/windmill/commit/90d010347c65086b17f9802dd9a7d2da90dc68eb))
-* wmill workspace list to list local profiles ([#7843](https://github.com/windmill-labs/windmill/issues/7843)) ([f924a82](https://github.com/windmill-labs/windmill/commit/f924a8268461c49a0fec26e3216ec9546601b8de))
-
 ## [1.628.3](https://github.com/windmill-labs/windmill/compare/v1.628.2...v1.628.3) (2026-02-06)


--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,33 +1,35 @@
-# Windmill
+# Windmill Development Guide

-Open-source platform for internal tools, workflows, API integrations, background jobs, and UIs. Rust backend + Svelte 5 frontend.
+## Overview

-## Workflow
+Windmill is an open-source developer platform for building internal tools, workflows, API integrations, background jobs, workflows, and user interfaces. See @windmill-overview.mdc for full platform details.

-1. **Understand**: Before coding, read relevant docs from `docs/` to understand the area you're changing
-2. **Plan**: For non-trivial changes, use plan mode. For large features, break into reviewable stages
-3. **Execute**: Follow coding patterns from skills (`rust-backend`, `svelte-frontend`)
-4. **Validate**: After every change, run the appropriate checks per `docs/validation.md`
+## New Feature Implementation Guidelines

-## Documentation
+When implementing new features in Windmill, follow these best practices:

- **Validation**: `docs/validation.md` — what checks to run based on what you changed
- **Enterprise**: `docs/enterprise.md` — EE file conventions and PR workflow
- **Backend patterns**: use the `rust-backend` skill when writing Rust code
- **Frontend patterns**: use the `svelte-frontend` skill when writing Svelte code
- **Domain guides**: `.claude/skills/native-trigger/` and `frontend/tutorial-system-guide.mdc`
- **Brand/UI guidelines**: `frontend/brand-guidelines.md`
+- **Clean Code First**: Write clean, readable, and maintainable code. Prioritize clarity over cleverness.
+- **Avoid Duplication at All Costs**: Before writing new code, thoroughly search for existing implementations that can be reused or extended.
+- **Adapt Existing Code**: Refactor and generalize existing code when necessary to avoid logic duplication. Extract common patterns into reusable utilities.
+- **Follow Established Patterns**: Study existing code patterns in the codebase and maintain consistency with established conventions.
+- **Single Responsibility**: Each function, component, and module should have a single, well-defined responsibility.
+- **Incremental Implementation**: Break large features into smaller, reviewable chunks that can be implemented and tested incrementally.

-## Dev Environment
+## Language-Specific Guides

- **Backend**: `cargo run` from `backend/` (API at http://localhost:8000)
- **Frontend**: `REMOTE=http://localhost:8000 npm run dev` from `frontend/` (port 3000+)
- **DB**: `psql postgres://postgres:changeme@localhost:5432/windmill`
- **Login**: `admin@windmill.dev` / `changeme`
- **Instance settings**: navigate to `/#superadmin-settings`
+- Backend (Rust): @backend/rust-best-practices.mdc + @backend/summarized_schema.txt
+- Frontend (Svelte 5): @frontend/svelte5-best-practices.mdc

-## Core Principles
+## Querying the Database

- Search for existing code to reuse before writing new code
- Follow established patterns in the codebase
- Keep changes focused — don't refactor beyond what's asked
+To query the database directly, use psql with the following connection string:
+
+```bash
+psql postgres://postgres:changeme@localhost:5432/windmill
+```
+
+This can be helpful for:
+
+- Inspecting database state during development
+- Testing queries before implementing them in Rust
+- Debugging data-related issues
--- a/30
+++ b/30
@@ -1,5 +1,5 @@
 ARG DEBIAN_IMAGE=debian:bookworm-slim
-ARG RUST_IMAGE=rust:1.93-slim-bookworm
+ARG RUST_IMAGE=rust:1.90-slim-bookworm

 FROM debian:bookworm-slim AS nsjail

@@ -58,7 +58,7 @@ FROM node:24-alpine as frontend

 # install dependencies
 WORKDIR /frontend
-COPY ./frontend/package.json ./frontend/package-lock.json ./frontend/.npmrc ./
+COPY ./frontend/package.json ./frontend/package-lock.json ./
 COPY ./frontend/scripts/ ./scripts/
 RUN npm ci

@@ -97,7 +97,7 @@ ARG features=""

 COPY --from=planner /windmill/recipe.json recipe.json

-RUN apt-get update && apt-get install -y libxml2-dev=2.9.* libxmlsec1-dev=1.2.* libkrb5-dev libsasl2-dev libcurl4-openssl-dev clang=1:14.0-55.* libclang-dev=1:14.0-55.* cmake=3.25.* && \
+RUN apt-get update && apt-get install -y libxml2-dev=2.9.* libxmlsec1-dev=1.2.* libkrb5-dev libsasl2-dev clang=1:14.0-55.* libclang-dev=1:14.0-55.* cmake=3.25.* && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

@@ -126,13 +126,12 @@ ARG POWERSHELL_DEB_VERSION=7.5.0-1
 ARG KUBECTL_VERSION=1.28.7
 ARG HELM_VERSION=3.14.3
 # NOTE: If changing, also change go version in workspace dependencies template at WorkspaceDependenciesEditor.svelte
-ARG GO_VERSION=1.26.0
+ARG GO_VERSION=1.25.0
 ARG APP=/usr/src/app
 ARG WITH_POWERSHELL=true
 ARG WITH_KUBECTL=true
 ARG WITH_HELM=true
 ARG WITH_GIT=true
-ARG features=""

 # To change latest stable version:
 # 1. Change placeholder in instanceSettings.ts
@@ -150,8 +149,7 @@ ENV PATH /usr/local/bin:/root/.local/bin:/tmp/.local/bin:$PATH


 RUN apt-get update \
-    && apt-get install -y --no-install-recommends netbase tzdata ca-certificates wget curl jq unzip build-essential unixodbc xmlsec1 software-properties-common tini \
-    && if echo "$features" | grep -q "ee"; then apt-get install -y --no-install-recommends libsasl2-modules-gssapi-mit krb5-user; fi \
+    && apt-get install -y --no-install-recommends netbase tzdata ca-certificates wget curl jq unzip build-essential unixodbc xmlsec1 software-properties-common tini libsasl2-modules-gssapi-mit \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

@@ -241,7 +239,7 @@ RUN mkdir -p /tmp/windmill/cache && \
    cp -r /tmp/build_cache/* /tmp/windmill/cache/ && \
    chmod -R a+rw /tmp/windmill/cache && \
    rm -rf /tmp/build_cache && \
-    mkdir -p -m 777 /tmp/windmill/cache/uv /tmp/windmill/cache/go /tmp/windmill/cache/rustup /tmp/windmill/cache/cargo
+    mkdir -p -m 777 /tmp/windmill/cache/uv /tmp/windmill/cache/go

 # Runtime cache locations
 ENV UV_CACHE_DIR=/tmp/windmill/cache/uv
@@ -256,17 +254,7 @@ COPY --from=windmill_duckdb_ffi_internal_builder /windmill-duckdb-ffi-internal/t

 COPY --from=denoland/deno:2.2.1 --chmod=755 /usr/bin/deno /usr/bin/deno

-COPY --from=oven/bun:1.3.10 /usr/local/bin/bun /usr/bin/bun
-
-# Install windmill CLI
-RUN bun install -g windmill-cli \
-    && ln -s $(bun pm bin -g)/wmill /usr/bin/wmill
-
-# Install Claude Code CLI (used by claude sandbox scripts)
-# The installer puts the binary in ~/.local/bin/claude (symlink to ~/.local/share/claude/versions/*)
-# Copy it to /usr/bin/claude so it's accessible inside nsjail sandbox (which mounts /usr but not /root)
-RUN curl -fsSL https://claude.ai/install.sh | bash \
-    && cp /root/.local/share/claude/versions/* /usr/bin/claude
+COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun

 COPY --from=php:8.3.7-cli /usr/local/bin/php /usr/bin/php
 COPY --from=composer:2.7.6 /usr/bin/composer /usr/bin/composer
@@ -274,8 +262,8 @@ COPY --from=composer:2.7.6 /usr/bin/composer /usr/bin/composer
 # add the docker client to call docker from a worker if enabled
 COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/

-ENV RUSTUP_HOME="/tmp/windmill/cache/rustup"
-ENV CARGO_HOME="/tmp/windmill/cache/cargo"
+ENV RUSTUP_HOME="/usr/local/rustup"
+ENV CARGO_HOME="/usr/local/cargo"
 ENV LD_LIBRARY_PATH="."

 # nsjail runtime deps and binary
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Scripts are turned into sharable UIs automatically, and can be composed together
 </p>

 <p align="center">
-  <a href="https://app.windmill.dev">Try it</a> - <a href="https://www.windmill.dev/">Website</a> - <a href="https://www.windmill.dev/docs/intro/">Docs</a> - <a href="https://discord.gg/V7PM2YHsPB">Discord</a> - <a href="https://hub.windmill.dev">Hub</a> - <a href="https://www.windmill.dev/docs/misc/contributing">Contributor's guide</a>
+  <a href="https://app.windmill.dev">Try it</a> - <a href="https://www.windmill.dev/docs/intro/">Docs</a> - <a href="https://discord.gg/V7PM2YHsPB">Discord</a> - <a href="https://hub.windmill.dev">Hub</a> - <a href="https://www.windmill.dev/docs/misc/contributing">Contributor's guide</a>
 </p>

 # Windmill - Developer platform for APIs, background jobs, workflows and UIs
@@ -257,7 +257,6 @@ On self-hosted instances, you might want to import all the approved resource typ
 | BASE_URL                            | http://localhost:8000            | The base url that is exposed publicly to access your instance. Is overriden by the instance settings if any.                                                                                       | Server                |
 | ZOMBIE_JOB_TIMEOUT                  | 30                               | The timeout after which a job is considered to be zombie if the worker did not send pings about processing the job (every server check for zombie jobs every 30s)                                  | Server                |
 | RESTART_ZOMBIE_JOBS                 | true                             | If true then a zombie job is restarted (in-place with the same uuid and some logs), if false the zombie job is failed                                                                              | Server                |
-| NATIVE_MODE                         | false                            | Enable native mode: sets NUM_WORKERS=8, rejects non-native jobs (nativets, postgresql, mysql, etc.)                                                                                                | Worker                |
 | SLEEP_QUEUE                         | 50                               | The number of ms to sleep in between the last check for new jobs in the DB. It is multiplied by NUM_WORKERS such that in average, for one worker instance, there is one pull every SLEEP_QUEUE ms. | Worker                |
 | KEEP_JOB_DIR                        | false                            | Keep the job directory after the job is done. Useful for debugging.                                                                                                                                | Worker                |
 | LICENSE_KEY (EE only)               | None                             | License key checked at startup for the Enterprise Edition of Windmill                                                                                                                              | Worker                |
--- a/README_WORKMUX_DEV.md
+++ b/README_WORKMUX_DEV.md
@@ -1,289 +0,0 @@
-# Windmill Development with workmux
-
-This guide covers the workmux-based development setup for Windmill. Each worktree gets its own tmux window with a Claude Code agent, a backend server (with auto-reload), and a frontend dev server — all on isolated ports.
-
-## Prerequisites
-
- tmux
- Rust toolchain (rustup)
- Node.js + npm
- PostgreSQL running locally (see `backend/.env`)
-
-## Installation
-
-### 1. Install workmux
-
-```bash
-cargo install workmux
-```
-
-### 2. Install the Claude Code plugin
-
-```bash
-workmux claude install
-```
-
-This lets workmux manage Claude Code agents in worktree panes.
-
-### 3. Install cargo-watch
-
-Used for auto-recompiling the backend on file changes:
-
-```bash
-cargo install cargo-watch
-```
-
-### 4. Install llm CLI (required for auto branch naming)
-
-workmux uses the `llm` CLI to automatically generate branch names from prompts. Install it with:
-
-```bash
-uv tool install llm
-llm install llm-anthropic
-```
-
-Then set your Anthropic API key:
-
-```bash
-llm keys set anthropic
-# paste your API key when prompted
-```
-
-### 5. Recommended: shell alias and autocomplete
-
-Set up a `wm` alias for convenience:
-
-```bash
-# Add to your ~/.zshrc
-alias wm="workmux"
-```
-
-Setting up zsh autocomplete is also recommended — see the [workmux docs](https://github.com/rubenfiszel/workmux) for instructions.
-
-## Port Slot System
-
-Each worktree is assigned a **slot** that determines its ports:
-
-| Slot | Backend | Frontend |
-| ---- | ------- | -------- |
-| 0    | 8000    | 3000     |
-| 1    | 8010    | 3010     |
-| 2    | 8020    | 3020     |
-| 3    | 8030    | 3030     |
-| ...  | ...     | ...      |
-
- **Slot 0** is reserved for the main worktree (default `cargo run` / `npm run dev`).
- Without `WM_SLOT`, the script auto-assigns the first available slot (starting from 1) and prints it.
- With `WM_SLOT=N`, it uses that slot and errors if the ports are taken.
-
-## SSH Port Forwarding
-
-If you develop over SSH, add this to `~/.ssh/config` on your **local machine** to pre-configure tunnels for each slot:
-
-```
-Host windmill-dev
-  HostName <remote-ip>
-  User <username>
-  # Slot 0 (main worktree)
-  LocalForward 8000 localhost:8000
-  LocalForward 3000 localhost:3000
-  # Slot 1
-  LocalForward 8010 localhost:8010
-  LocalForward 3010 localhost:3010
-  # Slot 2
-  LocalForward 8020 localhost:8020
-  LocalForward 3020 localhost:3020
-  # Slot 3
-  LocalForward 8030 localhost:8030
-  LocalForward 3030 localhost:3030
-```
-
-Then connect once and all tunnels are active:
-
-```bash
-ssh windmill-dev
-```
-
-Access the frontend at `http://localhost:<frontend-port>` in your local browser.
-
-## Quickstart
-
-```bash
-# Create a new worktree (auto-assigns slot, prints ports)
-workmux add my-feature
-
-# Or with an explicit slot
-WM_SLOT=2 workmux add my-feature
-
-# Create a worktree and immediately send a prompt to the agent
-workmux add -A -p "fix the login bug in auth.rs"
-```
-
-The `add` command creates the worktree but does **not** open it. To open the tmux window and start working:
-
-```bash
-workmux open my-feature
-```
-
-This will open a tmux window with three panes:
-
- **Claude Code agent** (focused)
- **Backend**: `cargo watch -x run` on the assigned port (auto-reloads on save)
- **Frontend**: `npm run dev` proxying to the backend
-
-When using `-A` with `add`, the worktree is created and opened automatically, and the prompt is sent to the agent right away.
-
-Check which ports were assigned:
-
-```bash
-cat <worktree-path>/.env.local
-```
-
-### Sending work to the agent
-
-```bash
-# Send a prompt to the agent in a worktree
-workmux send my-feature "fix the login bug in auth.rs"
-
-# Check agent status
-workmux status
-```
-
-### Merging and cleaning up
-
-We never merge worktrees directly — always create a PR on GitHub and let it be merged there. Once the PR is merged, clean up the worktree:
-
-```bash
-# Close the tmux window but keep the worktree
-workmux close my-feature
-
-# After your PR is merged, remove the worktree, branch, and tmux window
-workmux rm my-feature
-```
-
-> **Note**: Do not use `workmux merge`. Always go through a PR to get your changes into main. You can ask the Claude Code agent in the worktree to create the PR for you.
-
-## Configuration
-
-The setup is defined in `.workmux.yaml` at the repo root. Key sections:
-
- **`post_create`**: Runs `scripts/worktree-env` to generate `.env.local` with port assignments
- **`panes`**: Defines the tmux layout (agent, backend, frontend)
- **`files.copy`**: Copies `backend/.env` and `scripts/` into each worktree
-
-The `post_create` hook also copies `frontend/node_modules` using `cp -a` (preserves `.bin/` symlinks that `cp -r` would dereference).
-
-## Enterprise (EE) Code Access
-
-The enterprise source code lives in the `windmill-ee-private` repository (sibling to this repo). When you create a worktree, `scripts/worktree-env` automatically creates a matching EE worktree on the same branch and configures Claude Code's `additionalDirectories` to grant access.
-
-### Sandbox setup
-
-When using sandbox mode, the container needs explicit mounts to access the EE repo. Add the following to your global workmux config (`~/.config/workmux/config.yaml`):
-
-```yaml
-sandbox:
-  extra_mounts:
-    - host_path: ~/windmill-ee-private
-      writable: true
-    - host_path: ~/windmill-ee-private__worktrees
-      writable: true
-```
-
-This mounts both the main EE repo (used by the main worktree) and the EE worktrees directory (used by feature worktrees) into every sandbox container.
-
-## Cursor SSH Integration (`wmc`)
-
-`wm-cursor` (aliased as `wmc`) gives each worktree its own Cursor SSH remote window with an independently-focused tmux session. All windows are visible in the status bar across all Cursor terminals, but each one is focused on its own worktree.
-
-This uses **grouped tmux sessions** — multiple sessions that share the same window list but track focus independently:
-
-```
-tmux session: main          <-- your main Cursor terminal
-tmux session: cursor-feat-a <-- Cursor window for feat-a (focused on wm-feat-a)
-tmux session: cursor-feat-b <-- Cursor window for feat-b (focused on wm-feat-b)
-    \__ all three share the same windows in the status bar
-```
-
-### Setup
-
-Run once from inside tmux on the remote:
-
-```bash
-./scripts/wm-cursor setup /home/hugo/projects/windmill
-```
-
-This:
-
-1. **Merges `.vscode/settings.json`** — adds the `wm-tmux` terminal profile (auto-attaches to the `main` tmux session), disables auto port forwarding, configures forwarding for ports 8000/3000/5432, and stops rust-analyzer from auto-starting. Existing settings are preserved.
-2. **Creates `.vscode/tasks.json`** — auto-starts the dev database (`start-dev-db.sh`) when the folder opens.
-3. **Adds `wmc` alias to `~/.zshrc`** — so you can use `wmc` from any tmux window.
-4. **Adds `eval "$(wmc completions)"`** to `~/.zshrc` — provides tab-completion for subcommands and worktree names (for `open`, `open-ee`, and `close`).
-
-After setup, reopen Cursor's terminal to pick up the new profile.
-
-### Usage
-
-All commands run from inside a tmux session (i.e., from Cursor's integrated terminal after setup).
-
-**Create a new worktree + open Cursor:**
-
-```bash
-wmc add -A -p "implement feature X"
-```
-
-This runs `workmux add`, creates a grouped tmux session, writes `.vscode/settings.json` in the worktree (with port forwarding matching the worktree's assigned ports), and opens a new Cursor window.
-
-**Open Cursor for an existing worktree:**
-
-```bash
-wmc open my-feature
-```
-
-**Open the EE worktree in Cursor (no tmux session):**
-
-```bash
-wmc open-ee my-feature
-```
-
-This finds the matching `windmill-ee-private__worktrees/<name>` directory and opens it in a new Cursor window.
-
-**Close a worktree's Cursor window and tmux window (keeps the worktree):**
-
-```bash
-wmc close my-feature
-```
-
-This kills the grouped tmux session and calls `workmux close` to close the tmux window. The worktree and branch are preserved. Grouped sessions are also automatically cleaned up when you `workmux rm` a worktree (via `scripts/worktree-cleanup`).
-
-## Cargo Features
-
-To build the backend with specific Cargo features (e.g., `enterprise`, `parquet`), pass them via `CARGO_FEATURES`. The backend pane reads this from `.env.local` and appends `--features <value>` to the `cargo watch` command.
-
-**With `wm` (workmux):**
-
-Set `CARGO_FEATURES` as an environment variable before creating the worktree:
-
-```bash
-CARGO_FEATURES="enterprise,parquet" wm add my-feature
-```
-
-This gets written to `.env.local` by the `post_create` hook (`scripts/worktree-env`), and the backend pane picks it up automatically.
-
-**With `wmc` (wm-cursor):**
-
-Use the `--features` flag:
-
-```bash
-# Create a new worktree with features
-wmc add --features "enterprise,parquet" -A -p "implement feature X"
-
-# Open an existing worktree with different features
-wmc open my-feature --features "enterprise,parquet"
-```
-
-The `--features` flag exports `CARGO_FEATURES` so the `post_create` hook writes it to `.env.local`. When using `wmc open`, it updates the existing `.env.local` with the new features.
-
-## Login
-
-Default credentials: `admin@windmill.dev` / `changeme`
--- a/backend/.sqlx/query-00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f.json
+++ b/backend/.sqlx/query-00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = now() + interval '60 seconds'\n                         WHERE workspace_id = $1 AND name = $2 AND leased_by = $3 AND lease_until > now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f"
-}
--- a/backend/.sqlx/query-015a8551c646f9b027fc23752c5c5c81e520e3ca97dd1cd1e4ebfe3e46c4ad11.json
+++ b/backend/.sqlx/query-015a8551c646f9b027fc23752c5c5c81e520e3ca97dd1cd1e4ebfe3e46c4ad11.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT group_ FROM usr_to_group WHERE usr = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "group_",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "015a8551c646f9b027fc23752c5c5c81e520e3ca97dd1cd1e4ebfe3e46c4ad11"
-}
--- a/backend/.sqlx/query-02e526146f3584cd599dec708e1be48db3b0cd1c74adbfa2e4039377daa016f0.json
+++ b/backend/.sqlx/query-02e526146f3584cd599dec708e1be48db3b0cd1c74adbfa2e4039377daa016f0.json
@@ -20,8 +20,7 @@
                      "resource",
                      "variable",
                      "ducklake",
-                      "datatable",
-                      "volume"
+                      "datatable"
                    ]
                  }
                }
--- a/backend/.sqlx/query-03d63d2e64b012f624d2731b5bcb8849c74a9474777be61edf0ed43ddda07ef3.json
+++ b/backend/.sqlx/query-03d63d2e64b012f624d2731b5bcb8849c74a9474777be61edf0ed43ddda07ef3.json
@@ -37,11 +37,6 @@
        "ordinal": 6,
        "name": "format_extension",
        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 7,
-        "name": "is_fileset",
-        "type_info": "Bool"
      }
    ],
    "parameters": {
@@ -57,8 +52,7 @@
      true,
      true,
      true,
-      true,
-      false
+      true
    ]
  },
  "hash": "03d63d2e64b012f624d2731b5bcb8849c74a9474777be61edf0ed43ddda07ef3"
--- a/backend/.sqlx/query-052d42b46d5faba6b41f1fdcbf6a012db51b9e5a255ec0da9a8a0999d668d336.json
+++ b/backend/.sqlx/query-052d42b46d5faba6b41f1fdcbf6a012db51b9e5a255ec0da9a8a0999d668d336.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT COUNT(*) FROM worker_ping WHERE ping_at > now() - interval '5 minutes'",
+  "query": "SELECT COUNT(*) as count FROM variable WHERE is_secret = true AND value != 'CLEARED'",
  "describe": {
    "columns": [
      {
@@ -16,5 +16,5 @@
      null
    ]
  },
-  "hash": "bbf166552ba15ce7cd76f812cdf7223414fa5c8a4860f3fe829d649baa1c5465"
+  "hash": "052d42b46d5faba6b41f1fdcbf6a012db51b9e5a255ec0da9a8a0999d668d336"
 }
--- a/backend/.sqlx/query-05e05a9b979941c7a11cd881da652f459e4a0444d63a96deba4a879fbe1124ff.json
+++ b/backend/.sqlx/query-05e05a9b979941c7a11cd881da652f459e4a0444d63a96deba4a879fbe1124ff.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM resource WHERE workspace_id = $1 AND path = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "05e05a9b979941c7a11cd881da652f459e4a0444d63a96deba4a879fbe1124ff"
-}
--- a/backend/.sqlx/query-06072cfe26abe58629623a8b38382b33947c5a5c702ce586e6e6ea51430380bf.json
+++ b/backend/.sqlx/query-06072cfe26abe58629623a8b38382b33947c5a5c702ce586e6e6ea51430380bf.json
@@ -1,12 +1,12 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n            SELECT service_config\n            FROM native_trigger\n            WHERE external_id = $1 AND service_name = $2 AND workspace_id = $3\n            ",
+  "query": "\n        SELECT EXISTS(\n            SELECT 1\n            FROM native_trigger\n            WHERE\n                workspace_id = $1 AND\n                service_name = $2 AND\n                external_id = $3\n        )\n        ",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "service_config",
-        "type_info": "Jsonb"
+        "name": "exists",
+        "type_info": "Bool"
      }
    ],
    "parameters": {
@@ -27,8 +27,8 @@
      ]
    },
    "nullable": [
-      true
+      null
    ]
  },
-  "hash": "8a4d42e373043bc509985ab320894bf3e6afa7b2019cc4739baac9165f7ead9e"
+  "hash": "06072cfe26abe58629623a8b38382b33947c5a5c702ce586e6e6ea51430380bf"
 }
--- a/backend/.sqlx/query-0681b850c033619e1b9498376263681f875a5aba22170ca50ec8b578f7fa478b.json
+++ b/backend/.sqlx/query-0681b850c033619e1b9498376263681f875a5aba22170ca50ec8b578f7fa478b.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job_queue (id, workspace_id, scheduled_for, tag)\n                 SELECT unnest($1::uuid[]), 'test-workspace', now(), 'flow'",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "UuidArray"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "0681b850c033619e1b9498376263681f875a5aba22170ca50ec8b578f7fa478b"
-}
--- a/backend/.sqlx/query-07168aaf14cb6beff0ad4274b441f7f387f5055c47f493271d26731336257384.json
+++ b/backend/.sqlx/query-07168aaf14cb6beff0ad4274b441f7f387f5055c47f493271d26731336257384.json
@@ -46,11 +46,11 @@
      ]
    },
    "nullable": [
-      false,
-      false,
-      false,
-      false,
-      false,
+      true,
+      true,
+      true,
+      true,
+      true,
      true,
      true
    ]
--- a/backend/.sqlx/query-075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a.json
+++ b/backend/.sqlx/query-075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a.json
@@ -1,29 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email, edited_by FROM websocket_trigger WHERE path = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "edited_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a"
-}
--- a/backend/.sqlx/query-07f5290e90533eac50b890a0d7f4a5e73ac111c838f687fe8647636827aae8b5.json
+++ b/backend/.sqlx/query-07f5290e90533eac50b890a0d7f4a5e73ac111c838f687fe8647636827aae8b5.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO flow_version (workspace_id, path, value, schema, created_by)\n        VALUES ($1, $2, $3, $4::text::json, $5)\n        RETURNING id",
+  "query": "INSERT INTO flow_version (workspace_id, path, value, schema, created_by) \n        VALUES ($1, $2, $3, $4::text::json, $5)\n        RETURNING id",
  "describe": {
    "columns": [
      {
@@ -22,5 +22,5 @@
      false
    ]
  },
-  "hash": "a9c805423e700b0acceb7c3dc43d1d3f9d4f56da25f588d281638e449d99a0d9"
+  "hash": "07f5290e90533eac50b890a0d7f4a5e73ac111c838f687fe8647636827aae8b5"
 }
--- a/backend/.sqlx/query-083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e.json
+++ b/backend/.sqlx/query-083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT large_file_storage->>'volume_storage' FROM workspace_settings WHERE workspace_id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "?column?",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e"
-}
--- a/backend/.sqlx/query-08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7.json
+++ b/backend/.sqlx/query-08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7.json
@@ -0,0 +1,202 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT * FROM workspace_settings WHERE teams_team_id = $1 AND teams_command_script IS NOT NULL",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "workspace_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 1,
+        "name": "slack_team_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 2,
+        "name": "slack_name",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 3,
+        "name": "slack_command_script",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 4,
+        "name": "slack_email",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 5,
+        "name": "customer_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 6,
+        "name": "plan",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 7,
+        "name": "webhook",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 8,
+        "name": "deploy_to",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 9,
+        "name": "ai_config",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 10,
+        "name": "large_file_storage",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 11,
+        "name": "git_sync",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 12,
+        "name": "default_app",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 13,
+        "name": "default_scripts",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 14,
+        "name": "deploy_ui",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 15,
+        "name": "mute_critical_alerts",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 16,
+        "name": "color",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 17,
+        "name": "operator_settings",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 18,
+        "name": "teams_command_script",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 19,
+        "name": "teams_team_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "teams_team_name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 21,
+        "name": "git_app_installations",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 22,
+        "name": "ducklake",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 23,
+        "name": "slack_oauth_client_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 24,
+        "name": "slack_oauth_client_secret",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 25,
+        "name": "datatable",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 26,
+        "name": "teams_team_guid",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 27,
+        "name": "auto_invite",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 28,
+        "name": "error_handler",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 29,
+        "name": "success_handler",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 30,
+        "name": "public_app_execution_limit_per_minute",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      true,
+      true,
+      true,
+      false,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      false,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true
+    ]
+  },
+  "hash": "08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7"
+}
--- a/backend/.sqlx/query-0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4.json
+++ b/backend/.sqlx/query-0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT extra_perms FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "extra_perms",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4"
-}
--- a/backend/.sqlx/query-0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750.json
+++ b/backend/.sqlx/query-0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT created_by FROM volume WHERE name = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "created_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750"
-}
--- a/backend/.sqlx/query-0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba.json
+++ b/backend/.sqlx/query-0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT email FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%@', $2::text)) AND NOT EXISTS (\n                    SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n                )",
+  "query": "SELECT email FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%', $2::text)) AND NOT EXISTS (\n                    SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n                )",
  "describe": {
    "columns": [
      {
@@ -19,5 +19,5 @@
      false
    ]
  },
-  "hash": "886a921adc115f0a9c6f3a68381bd8f5a16866135120175d9073b9b2c41bbd51"
+  "hash": "0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba"
 }
--- a/backend/.sqlx/query-1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77.json
+++ b/backend/.sqlx/query-1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77.json
@@ -1,21 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO email_trigger (\n            path, local_part, workspaced_local_part, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77"
-}
--- a/backend/.sqlx/query-11e24f758a70cd5f3a240bc81a05f40754826db0ee1194409227597a98603e92.json
+++ b/backend/.sqlx/query-11e24f758a70cd5f3a240bc81a05f40754826db0ee1194409227597a98603e92.json
@@ -0,0 +1,26 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n                        SELECT\n                            path,\n                            custom_path\n                        FROM \n                            app\n                        WHERE \n                            custom_path IN (\n                                SELECT \n                                    custom_path\n                                FROM \n                                    app\n                                GROUP \n                                    BY custom_path\n                                HAVING COUNT(*) > 1\n                            )\n                        ORDER BY custom_path\n                        ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "path",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 1,
+        "name": "custom_path",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": [
+      false,
+      true
+    ]
+  },
+  "hash": "11e24f758a70cd5f3a240bc81a05f40754826db0ee1194409227597a98603e92"
+}
--- a/backend/.sqlx/query-12c3101e02f197ad731b66f539fe677ad25520fcc9c5a2378a293122956bed4c.json
+++ b/backend/.sqlx/query-12c3101e02f197ad731b66f539fe677ad25520fcc9c5a2378a293122956bed4c.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT error_handler->>'path' FROM workspace_settings WHERE workspace_id = 'test-workspace'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "?column?",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "12c3101e02f197ad731b66f539fe677ad25520fcc9c5a2378a293122956bed4c"
-}
--- a/backend/.sqlx/query-14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6.json
+++ b/backend/.sqlx/query-14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6.json
@@ -1,25 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, lease_until, leased_by)\n                     VALUES ($1, $2, 0, $3, now() + interval '60 seconds', $4)\n                     ON CONFLICT (workspace_id, name) DO UPDATE\n                     SET lease_until = now() + interval '60 seconds', leased_by = $4\n                     WHERE volume.lease_until IS NULL OR volume.lease_until < now()\n                     RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6"
-}
--- a/backend/.sqlx/query-1437b432d2c23e30eb05443e83069cdb049f65ec299b0778ce14677728cf6346.json
+++ b/backend/.sqlx/query-1437b432d2c23e30eb05443e83069cdb049f65ec299b0778ce14677728cf6346.json
@@ -1,26 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        WITH completed AS (\n            INSERT INTO v2_job_completed\n                (workspace_id, id, started_at, duration_ms, result,\n                 flow_status, workflow_as_code_status, status, worker)\n            SELECT\n                q.workspace_id, q.id, q.started_at,\n                (EXTRACT('epoch' FROM now()) - EXTRACT('epoch' FROM COALESCE(q.started_at, now()))) * 1000,\n                CASE WHEN q.running\n                    THEN $3::text::jsonb\n                    ELSE $4::text::jsonb\n                END,\n                s.flow_status,\n                s.workflow_as_code_status,\n                'skipped'::job_status,\n                q.worker\n            FROM v2_job_queue q\n            LEFT JOIN v2_job_status s ON s.id = q.id\n            WHERE q.id = $1\n            ON CONFLICT (id) DO UPDATE SET status = EXCLUDED.status, result = EXCLUDED.result\n            RETURNING 1 AS x\n        ), _deleted AS (\n            DELETE FROM v2_job_queue WHERE id = $1\n        ), _logged AS (\n            INSERT INTO job_logs (logs, job_id, workspace_id)\n            VALUES ($5, $1, $2)\n            ON CONFLICT (job_id) DO UPDATE SET logs = concat(job_logs.logs, EXCLUDED.logs)\n        )\n        SELECT x FROM completed\n        ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "x",
-        "type_info": "Int4"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "1437b432d2c23e30eb05443e83069cdb049f65ec299b0778ce14677728cf6346"
-}
--- a/backend/.sqlx/query-17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c.json
+++ b/backend/.sqlx/query-17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c.json
@@ -1,29 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "edited_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c"
-}
--- a/backend/.sqlx/query-181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051.json
+++ b/backend/.sqlx/query-181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, runnable_path, preprocessed)\n             VALUES ($1, 'flow', 'flow', 'test-user', 'u/test-user', 'test@windmill.dev', $2, $3, $4)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Varchar",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051"
-}
--- a/backend/.sqlx/query-18b6262a60400f2b58ab26615466c23b4c1a7805c66b70b0fcfb7d33b122a7bf.json
+++ b/backend/.sqlx/query-18b6262a60400f2b58ab26615466c23b4c1a7805c66b70b0fcfb7d33b122a7bf.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT result::text FROM v2_job_completed WHERE id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "result",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "18b6262a60400f2b58ab26615466c23b4c1a7805c66b70b0fcfb7d33b122a7bf"
-}
--- a/backend/.sqlx/query-18d1a6ac94f2c87d5ea8c48a228f061135be4065dca33fbc429d8b0186c5ccb3.json
+++ b/backend/.sqlx/query-18d1a6ac94f2c87d5ea8c48a228f061135be4065dca33fbc429d8b0186c5ccb3.json
@@ -1,12 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        UPDATE workspace_settings\n        SET error_handler = '{\"path\": \"script/f/test/error_handler\", \"extra_args\": {\"notify\": true}, \"muted_on_cancel\": true, \"muted_on_user_path\": false}'::jsonb\n        WHERE workspace_id = 'test-workspace'\n        ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": []
-  },
-  "hash": "18d1a6ac94f2c87d5ea8c48a228f061135be4065dca33fbc429d8b0186c5ccb3"
-}
--- a/backend/.sqlx/query-19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed.json
+++ b/backend/.sqlx/query-19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email FROM token WHERE token = $1 AND (expiration > NOW() OR expiration IS NULL)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed"
-}
--- a/backend/.sqlx/query-1af6885dbc5055281acb82b3e57f7dba2e4b04d9535058fab695660a14bf8890.json
+++ b/backend/.sqlx/query-1af6885dbc5055281acb82b3e57f7dba2e4b04d9535058fab695660a14bf8890.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job_queue (id, workspace_id, scheduled_for, tag)\n             VALUES ($1, $2, now(), 'flow')",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1af6885dbc5055281acb82b3e57f7dba2e4b04d9535058fab695660a14bf8890"
-}
--- a/backend/.sqlx/query-1bceaf6e9f25745b7f70128054ca81d68f3d56d4782e99e05b4f1cb362683514.json
+++ b/backend/.sqlx/query-1bceaf6e9f25745b7f70128054ca81d68f3d56d4782e99e05b4f1cb362683514.json
@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "WITH inserted_concurrency_counter AS (\n                INSERT INTO concurrency_counter (concurrency_id, job_uuids) \n                VALUES ($1, '{}'::jsonb)\n                ON CONFLICT DO NOTHING\n            )\n            INSERT INTO concurrency_key(key, job_id) VALUES ($1, $2)",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "1bceaf6e9f25745b7f70128054ca81d68f3d56d4782e99e05b4f1cb362683514"
+}
--- a/backend/.sqlx/query-1c2157ce14e90f0751d7f0a9f2dbb3c5a5789a32423e75260098a5300a4af986.json
+++ b/backend/.sqlx/query-1c2157ce14e90f0751d7f0a9f2dbb3c5a5789a32423e75260098a5300a4af986.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO resource_type (workspace_id, name, schema, description, edited_at, created_by, format_extension, is_fileset)\n         SELECT $2, name, schema, description, edited_at, created_by, format_extension, is_fileset\n         FROM resource_type\n         WHERE workspace_id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1c2157ce14e90f0751d7f0a9f2dbb3c5a5789a32423e75260098a5300a4af986"
-}
--- a/backend/.sqlx/query-1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e.json
+++ b/backend/.sqlx/query-1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET last_used_at = now() WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e"
-}
--- a/backend/.sqlx/query-1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab.json
+++ b/backend/.sqlx/query-1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, last_used_at)\n         VALUES ($1, $2, $3, $4, now())\n         ON CONFLICT (workspace_id, name) DO UPDATE\n         SET size_bytes = $3, last_used_at = now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Int8",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab"
-}
--- a/backend/.sqlx/query-1ea97f9085ec018f779e77e0fdbda3d4ecd67b3fbee9a58228ef577f846607ae.json
+++ b/backend/.sqlx/query-1ea97f9085ec018f779e77e0fdbda3d4ecd67b3fbee9a58228ef577f846607ae.json
@@ -1,24 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT EXISTS(SELECT 1 FROM resource_type WHERE workspace_id = 'admins' AND name = $1 AND schema IS NOT DISTINCT FROM $2 AND description IS NOT DISTINCT FROM $3)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "exists",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Jsonb",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "1ea97f9085ec018f779e77e0fdbda3d4ecd67b3fbee9a58228ef577f846607ae"
-}
--- a/backend/.sqlx/query-2031c5138a785367e5127180ccb6734efa41ee6cb3b4819c1c517798b2b23e4a.json
+++ b/backend/.sqlx/query-2031c5138a785367e5127180ccb6734efa41ee6cb3b4819c1c517798b2b23e4a.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE email_trigger SET script_path = $1, local_part = $2 WHERE workspace_id = $3 AND path = $4",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "2031c5138a785367e5127180ccb6734efa41ee6cb3b4819c1c517798b2b23e4a"
-}
--- a/backend/.sqlx/query-212553c83e4dcdc6d045eb2fe2dadbb2860ce52d37a56b2861de1215260ecff8.json
+++ b/backend/.sqlx/query-212553c83e4dcdc6d045eb2fe2dadbb2860ce52d37a56b2861de1215260ecff8.json
@@ -1,87 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n            SELECT id, runnable_path, trigger_kind AS \"trigger_kind: String\",\n                   args AS \"args: sqlx::types::Json<serde_json::Value>\"\n            FROM v2_job\n            WHERE runnable_path = $1\n              AND trigger_kind = $2::job_trigger_kind\n            ORDER BY created_at DESC\n            LIMIT 1\n            ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Uuid"
-      },
-      {
-        "ordinal": 1,
-        "name": "runnable_path",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 2,
-        "name": "trigger_kind: String",
-        "type_info": {
-          "Custom": {
-            "name": "job_trigger_kind",
-            "kind": {
-              "Enum": [
-                "webhook",
-                "http",
-                "websocket",
-                "kafka",
-                "email",
-                "nats",
-                "schedule",
-                "app",
-                "ui",
-                "postgres",
-                "sqs",
-                "gcp",
-                "mqtt",
-                "nextcloud",
-                "google"
-              ]
-            }
-          }
-        }
-      },
-      {
-        "ordinal": 3,
-        "name": "args: sqlx::types::Json<serde_json::Value>",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        {
-          "Custom": {
-            "name": "job_trigger_kind",
-            "kind": {
-              "Enum": [
-                "webhook",
-                "http",
-                "websocket",
-                "kafka",
-                "email",
-                "nats",
-                "schedule",
-                "app",
-                "ui",
-                "postgres",
-                "sqs",
-                "gcp",
-                "mqtt",
-                "nextcloud",
-                "google"
-              ]
-            }
-          }
-        }
-      ]
-    },
-    "nullable": [
-      false,
-      true,
-      true,
-      true
-    ]
-  },
-  "hash": "212553c83e4dcdc6d045eb2fe2dadbb2860ce52d37a56b2861de1215260ecff8"
-}
--- a/backend/.sqlx/query-23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc.json
+++ b/backend/.sqlx/query-23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc.json
@@ -1,25 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, lease_until, leased_by)\n         VALUES ($1, $2, 0, $3, now() + interval '60 seconds', $4)\n         ON CONFLICT (workspace_id, name) DO UPDATE\n         SET lease_until = now() + interval '60 seconds', leased_by = $4\n         WHERE volume.lease_until IS NULL OR volume.lease_until < now()\n         RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc"
-}
--- a/backend/.sqlx/query-25bf3956b4365a4d4f96368bcc6e33817ae284ab26c195eee53d988d74263e86.json
+++ b/backend/.sqlx/query-25bf3956b4365a4d4f96368bcc6e33817ae284ab26c195eee53d988d74263e86.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT (error_handler->>'muted_on_cancel')::boolean FROM workspace_settings WHERE workspace_id = 'test-workspace'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "bool",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "25bf3956b4365a4d4f96368bcc6e33817ae284ab26c195eee53d988d74263e86"
-}
--- a/backend/.sqlx/query-2602402bedcdbc45cdc0d64a76ce075c6ae51404037b0a7d4d33faf6a7d6a6d8.json
+++ b/backend/.sqlx/query-2602402bedcdbc45cdc0d64a76ce075c6ae51404037b0a7d4d33faf6a7d6a6d8.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO workspace_integrations (\n            workspace_id,\n            service_name,\n            oauth_data,\n            resource_path,\n            created_by,\n            created_at,\n            updated_at\n        ) VALUES (\n            $1, $2, $3, $4, $5, now(), now()\n        )\n        ON CONFLICT (workspace_id, service_name)\n        DO UPDATE SET\n            oauth_data = $3,\n            resource_path = $4,\n            updated_at = now()\n        ",
+  "query": "\n        INSERT INTO workspace_integrations (\n            workspace_id,\n            service_name,\n            oauth_data,\n            created_by,\n            created_at,\n            updated_at\n        ) VALUES (\n            $1, $2, $3, $4, now(), now()\n        )\n        ON CONFLICT (workspace_id, service_name)\n        DO UPDATE SET\n            oauth_data = $3,\n            updated_at = now()\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -18,11 +18,10 @@
          }
        },
        "Jsonb",
-        "Text",
        "Varchar"
      ]
    },
    "nullable": []
  },
-  "hash": "a588f4caa014008b50eccd09122b09f8a098e58791893bacaaf2ff67a30c031c"
+  "hash": "2602402bedcdbc45cdc0d64a76ce075c6ae51404037b0a7d4d33faf6a7d6a6d8"
 }
--- a/backend/.sqlx/query-26b35cf50959b1b1fd7e1cb33c65da40d29e20fd16b02355ba073f420c03a767.json
+++ b/backend/.sqlx/query-26b35cf50959b1b1fd7e1cb33c65da40d29e20fd16b02355ba073f420c03a767.json
@@ -1,26 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n                        SELECT\n                            path,\n                            custom_path\n                        FROM\n                            app\n                        WHERE\n                            custom_path IN (\n                                SELECT\n                                    custom_path\n                                FROM\n                                    app\n                                GROUP\n                                    BY custom_path\n                                HAVING COUNT(*) > 1\n                            )\n                        ORDER BY custom_path\n                        ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "path",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "custom_path",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false,
-      true
-    ]
-  },
-  "hash": "26b35cf50959b1b1fd7e1cb33c65da40d29e20fd16b02355ba073f420c03a767"
-}
--- a/backend/.sqlx/query-26beff5e94b68703ad81ef9dd2d08869eb3bb7659efd9bac04cdf98ae963063d.json
+++ b/backend/.sqlx/query-26beff5e94b68703ad81ef9dd2d08869eb3bb7659efd9bac04cdf98ae963063d.json
@@ -1,25 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO account (workspace_id, client, expires_at, refresh_token, is_workspace_integration)\n         VALUES ($1, $2, now() + ($3 || ' seconds')::interval, $4, true)\n         RETURNING id",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Int4"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Text",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "26beff5e94b68703ad81ef9dd2d08869eb3bb7659efd9bac04cdf98ae963063d"
-}
--- a/backend/.sqlx/query-27065225c6affd26f1533dacffe1c38321511b5a7dd2a7e9435c04868188fd44.json
+++ b/backend/.sqlx/query-27065225c6affd26f1533dacffe1c38321511b5a7dd2a7e9435c04868188fd44.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM account WHERE workspace_id = $1 AND client = $2 AND is_workspace_integration = true RETURNING id",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Int4"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "27065225c6affd26f1533dacffe1c38321511b5a7dd2a7e9435c04868188fd44"
-}
--- a/backend/.sqlx/query-27f70ebe788cca2e88732d8bf978883037bebca4cf75ba459858e4fb197f940b.json
+++ b/backend/.sqlx/query-27f70ebe788cca2e88732d8bf978883037bebca4cf75ba459858e4fb197f940b.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, runnable_path)\n             VALUES ($1, 'flow', 'flow', 'test-user', 'u/test-user', 'test@windmill.dev', $2, $3)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "27f70ebe788cca2e88732d8bf978883037bebca4cf75ba459858e4fb197f940b"
-}
--- a/backend/.sqlx/query-28b8264a427e8c19be823d2b8e40736a7b7675780672b503d91737cd0c617657.json
+++ b/backend/.sqlx/query-28b8264a427e8c19be823d2b8e40736a7b7675780672b503d91737cd0c617657.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT (error_handler->>'muted_on_user_path')::boolean FROM workspace_settings WHERE workspace_id = 'test-workspace'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "bool",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "28b8264a427e8c19be823d2b8e40736a7b7675780672b503d91737cd0c617657"
-}
--- a/backend/.sqlx/query-28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98.json
+++ b/backend/.sqlx/query-28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = NULL, leased_by = NULL\n                 WHERE workspace_id = $1 AND name = $2 AND leased_by = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98"
-}
--- a/backend/.sqlx/query-2a95f18e80c55a7e8178a4bd2b781d41fa47efd4da5bb9bc2d72b9aa1e33617f.json
+++ b/backend/.sqlx/query-2a95f18e80c55a7e8178a4bd2b781d41fa47efd4da5bb9bc2d72b9aa1e33617f.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT debounce_batch FROM v2_job_debounce_batch WHERE id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "debounce_batch",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "2a95f18e80c55a7e8178a4bd2b781d41fa47efd4da5bb9bc2d72b9aa1e33617f"
-}
--- a/backend/.sqlx/query-2b3b634b15eb58b95ce26b5a591258b54fb7bf21ae85e7a390ad73489c2247ac.json
+++ b/backend/.sqlx/query-2b3b634b15eb58b95ce26b5a591258b54fb7bf21ae85e7a390ad73489c2247ac.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT worker, worker_instance, worker_group, vcpus, memory, ping_at, started_at, custom_tags, occupancy_rate_15s, occupancy_rate_5m, occupancy_rate_30m, native_mode FROM worker_ping WHERE ping_at > now() - interval '30 days' ORDER BY started_at",
+  "query": "SELECT worker, worker_instance, worker_group, vcpus, memory, ping_at, started_at, custom_tags, occupancy_rate_15s, occupancy_rate_5m, occupancy_rate_30m FROM worker_ping WHERE ping_at > now() - interval '30 days' ORDER BY started_at",
  "describe": {
    "columns": [
      {
@@ -57,11 +57,6 @@
        "ordinal": 10,
        "name": "occupancy_rate_30m",
        "type_info": "Float4"
-      },
-      {
-        "ordinal": 11,
-        "name": "native_mode",
-        "type_info": "Bool"
      }
    ],
    "parameters": {
@@ -78,9 +73,8 @@
      true,
      true,
      true,
-      true,
-      false
+      true
    ]
  },
-  "hash": "dcc6928bc273fcbe52bcef43f9d06d8bb8c68a1b04b3c2cce7491dde5d727446"
+  "hash": "2b3b634b15eb58b95ce26b5a591258b54fb7bf21ae85e7a390ad73489c2247ac"
 }
--- a/backend/.sqlx/query-2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1.json
+++ b/backend/.sqlx/query-2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT value FROM variable WHERE workspace_id = $1 AND path = $2 AND is_secret = true",
+  "query": "SELECT value FROM variable WHERE workspace_id = $1 AND path = $2",
  "describe": {
    "columns": [
      {
@@ -19,5 +19,5 @@
      false
    ]
  },
-  "hash": "302bc55d0c227c5b12458ccde6569c4b531ff494d1ede0a655872ae05215f8a6"
+  "hash": "2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1"
 }
--- a/backend/.sqlx/query-2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0.json
+++ b/backend/.sqlx/query-2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job_queue (id, workspace_id, scheduled_for, tag, running)\n             VALUES ($1, $2, now(), 'flow', false)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0"
-}
--- a/backend/.sqlx/query-2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09.json
+++ b/backend/.sqlx/query-2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO workspace_invite\n            (workspace_id, email, is_admin, operator)\n            SELECT $1::text, email, false, $3 FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%@', $2::text)) AND NOT EXISTS (\n                SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n            )\n            ON CONFLICT DO NOTHING",
+  "query": "INSERT INTO workspace_invite\n            (workspace_id, email, is_admin, operator)\n            SELECT $1::text, email, false, $3 FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%', $2::text)) AND NOT EXISTS (\n                SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n            )\n            ON CONFLICT DO NOTHING",
  "describe": {
    "columns": [],
    "parameters": {
@@ -12,5 +12,5 @@
    },
    "nullable": []
  },
-  "hash": "c0fad64e5d707ffa29d236f558e23b608168dc3a1b3857d2ad33ec20627acbff"
+  "hash": "2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09"
 }
--- a/backend/.sqlx/query-2e5dd992b0bfd7550d6f4cb5424a1c14352527b98249bce286790641bf56491e.json
+++ b/backend/.sqlx/query-2e5dd992b0bfd7550d6f4cb5424a1c14352527b98249bce286790641bf56491e.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT count(*) FROM native_trigger WHERE workspace_id = 'test-workspace' AND service_name = 'google'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "count",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "2e5dd992b0bfd7550d6f4cb5424a1c14352527b98249bce286790641bf56491e"
-}
--- a/backend/.sqlx/query-2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943.json
+++ b/backend/.sqlx/query-2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943.json
@@ -1,24 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n                SELECT\n                    CASE\n                        WHEN flow_version.id IS NOT NULL THEN\n                            flow_version.value -> 'flow_env' -> $3\n                        ELSE\n                            root_job.raw_flow -> 'flow_env' -> $3\n                    END AS \"flow_env: sqlx::types::Json<Box<RawValue>>\"\n                FROM\n                    v2_job current_job\n                JOIN\n                    v2_job root_job ON root_job.id = COALESCE(current_job.root_job, current_job.flow_innermost_root_job, current_job.parent_job, current_job.id)\n                    AND root_job.workspace_id = current_job.workspace_id\n                LEFT JOIN\n                    flow_version ON flow_version.id = root_job.runnable_id\n                    AND flow_version.path = root_job.runnable_path\n                    AND flow_version.workspace_id = root_job.workspace_id\n            WHERE\n                    current_job.id = $1 AND\n                    current_job.workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "flow_env: sqlx::types::Json<Box<RawValue>>",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943"
-}
--- a/backend/.sqlx/query-33fff66efe810ad7e92b36ca9b287938437182d7817387707e800519d9f5bafc.json
+++ b/backend/.sqlx/query-33fff66efe810ad7e92b36ca9b287938437182d7817387707e800519d9f5bafc.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE variable SET value = $1 WHERE workspace_id = $2 AND path = $3 AND is_secret = true",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "33fff66efe810ad7e92b36ca9b287938437182d7817387707e800519d9f5bafc"
-}
--- a/backend/.sqlx/query-34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc.json
+++ b/backend/.sqlx/query-34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc.json
@@ -1,28 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT workspace_id, teams_command_script FROM workspace_settings WHERE teams_team_id = $1 AND teams_command_script IS NOT NULL",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "workspace_id",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "teams_command_script",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      true
-    ]
-  },
-  "hash": "34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc"
-}
--- a/backend/.sqlx/query-3481e65196e500ad914f10b87884c19d8a3636ae955788c3366365194fe2ef57.json
+++ b/backend/.sqlx/query-3481e65196e500ad914f10b87884c19d8a3636ae955788c3366365194fe2ef57.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM mqtt_trigger WHERE workspace_id = $1 AND path = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "3481e65196e500ad914f10b87884c19d8a3636ae955788c3366365194fe2ef57"
-}
--- a/backend/.sqlx/query-380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d.json
+++ b/backend/.sqlx/query-380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO global_settings (name, value) VALUES ('indexer_settings', $1)\n         ON CONFLICT (name) DO UPDATE SET value = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d"
-}
--- a/backend/.sqlx/query-3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34.json
+++ b/backend/.sqlx/query-3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34.json
@@ -1,18 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume\n         SET size_bytes = $3, file_count = $4,\n             updated_at = now(), updated_by = $5, last_used_at = now(),\n             lease_until = NULL, leased_by = NULL\n         WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Int8",
-        "Int4",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34"
-}
--- a/backend/.sqlx/query-3b3f60623126626b52ca0a4a188655ddf728cd3f21ee308db7393694ccc5c7b3.json
+++ b/backend/.sqlx/query-3b3f60623126626b52ca0a4a188655ddf728cd3f21ee308db7393694ccc5c7b3.json
@@ -1,10 +1,11 @@
 {
  "db_name": "PostgreSQL",
-  "query": "DELETE FROM native_trigger WHERE workspace_id = $1 AND service_name = $2",
+  "query": "\n            UPDATE workspace_integrations\n            SET oauth_data = $1, updated_at = now()\n            WHERE workspace_id = $2 AND service_name = $3\n            ",
  "describe": {
    "columns": [],
    "parameters": {
      "Left": [
+        "Jsonb",
        "Text",
        {
          "Custom": {
@@ -21,5 +22,5 @@
    },
    "nullable": []
  },
-  "hash": "1af48c42255f1c973b4a9c9a58050bf5ec1ee6f93f0a90c1c7d0c0fcd816702d"
+  "hash": "3b3f60623126626b52ca0a4a188655ddf728cd3f21ee308db7393694ccc5c7b3"
 }
--- a/backend/.sqlx/query-3b5295a7c4b99aefa52c9a8ae1e0dd12bf4a0be1bf755caf7a1fa863e7950562.json
+++ b/backend/.sqlx/query-3b5295a7c4b99aefa52c9a8ae1e0dd12bf4a0be1bf755caf7a1fa863e7950562.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT count(*) FROM volume WHERE workspace_id = $1",
+  "query": "SELECT COUNT(*) FROM raw_app WHERE workspace_id = $1",
  "describe": {
    "columns": [
      {
@@ -18,5 +18,5 @@
      null
    ]
  },
-  "hash": "712092e5033bc6894025a55ebc58bca8450d09982e582266d215dff521256fa6"
+  "hash": "3b5295a7c4b99aefa52c9a8ae1e0dd12bf4a0be1bf755caf7a1fa863e7950562"
 }
--- a/backend/.sqlx/query-3cc7ecab48c379cd845b22012ef1fe1573fc332c9f1c44960084f3784ddb3f54.json
+++ b/backend/.sqlx/query-3cc7ecab48c379cd845b22012ef1fe1573fc332c9f1c44960084f3784ddb3f54.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT logs FROM job_logs WHERE created_at > $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "logs",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Timestamptz"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "3cc7ecab48c379cd845b22012ef1fe1573fc332c9f1c44960084f3784ddb3f54"
-}
--- a/backend/.sqlx/query-3e5bdc2e071fc2f1e3c7971736272f20bb5a0aa921a614bd02898d3f162660c2.json
+++ b/backend/.sqlx/query-3e5bdc2e071fc2f1e3c7971736272f20bb5a0aa921a614bd02898d3f162660c2.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            workspace_id,\n            service_name AS \"service_name!: ServiceName\",\n            oauth_data,\n            resource_path,\n            created_at,\n            updated_at,\n            created_by\n        FROM\n            workspace_integrations\n        WHERE\n            workspace_id = $1\n            AND service_name = $2\n        ",
+  "query": "\n        SELECT\n            workspace_id,\n            service_name AS \"service_name!: ServiceName\",\n            oauth_data,\n            created_at,\n            updated_at,\n            created_by\n        FROM\n            workspace_integrations\n        WHERE\n            workspace_id = $1\n            AND service_name = $2\n        ",
  "describe": {
    "columns": [
      {
@@ -30,21 +30,16 @@
      },
      {
        "ordinal": 3,
-        "name": "resource_path",
-        "type_info": "Text"
-      },
-      {
-        "ordinal": 4,
        "name": "created_at",
        "type_info": "Timestamptz"
      },
      {
-        "ordinal": 5,
+        "ordinal": 4,
        "name": "updated_at",
        "type_info": "Timestamptz"
      },
      {
-        "ordinal": 6,
+        "ordinal": 5,
        "name": "created_by",
        "type_info": "Varchar"
      }
@@ -68,12 +63,11 @@
    "nullable": [
      false,
      false,
-      true,
-      true,
+      false,
      false,
      false,
      false
    ]
  },
-  "hash": "7443ba1f922e190bb9a0ca313847f8d27c35a6ee3aff20157d6285e73aa923ef"
+  "hash": "3e5bdc2e071fc2f1e3c7971736272f20bb5a0aa921a614bd02898d3f162660c2"
 }
--- a/backend/.sqlx/query-3e8afd021088a99a24f27fa6f0a1b7f3edba3e9b834c814b464305bc2eb6ba80.json
+++ b/backend/.sqlx/query-3e8afd021088a99a24f27fa6f0a1b7f3edba3e9b834c814b464305bc2eb6ba80.json
@@ -1,26 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO worker_ping (worker_instance, worker, ip, custom_tags, worker_group, dedicated_worker, dedicated_workers, wm_version, vcpus, memory, job_isolation, native_mode, uses_batch_http_pull) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13) ON CONFLICT (worker)\n        DO UPDATE set ip = EXCLUDED.ip, custom_tags = EXCLUDED.custom_tags, worker_group = EXCLUDED.worker_group, dedicated_workers = EXCLUDED.dedicated_workers, native_mode = EXCLUDED.native_mode, uses_batch_http_pull = EXCLUDED.uses_batch_http_pull",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "TextArray",
-        "Varchar",
-        "Varchar",
-        "TextArray",
-        "Varchar",
-        "Int8",
-        "Int8",
-        "Text",
-        "Bool",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "3e8afd021088a99a24f27fa6f0a1b7f3edba3e9b834c814b464305bc2eb6ba80"
-}
--- a/backend/.sqlx/query-4010328a9f1611064f497726b69c08625a55a4dab25c3d9b5ece07e44d14915b.json
+++ b/backend/.sqlx/query-4010328a9f1611064f497726b69c08625a55a4dab25c3d9b5ece07e44d14915b.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, runnable_path)\n             VALUES ($1, 'flow', 'flow', 'test-user', 'u/test-user', 'test@windmill.dev', 'ws2', 'f/test/flow')",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "4010328a9f1611064f497726b69c08625a55a4dab25c3d9b5ece07e44d14915b"
-}
--- a/backend/.sqlx/query-40971d637c5b4d2af8e67872722880058cc067fca5e807ab3e1ed17d180cb7f7.json
+++ b/backend/.sqlx/query-40971d637c5b4d2af8e67872722880058cc067fca5e807ab3e1ed17d180cb7f7.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM email_trigger WHERE workspace_id = $1 AND path = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "40971d637c5b4d2af8e67872722880058cc067fca5e807ab3e1ed17d180cb7f7"
-}
--- a/Show More
+++ b/Show More