chore: add deliberate type error to fail frontend CI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chore: add test.txt
2026-02-25 20:27:21 +01:00 · 2026-02-25 20:24:31 +01:00
1144 changed files with 18800 additions and 51646 deletions
--- a/.claude/hooks/format-backend.sh
+++ b/.claude/hooks/format-backend.sh
@@ -13,10 +13,8 @@ fi
 # Check if the file is in the backend directory and is a Rust file
 if [[ "$FILE_PATH" == *"/backend/"* ]] && [[ "$FILE_PATH" =~ \.rs$ ]]; then
    cd "$CLAUDE_PROJECT_DIR/backend" || exit 0
-    # Run rustfmt, surface errors as context but don't block Claude
-    if rustfmt --config-path rustfmt.toml "$FILE_PATH" 2>&1; then
-        echo "Formatted $(basename "$FILE_PATH")"
-    fi
+    # Run rustfmt with config from rustfmt.toml (edition=2021)
+    rustfmt --config-path rustfmt.toml "$FILE_PATH" 2>/dev/null || true
 fi

 exit 0
--- a/.claude/hooks/format-frontend.sh
+++ b/.claude/hooks/format-frontend.sh
@@ -15,10 +15,8 @@ if [[ "$FILE_PATH" == *"/frontend/"* ]]; then
    # Check if it's a formattable file type
    if [[ "$FILE_PATH" =~ \.(ts|js|svelte|json|css|html|md)$ ]]; then
        cd "$CLAUDE_PROJECT_DIR/frontend" || exit 0
-        # Run prettier, surface errors as context but don't block Claude
-        if ./node_modules/.bin/prettier --plugin prettier-plugin-svelte --write "$FILE_PATH" 2>&1; then
-            echo "Formatted $(basename "$FILE_PATH")"
-        fi
+        # Run prettier silently, don't fail the hook if prettier fails
+        npx prettier --write "$FILE_PATH" 2>/dev/null || true
    fi
 fi

--- a/.claude/hooks/guard-main-branch.sh
+++ b/.claude/hooks/guard-main-branch.sh
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-# PreToolUse hook: block destructive git operations when on the main branch.
-# Non-git tool calls and read-only git commands pass through silently.
-
-set -euo pipefail
-
-input="$(cat)"
-tool_name="$(echo "$input" | jq -r '.tool_name // empty')"
-
-# Only care about Bash tool calls
-[[ "$tool_name" == "Bash" ]] || exit 0
-
-command="$(echo "$input" | jq -r '.tool_input.command // empty')"
-
-# Only care about git write commands
-if [[ "$command" =~ ^git\ (push|reset|revert|checkout|merge|rebase|commit|add) ]]; then
-  branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
-  if [[ "$branch" == "main" ]]; then
-    echo "BLOCK: You are on the main branch. Create or switch to a feature branch first."
-  fi
-fi
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -28,23 +28,9 @@
      "Bash(git show:*)",
      "Bash(git blame:*)",
      "Bash(cargo check:*)",
-      "Bash(cargo build --release:*)",
-      "Bash(sh wm-ts-nav/nav:*)",
-      "Bash(wm-ts-nav/nav:*)",
-      "Bash(./wm-ts-nav/nav:*)",
-      "Bash(wm-ts-nav/target/release/wm-ts-nav:*)",
-      "Bash(./wm-ts-nav/target/release/wm-ts-nav:*)",
      "mcp__ide__getDiagnostics",
      "Bash(npm run generate-backend-client:*)",
-      "Bash(npm run check:*)",
-      "Bash(git push:*)",
-      "Bash(git reset:*)",
-      "Bash(git revert:*)",
-      "Bash(git checkout:*)",
-      "Bash(git merge:*)",
-      "Bash(git rebase:*)",
-      "Bash(git add:*)",
-      "Bash(git commit:*)"
+      "Bash(npm run check:*)"
    ],
    "deny": [
      "Read(.env)",
@@ -69,23 +55,17 @@
      "Bash(chown:*)",
      "Bash(truncate:*)",
      "Bash(shred:*)",
-      "Bash(unlink:*)"
+      "Bash(unlink:*)",
+      "Bash(git push:*)",
+      "Bash(git reset:*)",
+      "Bash(git revert:*)",
+      "Bash(git checkout:*)",
+      "Bash(git merge:*)",
+      "Bash(git rebase:*)"
    ]
  },
  "enableAllProjectMcpServers": true,
  "hooks": {
-    "PreToolUse": [
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/guard-main-branch.sh",
-            "timeout": 5
-          }
-        ]
-      }
-    ],
    "PostToolUse": [
      {
        "matcher": "Edit|Write",
@@ -116,6 +96,7 @@
    ]
  },
  "enabledPlugins": {
+    "rust-analyzer-lsp@claude-plugins-official": true,
    "typescript-lsp@claude-plugins-official": true,
    "code-review@claude-plugins-official": true
  }
--- a/.claude/skills/local-review/SKILL.md
+++ b/.claude/skills/local-review/SKILL.md
@@ -1,98 +0,0 @@
---
-name: local-review
-user_invocable: true
-description: Code review a pull request for bugs and CLAUDE.md compliance. MUST use when asked to review code.
---
-
-# Local Code Review Skill
-
-Review a pull request for real bugs and CLAUDE.md compliance violations. This review targets HIGH SIGNAL issues only.
-
-## Review Philosophy
-
- **Only flag issues you are certain about.** If you are not sure an issue is real, do not flag it. False positives erode trust and waste reviewer time.
- Think like a senior engineer doing a final review — flag things that would cause incidents, not things that are merely imperfect.
-
-## What to Flag
-
- Code that won't compile or parse (syntax errors, type errors, missing imports)
- Code that will definitely produce wrong results regardless of inputs
- Clear, unambiguous CLAUDE.md violations (quote the exact rule being violated)
- Security issues in introduced code (injection, auth bypass, data exposure)
- Incorrect logic that will fail in production
-
-## What NOT to Flag
-
- Code style or quality concerns
- Potential issues that depend on specific inputs or runtime state
- Subjective suggestions or improvements
- Pre-existing issues not introduced by this PR
- Pedantic nitpicks a senior engineer wouldn't flag
- Issues a linter or type checker will catch
- General quality concerns unless explicitly prohibited in CLAUDE.md
- Issues silenced via lint ignore comments
-
-## Execution Steps
-
-1. **Determine the PR scope**:
-   - If an argument is provided, use it as the PR number or branch
-   - Otherwise, detect from the current branch vs main
-   - Run `gh pr view` if a PR exists, or use `git diff main...HEAD`
-
-2. **Find relevant CLAUDE.md files**:
-   - Read the root `CLAUDE.md`
-   - Check for CLAUDE.md files in directories containing changed files
-
-3. **Get the diff and metadata**:
-   - `gh pr diff` or `git diff main...HEAD` for the full diff
-   - `gh pr view` or `git log main..HEAD --oneline` for context
-
-4. **Read changed files** where the diff alone is insufficient to understand context
-
-5. **Review for**:
-   - CLAUDE.md compliance — check each rule against the changed code
-   - Bugs and logic errors — will this code work correctly?
-   - Security issues — injection, auth, data exposure in new code
-
-6. **Self-validate each finding**: Before reporting, ask yourself:
-   - "Is this definitely a real issue, not a false positive?"
-   - "Would a senior engineer flag this in review?"
-   - If the answer to either is no, discard the finding
-
-7. **Output findings** to the terminal (default) or post as PR comments (with `--comment` flag)
-
-## Output Format
-
-```
-## Code review
-
-Found N issues:
-
-1. <description> (<reason: CLAUDE.md adherence | bug | security>)
-   <file_path:line_number>
-
-2. <description> (<reason>)
-   <file_path:line_number>
-```
-
-If no issues are found:
-
-```
-## Code review
-
-No issues found. Checked for bugs and CLAUDE.md compliance.
-```
-
-## Posting Comments (--comment flag)
-
-If the user passes `--comment`, post findings as inline PR comments using:
-
-```bash
-gh pr review --comment --body "<summary>"
-```
-
-Or for inline comments on specific lines:
-
-```bash
-gh api repos/{owner}/{repo}/pulls/{pr}/reviews -f body="<summary>" -f event="COMMENT" -f comments="[...]"
-```
--- a/.claude/skills/pr/SKILL.md
+++ b/.claude/skills/pr/SKILL.md
@@ -33,7 +33,6 @@ Follow conventional commit format for the PR title:
 - Keep under 70 characters
 - Use lowercase, imperative mood
 - No period at the end
- If `*_ee.rs` files were modified, prefix with `[ee]`: `[ee] <type>: <description>`

 ## PR Body Format

@@ -86,25 +85,3 @@ Generated with [Claude Code](https://claude.com/claude-code)
   )"
   ```
 7. Return the PR URL to the user
-
-## EE Companion PR (when `*_ee.rs` files were modified)
-
-The `*_ee.rs` files in the windmill repo are **symlinks** to `windmill-ee-private` — changes won't appear in `git diff` of the windmill repo. Instead, check the EE repo for uncommitted or unpushed changes.
-
-Follow the full EE PR workflow in `docs/enterprise.md`. The key PR-specific details:
-
-1. Find the EE repo/worktree: see "Finding the EE Repo" in `docs/enterprise.md`
-2. Check for changes: `git -C <ee-path> status --short`
-   - If there are no changes in the EE repo, skip this entire section
-3. Follow steps 1–5 from the "EE PR Workflow" in `docs/enterprise.md`
-4. Create the companion PR (title does NOT get the `[ee]` prefix):
-   ```bash
-   gh pr create --draft --repo windmill-labs/windmill-ee-private --title "<type>: <description>" --body "$(cat <<'EOF'
-   Companion PR for windmill-labs/windmill#<PR_NUMBER>
-
-   ---
-   Generated with [Claude Code](https://claude.com/claude-code)
-   EOF
-   )"
-   ```
-5. Commit `ee-repo-ref.txt` and push the updated windmill branch
--- a/.claude/skills/refine/SKILL.md
+++ b/.claude/skills/refine/SKILL.md
@@ -1,39 +0,0 @@
---
-name: refine
-user_invocable: true
-description: End-of-session reflection. Reviews friction encountered during the session and proposes updates to docs/ to capture lessons learned.
---
-
-# Refine Skill
-
-Reflect on the current session and update documentation with lessons learned.
-
-## Instructions
-
-1. **Identify friction**: Review what happened in this session:
-   - Run `git diff main...HEAD --stat` to see what files were touched
-   - Think about: what was slow, what failed, what required multiple attempts, what information was missing or hard to find
-
-2. **Read current docs**: Read the docs that were relevant to this session:
-   - `docs/validation.md`
-   - `docs/enterprise.md`
-   - `docs/autonomous-mode.md`
-   - Any skills that were invoked
-
-3. **Propose updates**: For each piece of friction, decide if it warrants a doc update:
-   - **Missing knowledge**: Information you had to discover that should be documented
-   - **Wrong guidance**: Instructions that led you astray
-   - **Missing validation rule**: A check that should be in the validation matrix
-   - **New pattern**: A codebase pattern worth capturing for next time
-
-4. **Apply updates**: Edit the relevant `docs/` files. Keep changes minimal and specific — add only what would have saved time this session.
-
-5. **Report**: Summarize what was added/changed and why.
-
-## Rules
-
- Only add knowledge confirmed by this session — no speculative additions
- Keep docs concise — add a line or two, not a paragraph
- If a whole new doc is needed, create it in `docs/` and add a pointer in `CLAUDE.md`
- Don't update skills unless a coding pattern was genuinely wrong
- Don't add things Claude already knows — only Windmill-specific knowledge
--- a/.claude/skills/rust-backend/SKILL.md
+++ b/.claude/skills/rust-backend/SKILL.md
@@ -3,105 +3,493 @@ name: rust-backend
 description: Rust coding guidelines for the Windmill backend. MUST use when writing or modifying Rust code in the backend directory.
 ---

-# Windmill Rust Patterns
+# Rust Backend Coding Guidelines

-Apply these Windmill-specific patterns when writing Rust code in `backend/`.
+Apply these patterns when writing or modifying Rust code in the `backend/` directory.
+
+## Data Structure Design
+
+Choose between `struct`, `enum`, or `newtype` based on domain needs:
+
+- Use `enum` for state machines instead of boolean flags or loosely related fields
+- Model invariants explicitly using types (e.g., `NonZeroU32`, `Duration`, custom enums)
+- Consider ownership of each field:
+  - Use `&str` vs `String`, slices vs vectors
+  - Use `Arc<T>` when sharing across threads
+  - Use `Cow<'a, T>` for flexible ownership
+
+```rust
+// State machine with enum
+enum JobState {
+    Pending { scheduled_for: DateTime<Utc> },
+    Running { started_at: DateTime<Utc>, worker: String },
+    Completed { result: JobResult, duration_ms: i64 },
+    Failed { error: String, retries: u32 },
+}
+
+// Avoid multiple booleans
+struct Job {
+    is_pending: bool,   // Don't do this
+    is_running: bool,
+    is_completed: bool,
+}
+```
+
+## Impl Block Organization
+
+Place `impl` blocks immediately below the struct/enum they modify. Group methods logically:
+
+```rust
+struct JobQueue {
+    jobs: Vec<Job>,
+    capacity: usize,
+}
+
+impl JobQueue {
+    // Constructors first
+    pub fn new(capacity: usize) -> Self { ... }
+    pub fn with_jobs(jobs: Vec<Job>) -> Self { ... }
+
+    // Getters
+    pub fn len(&self) -> usize { ... }
+    pub fn is_empty(&self) -> bool { ... }
+
+    // Mutation methods
+    pub fn push(&mut self, job: Job) -> Result<()> { ... }
+    pub fn pop(&mut self) -> Option<Job> { ... }
+
+    // Domain logic
+    pub fn next_scheduled(&self) -> Option<&Job> { ... }
+}
+```
+
+## Iterator Chains Over For-Loops
+
+Prefer functional iterator chains (`.filter().map().collect()`) over imperative for-loops:
+
+```rust
+// Preferred
+let results: Vec<_> = items
+    .iter()
+    .filter(|item| item.is_valid())
+    .map(|item| item.transform())
+    .collect();
+
+// Avoid
+let mut results = Vec::new();
+for item in items.iter() {
+    if item.is_valid() {
+        results.push(item.transform());
+    }
+}
+```

 ## Error Handling

-Use `Error` from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>`:
+Use the `Error` type from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>` for fallible functions:

 ```rust
 use windmill_common::error::{Error, Result};

+// Use ? operator for propagation
 pub async fn get_job(db: &DB, id: Uuid) -> Result<Job> {
-    sqlx::query_as!(Job, "SELECT id, workspace_id FROM v2_job WHERE id = $1", id)
+    let job = sqlx::query_as!(Job, "SELECT ... WHERE id = $1", id)
        .fetch_optional(db)
        .await?
        .ok_or_else(|| Error::NotFound("job not found".to_string()))?;
+    Ok(job)
 }
 ```

-Never panic in library code. Reserve `.unwrap()` for compile-time guarantees.
-
-## SQLx Patterns
-
-**Never use `SELECT *`** — always list columns explicitly. Critical for backwards compatibility when workers lag behind API version:
+Prefer `if let` for optional handling. Use `let...else` when early return makes code clearer:

 ```rust
-// Correct
-sqlx::query_as!(Job, "SELECT id, workspace_id, path FROM v2_job WHERE id = $1", id)
-
-// Wrong — breaks when columns are added
-sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", id)
+let Some(config) = get_config() else {
+    return Err(Error::MissingConfig);
+};
 ```

-Use batch operations to avoid N+1:
+Never panic in library code. Reserve `.unwrap()` for cases with compile-time guarantees. Keep functions short to help lifetime inference and clarity.
+
+## Early Returns
+
+Return early to avoid deep nesting. Handle error cases and edge conditions first:

 ```rust
-// Preferred — single query with IN clause
-sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
-```
+// Preferred - early returns
+fn process_job(job: Option<Job>) -> Result<Output> {
+    let Some(job) = job else {
+        return Ok(Output::default());
+    };

-Use transactions for multi-step operations. Parameterize all queries.
+    if !job.is_valid() {
+        return Err(Error::InvalidJob);
+    }

-## JSON Handling
+    if job.is_cached() {
+        return Ok(job.cached_result());
+    }

-Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when storing/passing JSON without inspection:
+    // Main logic at the end, not nested
+    execute_job(job)
+}

-```rust
-pub struct Job {
-    pub args: Option<Box<serde_json::value::RawValue>>,
+// Avoid - deep nesting
+fn process_job(job: Option<Job>) -> Result<Output> {
+    if let Some(job) = job {
+        if job.is_valid() {
+            if !job.is_cached() {
+                execute_job(job)
+            } else {
+                Ok(job.cached_result())
+            }
+        } else {
+            Err(Error::InvalidJob)
+        }
+    } else {
+        Ok(Output::default())
+    }
 }
 ```

-Only use `serde_json::Value` when you need to inspect or modify the JSON.
+## Variable Shadowing

-## Serde Optimizations
+Shadow variables instead of creating new names with prefixes:

 ```rust
-#[derive(Serialize, Deserialize)]
-pub struct Job {
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub parent_job: Option<Uuid>,
-    #[serde(skip_serializing_if = "Vec::is_empty")]
-    pub tags: Vec<String>,
-    #[serde(default)]
-    pub priority: i32,
+// Preferred
+let data = fetch_raw_data();
+let data = parse(data);
+let data = validate(data)?;
+
+// Avoid
+let raw_data = fetch_raw_data();
+let parsed_data = parse(raw_data);
+let validated_data = validate(parsed_data)?;
+```
+
+## Minimal Comments
+
+- No inline comments explaining obvious code
+- No TODO/FIXME comments in committed code
+- Doc comments (`///`) only on public items
+- Let code be self-documenting through clear naming
+
+## Type Safety
+
+Use enums over boolean flags for clarity:
+
+```rust
+// Preferred
+enum JobStatus {
+    Pending,
+    Running,
+    Completed,
+}
+
+// Avoid
+struct Job {
+    is_running: bool,
+    is_completed: bool,
 }
 ```

-## Async & Concurrency
+## Pattern Matching

-Never block the async runtime. Use `spawn_blocking` for CPU-intensive work:
+Prefer explicit matching. Use wildcards strategically for fallback cases or ignored fields:

 ```rust
-let result = tokio::task::spawn_blocking(move || expensive_computation(&data)).await?;
+// Explicit matching preferred
+match status {
+    JobStatus::Pending => handle_pending(),
+    JobStatus::Running => handle_running(),
+    JobStatus::Completed => handle_completed(),
+}
+
+// Wildcards OK for fallback
+match result {
+    Ok(value) => process(value),
+    Err(_) => return default_value(),
+}
+
+// Wildcards OK for ignoring fields in destructuring
+let Point { x, y, .. } = point;
 ```

-**Mutex selection**: Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) for data protection. Only use `tokio::sync::Mutex` when holding locks across `.await` points.
+## Destructuring in Function Signatures

-Use `tokio::sync::mpsc` (bounded) for channels. Avoid `std::thread::sleep` in async contexts.
-
-## Module Structure & Visibility
-
- Use `pub(crate)` instead of `pub` when possible
- Place new code in the appropriate crate based on functionality
- API endpoints go in `windmill-api/src/` organized by domain
- Shared functionality goes in `windmill-common/src/`
-
-## Code Navigation
-
-Always use rust-analyzer LSP for go-to-definition, find-references, and type info. Do not guess at module paths.
-
-## Axum Handlers
-
-Destructure extractors directly in function signatures:
+Destructure structs directly in function parameters:

 ```rust
+// Preferred
 async fn process_job(
    Extension(db): Extension<DB>,
    Path((workspace, job_id)): Path<(String, Uuid)>,
    Query(pagination): Query<Pagination>,
-) -> Result<Json<Job>> { ... }
+) -> Result<Json<Job>> {
+    // ...
+}
+
+// Avoid
+async fn process_job(
+    db_ext: Extension<DB>,
+    path: Path<(String, Uuid)>,
+    query: Query<Pagination>,
+) -> Result<Json<Job>> {
+    let Extension(db) = db_ext;
+    let Path((workspace, job_id)) = path;
+    // ...
+}
 ```
+
+## Trait Implementations
+
+Use standard trait implementations to simplify conversions and reduce boilerplate:
+
+```rust
+// Implement From/Into for type conversions
+impl From<DbJob> for ApiJob {
+    fn from(db: DbJob) -> Self {
+        ApiJob {
+            id: db.id,
+            status: db.status.into(),
+        }
+    }
+}
+
+// Use TryFrom for fallible conversions
+impl TryFrom<String> for JobKind {
+    type Error = Error;
+    fn try_from(s: String) -> Result<Self, Self::Error> { ... }
+}
+```
+
+Apply `derive` macros to reduce boilerplate:
+
+```rust
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Job { ... }
+```
+
+## Module Structure
+
+- Use `pub(crate)` instead of `pub` when possible; expose only what needs exposing
+- Keep APIs small and expressive; avoid leaking internal types
+- Organize code into modules reflecting ownership and domain boundaries
+
+```rust
+// Prefer restricted visibility
+pub(crate) fn internal_helper() { ... }
+
+// Only pub for external API
+pub fn create_job(...) -> Result<Job> { ... }
+```
+
+## Code Navigation
+
+Always use rust-analyzer LSP for:
+- Go to definition
+- Find references
+- Type information
+- Import resolution
+
+Do not guess at module paths or type definitions.
+
+## JSON Handling
+
+Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when:
+- Storing JSON in the database (JSONB columns)
+- Passing JSON through without modification
+- The JSON structure doesn't need inspection
+
+```rust
+// Preferred - avoids parsing/serialization overhead
+pub struct Job {
+    pub id: Uuid,
+    pub args: Option<Box<serde_json::value::RawValue>>,
+}
+
+// Only use Value when you need to inspect/modify JSON
+let value: serde_json::Value = serde_json::from_str(&json)?;
+if let Some(field) = value.get("field") {
+    // modify or inspect
+}
+```
+
+## Serde Optimizations
+
+Use serde attributes to optimize serialization:
+
+```rust
+#[derive(Serialize, Deserialize)]
+pub struct Job {
+    #[serde(rename = "jobId")]
+    pub id: Uuid,
+
+    #[serde(default)]
+    pub priority: i32,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub parent_job: Option<Uuid>,
+
+    #[serde(skip_serializing_if = "Vec::is_empty")]
+    pub tags: Vec<String>,
+}
+```
+
+Prefer borrowing for zero-copy deserialization when lifetimes allow:
+
+```rust
+#[derive(Deserialize)]
+pub struct JobInput<'a> {
+    #[serde(borrow)]
+    pub workspace_id: Cow<'a, str>,
+
+    #[serde(borrow)]
+    pub script_path: &'a str,
+}
+```
+
+## SQLx Patterns
+
+**Never use `SELECT *`** - always list columns explicitly. This is critical for backwards compatibility when workers run behind the API server version:
+
+```rust
+// Preferred - explicit columns
+sqlx::query_as!(
+    Job,
+    "SELECT id, workspace_id, path, created_at FROM v2_job WHERE id = $1",
+    job_id
+)
+
+// Avoid - breaks when columns are added
+sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", job_id)
+```
+
+Use batch operations to minimize round trips:
+
+```rust
+// Preferred - single query with multiple values
+sqlx::query!(
+    "INSERT INTO job_logs (job_id, logs) VALUES ($1, $2), ($3, $4)",
+    id1, log1, id2, log2
+)
+
+// Avoid N+1 queries
+for id in ids {
+    sqlx::query!("SELECT ... WHERE id = $1", id).fetch_one(db).await?;
+}
+
+// Preferred - single query with IN clause
+sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
+```
+
+Use transactions for multi-step operations and parameterize all queries.
+
+## Async & Tokio Patterns
+
+Never block the async runtime. Use `spawn_blocking` for CPU-intensive or blocking I/O:
+
+```rust
+// Preferred - offload blocking work
+let result = tokio::task::spawn_blocking(move || {
+    expensive_computation(&data)
+}).await?;
+
+// Avoid - blocks the runtime
+let result = expensive_computation(&data);  // Don't do this in async
+```
+
+Use tokio primitives for sleep and channels:
+
+```rust
+use tokio::sync::mpsc;
+use tokio::time::sleep;
+
+// Avoid in async contexts
+use std::thread::sleep; // Blocks the runtime
+```
+
+Use bounded channels for backpressure:
+
+```rust
+// Preferred - bounded channel prevents overwhelming
+let (tx, rx) = tokio::sync::mpsc::channel(100);
+
+// Be careful with unbounded
+let (tx, rx) = tokio::sync::mpsc::unbounded_channel();
+```
+
+## Mutex Selection in Async Code
+
+**Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) over `tokio::sync::Mutex`** for protecting data in async code. The async mutex is more expensive and only needed when holding locks across `.await` points.
+
+```rust
+// Preferred for data protection - std mutex is faster
+use std::sync::Mutex;
+
+struct Cache {
+    data: Mutex<HashMap<String, Value>>,
+}
+
+impl Cache {
+    fn get(&self, key: &str) -> Option<Value> {
+        self.data.lock().unwrap().get(key).cloned()
+    }
+
+    fn insert(&self, key: String, value: Value) {
+        self.data.lock().unwrap().insert(key, value);
+    }
+}
+```
+
+**Use `tokio::sync::Mutex` only when you must hold the lock across `.await` points**, typically for IO resources like database connections:
+
+```rust
+use tokio::sync::Mutex;
+use std::sync::Arc;
+
+// Async mutex for IO resources held across await points
+let conn = Arc::new(Mutex::new(db_connection));
+
+async fn execute_query(conn: Arc<Mutex<DbConn>>, query: &str) {
+    let mut lock = conn.lock().await;
+    lock.execute(query).await;  // Lock held across .await
+}
+```
+
+**Common pattern**: Wrap `Arc<Mutex<...>>` in a struct with non-async methods that lock internally, keeping lock scope minimal:
+
+```rust
+struct SharedState {
+    inner: std::sync::Mutex<StateInner>,
+}
+
+impl SharedState {
+    fn update(&self, value: i32) {
+        self.inner.lock().unwrap().value = value;
+    }
+
+    fn get(&self) -> i32 {
+        self.inner.lock().unwrap().value
+    }
+}
+```
+
+**Alternative for IO resources**: Spawn a dedicated task to manage the resource and communicate via message passing:
+
+```rust
+let (tx, mut rx) = tokio::sync::mpsc::channel(32);
+
+tokio::spawn(async move {
+    while let Some(cmd) = rx.recv().await {
+        handle_io_command(&mut resource, cmd).await;
+    }
+});
+```
+
+## Build & Tooling
+
+Build speed tips:
+- Use `cargo check` during rapid iteration over `cargo build`
+- Minimize unnecessary dependencies and feature flags
--- a/.claude/skills/svelte-frontend/SKILL.md
+++ b/.claude/skills/svelte-frontend/SKILL.md
@@ -3,78 +3,316 @@ name: svelte-frontend
 description: Svelte coding guidelines for the Windmill frontend. MUST use when writing or modifying code in the frontend directory.
 ---

-# Windmill Svelte Patterns
+# Svelte 5 Best Practices

-Apply these Windmill-specific patterns when writing Svelte code in `frontend/`. For general Svelte 5 syntax (runes, snippets, event handling), use the Svelte MCP server.
+This guide outlines best practices for developing with Svelte 5, incorporating the new Runes API and other modern Svelte features. These rules MUST NOT be applied on svelte 4 files unless explicitly asked to do so.

-## Windmill UI Components (MUST use)
+## Reactivity with Runes

-Always use Windmill's design-system components. Never use raw HTML elements.
+Svelte 5 introduces Runes for more explicit and flexible reactivity.

-### Buttons — `<Button>`
+1.  **Embrace Runes for State Management**:
+    *   Use `$state` for reactive local component state.
+        ```svelte
+        <script>
+          let count = $state(0);
+
+          function increment() {
+            count += 1;
+          }
+        </script>
+
+        <button onclick={increment}>
+          Clicked {count} {count === 1 ? 'time' : 'times'}
+        </button>
+        ```
+    *   Use `$derived` for computed values based on other reactive state.
+        ```svelte
+        <script>
+          let count = $state(0);
+          const doubled = $derived(count * 2);
+        </script>
+
+        <p>{count} * 2 = {doubled}</p>
+        ```
+    *   Use `$effect` for side effects that need to run when reactive values change (e.g., logging, manual DOM manipulation, data fetching). Remember `$effect` does not run on the server.
+        ```svelte
+        <script>
+          let count = $state(0);
+
+          $effect(() => {
+            console.log('The count is now', count);
+            if (count > 5) {
+              alert('Count is too high!');
+            }
+          });
+        </script>
+        ```
+
+2.  **Props with `$props`**:
+    *   Declare component props using `$props()`. This offers better clarity and flexibility compared to `export let`.
+        ```svelte
+        <script>
+          // ChildComponent.svelte
+          let { name, age = $state(30) } = $props();
+        </script>
+
+        <p>Name: {name}</p>
+        <p>Age: {age}</p>
+        ```
+    *   For bindable props, use `$bindable`.
+        ```svelte
+        <script>
+          // MyInput.svelte
+          let { value = $bindable() } = $props();
+        </script>
+
+        <input bind:value />
+        ```
+
+## Event Handling
+
+*   **Use direct event attributes**: Svelte 5 moves away from `on:` directives for DOM events.
+    *   **Do**: `<button onclick={handleClick}>...</button>`
+    *   **Don't**: `<button on:click={handleClick}>...</button>`
+*   **For component events, prefer callback props**: Instead of `createEventDispatcher`, pass functions as props.
+    ```svelte
+    <!-- Parent.svelte -->
+    <script>
+      import Child from './Child.svelte';
+      let message = $state('');
+      function handleChildEvent(detail) {
+        message = detail;
+      }
+    </script>
+    <Child onCustomEvent={handleChildEvent} />
+    <p>Message from child: {message}</p>
+
+    <!-- Child.svelte -->
+    <script>
+      let { onCustomEvent } = $props();
+      function emitEvent() {
+        onCustomEvent('Hello from child!');
+      }
+    </script>
+    <button onclick={emitEvent}>Send Event</button>
+    ```
+
+## Snippets for Content Projection
+
+*   **Use `{#snippet ...}` and `{@render ...}` instead of slots**: Snippets are more powerful and flexible.
+    ```svelte
+    <!-- Parent.svelte -->
+    <script>
+      import Card from './Card.svelte';
+    </script>
+
+    <Card>
+      {#snippet title()}
+        My Awesome Title
+      {/snippet}
+      {#snippet content()}
+        <p>Some interesting content here.</p>
+      {/snippet}
+    </Card>
+
+    <!-- Card.svelte -->
+    <script>
+      let { title, content } = $props();
+    </script>
+
+    <article>
+      <header>{@render title()}</header>
+      <div>{@render content()}</div>
+    </article>
+    ```
+*   Default content is passed via the `children` prop (which is a snippet).
+    ```svelte
+    <!-- Wrapper.svelte -->
+    <script>
+      let { children } = $props();
+    </script>
+    <div>
+      {@render children?.()}
+    </div>
+    ```
+
+## Component Design
+
+1.  **Create Small, Reusable Components**: Break down complex UIs into smaller, focused components. Each component should have a single responsibility. This also aids performance by limiting the scope of reactivity updates.
+2.  **Descriptive Naming**: Use clear and descriptive names for variables, functions, and components.
+3.  **Minimize Logic in Components**: Move complex business logic to utility functions or services. Keep components focused on presentation and interaction.
+
+## State Management (Stores)
+
+1.  **Segment Stores**: Avoid a single global store. Create multiple stores, each responsible for a specific piece of global state (e.g., `userStore.js`, `themeStore.js`). This can help limit reactivity updates to only the parts of the UI that depend on specific state segments.
+2.  **Use Custom Stores for Complex Logic**: For stores with related methods, create custom stores.
+    ```javascript
+    // counterStore.js
+    import { writable } from 'svelte/store';
+
+    function createCounter() {
+      const { subscribe, set, update } = writable(0);
+
+      return {
+        subscribe,
+        increment: () => update(n => n + 1),
+        decrement: () => update(n => n - 1),
+        reset: () => set(0)
+      };
+    }
+    export const counter = createCounter();
+    ```
+3.  **Use Context API for Localized State**: For state shared within a component subtree, consider Svelte's context API (`setContext`, `getContext`) instead of global stores when the state doesn't need to be truly global.
+
+## Performance Optimizations (Svelte 5)
+
+When generating Svelte 5 code, prioritize frontend performance by applying the following principles:
+
+### General Svelte 5 Principles
+
+-   **Leverage the Compiler:** Trust Svelte's compiler to generate optimized JavaScript. Avoid manual DOM manipulation (`document.querySelector`, etc.) unless absolutely necessary for integrating third-party libraries that lack Svelte adapters.
+-   **Keep Components Small and Focused:** Reinforcing from Component Design, smaller components lead to less complex reactivity graphs and more targeted, efficient updates.
+
+### Reactivity & State Management
+
+-   **Optimize Computations with `$derived`:** Always use `$derived` for computed values that depend on other state. This ensures the computation only runs when its specific dependencies change, avoiding unnecessary work compared to recomputing derived values in `$effect` or less efficient methods.
+-   **Minimize `$effect` Usage:** Use `$effect` sparingly and only for true side effects that interact with the outside world or non-Svelte state. Avoid putting complex logic or state updates *within* an `$effect` unless those updates are explicitly intended as a reaction to external changes or non-Svelte state. Excessive or complex effects can impact rendering performance.
+-   **Structure State for Fine-Grained Updates:** Design your `$state` objects or variables such that updates affect only the necessary parts of the UI. Avoid putting too much unrelated state into a single large object that gets frequently updated, as this can potentially trigger broader updates than necessary. Consider normalizing complex, nested state.
+
+### List Rendering (`{#each}`)
+
+-   **Mandate `key` Attribute:** Always use a `key` attribute (`{#each items as item (item.id)}`) that refers to a unique, stable identifier for each item in a list. This is critical for allowing Svelte to efficiently update, reorder, add, or remove list items without destroying and re-creating unnecessary DOM elements and component instances.
+
+### Component Loading & Bundling
+
+-   **Implement Lazy Loading/Code Splitting:** For routes, components, or modules that are not immediately needed on page load, use dynamic imports (`import(...)`) to split the code bundle. SvelteKit handles this automatically for routes, but it can be applied manually to components using helper patterns if needed.
+-   **Be Mindful of Third-Party Libraries:** When incorporating external libraries, import only the necessary functions or components to minimize the final bundle size. Prefer libraries designed to be tree-shakeable.
+
+### Rendering & DOM
+
+-   **Use CSS for Animations/Transitions:** Prefer CSS animations or transitions where possible for performance. Svelte's built-in `transition:` directive is also highly optimized and should be used for complex state-driven transitions, but simple cases can often use plain CSS.
+-   **Optimize Image Loading:** Implement best practices for images: use optimized formats (WebP, AVIF), lazy loading (`loading="lazy"`), and responsive images (`<picture>`, `srcset`) to avoid loading unnecessarily large images.
+
+### Server-Side Rendering (SSR) & Hydration
+
+-   **Ensure SSR Compatibility:** Write components that can be rendered on the server for faster initial page loads. Avoid relying on browser-specific APIs (like `window` or `document`) in the main `<script>` context. If necessary, use `$effect` or check `if (browser)` inside effects to run browser-specific code only on the client.
+-   **Minimize Work During Hydration:** Structure components and data fetching such that minimal complex setup or computation is required when the client-side Svelte code takes over from the server-rendered HTML. Heavy synchronous work during hydration can block the main thread.
+
+## General Clean Code Practices
+
+1.  **Organized File Structure**: Group related files together. A common structure:
+    ```
+    /src
+    |-- /routes      // Page components (if using a router like SvelteKit)
+    |-- /lib         // Utility functions, services, constants (SvelteKit often uses this)
+    |   |-- /stores
+    |   |-- /utils
+    |   |-- /services
+    |   |-- /components  // Reusable UI components
+    |-- App.svelte
+    |-- main.js (or main.ts)
+    ```
+2.  **Scoped Styles**: Keep CSS scoped to components to avoid unintended side effects and improve maintainability. Avoid `:global` where possible.
+3.  **Immutability**: With Svelte 5 and `$state`, direct assignments to properties of `$state` objects (`obj.prop = value;`) are generally fine as Svelte's reactivity system handles updates. However, for non-rune state or when interacting with other systems, understanding and sometimes preferring immutable updates (creating new objects/arrays) can still be relevant.
+4.  **Use `class:` and `style:` directives**: For dynamic classes and styles, use Svelte's built-in directives for cleaner templates and potentially optimized updates.
+    ```svelte
+    <script>
+      let isActive = $state(true);
+      let color = $state('blue');
+    </script>
+
+    <div class:active={isActive} style:color={color}>
+      Hello
+    </div>
+    ```
+5.  **Stay Updated**: Keep Svelte and its related packages up to date to benefit from the latest features, performance improvements, and security fixes.
+
+## Windmill UI Component Rules (MUST follow)
+
+Always use Windmill's own design-system components instead of raw HTML elements. Using raw HTML elements produces inconsistent styling and breaks the design language.
+
+### Icons — use `lucide-svelte`
+
+**Never** write inline SVGs. Import icons from `lucide-svelte`.
+
+```svelte
+<script>
+  import { ChevronLeft, ChevronRight, X } from 'lucide-svelte'
+</script>
+
+<ChevronLeft size={16} />
+```
+
+### Buttons — use `<Button>`
+
+**Never** use `<button>`. Import and use `Button` from `$lib/components/common`.

 ```svelte
 <script>
  import { Button } from '$lib/components/common'
-  import { ChevronLeft } from 'lucide-svelte'
+  import { ChevronLeft, ChevronRight } from 'lucide-svelte'
 </script>

+<!-- Regular button -->
 <Button variant="default" onclick={handleClick}>Label</Button>
-<Button startIcon={{ icon: ChevronLeft }} iconOnly onclick={prev} />
+
+<!-- Icon-only button (no label) -->
+<Button startIcon={{ icon: ChevronLeft }} iconOnly onclick={prevMonth} />
+<Button startIcon={{ icon: ChevronRight }} iconOnly onclick={nextMonth} />
 ```

-Props: `variant?: 'accent' | 'accent-secondary' | 'default' | 'subtle'`, `unifiedSize?: 'sm' | 'md' | 'lg'`, `startIcon?: { icon: SvelteComponent }`, `iconOnly?: boolean`, `disabled?: boolean`
+Key `Button` props:
+- `variant?: 'accent' | 'accent-secondary' | 'default' | 'subtle'`
+- `unifiedSize?: 'sm' | 'md' | 'lg'`
+- `startIcon?: { icon: SvelteComponent }` — renders an icon before the label
+- `iconOnly?: boolean` — renders icon with no surrounding label text
+- `disabled?: boolean`

-### Text inputs — `<TextInput>`
+### Text inputs — use `<TextInput>`
+
+**Never** use `<input>`. Import and use `TextInput` from `$lib/components/common`.

 ```svelte
 <script>
  import { TextInput } from '$lib/components/common'
+  let val = $state('')
 </script>

 <TextInput bind:value={val} placeholder="Enter value" />
 ```

-Props: `value?: string | number` (bindable), `placeholder?: string`, `disabled?: boolean`, `error?: string | boolean`, `size?: 'sm' | 'md' | 'lg'`
+Key `TextInput` props:
+- `value?: string | number` (bindable)
+- `placeholder?: string`
+- `disabled?: boolean`
+- `error?: string | boolean`
+- `size?: 'sm' | 'md' | 'lg'`
+- `inputProps?` — forwarded to the underlying `<input>`

-### Selects — `<Select>`
+### Selects — use `<Select>`
+
+**Never** use `<select>`. Import and use `Select` from `$lib/components/select/Select.svelte`.

 ```svelte
 <script>
  import Select from '$lib/components/select/Select.svelte'
+
+  const monthItems = [
+    { label: 'January', value: 1 },
+    { label: 'February', value: 2 },
+    // ...
+  ]
+  let selectedMonth = $state(1)
 </script>

-<Select items={[{ label: 'Jan', value: 1 }]} bind:value={selected} />
+<Select items={monthItems} bind:value={selectedMonth} />
 ```

-Props: `items?: Array<{ label?: string; value: any }>`, `value` (bindable), `placeholder?: string`, `clearable?: boolean`, `size?: 'sm' | 'md' | 'lg'`
-
-### Icons — `lucide-svelte`
-
-Never write inline SVGs. Import from `lucide-svelte`:
-
-```svelte
-<script>
-  import { ChevronLeft, X } from 'lucide-svelte'
-</script>
-<ChevronLeft size={16} />
-```
-
-## Form Components
-
-Form components (TextInput, Toggle, Select, etc.) should use the unified size system when placed together.
-
-## Styling
-
- Use Tailwind CSS for all styling — no custom CSS
- Use Windmill's theming classes for colors/surfaces (see `frontend/brand-guidelines.md`)
- Read component props JSDoc before using them
-
-## Svelte MCP Server
-
-Use the Svelte MCP tools when working on Svelte code:
-
-1. **list-sections**: Call first to discover available docs
-2. **get-documentation**: Fetch relevant sections based on use_cases
-3. **svelte-autofixer**: MUST use on all Svelte code before finalizing — keep calling until no issues
-4. **playground-link**: Only after user confirms and code was NOT written to project files
+Key `Select` props:
+- `items?: Array<{ label?: string; value: any; subtitle?: string; disabled?: boolean }>`
+- `value` (bindable) — the currently selected `.value`
+- `placeholder?: string`
+- `clearable?: boolean`
+- `disabled?: boolean`
+- `size?: 'sm' | 'md' | 'lg'`
--- a/.github/DockerfileBackendTests
+++ b/.github/DockerfileBackendTests
@@ -42,7 +42,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 RUN /usr/local/bin/python3 -m pip install pip-tools

 # Bun
-COPY --from=oven/bun:1.3.10 /usr/local/bin/bun /usr/bin/bun
+COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun

 # Install windmill CLI
 RUN bun install -g windmill-cli \
--- a/.github/change-versions-mac.sh
+++ b/.github/change-versions-mac.sh
@@ -15,8 +15,11 @@ sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescrip
 sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
 sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i '' -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
+sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i '' -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
+# sed -i '' -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill_pg/pyproject.toml
 sed -i '' -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
+sed -i '' -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

 sed -i '' -E "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock

--- a/.github/change-versions.sh
+++ b/.github/change-versions.sh
@@ -16,8 +16,11 @@ sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescript-c
 sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
 sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
+sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
+# sed -i -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
+sed -i -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

 sed -i -zE "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock

--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -31,3 +31,9 @@ updates:
    directory: "/python-client/wmill"
    schedule:
      interval: "weekly"
+      
+  # Maintain dependencies for wmill_pg python client
+  - package-ecosystem: "pip"
+    directory: "/python-client/wmill_pg"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/backend-check.yml
+++ b/.github/workflows/backend-check.yml
@@ -119,18 +119,6 @@ jobs:
        with:
          cache-workspaces: backend
          toolchain: 1.93.0
-      - name: Fix stale v8 build cache
-        working-directory: ./backend
-        run: |
-          # Cargo cache may preserve v8 build fingerprints without the actual
-          # librusty_v8.a library. Since fingerprints look valid, cargo skips
-          # build.rs re-run, causing "could not find native static library rusty_v8".
-          for profile in debug release; do
-            if [ -d "target/$profile/.fingerprint" ] && [ ! -f "target/$profile/gn_out/obj/librusty_v8.a" ]; then
-              echo "Cleaning stale v8 build artifacts in target/$profile"
-              rm -rf "target/$profile/build/v8-"* "target/$profile/.fingerprint/v8-"*
-            fi
-          done
      - name: cargo check
        timeout-minutes: 16
        working-directory: ./backend
--- a/.github/workflows/backend-test-windows.yml
+++ b/.github/workflows/backend-test-windows.yml
@@ -1,165 +0,0 @@
-name: Backend integration tests (Windows)
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "ci-windows-tests"
-
-env:
-  CARGO_INCREMENTAL: 0
-  SQLX_OFFLINE: true
-  DISABLE_EMBEDDING: true
-
-jobs:
-  cargo_test_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Read EE repo commit hash
-        shell: pwsh
-        run: |
-          $ee_repo_ref = Get-Content .\backend\ee-repo-ref.txt
-          echo "ee_repo_ref=$ee_repo_ref" | Out-File -FilePath $env:GITHUB_ENV -Append
-
-      - name: Checkout windmill-ee-private repository
-        uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: Substitute EE code
-        shell: bash
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Setup PostgreSQL
-        uses: ikalnytskyi/action-setup-postgres@v6
-        with:
-          username: postgres
-          password: changeme
-          database: windmill
-          port: 5432
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "9.0.x"
-
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-
-      - uses: actions/setup-go@v2
-        with:
-          go-version: 1.21.5
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.10
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-
-      - uses: astral-sh/setup-uv@v6.2.1
-        with:
-          version: "0.9.24"
-
-      - uses: shivammathur/setup-php@v2
-        with:
-          php-version: "8.3"
-          tools: composer
-
-      - name: Install windmill CLI
-        shell: bash
-        run: |
-          cd cli
-          bash gen_wm_client.sh
-          bun install
-          mkdir -p "$HOME/.local/bin"
-          printf '#!/bin/sh\nexec bun run "%s/cli/src/main.ts" "$@"\n' "$GITHUB_WORKSPACE" > "$HOME/.local/bin/wmill"
-          chmod +x "$HOME/.local/bin/wmill"
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install OpenSSL via vcpkg
-        run: |
-          vcpkg.exe install openssl-windows:x64-windows
-          vcpkg.exe install openssl:x64-windows-static
-          vcpkg.exe integrate install
-
-      - name: Get runtime paths
-        id: runtime-paths
-        shell: pwsh
-        run: |
-          echo "DENO_PATH=$($(Get-Command deno).Source)" >> $env:GITHUB_OUTPUT
-          echo "BUN_PATH=$($(Get-Command bun).Source)" >> $env:GITHUB_OUTPUT
-          echo "NODE_BIN_PATH=$($(Get-Command node).Source)" >> $env:GITHUB_OUTPUT
-          echo "GO_PATH=$($(Get-Command go).Source)" >> $env:GITHUB_OUTPUT
-          echo "UV_PATH=$($(Get-Command uv).Source)" >> $env:GITHUB_OUTPUT
-          echo "PHP_PATH=$($(Get-Command php).Source)" >> $env:GITHUB_OUTPUT
-          echo "COMPOSER_PATH=$($(Get-Command composer).Source)" >> $env:GITHUB_OUTPUT
-          echo "POWERSHELL_PATH=$($(Get-Command pwsh).Source)" >> $env:GITHUB_OUTPUT
-          echo "DOTNET_PATH=$($(Get-Command dotnet).Source)" >> $env:GITHUB_OUTPUT
-
-      - name: Build DuckDB FFI module
-        working-directory: backend/windmill-duckdb-ffi-internal
-        timeout-minutes: 30
-        run: |
-          cargo build --release -p windmill_duckdb_ffi_internal
-          New-Item -ItemType Directory -Path ..\target\debug -Force
-          Copy-Item target\release\windmill_duckdb_ffi_internal.dll ..\target\debug\
-
-      - name: Print runtime versions and env
-        shell: pwsh
-        run: |
-          deno --version
-          bun -v
-          node --version
-          go version
-          python3 --version
-          php --version
-          pwsh --version
-          dotnet --version
-          echo "TEMP=$env:TEMP"
-          echo "TMP=$env:TMP"
-          echo "USERPROFILE=$env:USERPROFILE"
-          echo "HOME=$env:HOME"
-
-      - name: cargo test
-        working-directory: backend
-        timeout-minutes: 60
-        env:
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432/windmill
-          RUST_LOG: "off"
-          RUST_LOG_STYLE: never
-          CARGO_NET_GIT_FETCH_WITH_CLI: true
-          CARGO_BUILD_JOBS: 12
-          VCPKGRS_DYNAMIC: 1
-          OPENSSL_DIR: ${{ env.VCPKG_INSTALLATION_ROOT }}\installed\x64-windows-static
-          DENO_PATH: ${{ steps.runtime-paths.outputs.DENO_PATH }}
-          BUN_PATH: ${{ steps.runtime-paths.outputs.BUN_PATH }}
-          NODE_BIN_PATH: ${{ steps.runtime-paths.outputs.NODE_BIN_PATH }}
-          GO_PATH: ${{ steps.runtime-paths.outputs.GO_PATH }}
-          UV_PATH: ${{ steps.runtime-paths.outputs.UV_PATH }}
-          PHP_PATH: ${{ steps.runtime-paths.outputs.PHP_PATH }}
-          COMPOSER_PATH: ${{ steps.runtime-paths.outputs.COMPOSER_PATH }}
-          POWERSHELL_PATH: ${{ steps.runtime-paths.outputs.POWERSHELL_PATH }}
-          DOTNET_PATH: ${{ steps.runtime-paths.outputs.DOTNET_PATH }}
-          WMDEBUG_FORCE_V0_WORKSPACE_DEPENDENCIES: 1
-          WMDEBUG_FORCE_RUNNABLE_SETTINGS_V0: 1
-          WMDEBUG_FORCE_NO_LEGACY_DEBOUNCING_COMPAT: 1
-        run: >
-          cargo test
-          --no-fail-fast
-          --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,csharp,php,quickjs,mcp,run_inline
-          --all
-          -- --nocapture --test-threads=10
--- a/.github/workflows/backend-test.yml
+++ b/.github/workflows/backend-test.yml
@@ -1,7 +1,6 @@
 name: Backend only integration tests

 on:
-  workflow_dispatch:
  push:
    branches:
      - "main"
@@ -56,7 +55,7 @@ jobs:
          go-version: 1.21.5
      - uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.10
+          bun-version: 1.3.8
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
@@ -89,18 +88,6 @@ jobs:
        with:
          cache-workspaces: backend
          toolchain: 1.93.0
-      - name: Fix stale v8 build cache
-        working-directory: ./backend
-        run: |
-          # Cargo cache may preserve v8 build fingerprints without the actual
-          # librusty_v8.a library. Since fingerprints look valid, cargo skips
-          # build.rs re-run, causing "could not find native static library rusty_v8".
-          for profile in debug release; do
-            if [ -d "target/$profile/.fingerprint" ] && [ ! -f "target/$profile/gn_out/obj/librusty_v8.a" ]; then
-              echo "Cleaning stale v8 build artifacts in target/$profile"
-              rm -rf "target/$profile/build/v8-"* "target/$profile/.fingerprint/v8-"*
-            fi
-          done
      - name: Read EE repo commit hash
        run: |
          echo "ee_repo_ref=$(cat ./ee-repo-ref.txt)" >> "$GITHUB_ENV"
@@ -251,4 +238,4 @@ jobs:
        run: |
          deno --version && bun -v && node --version && go version && python3 --version && php --version && ruby --version && pwsh --version && dotnet --version
          cd windmill-duckdb-ffi-internal && ./build_dev.sh && cd ..
-          DENO_PATH=$(which deno) BUN_PATH=$(which bun) NODE_BIN_PATH=$(which node) GO_PATH=$(which go) UV_PATH=$(which uv) PHP_PATH=$(which php) COMPOSER_PATH=$(which composer) RUBY_PATH=$(which ruby) RUBY_BUNDLE_PATH=$(which bundle) RUBY_GEM_PATH=$(which gem) POWERSHELL_PATH=$(which pwsh) DOTNET_PATH=$(which dotnet) cargo test --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,private_registry_test,csharp,php,ruby,mysql,quickjs,mcp,run_inline --all -- --nocapture --test-threads=10
+          DENO_PATH=$(which deno) BUN_PATH=$(which bun) NODE_BIN_PATH=$(which node) GO_PATH=$(which go) UV_PATH=$(which uv) PHP_PATH=$(which php) COMPOSER_PATH=$(which composer) RUBY_PATH=$(which ruby) RUBY_BUNDLE_PATH=$(which bundle) RUBY_GEM_PATH=$(which gem) POWERSHELL_PATH=$(which pwsh) DOTNET_PATH=$(which dotnet) cargo test --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,private_registry_test,csharp,php,ruby,mysql,quickjs,mcp --all -- --nocapture --test-threads=10
--- a/.github/workflows/check-system-prompts.yml
+++ b/.github/workflows/check-system-prompts.yml
@@ -1,37 +0,0 @@
-name: Check system prompts freshness
-
-on:
-  push:
-    paths:
-      - "system_prompts/**"
-      - "typescript-client/**"
-      - "python-client/wmill/wmill/client.py"
-      - "openflow.openapi.yaml"
-      - "backend/windmill-api/openapi.yaml"
-      - "cli/src/main.ts"
-      - "cli/src/commands/**"
-  pull_request:
-    paths:
-      - "system_prompts/**"
-      - "typescript-client/**"
-      - "python-client/wmill/wmill/client.py"
-      - "openflow.openapi.yaml"
-      - "backend/windmill-api/openapi.yaml"
-      - "cli/src/main.ts"
-      - "cli/src/commands/**"
-
-jobs:
-  check-freshness:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-
-      - name: Install dependencies
-        run: pip install pyyaml
-
-      - name: Check auto-generated files are up-to-date
-        run: bash system_prompts/check-freshness.sh
--- a/.github/workflows/cli-tests.yml
+++ b/.github/workflows/cli-tests.yml
@@ -4,13 +4,13 @@ on:
  push:
    branches: [main]
    paths:
-      - "cli/**"
-      - ".github/workflows/cli-tests.yml"
+      - 'cli/**'
+      - '.github/workflows/cli-tests.yml'
  pull_request:
    branches: [main]
    paths:
-      - "cli/**"
-      - ".github/workflows/cli-tests.yml"
+      - 'cli/**'
+      - '.github/workflows/cli-tests.yml'

 env:
  CARGO_TERM_COLOR: always
@@ -26,7 +26,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: '20'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -72,7 +72,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: '20'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -126,7 +126,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: '20'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
@@ -163,6 +163,11 @@ jobs:
          NODE_BIN_PATH: ${{ steps.runtime-paths.outputs.NODE_BIN_PATH }}
        run: bun test --timeout 120000 test/

+      - name: Keep runner alive for SSH debug
+        if: failure()
+        shell: pwsh
+        run: Start-Sleep -Seconds 3600
+
  # Combined summary job for branch protection
  test-summary:
    runs-on: ubuntu-latest
--- a/.github/workflows/discord-notification.yml
+++ b/.github/workflows/discord-notification.yml
@@ -9,7 +9,9 @@ on:
  issue_comment:
    types:
      - created
-      - edited
+  pull_request_review_comment:
+    types:
+      - created

 jobs:
  notify_discord_when_pr_opened:
@@ -51,7 +53,23 @@ jobs:
      COMMENT_BODY: ${{ github.event.comment.body }}
      COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
      COMMENT_URL: ${{ github.event.comment.html_url }}
-      COMMENT_IS_EDIT: ${{ github.event.action == 'edited' }}
+      DISCORD_CHANNEL_ID: "1372204995868491786"
+      DISCORD_GUILD_ID: "930051556043276338"
+    secrets:
+      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
+
+  notify_discord_on_review_comment:
+    if: >
+      github.event_name == 'pull_request_review_comment'
+      && github.event.comment.user.login != 'cloudflare-workers-and-pages[bot]'
+      && github.event.comment.user.login != 'ellipsis-dev[bot]'
+    uses: ./.github/workflows/shareable-discord-notification.yml
+    with:
+      PR_STATUS: "comment"
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      COMMENT_BODY: ${{ github.event.comment.body }}
+      COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
+      COMMENT_URL: ${{ github.event.comment.html_url }}
      DISCORD_CHANNEL_ID: "1372204995868491786"
      DISCORD_GUILD_ID: "930051556043276338"
    secrets:
--- a/.github/workflows/git-sync-test.yml
+++ b/.github/workflows/git-sync-test.yml
@@ -1,209 +0,0 @@
-name: Git Sync Integration Tests
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [main]
-    paths:
-      - "backend/windmill-git-sync/**"
-      - "backend/windmill-api-integration-tests/tests/git_sync*"
-      - "backend/ee-repo-ref.txt"
-      - "integration_tests/test/git_sync_test.py"
-      - ".github/workflows/git-sync-test.yml"
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - "backend/windmill-git-sync/**"
-      - "backend/windmill-api-integration-tests/tests/git_sync*"
-      - "backend/ee-repo-ref.txt"
-      - "integration_tests/test/git_sync_test.py"
-      - ".github/workflows/git-sync-test.yml"
-
-concurrency:
-  group: git-sync-test-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  check-relevance:
-    runs-on: ubuntu-latest
-    outputs:
-      should_run: ${{ steps.check.outputs.should_run }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Check if git sync related files changed
-        id: check
-        env:
-          WINDMILL_EE_PRIVATE_ACCESS: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-        run: |
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            BASE=${{ github.event.pull_request.base.sha }}
-          else
-            BASE=${{ github.event.before }}
-          fi
-
-          CHANGED_FILES=$(git diff --name-only "$BASE"..HEAD 2>/dev/null || echo "")
-          echo "Changed files:"
-          echo "$CHANGED_FILES"
-
-          # Direct git sync file changes — always relevant
-          if echo "$CHANGED_FILES" | grep -qE '^(backend/windmill-git-sync/|backend/windmill-api-integration-tests/tests/git_sync|integration_tests/test/git_sync|\.github/workflows/git-sync-test\.yml)'; then
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "Relevant: direct git sync file changes"
-            exit 0
-          fi
-
-          # If ee-repo-ref.txt changed, check if the EE diff touches windmill-git-sync/
-          if echo "$CHANGED_FILES" | grep -q '^backend/ee-repo-ref.txt$'; then
-            NEW_REF=$(cat backend/ee-repo-ref.txt)
-            OLD_REF=$(git show "$BASE:backend/ee-repo-ref.txt" 2>/dev/null || echo "")
-
-            if [ -n "$OLD_REF" ] && [ "$OLD_REF" != "$NEW_REF" ]; then
-              # Clone EE repo and check diff
-              git clone --bare "https://x-access-token:${WINDMILL_EE_PRIVATE_ACCESS}@github.com/windmill-labs/windmill-ee-private.git" /tmp/ee-repo 2>/dev/null
-              EE_CHANGED=$(git -C /tmp/ee-repo diff --name-only "$OLD_REF".."$NEW_REF" 2>/dev/null || echo "")
-              echo "EE changed files:"
-              echo "$EE_CHANGED"
-
-              if echo "$EE_CHANGED" | grep -q '^windmill-git-sync/'; then
-                echo "should_run=true" >> "$GITHUB_OUTPUT"
-                echo "Relevant: EE git sync files changed"
-                exit 0
-              fi
-            fi
-          fi
-
-          echo "should_run=false" >> "$GITHUB_OUTPUT"
-          echo "No git sync relevant changes detected, skipping tests"
-
-  git_sync_e2e:
-    needs: [check-relevance]
-    if: needs.check-relevance.outputs.should_run == 'true'
-    runs-on: ubicloud-standard-16
-    services:
-      postgres:
-        image: postgres:14
-        ports:
-          - 5432:5432
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: Substitute EE code
-        run: |
-          cd backend && ./substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.10
-
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-
-      - name: Install wmill CLI
-        run: |
-          cd cli && bash gen_wm_client.sh && bun install
-          mkdir -p "$HOME/.local/bin"
-          printf '#!/bin/sh\nexec bun run "%s/cli/src/main.ts" "$@"\n' "$GITHUB_WORKSPACE" > "$HOME/.local/bin/wmill"
-          chmod +x "$HOME/.local/bin/wmill"
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Build Windmill
-        working-directory: ./backend
-        env:
-          SQLX_OFFLINE: true
-          CARGO_BUILD_JOBS: 12
-          RUSTFLAGS: ""
-        run: |
-          cargo build --features enterprise,private,license,zip
-
-      - name: Start Gitea
-        run: |
-          docker run -d --name gitea \
-            -e GITEA__database__DB_TYPE=sqlite3 \
-            -e GITEA__security__INSTALL_LOCK=true \
-            -e GITEA__server__HTTP_PORT=3000 \
-            -e GITEA__server__ROOT_URL=http://localhost:3000 \
-            -e GITEA__service__DISABLE_REGISTRATION=false \
-            -p 3000:3000 \
-            gitea/gitea:1.22-rootless
-          echo "Waiting for Gitea to be ready..."
-          for i in $(seq 1 30); do
-            if curl -sf http://localhost:3000/api/v1/version > /dev/null 2>&1; then
-              echo "Gitea is ready"
-              break
-            fi
-            sleep 2
-          done
-          curl -sf http://localhost:3000/api/v1/version > /dev/null || { echo "Gitea failed to start"; exit 1; }
-
-      - name: Start Windmill
-        working-directory: ./backend
-        env:
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          DENO_PATH: deno
-          BUN_PATH: bun
-          NODE_BIN_PATH: node
-        run: |
-          ./target/debug/windmill &
-          echo "Waiting for Windmill to be ready..."
-          for i in $(seq 1 60); do
-            if curl -sf http://localhost:8000/api/version > /dev/null 2>&1; then
-              echo "Windmill is ready"
-              break
-            fi
-            sleep 2
-          done
-          curl -sf http://localhost:8000/api/version > /dev/null || { echo "Windmill failed to start"; exit 1; }
-
-      - name: Run git sync E2E tests
-        timeout-minutes: 10
-        env:
-          GITEA_DOCKER_URL: http://localhost:3000
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-        run: |
-          python3 -m venv .venv
-          .venv/bin/pip install -r integration_tests/requirements.txt
-          cd integration_tests && ../.venv/bin/python -m unittest -v test.git_sync_test
-
-      - name: Archive logs
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: Git Sync Integration Tests Logs
-          path: |
-            integration_tests/logs
--- a/.github/workflows/npm_on_release.yml
+++ b/.github/workflows/npm_on_release.yml
@@ -14,7 +14,7 @@ jobs:
        with:
          node-version: "20.x"
          registry-url: "https://registry.npmjs.org"
-      - run: cd typescript-client && ./publish.sh --access public && cd ..
+      - run: cd typescript-client && ./publish.sh && cd ..
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  publish_cli:
@@ -28,6 +28,6 @@ jobs:
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
-      - run: cd cli && ./build.sh && cd npm && npm publish --access public
+      - run: cd cli && ./build.sh && cd npm && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/shareable-discord-notification.yml
+++ b/.github/workflows/shareable-discord-notification.yml
@@ -36,10 +36,6 @@ on:
        description: "The comment URL"
        type: string
        default: ""
-      COMMENT_IS_EDIT:
-        description: "Whether this is an edit of an existing comment"
-        type: string
-        default: "false"
    secrets:
      DISCORD_WEBHOOK_URL:
        description: "Discord Webhook URL"
@@ -139,7 +135,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ inputs.PR_STATUS == 'comment' }}
    steps:
-      - name: Post or update comment in Discord thread
+      - name: Post comment to Discord thread
        env:
          BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
          CHANNEL_ID: ${{ inputs.DISCORD_CHANNEL_ID }}
@@ -148,7 +144,6 @@ jobs:
          COMMENT_BODY: ${{ inputs.COMMENT_BODY }}
          COMMENT_AUTHOR: ${{ inputs.COMMENT_AUTHOR }}
          COMMENT_URL: ${{ inputs.COMMENT_URL }}
-          COMMENT_IS_EDIT: ${{ inputs.COMMENT_IS_EDIT }}
        run: |
          # 1) Find the thread by PR number
          threads=$(curl -s -H "Authorization: Bot $BOT_TOKEN" \
@@ -177,36 +172,10 @@ jobs:
            truncated_body="$COMMENT_BODY"
          fi

-          # 3) Build the message content
-          if [ "$COMMENT_IS_EDIT" = "true" ]; then
-            message=$(printf '**%s** [edited comment](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
-          else
-            message=$(printf '**%s** [commented](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
-          fi
+          # 3) Post the comment to the thread
+          message=$(printf '**%s** [commented](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
          payload=$(jq -n --arg content "$message" '{content: $content, flags: 4, allowed_mentions: {parse: []}}')

-          # 4) If this is an edit, try to find and update the existing Discord message
-          if [ "$COMMENT_IS_EDIT" = "true" ]; then
-            # Search recent messages in the thread for one containing the comment URL
-            messages=$(curl -s -H "Authorization: Bot $BOT_TOKEN" \
-              "https://discord.com/api/v10/channels/${thread_id}/messages?limit=100")
-            existing_msg_id=$(echo "$messages" | jq -r \
-              --arg url "$COMMENT_URL" \
-              '[.[] | select(.content | contains($url))] | first | .id // empty')
-
-            if [ -n "$existing_msg_id" ]; then
-              echo "Updating existing Discord message $existing_msg_id"
-              curl -s -X PATCH \
-                -H "Authorization: Bot $BOT_TOKEN" \
-                -H "Content-Type: application/json" \
-                -d "$payload" \
-                "https://discord.com/api/v10/channels/${thread_id}/messages/${existing_msg_id}"
-              exit 0
-            fi
-            echo "Original Discord message not found, posting as new message"
-          fi
-
-          # 5) Post a new message to the thread
          curl -s -X POST \
            -H "Authorization: Bot $BOT_TOKEN" \
            -H "Content-Type: application/json" \
--- a/.gitignore
+++ b/.gitignore
@@ -27,4 +27,3 @@ typescript-client/node_modules
 frontend/.svelte-kit
 backend/chrome_profiler.json
 .fast-check/
-__pycache__/
--- a/.webmux.yaml
+++ b/.webmux.yaml
@@ -1,105 +0,0 @@
-# Project display name in the dashboard
-name: Windmill
-
-workspace:
-  mainBranch: main
-  worktreeRoot: ../windmill__worktrees
-  defaultAgent: claude
-
-startupEnvs:
-  CARGO_FEATURES: "quickjs"
-  WM_CLONE_DB: false
-  USE_RUST_PLUGIN: false
-
-lifecycleHooks:
-  postCreate: bash ./scripts/post-create.sh
-  preRemove: bash ./scripts/pre-remove.sh
-
-auto_name:
-  provider: claude
-  model: haiku
-
-# Each service defines a port env var that webmux injects into pane and agent
-# process environments when creating a worktree. Ports are auto-assigned:
-# base + (slot x step).
-services:
-  - name: backend
-    portEnv: BACKEND_PORT
-    portStart: 8000
-    portStep: 10
-  - name: frontend
-    portEnv: FRONTEND_PORT
-    portStart: 3000
-    portStep: 10
-
-profiles:
-  full:
-    runtime: host
-    yolo: true
-    envPassthrough: []
-    systemPrompt: >
-      You are running inside a tmux session with other panes running services.
-      Pane layout (current window):
-      - Pane 0: this pane (claude agent)
-      - Pane 1: backend (cargo watch -x run)
-      - Pane 2: frontend (npm run dev)
-      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).
-      When restarting backend or frontend, make sure to use ${BACKEND_PORT} and ${FRONTEND_PORT}.
-      To connect to the database, use this connection string: ${DATABASE_URL}
-      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check.
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
-    panes:
-      - id: agent
-        kind: agent
-        focus: true
-      - id: backend
-        kind: command
-        split: right
-        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"
-      - id: frontend
-        kind: command
-        split: bottom
-        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/frontend" && npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0
-        
-  frontendOnly:
-    runtime: host
-    yolo: true
-    envPassthrough: []
-    systemPrompt: >
-      You are running inside a tmux session with other panes running services.
-      Pane layout (current window):
-      - Pane 0: this pane (claude agent)
-      - Pane 1: frontend (npm run dev)
-      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (frontend).
-      When restarting frontend, make sure to use ${FRONTEND_PORT}.
-      To connect to the database, use this connection string: ${DATABASE_URL}
-      Because we are running frontend with npm run dev, to verify your changes, just check the logs in the frontend pane. No need for npm run build.
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
-    panes:
-      - id: agent
-        kind: agent
-        focus: true
-      - id: frontend
-        kind: command
-        split: right
-        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/frontend" && npm run generate-backend-client && npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0
-
-  agentOnly:
-    runtime: host
-    yolo: true
-    envPassthrough: []
-    systemPrompt: >
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
-    panes:
-      - id: agent
-        kind: agent
-        focus: true
-
-integrations:
-  github:
-    linkedRepos:
-      - repo: windmill-labs/windmill-ee-private
-        alias: ee-private
-        dir: ../windmill-ee-private__worktrees
-  linear:
-    enabled: true
--- a/.wmdev.yaml
+++ b/.wmdev.yaml
@@ -0,0 +1,79 @@
+services:
+  - name: BE
+    portEnv: BACKEND_PORT
+  - name: FE
+    portEnv: FRONTEND_PORT
+
+profiles:
+  default:
+    name: default
+
+  sandbox:
+    name: sandbox
+    image: windmill-sandbox
+    envPassthrough:
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY
+      - R2_ENDPOINT
+      - R2_BUCKET
+      - R2_PUBLIC_URL
+    extraMounts:
+      - hostPath: ~/.codex
+        guestPath: /root/.codex
+        writable: true
+      - hostPath: ~/windmill-ee-private
+        writable: true
+      - hostPath: ~/windmill-ee-private__worktrees
+        writable: true
+    systemPrompt: >
+      You are running inside a sandboxed container with full permissions.
+      This worktree is configured with the following ports:
+
+      - Backend: port ${BACKEND_PORT}.
+        Start with: cd backend && PORT=${BACKEND_PORT}
+        DATABASE_URL=postgres://postgres:changeme@localhost:5432/windmill
+        cargo watch -x run
+
+      - Frontend: port ${FRONTEND_PORT}.
+        Start with: cd frontend && REMOTE=http://localhost:${BACKEND_PORT}
+        npm run dev -- --port ${FRONTEND_PORT} --host 0.0.0.0
+
+      --- Screenshots ---
+      You can take screenshots of the frontend UI and upload them to R2
+      for use in PR descriptions.
+      1) Take a screenshot:
+         bunx playwright screenshot --browser chromium
+         http://localhost:${FRONTEND_PORT}/path/to/page /tmp/screenshot.png
+      2) Upload to R2:
+         aws s3 cp /tmp/screenshot.png
+         "s3://$(printenv R2_BUCKET)/$(git rev-parse --abbrev-ref HEAD)/screenshot.png"
+         --endpoint-url "$(printenv R2_ENDPOINT)"
+      3) The public URL will be:
+         $(printenv R2_PUBLIC_URL)/<branch>/screenshot.png
+      4) Include screenshots in PR descriptions as markdown images:
+         ![description]($(printenv R2_PUBLIC_URL)/<branch>/screenshot.png)
+
+      --- Terminal Recordings (asciinema) ---
+      You can record terminal sessions and upload them for sharing.
+      asciinema is pre-installed at /usr/local/bin/asciinema.
+
+      1) Write a shell script with the commands to demo. Add sleep
+          delays for readable pacing:
+          - 0.5s after printing a "$ command" line (lets viewer read it)
+          - 1.5-2s after command output (lets viewer absorb the result)
+          - Set GIT_PAGER=cat and PAGER=cat to prevent pager hangs
+
+      2) Record headlessly:
+          asciinema rec --headless --overwrite \
+            -c "bash /tmp/demo.sh" \
+            --window-size 120x50 \
+            --title "Description of demo" \
+            /tmp/demo.cast
+
+      3) Upload to asciinema.org:
+          XDG_DATA_HOME=/tmp/.local/share \
+            asciinema upload --server-url https://asciinema.org /tmp/demo.cast
+
+linkedRepos:
+  - repo: windmill-labs/windmill-ee-private
+    alias: ee
--- a/.workmux.yaml
+++ b/.workmux.yaml
@@ -55,8 +55,7 @@ panes:
      - Pane 2: frontend (npm run dev)\n\n
      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).\n
      When restarting backend or frontend, make sure to use the ports listed in .env.local.\n
-      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check.\n\n
-      IMPORTANT: Read docs/autonomous-mode.md before starting any work."
+      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check."
    focus: true
  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"'
    split: horizontal
@@ -67,7 +66,6 @@ files:
  copy:
    - backend/.env
    - scripts/
-    - wm-ts-nav/target/release/wm-ts-nav

 sandbox:
  enabled: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,291 +1,5 @@
 # Changelog

-## [1.657.0](https://github.com/windmill-labs/windmill/compare/v1.656.0...v1.657.0) (2026-03-14)
-
-
-### Features
-
-* add datatable config support to CLI settings sync and backend export ([#8024](https://github.com/windmill-labs/windmill/issues/8024)) ([5df37fb](https://github.com/windmill-labs/windmill/commit/5df37fb0dbf9190a430f066cf2d3c48914782e53))
-
-## [1.656.0](https://github.com/windmill-labs/windmill/compare/v1.655.0...v1.656.0) (2026-03-13)
-
-
-### Features
-
-* add GitHub Enterprise Server (GHES) support for GitHub App git sync ([#8344](https://github.com/windmill-labs/windmill/issues/8344)) ([2e430c4](https://github.com/windmill-labs/windmill/commit/2e430c4c0b8540df7b6997434a7a9f9134858026))
-* **cli:** add unified generate-metadata command ([#8335](https://github.com/windmill-labs/windmill/issues/8335)) ([4c2c165](https://github.com/windmill-labs/windmill/commit/4c2c165a5b757bd5f2f49074bb290407bce3b2fb))
-
-
-### Bug Fixes
-
-* **ci:** add NODE_AUTH_TOKEN for npm publish authentication ([2a8e276](https://github.com/windmill-labs/windmill/commit/2a8e276b6d2761bb2798b6bc5f8d90ab34fbb403))
-* **ci:** remove provenance flag and use NPM_TOKEN for npm publish ([44dd3ee](https://github.com/windmill-labs/windmill/commit/44dd3ee8cd05d288828d1d46c84cbcdf40f8fa78))
-* **cli:** exclude raw app backend files from script metadata generation ([#8362](https://github.com/windmill-labs/windmill/issues/8362)) ([060687b](https://github.com/windmill-labs/windmill/commit/060687b1fa6b627a7b06fbdc4b3f4eb0b63411c0))
-* **cli:** normalize path separators in generate-metadata folder filter for Windows ([#8358](https://github.com/windmill-labs/windmill/issues/8358)) ([404ae09](https://github.com/windmill-labs/windmill/commit/404ae09d429fb545610ba17d747e1903c542d4a3))
-* **cli:** suppress verbose lock generation messages in generate-metadata ([#8357](https://github.com/windmill-labs/windmill/issues/8357)) ([51933be](https://github.com/windmill-labs/windmill/commit/51933be3cabd853960d384cd358c7bcaef6bfa86))
-* **frontend:** collapse flow topbar buttons to icon-only in narrow panes ([#8322](https://github.com/windmill-labs/windmill/issues/8322)) ([b585dee](https://github.com/windmill-labs/windmill/commit/b585dee64dfd63d20812ca969b17ff9ee9989493))
-* **frontend:** filter webhook/email tokens by scope instead of label ([#8363](https://github.com/windmill-labs/windmill/issues/8363)) ([0d31c35](https://github.com/windmill-labs/windmill/commit/0d31c35f3e12d637c757a95fe350294002cbf640))
-* **frontend:** improve native mode alert message and fix workspaced tag detection ([#8361](https://github.com/windmill-labs/windmill/issues/8361)) ([fb12b31](https://github.com/windmill-labs/windmill/commit/fb12b31df081b2f1ac63becea6e6538ca80f8c46))
-* **frontend:** prevent duplicate and reserved agent tool names ([#8367](https://github.com/windmill-labs/windmill/issues/8367)) ([c431053](https://github.com/windmill-labs/windmill/commit/c431053a1e24ef29cd551a86de4d013fd7f158be))
-* graceful shutdown instead of panic on job completion channel failure ([#8345](https://github.com/windmill-labs/windmill/issues/8345)) ([724d135](https://github.com/windmill-labs/windmill/commit/724d1350d070fcf078034a52166d3048fb74e6f3))
-* Linked resources and vars not triggering both sync jobs on delete ([#8342](https://github.com/windmill-labs/windmill/issues/8342)) ([8e3b8bd](https://github.com/windmill-labs/windmill/commit/8e3b8bdfd2ded9652bc7e876c6bcd0ac2cfae148))
-* lower default indexer memory/batch settings to prevent OOM ([#8347](https://github.com/windmill-labs/windmill/issues/8347)) ([d9d45cf](https://github.com/windmill-labs/windmill/commit/d9d45cf2f9235b0e7118d0fc97ccdc0776ca9726))
-
-## [1.655.0](https://github.com/windmill-labs/windmill/compare/v1.654.0...v1.655.0) (2026-03-12)
-
-
-### Features
-
-* add auto_commit option to Kafka triggers with advanced UI badges ([#8317](https://github.com/windmill-labs/windmill/issues/8317)) ([ec20d76](https://github.com/windmill-labs/windmill/commit/ec20d76216492086842c4f5e4e3b36727a5631e9))
-* partition audit log table by day with configurable retention ([#8292](https://github.com/windmill-labs/windmill/issues/8292)) ([2aef01d](https://github.com/windmill-labs/windmill/commit/2aef01d18c0723aedcc626f4f3991195620774ab))
-* support minimal telemetry mode ([#8243](https://github.com/windmill-labs/windmill/issues/8243)) ([fe1519f](https://github.com/windmill-labs/windmill/commit/fe1519f1284aadd67d5dce46cf0cb52ab351f789))
-
-
-### Bug Fixes
-
-* **cli:** instruct agent to tell user about generate-metadata and sync push instead of running them ([#8318](https://github.com/windmill-labs/windmill/issues/8318)) ([7fb729c](https://github.com/windmill-labs/windmill/commit/7fb729cc8483a2e6966a8e8995678929f4d451a0))
-* fix saved inputs popover infinite loop ([#8311](https://github.com/windmill-labs/windmill/issues/8311)) ([425a75e](https://github.com/windmill-labs/windmill/commit/425a75e030b15fe65676169f9069fbb7da19828e))
-* native mode now properly sets DB pool size and sleep queue ([#8332](https://github.com/windmill-labs/windmill/issues/8332)) ([d8b4132](https://github.com/windmill-labs/windmill/commit/d8b4132b9ae90af759c6655f4f69479f6738e60a))
-* prevent zombie jobs from looping forever ([#8313](https://github.com/windmill-labs/windmill/issues/8313)) ([48bc3e2](https://github.com/windmill-labs/windmill/commit/48bc3e244558dccb1f08f455b299600861788b0d))
-* set min_connections(0) to prevent sqlx pool spin loop ([#8334](https://github.com/windmill-labs/windmill/issues/8334)) ([bf4340f](https://github.com/windmill-labs/windmill/commit/bf4340f40c1eb9cacee4c32e07ba44f2c92bf7c4))
-* show diff editor content for resources without a language ([#8331](https://github.com/windmill-labs/windmill/issues/8331)) ([cbc7e78](https://github.com/windmill-labs/windmill/commit/cbc7e78f8a60bff1d8730a6183cdbc9125d8e2b1))
-* skip python preinstall on native workers ([#8329](https://github.com/windmill-labs/windmill/issues/8329)) ([4306c9e](https://github.com/windmill-labs/windmill/commit/4306c9e4fef317e298a76924edb4f20aa7ced105))
-* skip token expiry notifications for debugger and mcp-oauth tokens ([#8316](https://github.com/windmill-labs/windmill/issues/8316)) ([8667329](https://github.com/windmill-labs/windmill/commit/86673291100fd16aaf216ed33ca9b648b8a2b7a5))
-* use !inline ref for scripts inside flows (preproc, error, ai tool) ([#8319](https://github.com/windmill-labs/windmill/issues/8319)) ([ca8a627](https://github.com/windmill-labs/windmill/commit/ca8a6274bc81ad49fa0c6166694ae4d65a4048cb))
-
-## [1.654.0](https://github.com/windmill-labs/windmill/compare/v1.653.0...v1.654.0) (2026-03-10)
-
-
-### Features
-
-* add git sync support for workspace dependencies ([#8144](https://github.com/windmill-labs/windmill/issues/8144)) ([4f29e05](https://github.com/windmill-labs/windmill/commit/4f29e05e3ae725e0be7ab797f8fa2186d8c5c0a5))
-* add kafka trigger offset reset and auto.offset.reset config ([#8283](https://github.com/windmill-labs/windmill/issues/8283)) ([b02f9e5](https://github.com/windmill-labs/windmill/commit/b02f9e5c2426bff2356e1aaaa18e05b18c5efc6b))
-* add preprocessor support for dedicated workers and bunnative scripts ([#8284](https://github.com/windmill-labs/windmill/issues/8284)) ([dc0e59f](https://github.com/windmill-labs/windmill/commit/dc0e59f432a0e3a53606adb8ac76d2dd2d365ace))
-* add Vertex AI support for Google Gemini models ([#8303](https://github.com/windmill-labs/windmill/issues/8303)) ([cb349cb](https://github.com/windmill-labs/windmill/commit/cb349cb3d1b7561fb70a8c23fa83dc1c9441821c))
-* **frontend:** replace flat sugiyama with recursive compound layout for flow graph ([#8204](https://github.com/windmill-labs/windmill/issues/8204)) ([cad4436](https://github.com/windmill-labs/windmill/commit/cad44365ac17029a2257f12cef061219b0265570))
-
-
-### Bug Fixes
-
-* **cli:** fail when passing an invalid --workspace arg ([#8294](https://github.com/windmill-labs/windmill/issues/8294)) ([f291b1c](https://github.com/windmill-labs/windmill/commit/f291b1cc19689e69e7aa008c19ce747e9c56240e))
-* debounce webhook arg accumulation with max_count/max_time limits ([#8307](https://github.com/windmill-labs/windmill/issues/8307)) ([83be59e](https://github.com/windmill-labs/windmill/commit/83be59e0e866ebd091f1e27c0571710a989fd2e4))
-* delete debounce_key on post-preprocessing limit exceeded ([#8299](https://github.com/windmill-labs/windmill/issues/8299)) ([438f609](https://github.com/windmill-labs/windmill/commit/438f609a78325ee5c2493079ca27bf587fa0d5ff))
-* explicilty fail when --base-url --token --workspace are invalid ([#8302](https://github.com/windmill-labs/windmill/issues/8302)) ([5baeb8c](https://github.com/windmill-labs/windmill/commit/5baeb8c842a392c21457b7561e30b385e02a6a48))
-* handle missing schema in RunnableByPath during wmill.d.ts generation ([#8300](https://github.com/windmill-labs/windmill/issues/8300)) ([b841e0a](https://github.com/windmill-labs/windmill/commit/b841e0a0384941079f37374f8fbbe2dd7fb51897))
-* optimize flow lock generation and add rt.d.ts guidance for TS resource types ([#8295](https://github.com/windmill-labs/windmill/issues/8295)) ([b40cf80](https://github.com/windmill-labs/windmill/commit/b40cf80fdd62cbc31db0872ada551ce213b9dac8))
-* preserve teams oauth tenant on settings page reload ([#8308](https://github.com/windmill-labs/windmill/issues/8308)) ([dbfa271](https://github.com/windmill-labs/windmill/commit/dbfa271b8962fe7b3d2aa8bf494e9557047fc8b3))
-* resync custom_instance_user password on startup ([#8297](https://github.com/windmill-labs/windmill/issues/8297)) ([53ac43f](https://github.com/windmill-labs/windmill/commit/53ac43f5ee34570a9bb7b3441c73095e23690300))
-* show meaningful error messages in database manager schema fetch ([#8296](https://github.com/windmill-labs/windmill/issues/8296)) ([cda8439](https://github.com/windmill-labs/windmill/commit/cda843922dcfd9a02ef9926751cbf8f544d2d4b6))
-* skip loading flow preview history for new flows ([#8293](https://github.com/windmill-labs/windmill/issues/8293)) ([ac8c668](https://github.com/windmill-labs/windmill/commit/ac8c668cb93e56bc2a247bbdbbec14e5608125d2))
-* teams selection not sticking in workspace settings ([#8309](https://github.com/windmill-labs/windmill/issues/8309)) ([fefc8c6](https://github.com/windmill-labs/windmill/commit/fefc8c62a00fe7a39f3104091e08087cd7c37afb))
-
-## [1.653.0](https://github.com/windmill-labs/windmill/compare/v1.652.0...v1.653.0) (2026-03-10)
-
-
-### Features
-
-* add indexer time window setting (default 7 days) ([#8290](https://github.com/windmill-labs/windmill/issues/8290)) ([0c4d72c](https://github.com/windmill-labs/windmill/commit/0c4d72cfe38d61cf3f6e9bc31056005f1adb494d))
-* add slack connection fields to workspace settings export/import ([#8287](https://github.com/windmill-labs/windmill/issues/8287)) ([39e77ec](https://github.com/windmill-labs/windmill/commit/39e77ecd002b41630fa8d146ee0f15369656acda))
-
-
-### Performance Improvements
-
-* optimize job_stats storage for timestamps and zero-memory jobs ([#8289](https://github.com/windmill-labs/windmill/issues/8289)) ([2d8335d](https://github.com/windmill-labs/windmill/commit/2d8335dc43a7cb182eb5a058119d8b0be067cdfd))
-
-## [1.652.0](https://github.com/windmill-labs/windmill/compare/v1.651.1...v1.652.0) (2026-03-09)
-
-
-### Features
-
-* add secretKeyRef support for package registry and storage credentials ([#8275](https://github.com/windmill-labs/windmill/issues/8275)) ([73d27e9](https://github.com/windmill-labs/windmill/commit/73d27e92dd6ced1602f6328f245fec0fa96860e1))
-* expose OTEL trace context as env vars in job execution ([#8277](https://github.com/windmill-labs/windmill/issues/8277)) ([93f75ad](https://github.com/windmill-labs/windmill/commit/93f75ada5e49036f0d998e3d3d53de4dc2c2e83f))
-* workflow-as-code (WAC) v2 ([#8172](https://github.com/windmill-labs/windmill/issues/8172)) ([a6d4390](https://github.com/windmill-labs/windmill/commit/a6d4390790d21d535df1e9d525bffd577c50d8dc))
-
-
-### Bug Fixes
-
-* cli: support deleting linked resources-variables without throwing ([#8248](https://github.com/windmill-labs/windmill/issues/8248)) ([7859bca](https://github.com/windmill-labs/windmill/commit/7859bca6ae80d32a73a46910960afc6812e64115))
-* Database studio fixes ([#8251](https://github.com/windmill-labs/windmill/issues/8251)) ([1d78589](https://github.com/windmill-labs/windmill/commit/1d785899404e8636a206cda9a2914df32a1a5269))
-* **frontend:** unsaved changes dialog when flow already saved ([#8259](https://github.com/windmill-labs/windmill/issues/8259)) ([0330993](https://github.com/windmill-labs/windmill/commit/0330993cb66cdabffcd6e552a0f85a9a3931c62d))
-* gracefully handle uninitialized OTEL tracing proxy port ([#8274](https://github.com/windmill-labs/windmill/issues/8274)) ([8b1fe8f](https://github.com/windmill-labs/windmill/commit/8b1fe8f9de7b0c03655558d0c46cfff71a4b2047))
-* guard iteration picker VirtualList against empty items array ([#8273](https://github.com/windmill-labs/windmill/issues/8273)) ([c97cf60](https://github.com/windmill-labs/windmill/commit/c97cf604ab4a902d89fe873b90dbeb9dabc940eb)), closes [#8272](https://github.com/windmill-labs/windmill/issues/8272)
-* mask secrets in OAuth config debug/log output ([#8269](https://github.com/windmill-labs/windmill/issues/8269)) ([e75763d](https://github.com/windmill-labs/windmill/commit/e75763dbe5ffe08e6cde082203596d510c2c3b29))
-* parallel branchall hang on bad stop_after_all_iters_if + results.x.length null ([#8276](https://github.com/windmill-labs/windmill/issues/8276)) ([41e523f](https://github.com/windmill-labs/windmill/commit/41e523f827c4e3d5db525a1f14e24936b0b8af46))
-* redact secrets in set_global_setting log line ([#8270](https://github.com/windmill-labs/windmill/issues/8270)) ([6a0473c](https://github.com/windmill-labs/windmill/commit/6a0473c5783dc0fef2ae82dc5345a5f0596f124d))
-* remove $bindable() fallback values causing props_invalid_value error in oauth settings ([#8265](https://github.com/windmill-labs/windmill/issues/8265)) ([037035e](https://github.com/windmill-labs/windmill/commit/037035e094937827305dad29bd76a495d78bc46f))
-* skip down migrations in potentially_stale checksum comparison ([#8271](https://github.com/windmill-labs/windmill/issues/8271)) ([5ba4029](https://github.com/windmill-labs/windmill/commit/5ba4029d8692b2e6054fca7f45ed4cfded4738ef))
-* sql input horizontal scroll missing after switching flow steps ([#8249](https://github.com/windmill-labs/windmill/issues/8249)) ([ce8ac9c](https://github.com/windmill-labs/windmill/commit/ce8ac9cf52dc17061673b9b72556279c48c26f8e))
-* wmill workspace whoami output ([#8246](https://github.com/windmill-labs/windmill/issues/8246)) ([1ac391a](https://github.com/windmill-labs/windmill/commit/1ac391a795585747fe5911ac41b157556569fedb))
-
-## [1.651.1](https://github.com/windmill-labs/windmill/compare/v1.651.0...v1.651.1) (2026-03-05)
-
-
-### Bug Fixes
-
-* prevent slow loading toast interval from leaking on promise cancellation ([#8240](https://github.com/windmill-labs/windmill/issues/8240)) ([2e582b1](https://github.com/windmill-labs/windmill/commit/2e582b1bc1c299388a3c97cfddff9d0eb92858f2))
-* suppress unused variable warnings on windows builds ([#8241](https://github.com/windmill-labs/windmill/issues/8241)) ([2d58382](https://github.com/windmill-labs/windmill/commit/2d583826dc065c05684d4cd1d1510f0d1f2d9ae9))
-
-## [1.651.0](https://github.com/windmill-labs/windmill/compare/v1.650.0...v1.651.0) (2026-03-05)
-
-
-### Features
-
-* add sandbox annotations, volume mounts, for AI sandbox starting with claude ([#8058](https://github.com/windmill-labs/windmill/issues/8058)) ([5f0ef93](https://github.com/windmill-labs/windmill/commit/5f0ef936d1d5d07d01c8e07e26ec254feebef8fb))
-* hash-based MCP tool names for long paths ([#8133](https://github.com/windmill-labs/windmill/issues/8133)) ([ce041e8](https://github.com/windmill-labs/windmill/commit/ce041e8a5e7ff105df389875d9981f3843d4ce39))
-
-
-### Bug Fixes
-
-* **python-client:** add delete_s3_object ([#8216](https://github.com/windmill-labs/windmill/issues/8216)) ([90f4c64](https://github.com/windmill-labs/windmill/commit/90f4c64ee12e1d04ce846ff88d6658f667e194e0))
-* update CLI bun template to match UI template ([#8238](https://github.com/windmill-labs/windmill/issues/8238)) ([a8cbe93](https://github.com/windmill-labs/windmill/commit/a8cbe9396ffc51140dce5582d57f4dc59873304e))
-* write fallback package.json for codebase mode nsjail ([#8239](https://github.com/windmill-labs/windmill/issues/8239)) ([d46913b](https://github.com/windmill-labs/windmill/commit/d46913b74a0ffd41d2323e0355cc81954f09e29d))
-
-## [1.650.0](https://github.com/windmill-labs/windmill/compare/v1.649.0...v1.650.0) (2026-03-05)
-
-
-### Features
-
-* add move, delete, and duplicate to flow node context menu ([#8050](https://github.com/windmill-labs/windmill/issues/8050)) ([c0c9388](https://github.com/windmill-labs/windmill/commit/c0c9388415716ce77d841bd08a46f94e0a529685))
-* add variable and resource types to flow env variables ([#8214](https://github.com/windmill-labs/windmill/issues/8214)) ([164e499](https://github.com/windmill-labs/windmill/commit/164e499c64dc5eb76fcfb0f8cefbad2df244f610))
-* Ducklake typechecker ([#8118](https://github.com/windmill-labs/windmill/issues/8118)) ([53caecf](https://github.com/windmill-labs/windmill/commit/53caecf1da8d76e246178dfb9b86d330f0ec52fd))
-* make WINDMILL_DIR configurable via environment variable ([#8215](https://github.com/windmill-labs/windmill/issues/8215)) ([424ca59](https://github.com/windmill-labs/windmill/commit/424ca59dfe3e730f5388d9cac4ea7e69773614d3))
-* make WM_END_USER_EMAIL display users from different workspaces ([#8208](https://github.com/windmill-labs/windmill/issues/8208)) ([baf2bcf](https://github.com/windmill-labs/windmill/commit/baf2bcf14da0c8c95bdbbf511fcaee48be33948b))
-* persistent Db manager state in URI ([#8134](https://github.com/windmill-labs/windmill/issues/8134)) ([4bf827b](https://github.com/windmill-labs/windmill/commit/4bf827bea4d44aca8c5ff7aa67ad449dbcf00673))
-* replace hub error toasts with warning alerts and add disable hub setting ([#8225](https://github.com/windmill-labs/windmill/issues/8225)) ([63ebae8](https://github.com/windmill-labs/windmill/commit/63ebae8829a6dc47a4e23c8670b514f042c9d4be))
-* token expiration notifications ([#8190](https://github.com/windmill-labs/windmill/issues/8190)) ([e56ccd2](https://github.com/windmill-labs/windmill/commit/e56ccd200be29e6ac8ea2b04a341b1ce78a307f6))
-
-
-### Bug Fixes
-
-* handle multipart stream errors gracefully instead of panicking ([#8226](https://github.com/windmill-labs/windmill/issues/8226)) ([19c065b](https://github.com/windmill-labs/windmill/commit/19c065bed5468c484c8e7a50a6b79ab90153cc0e))
-* improve windows compatibility ([077779e](https://github.com/windmill-labs/windmill/commit/077779ec52f7d3e5fcc93951544bf47bd6dc30b6))
-* wrap set_encryption_key in a single database transaction ([#8212](https://github.com/windmill-labs/windmill/issues/8212)) ([62382fd](https://github.com/windmill-labs/windmill/commit/62382fd2869ea0190dd0c0b714f9cbd35ceddd7a))
-
-## [1.649.0](https://github.com/windmill-labs/windmill/compare/v1.648.0...v1.649.0) (2026-03-03)
-
-
-### Features
-
-* **frontend:** add script recorder for offline replay ([#8200](https://github.com/windmill-labs/windmill/issues/8200)) ([c97d8b4](https://github.com/windmill-labs/windmill/commit/c97d8b4715f86ea83ab2c0223ba859ced690829a))
-* move index management out of /srch/, add storage size reporting ([#8169](https://github.com/windmill-labs/windmill/issues/8169)) ([ee01acd](https://github.com/windmill-labs/windmill/commit/ee01acd9a6a2cd68a3f226988bfb46f6a6e64c08))
-
-
-### Bug Fixes
-
-* clean up slow-load toast interval on component destroy ([#8207](https://github.com/windmill-labs/windmill/issues/8207)) ([26f4f2b](https://github.com/windmill-labs/windmill/commit/26f4f2b399b828185b553289d6560e12261030a3))
-* **frontend:** prevent subflow expansion from hiding all insertion points ([#8203](https://github.com/windmill-labs/windmill/issues/8203)) ([e97da86](https://github.com/windmill-labs/windmill/commit/e97da860672171e33054a77d71f4824bb09e540d))
-* gracefully handle malformed OAuth entries in instance config ([#8205](https://github.com/windmill-labs/windmill/issues/8205)) ([cac4bdd](https://github.com/windmill-labs/windmill/commit/cac4bdd54f0c3ea80844ac31f7597f418ff7d8ae))
-* skip stop_after_if evaluation for skipped (identity) flow steps ([#8201](https://github.com/windmill-labs/windmill/issues/8201)) ([e6f7775](https://github.com/windmill-labs/windmill/commit/e6f7775d4d9a052aefc37260c6ed161146841cd7))
-* use exact matching for python requirements directive parsing ([#8199](https://github.com/windmill-labs/windmill/issues/8199)) ([2b2be38](https://github.com/windmill-labs/windmill/commit/2b2be38f129bbe58b6bb3815c4bd94aa03a3da90))
-
-
-### Performance Improvements
-
-* use two-step query in input history to leverage v2_job index ([#8197](https://github.com/windmill-labs/windmill/issues/8197)) ([50defdd](https://github.com/windmill-labs/windmill/commit/50defdded113b4d2cf0991b3fb642d1cd9a462b7))
-
-## [1.648.0](https://github.com/windmill-labs/windmill/compare/v1.647.2...v1.648.0) (2026-03-02)
-
-
-### Features
-
-* add right-click context menu to ObjectViewer ([#8181](https://github.com/windmill-labs/windmill/issues/8181)) ([1855204](https://github.com/windmill-labs/windmill/commit/18552046c29878b5cf115b9364c2ce829ab7aa59))
-* **frontend:** add drag-and-drop node movement in flow editor ([#8076](https://github.com/windmill-labs/windmill/issues/8076)) ([7a5e487](https://github.com/windmill-labs/windmill/commit/7a5e48787860c38aa3589c49ea9a70654d479c8a))
-
-
-### Bug Fixes
-
-* don't insert underscore after digit in PascalCase to snake_case conversion ([#8184](https://github.com/windmill-labs/windmill/issues/8184)) ([a111653](https://github.com/windmill-labs/windmill/commit/a111653c6d32fd1a3d2f45351eceb8d8d7df6f41))
-* **frontend:** preserve keycloak realm url between instance settings saves ([#8189](https://github.com/windmill-labs/windmill/issues/8189)) ([cfd9541](https://github.com/windmill-labs/windmill/commit/cfd9541ab1daf635c7d801cd3a7788db57b98257))
-* preserve debouncing settings for post-preprocessing arg accumulation ([#8191](https://github.com/windmill-labs/windmill/issues/8191)) ([9e92445](https://github.com/windmill-labs/windmill/commit/9e92445faed1a10b2406b97562e8df7a5b2dfd76))
-
-## [1.647.2](https://github.com/windmill-labs/windmill/compare/v1.647.1...v1.647.2) (2026-03-02)
-
-
-### Bug Fixes
-
-* update oracle instant client arm64 download url ([#8179](https://github.com/windmill-labs/windmill/issues/8179)) ([758b35f](https://github.com/windmill-labs/windmill/commit/758b35f8ebbf78e1473a8fd83dbc795d58b23b80))
-
-## [1.647.1](https://github.com/windmill-labs/windmill/compare/v1.647.0...v1.647.1) (2026-03-02)
-
-
-### Bug Fixes
-
-* add missing display_name and tenant fields to instance config OAuthClient ([#8176](https://github.com/windmill-labs/windmill/issues/8176)) ([db44b8b](https://github.com/windmill-labs/windmill/commit/db44b8be74e1709dbf759dd391bdb3861b3c711b))
-* add missing grant_types field to instance config OAuth structs ([#8175](https://github.com/windmill-labs/windmill/issues/8175)) ([fca94f8](https://github.com/windmill-labs/windmill/commit/fca94f88dd796db66e0c5bd0225e23b92efce4a7))
-* show sync endpoint timeout setting on all instances ([#8170](https://github.com/windmill-labs/windmill/issues/8170)) ([c70307d](https://github.com/windmill-labs/windmill/commit/c70307d3f2dfe61a0250dd12234470a25baf2d1b))
-
-## [1.647.0](https://github.com/windmill-labs/windmill/compare/v1.646.0...v1.647.0) (2026-03-01)
-
-
-### Features
-
-* populate baseUrl and userId in Nextcloud resource from OAuth ([#8132](https://github.com/windmill-labs/windmill/issues/8132)) ([5d58a87](https://github.com/windmill-labs/windmill/commit/5d58a87a7f02c4f7775bd02c885071495a5f686d))
-* runScript inline for path and hash ([#8019](https://github.com/windmill-labs/windmill/issues/8019)) ([7d9d16a](https://github.com/windmill-labs/windmill/commit/7d9d16a6a3357981e5692023982ca1e670acfaae))
-* slow stream warnings, batch size control, and fix result/skipped filters ([#8154](https://github.com/windmill-labs/windmill/issues/8154)) ([7a32abe](https://github.com/windmill-labs/windmill/commit/7a32abec96124f96a1dbac11e03162cca68f3286))
-
-
-### Bug Fixes
-
-* : persist show schedules and show future jobs toggles in local storage ([#8125](https://github.com/windmill-labs/windmill/issues/8125)) ([f1d8568](https://github.com/windmill-labs/windmill/commit/f1d8568831bf69ee790def4f90df8f32c59a94e0)), closes [#8123](https://github.com/windmill-labs/windmill/issues/8123)
-* add partial index for fast failure filtering on runs page ([#8150](https://github.com/windmill-labs/windmill/issues/8150)) ([d4673c2](https://github.com/windmill-labs/windmill/commit/d4673c2e91168dcdb0aca9d6c039df0d9c52bb28))
-* copy deps and remove user auto-add on workspace fork ([#8142](https://github.com/windmill-labs/windmill/issues/8142)) ([0776de6](https://github.com/windmill-labs/windmill/commit/0776de6b2173075f533fd59a49efb111000da5df))
-* fix custom TS Monaco worker not reloading on file uri change ([#8130](https://github.com/windmill-labs/windmill/issues/8130)) ([b68ff96](https://github.com/windmill-labs/windmill/commit/b68ff965dd4f67046fae7e8cf756c8b3e15c2643))
-* Handle CTEs and local tables in SQL asset parser ([#8131](https://github.com/windmill-labs/windmill/issues/8131)) ([0955051](https://github.com/windmill-labs/windmill/commit/095505136c2b3e03f656ace20a5c1bbe142fa63f))
-* prevent wm-cursor from hanging on stale cursor IPC sockets ([b9e3e05](https://github.com/windmill-labs/windmill/commit/b9e3e053e4914e753bbb806e6b748c791edb92d2))
-* process deletes before adds in CLI sync push to avoid conflicts ([#8148](https://github.com/windmill-labs/windmill/issues/8148)) ([278983c](https://github.com/windmill-labs/windmill/commit/278983c4fd38d67a14a8c208178c04db05ee1880))
-* remove review comments from discord notifications and support comment edits ([cdc0543](https://github.com/windmill-labs/windmill/commit/cdc0543747680267e30974037a2eb180a19062d9))
-* restore email domain (MX) setting in instance settings UI ([#8152](https://github.com/windmill-labs/windmill/issues/8152)) ([13daebf](https://github.com/windmill-labs/windmill/commit/13daebf88ac1abcb833646490073f922ac7c050e))
-* sync flow on_behalf_of_email on load ([#8149](https://github.com/windmill-labs/windmill/issues/8149)) ([faf190f](https://github.com/windmill-labs/windmill/commit/faf190f12d96cd75ba9eda10ab3e6f26d2eed813))
-* validate tarball URL host against registry to prevent SSRF and token exfiltration ([#8153](https://github.com/windmill-labs/windmill/issues/8153)) ([86182ed](https://github.com/windmill-labs/windmill/commit/86182ed2e999f018fc72343308e7df8e9de6c189))
-
-
-### Performance Improvements
-
-* batch large job list requests and fix loadExtraJobs cursor ([#8151](https://github.com/windmill-labs/windmill/issues/8151)) ([4f5a804](https://github.com/windmill-labs/windmill/commit/4f5a8040912e18f34401a6e3a95dea6f97d1d24c))
-* lazy-load heavy deps (graphql, openapi-parser, sha256) ([#8145](https://github.com/windmill-labs/windmill/issues/8145)) ([ba48d70](https://github.com/windmill-labs/windmill/commit/ba48d7015741eb6bbbe04088a957c37499cd8471))
-* lazy-load markdown in Tooltip components ([#8143](https://github.com/windmill-labs/windmill/issues/8143)) ([bd9ff03](https://github.com/windmill-labs/windmill/commit/bd9ff03010f75557dcc315d10e9208b4e9cafece))
-
-## [1.646.0](https://github.com/windmill-labs/windmill/compare/v1.645.0...v1.646.0) (2026-02-26)
-
-
-### Features
-
-* add force_branch parameter to git sync settings ([#8089](https://github.com/windmill-labs/windmill/issues/8089)) ([4e1ae27](https://github.com/windmill-labs/windmill/commit/4e1ae276b006992e06ae755ec9315dbfadf4f838))
-* add wmill docs CLI command for querying documentation ([#8114](https://github.com/windmill-labs/windmill/issues/8114)) ([01c7270](https://github.com/windmill-labs/windmill/commit/01c7270cdaa0d5dbee2e15aa5dd08551cff60c70))
-* Broad filters for search ([#8112](https://github.com/windmill-labs/windmill/issues/8112)) ([16a6d5e](https://github.com/windmill-labs/windmill/commit/16a6d5e7afe9323b2f2c7a93828518f5d924cc69))
-* change on behalf selector to allow picking any user + select value in target by default if possible ([#8113](https://github.com/windmill-labs/windmill/issues/8113)) ([408c5af](https://github.com/windmill-labs/windmill/commit/408c5af6d8352f1e205e4543772ce5d060556ffc))
-
-
-### Bug Fixes
-
-* remove duplicate job loading on chart zoom ([#8121](https://github.com/windmill-labs/windmill/issues/8121)) ([99c01bc](https://github.com/windmill-labs/windmill/commit/99c01bca3863ac9b2882948bb5914f051a7716a4))
-* runs page date picker query parameter handling ([#8120](https://github.com/windmill-labs/windmill/issues/8120)) ([427bc64](https://github.com/windmill-labs/windmill/commit/427bc6410be7fda132fc91991164e9b38b32c7e3))
-
-## [1.645.0](https://github.com/windmill-labs/windmill/compare/v1.644.0...v1.645.0) (2026-02-26)
-
-
-### Features
-
-* add resume and cancel button text options to Slack approval API + formatted args + typo ([#8095](https://github.com/windmill-labs/windmill/issues/8095)) ([c7c828b](https://github.com/windmill-labs/windmill/commit/c7c828b56e7a5f877ef0a78498018ed930bccb23))
-* Data table as pg resource / trigger ([#8088](https://github.com/windmill-labs/windmill/issues/8088)) ([8e7ba9b](https://github.com/windmill-labs/windmill/commit/8e7ba9b33da2ddba0eba8341219b9a3576a9d95d))
-* option to preserve on_behalf_of and edited_by for admins and users in the new wm_deployers group ([#8079](https://github.com/windmill-labs/windmill/issues/8079)) ([7ac93f6](https://github.com/windmill-labs/windmill/commit/7ac93f6ee30eb8dfa6ddb9c19697cde93bf7e134))
-* per-worktree database isolation and Claude Code auto-trust ([09970cd](https://github.com/windmill-labs/windmill/commit/09970cd22b8f19c6d01351f9a9bf4aac170116c2))
-* show triggers in fork deploy to parent UI. ([#8094](https://github.com/windmill-labs/windmill/issues/8094)) ([935b005](https://github.com/windmill-labs/windmill/commit/935b0058e2b8056e07f8dd8f80ef6de78ca8331f))
-
-
-### Bug Fixes
-
-* **backend:** fix skip check crash when flow-level skip_expr triggers on first module with skip_if ([#8111](https://github.com/windmill-labs/windmill/issues/8111)) ([7bb450e](https://github.com/windmill-labs/windmill/commit/7bb450edbfccd5c21dc5dbc1e7bf2f2ecc4c779c))
-* **backend:** pass parent_path for trigger renames in git sync ([#8059](https://github.com/windmill-labs/windmill/issues/8059)) ([5730009](https://github.com/windmill-labs/windmill/commit/5730009404171cbffb67d0296baf9c0aa2858816))
-* correct asset node x offset inside loops and branches ([#8093](https://github.com/windmill-labs/windmill/issues/8093)) ([1c9ac97](https://github.com/windmill-labs/windmill/commit/1c9ac97f876a82c6ce3b18e30ffdeea79ccd4481))
-* delete non-session tokens on workspace archive and reject token creation for archived workspaces ([#8082](https://github.com/windmill-labs/windmill/issues/8082)) ([bc67255](https://github.com/windmill-labs/windmill/commit/bc672555a77f3b78ff324a26603d2ab7839df77e))
-* improve Anthropic API proxy handling and update default models ([#8105](https://github.com/windmill-labs/windmill/issues/8105)) ([a9968d0](https://github.com/windmill-labs/windmill/commit/a9968d0aed446a090b158c3269ffeb6907330933))
-* optimize slow list_assets query for recents loading ([#8103](https://github.com/windmill-labs/windmill/issues/8103)) ([0c204b6](https://github.com/windmill-labs/windmill/commit/0c204b69bdd319af2706c1add552622678cd343f))
-* remove duplicate num_columns in test_parse_relation test ([cff9e2c](https://github.com/windmill-labs/windmill/commit/cff9e2c5c22b3c1a0b5891839fe59e4058ded888))
-* resolve Vite dependency pre-bundling errors ([#8102](https://github.com/windmill-labs/windmill/issues/8102)) ([07ddcd2](https://github.com/windmill-labs/windmill/commit/07ddcd2a08c103246b2b60f9df1ffb477ff97006))
-* use @-prefixed LIKE pattern for email domain matching ([#8101](https://github.com/windmill-labs/windmill/issues/8101)) ([02d5447](https://github.com/windmill-labs/windmill/commit/02d5447e1d567a18b0d6eb24f3423bd675f6cbe8))
-* use main runtime handle in QuickJS eval to prevent connection pool poisoning ([#8106](https://github.com/windmill-labs/windmill/issues/8106)) ([af2aca5](https://github.com/windmill-labs/windmill/commit/af2aca56b04c7a3fd25f096f2471292489923431))
-
 ## [1.644.0](https://github.com/windmill-labs/windmill/compare/v1.643.0...v1.644.0) (2026-02-24)


--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,84 +1,68 @@
-# Windmill
+# Windmill Development Guide

-Open-source platform for internal tools, workflows, API integrations, background jobs, and UIs. Rust backend + Svelte 5 frontend.
+## Overview

-## Workflow
+Windmill is an open-source developer platform for building internal tools, workflows, API integrations, background jobs, workflows, and user interfaces. See @windmill-overview.mdc for full platform details.

-1. **Understand**: Before coding, explore the codebase (see Code Navigation below). Use `outline` to understand file structure, `body` to read specific symbols, `def`/`callers`/`callees` to trace code, `Grep` to find usages. Read `docs/` for domain context.
-2. **Plan**: For non-trivial changes, use plan mode. For large features, break into reviewable stages
-3. **Execute**: Follow coding patterns from skills (`rust-backend`, `svelte-frontend`)
-4. **Validate**: After every change, run the appropriate checks per `docs/validation.md`
+## New Feature Implementation Guidelines

-## Documentation
+When implementing new features in Windmill, follow these best practices:

- **Validation**: `docs/validation.md` — what checks to run based on what you changed
- **Enterprise**: `docs/enterprise.md` — EE file conventions and PR workflow
- **Backend patterns**: use the `rust-backend` skill when writing Rust code
- **Frontend patterns**: use the `svelte-frontend` skill when writing Svelte code. Do NOT edit svelte files unless you have read that skill.
- **Code review**: use `/local-review` to review a PR for bugs and CLAUDE.md compliance
- **Domain guides**: `.claude/skills/native-trigger/` and `frontend/tutorial-system-guide.mdc`
- **Brand/UI guidelines**: `frontend/brand-guidelines.md`
+- **Clean Code First**: Write clean, readable, and maintainable code. Prioritize clarity over cleverness.
+- **Avoid Duplication at All Costs**: Before writing new code, thoroughly search for existing implementations that can be reused or extended.
+- **Adapt Existing Code**: Refactor and generalize existing code when necessary to avoid logic duplication. Extract common patterns into reusable utilities.
+- **Follow Established Patterns**: Study existing code patterns in the codebase and maintain consistency with established conventions.
+- **Single Responsibility**: Each function, component, and module should have a single, well-defined responsibility.
+- **Incremental Implementation**: Break large features into smaller, reviewable chunks that can be implemented and tested incrementally.
+
+## Language-Specific Guides
+
+- Backend (Rust): see `backend/CLAUDE.md` and the `rust-backend` skill: `.claude/skills/rust-backend/SKILL.md`
+- Frontend (Svelte 5): see `frontend/CLAUDE.md` and the `svelte-frontend` skill: `.claude/skills/svelte-frontend/SKILL.md`

 ## Dev Environment

 - **Backend**: `cargo run` from `backend/` (API at http://localhost:8000)
- **Frontend**: `REMOTE=http://localhost:8000 npm run dev` from `frontend/` (port 3000+)
- **DB**: `psql postgres://postgres:changeme@localhost:5432/windmill`
- **Login**: `admin@windmill.dev` / `changeme`
- **Instance settings**: navigate to `/#superadmin-settings`
+- **Frontend**: `REMOTE=http://localhost:8000 npm run dev` from `frontend/`
+  - The `REMOTE` env var configures the Vite proxy target. Without it, API calls proxy to `https://app.windmill.dev` instead of the local backend.
+  - The dev server starts on port 3000 (or 3001+ if 3000 is in use).
+- **Default login**: `admin@windmill.dev` / `changeme`
+- **Instance settings**: navigate to `/#superadmin-settings` (opens the drawer overlay)

-## Banned Patterns
+## UI Testing with Playwright MCP

-### `$bindable(default_value)` on optional props
+When testing the frontend with the Playwright MCP tools:

-Using `$bindable(default_value)` on props that can be `undefined` is **banned**. This pattern causes subtle bugs because the default value masks the `undefined` state.
+1. **Start servers**: Launch backend (`cargo run`) and frontend (`REMOTE=http://localhost:8000 npm run dev`) as background tasks
+2. **Wait for readiness**: Backend takes ~60s to compile; check output for `health check completed`. Frontend starts in ~5s.
+3. **Login flow**: Navigate to `/user/login`, click "Log in without third-party", fill email/password, submit
+4. **Instance settings drawer**: Navigate to `/#superadmin-settings` to open the drawer directly
+5. **Toggle components**: The YAML toggle uses a custom `<Toggle>` component where the checkbox is visually hidden (`sr-only`). Click the wrapper `<label>` element (the parent container with `cursor=pointer`), not the checkbox ref directly.
+6. **Console errors to ignore**: `critical_alerts` 404s are expected on CE builds (EE-only endpoint). VSCode worker 404s are dev-mode artifacts.

-**Bad:**
+## Code Validation (MUST DO)

-```svelte
-let { my_prop = $bindable(default_value) }: { my_prop?: string } = $props()
-```
+After making code changes, you MUST run the appropriate checks and fix all errors before considering the work done:

-**Correct alternatives:**
+- **Backend**: Run `cargo check` from the `backend/` directory. Only enable the feature flags needed for the code you changed — check `backend/Cargo.toml` `[features]` section to identify which flags gate the crates/modules you modified. For example: `cargo check --features enterprise,parquet` if you only touched enterprise and parquet code.
+- **Frontend**: Run `npm run check` from the `frontend/` directory.

-1. **Use `$derived` with nullish coalescing** — handle the potential `undefined` at the usage site:
+## Querying the Database

-   ```svelte
-   let { my_prop = $bindable() }: { my_prop?: string } = $props()
-   let effective_value = $derived(my_prop ?? default_value)
-   ```
+`backend/summarized_schema.txt` provides a compact overview of all tables, columns, types, ENUMs, and foreign keys. Use it to quickly understand the data model and relationships. Note: this file is a simplified summary — it omits indexes, constraints details, and other metadata.

-2. **Create a `useMyPropState()` helper** — encapsulate the undefined-handling logic in a reusable function and call it higher in the component tree, so the child component always receives a defined value.
-
-## Code Navigation
-
-`wm-ts-nav` is an AST-aware code navigator. Use **wm-ts-nav** for structural queries — it skips comments/strings and understands symbol boundaries.
-
-**MUST use `outline` before `Read`** on unfamiliar files — a 500-line file costs ~500 lines of context, while `outline` costs ~20. Then **MUST use `body "X"`** instead of reading a full file to see one function/struct. Use `Read` with offset/limit only when you need surrounding context that `body` doesn't capture.
- `refs "X" --caller` instead of reading files to find which function contains each reference
- `callers "X"` / `callees "X"` for call-graph questions
+For exact table definitions (indexes, constraints, column defaults, etc.), query the database directly:

 ```bash
-NAV="sh wm-ts-nav/nav"
-# Use --root backend for Rust, --root frontend/src for TS/Svelte
-$NAV --root backend outline backend/path/to/file.rs      # file structure
-$NAV --root backend def "ServiceName"                     # find definition
-$NAV --root backend body "decrypt_oauth_data"             # extract source code
-$NAV --root backend search "%" --parent ServiceName       # methods on a type
-$NAV --root backend search "Trigger" --kind struct        # find by kind
-$NAV --root backend refs "X" --file handler.rs --caller   # scoped refs with caller
-$NAV --root backend callers "X"                           # who calls X?
-$NAV --root backend callees "X"                           # what does X call?
+psql postgres://postgres:changeme@localhost:5432/windmill
 ```

-**Limitations** — syntax-level analysis, no type inference. Use **Grep** instead when completeness matters (finding all usages, exhaustiveness checks):
- `refs`/`callers`/`callees` can't follow re-exports, glob imports, or different import paths to the same symbol
- Trait impls, macro-generated symbols (`sqlx::FromRow`), and namespace member access (`ns.X`) are invisible
- `callees` shows all identifiers in a function body, not just actual calls
+Useful psql commands:
+- `\d <table_name>` — full table definition with indexes and constraints
+- `\di <table_name>*` — list indexes for a table
+- `\d+ <table_name>` — extended table info including storage and descriptions

-## Core Principles
-
- **MUST `outline` before `Read`** on unfamiliar files — then `body` or `Read` with offset/limit for specifics
- Search for existing code to reuse before writing new code
- Follow established patterns in the codebase
- Keep changes focused — don't refactor beyond what's asked
+This is also helpful for:
+- Inspecting database state during development
+- Testing queries before implementing them in Rust
+- Debugging data-related issues
--- a/18
+++ b/18
@@ -58,7 +58,7 @@ FROM node:24-alpine as frontend

 # install dependencies
 WORKDIR /frontend
-COPY ./frontend/package.json ./frontend/package-lock.json ./frontend/.npmrc ./
+COPY ./frontend/package.json ./frontend/package-lock.json ./
 COPY ./frontend/scripts/ ./scripts/
 RUN npm ci

@@ -126,7 +126,7 @@ ARG POWERSHELL_DEB_VERSION=7.5.0-1
 ARG KUBECTL_VERSION=1.28.7
 ARG HELM_VERSION=3.14.3
 # NOTE: If changing, also change go version in workspace dependencies template at WorkspaceDependenciesEditor.svelte
-ARG GO_VERSION=1.26.0
+ARG GO_VERSION=1.25.0
 ARG APP=/usr/src/app
 ARG WITH_POWERSHELL=true
 ARG WITH_KUBECTL=true
@@ -256,23 +256,17 @@ COPY --from=windmill_duckdb_ffi_internal_builder /windmill-duckdb-ffi-internal/t

 COPY --from=denoland/deno:2.2.1 --chmod=755 /usr/bin/deno /usr/bin/deno

-COPY --from=oven/bun:1.3.10 /usr/local/bin/bun /usr/bin/bun
+COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun

 # Install windmill CLI
 RUN bun install -g windmill-cli \
    && ln -s $(bun pm bin -g)/wmill /usr/bin/wmill

-# Install Claude Code CLI (used by claude sandbox scripts)
-# The installer puts the binary in ~/.local/bin/claude (symlink to ~/.local/share/claude/versions/*)
-# Copy it to /usr/bin/claude so it's accessible inside nsjail sandbox (which mounts /usr but not /root)
-RUN curl -fsSL https://claude.ai/install.sh | bash \
-    && cp /root/.local/share/claude/versions/* /usr/bin/claude
-
-COPY --from=php:8.3.30-cli /usr/local/bin/php /usr/bin/php
-COPY --from=composer:2.9.5 /usr/bin/composer /usr/bin/composer
+COPY --from=php:8.3.7-cli /usr/local/bin/php /usr/bin/php
+COPY --from=composer:2.7.6 /usr/bin/composer /usr/bin/composer

 # add the docker client to call docker from a worker if enabled
-COPY --from=docker:29-dind /usr/local/bin/docker /usr/local/bin/
+COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/

 ENV RUSTUP_HOME="/tmp/windmill/cache/rustup"
 ENV CARGO_HOME="/tmp/windmill/cache/cargo"
--- a/Dockerfile.sandbox
+++ b/Dockerfile.sandbox
@@ -0,0 +1,238 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    git \
+    iptables \
+    gosu \
+    sudo \
+    unzip \
+    # Rust native build deps (for cargo check)
+    pkg-config \
+    cmake \
+    clang \
+    mold \
+    libtool \
+    libssl-dev \
+    libxml2-dev \
+    libxmlsec1-dev \
+    libxslt1-dev \
+    libffi-dev \
+    zlib1g-dev \
+    libcurl4-openssl-dev \
+    libclang-dev \
+    libkrb5-dev \
+    libsasl2-dev \
+    # PostgreSQL (for local DB during development)
+    postgresql \
+    postgresql-client \
+    # Node.js 22 (for npm run check / frontend dev)
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/* \
+    # Container runs as arbitrary UIDs (--user uid:gid). These three lines make
+    # sudo work for any UID:
+    # 1) NOPASSWD rule so sudo never prompts for a password
+    # 2) Writable passwd/group so the entrypoint can register the dynamic UID
+    # 3) Writable shadow so unix_chkpwd can validate the account (without this,
+    #    sudo fails with "account validation failure, is your account locked?")
+    && echo "ALL ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sandbox \
+    && chmod 0440 /etc/sudoers.d/sandbox \
+    && chmod 666 /etc/passwd /etc/group /etc/shadow
+
+# ── GitHub CLI (for PR creation) ──────────────────────────────────────────────
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+        -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+        > /etc/apt/sources.list.d/github-cli.list \
+    && apt-get update && apt-get install -y --no-install-recommends gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# ── Rust toolchain ────────────────────────────────────────────────────────────
+# Install under /usr/local/lib/ so bins are world-readable with default umask.
+# CARGO_HOME is overridden to /tmp/.cargo at the end for mutable runtime state.
+ENV RUSTUP_HOME=/usr/local/lib/rustup CARGO_HOME=/usr/local/lib/cargo
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+    sh -s -- -y --default-toolchain stable --profile minimal && \
+    ln -s /usr/local/lib/cargo/bin/* /usr/local/bin/
+RUN cargo install sqlx-cli --no-default-features --features native-tls,postgres && \
+    cargo install cargo-watch && \
+    cargo install --locked --git https://github.com/asciinema/asciinema && \
+    ln -sf /usr/local/lib/cargo/bin/sqlx /usr/local/bin/sqlx && \
+    ln -sf /usr/local/lib/cargo/bin/cargo-watch /usr/local/bin/cargo-watch && \
+    ln -sf /usr/local/lib/cargo/bin/asciinema /usr/local/bin/asciinema
+
+# ── Register dynamic runtime users ───────────────────────────────────────────
+RUN cat <<'SCRIPT' > /usr/local/bin/register-dynamic-user.sh
+#!/bin/sh
+set -eu
+
+uid="${1:-}"
+gid="${2:-}"
+
+if [ -z "$uid" ] || [ -z "$gid" ]; then
+    echo "register-dynamic-user: usage: register-dynamic-user <uid> <gid>" >&2
+    exit 1
+fi
+
+if ! getent group "$gid" >/dev/null 2>&1; then
+    echo "sandbox:x:${gid}:" >> /etc/group
+fi
+
+if ! getent passwd "$uid" >/dev/null 2>&1; then
+    echo "sandbox:x:${uid}:${gid}:sandbox:/tmp:/bin/sh" >> /etc/passwd
+fi
+
+# Add a shadow entry ("*" = no password) so unix_chkpwd doesn't reject sudo.
+if ! grep -q "^sandbox:" /etc/shadow 2>/dev/null; then
+    echo "sandbox:*:19000:0:99999:7:::" >> /etc/shadow
+fi
+SCRIPT
+RUN chmod +x /usr/local/bin/register-dynamic-user.sh
+
+# ── Network init script (iptables firewall + privilege drop) ──────────────────
+RUN cat <<'SCRIPT' > /usr/local/bin/network-init.sh
+#!/bin/bash
+set -euo pipefail
+
+if [ -n "${WM_PROXY_HOST:-}" ] && [ -n "${WM_PROXY_PORT:-}" ]; then
+    # Resolve hostnames to ALL IPs (multi-A records, round-robin DNS)
+    PROXY_IPS=$(getent ahostsv4 "$WM_PROXY_HOST" | awk '{print $1}' | sort -u)
+    RPC_HOST="${WM_RPC_HOST:-$WM_PROXY_HOST}"
+    RPC_IPS=$(getent ahostsv4 "$RPC_HOST" | awk '{print $1}' | sort -u)
+
+    if [ -z "$PROXY_IPS" ] || [ -z "$RPC_IPS" ]; then
+        echo "network-init: failed to resolve proxy/RPC host" >&2
+        exit 1
+    fi
+
+    # IPv4: default deny outbound
+    iptables -P OUTPUT DROP
+    iptables -A OUTPUT -o lo -j ACCEPT
+    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+    # Allow DNS (UDP/TCP 53) to configured nameservers.
+    if [ -f /etc/resolv.conf ]; then
+        grep '^nameserver' /etc/resolv.conf | awk '{print $2}' | while read -r ns; do
+            iptables -A OUTPUT -d "$ns" -p udp --dport 53 -j ACCEPT
+            iptables -A OUTPUT -d "$ns" -p tcp --dport 53 -j ACCEPT
+        done
+    fi
+
+    # Allow ALL resolved proxy IPs (handles multi-A DNS)
+    for ip in $PROXY_IPS; do
+        iptables -A OUTPUT -d "$ip" -p tcp --dport "$WM_PROXY_PORT" -j ACCEPT
+    done
+
+    # Allow ALL resolved RPC IPs
+    if [ -n "${WM_RPC_PORT:-}" ]; then
+        for ip in $RPC_IPS; do
+            iptables -A OUTPUT -d "$ip" -p tcp --dport "$WM_RPC_PORT" -j ACCEPT
+        done
+    fi
+
+    # Reject (not drop) everything else to fail fast instead of hanging
+    iptables -A OUTPUT -j REJECT
+
+    # IPv6: block entirely to prevent leaks (fail closed)
+    if ip6tables -L -n >/dev/null 2>&1; then
+        ip6tables -P OUTPUT DROP
+        ip6tables -A OUTPUT -o lo -j ACCEPT
+        ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+        ip6tables -A OUTPUT -j REJECT
+    else
+        if ! sysctl -w net.ipv6.conf.all.disable_ipv6=1 2>/dev/null; then
+            echo "network-init: failed to block IPv6 (neither ip6tables nor sysctl available)" >&2
+            exit 1
+        fi
+    fi
+fi
+
+# Add sandbox user/group so sudo works after dropping privileges.
+if [ -z "${WM_TARGET_UID:-}" ] || [ -z "${WM_TARGET_GID:-}" ]; then
+    echo "network-init: WM_TARGET_UID and WM_TARGET_GID are required" >&2
+    exit 1
+fi
+/usr/local/bin/register-dynamic-user.sh "${WM_TARGET_UID}" "${WM_TARGET_GID}"
+
+# Fix PTY ownership so the unprivileged user can read/write the terminal.
+if [ -t 0 ]; then
+    chown "${WM_TARGET_UID}:${WM_TARGET_GID}" "$(tty)"
+fi
+
+# Drop privileges and exec the user command.
+exec gosu "${WM_TARGET_UID}:${WM_TARGET_GID}" env HOME=/tmp "$@"
+SCRIPT
+RUN chmod +x /usr/local/bin/network-init.sh
+
+# ── workmux (sandbox RPC) ────────────────────────────────────────────────────
+RUN curl -fsSL https://raw.githubusercontent.com/raine/workmux/main/scripts/install.sh | bash
+
+# ── Claude Code ───────────────────────────────────────────────────────────────
+RUN curl -fsSL https://claude.ai/install.sh | bash && \
+    target="$(readlink -f /root/.local/bin/claude)" && \
+    mv /root/.local/share/claude /usr/local/lib/claude && \
+    ln -s "/usr/local/lib/claude/versions/$(basename "$target")" /usr/local/bin/claude && \
+    mkdir -p /tmp/.local/bin && \
+    ln -s /usr/local/bin/claude /tmp/.local/bin/claude && \
+    chmod -R a+rwX /tmp/.local
+
+# ── Codex ─────────────────────────────────────────────────────────────────────
+RUN npm i -g @openai/codex
+
+# ── Bun ───────────────────────────────────────────────────────────────────────
+ENV BUN_INSTALL=/usr/local/lib/bun
+RUN curl -fsSL https://bun.sh/install | bash && \
+    ln -s /usr/local/lib/bun/bin/bun /usr/local/bin/bun && \
+    ln -s /usr/local/lib/bun/bin/bunx /usr/local/bin/bunx
+
+# ── Playwright + Chromium (for screenshots) ──────────────────────────────────
+ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/lib/playwright-browsers
+RUN bun add -g @playwright/test \
+    && bunx playwright install chromium --with-deps \
+    && chmod -R a+rwX /usr/local/lib/playwright-browsers \
+    && chmod -R a+rwX /usr/local/lib/bun/install \
+    && rm -rf /var/lib/apt/lists/* /tmp/bunx-*
+
+# ── AWS CLI (for S3-compatible uploads to R2) ─────────────────────────────────
+RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \
+    && unzip -q /tmp/awscliv2.zip -d /tmp \
+    && /tmp/aws/install \
+    && rm -rf /tmp/aws /tmp/awscliv2.zip
+
+ENV AWS_DEFAULT_REGION=auto
+
+# ── Runtime env for arbitrary UID ─────────────────────────────────────────────
+# Mutable state goes to /tmp (writable by any UID). Toolchains stay read-only.
+ENV CARGO_HOME=/tmp/.cargo BUN_TMPDIR=/tmp
+
+# ── Entrypoint ────────────────────────────────────────────────────────────────
+RUN cat <<'ENTRY' > /usr/local/bin/entrypoint.sh
+#!/bin/sh
+/usr/local/bin/register-dynamic-user.sh "$(id -u)" "$(id -g)"
+
+# Start PostgreSQL (unix socket in /tmp, owned by postgres user)
+mkdir -p /tmp/pgdata && sudo chown postgres:postgres /tmp/pgdata
+if [ ! -f /tmp/pgdata/PG_VERSION ]; then
+    sudo -u postgres /usr/lib/postgresql/15/bin/initdb -D /tmp/pgdata --auth=trust
+fi
+sudo -u postgres /usr/lib/postgresql/15/bin/pg_ctl -D /tmp/pgdata -l /tmp/pg.log start -o "-k /tmp"
+sudo -u postgres psql -h /tmp -c "CREATE ROLE sandbox SUPERUSER LOGIN" 2>/dev/null || true
+sudo -u postgres createdb -h /tmp windmill 2>/dev/null || true
+
+# Run database migrations so sqlx compile-time checks work
+if [ -d "$PWD/backend/migrations" ]; then
+    DATABASE_URL="postgres://sandbox@localhost/windmill?host=/tmp" \
+        sqlx migrate run --source "$PWD/backend/migrations" 2>/dev/null || true
+fi
+
+# Install frontend dependencies and generate backend client
+if [ -d "$PWD/frontend" ]; then
+    (cd "$PWD/frontend" && npm install && npm run generate-backend-client) 2>/dev/null || true
+fi
+
+exec "$@"
+ENTRY
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
--- a/README_WORKMUX_DEV.md
+++ b/README_WORKMUX_DEV.md
@@ -192,6 +192,70 @@ sandbox:

 This mounts both the main EE repo (used by the main worktree) and the EE worktrees directory (used by feature worktrees) into every sandbox container.

+## Cursor SSH Integration (`wmc`)
+
+`wm-cursor` (aliased as `wmc`) gives each worktree its own Cursor SSH remote window with an independently-focused tmux session. All windows are visible in the status bar across all Cursor terminals, but each one is focused on its own worktree.
+
+This uses **grouped tmux sessions** — multiple sessions that share the same window list but track focus independently:
+
+```
+tmux session: main          <-- your main Cursor terminal
+tmux session: cursor-feat-a <-- Cursor window for feat-a (focused on wm-feat-a)
+tmux session: cursor-feat-b <-- Cursor window for feat-b (focused on wm-feat-b)
+    \__ all three share the same windows in the status bar
+```
+
+### Setup
+
+Run once from inside tmux on the remote:
+
+```bash
+./scripts/wm-cursor setup /home/hugo/projects/windmill
+```
+
+This:
+
+1. **Merges `.vscode/settings.json`** — adds the `wm-tmux` terminal profile (auto-attaches to the `main` tmux session), disables auto port forwarding, configures forwarding for ports 8000/3000/5432, and stops rust-analyzer from auto-starting. Existing settings are preserved.
+2. **Creates `.vscode/tasks.json`** — auto-starts the dev database (`start-dev-db.sh`) when the folder opens.
+3. **Adds `wmc` alias to `~/.zshrc`** — so you can use `wmc` from any tmux window.
+4. **Adds `eval "$(wmc completions)"`** to `~/.zshrc` — provides tab-completion for subcommands and worktree names (for `open`, `open-ee`, and `close`).
+
+After setup, reopen Cursor's terminal to pick up the new profile.
+
+### Usage
+
+All commands run from inside a tmux session (i.e., from Cursor's integrated terminal after setup).
+
+**Create a new worktree + open Cursor:**
+
+```bash
+wmc add -A -p "implement feature X"
+```
+
+This runs `workmux add`, creates a grouped tmux session, writes `.vscode/settings.json` in the worktree (with port forwarding matching the worktree's assigned ports), and opens a new Cursor window.
+
+**Open Cursor for an existing worktree:**
+
+```bash
+wmc open my-feature
+```
+
+**Open the EE worktree in Cursor (no tmux session):**
+
+```bash
+wmc open-ee my-feature
+```
+
+This finds the matching `windmill-ee-private__worktrees/<name>` directory and opens it in a new Cursor window.
+
+**Close a worktree's Cursor window and tmux window (keeps the worktree):**
+
+```bash
+wmc close my-feature
+```
+
+This kills the grouped tmux session and calls `workmux close` to close the tmux window. The worktree and branch are preserved. Grouped sessions are also automatically cleaned up when you `workmux rm` a worktree (via `scripts/worktree-cleanup`).
+
 ## Cargo Features

 To build the backend with specific Cargo features (e.g., `enterprise`, `parquet`), pass them via `CARGO_FEATURES`. The backend pane reads this from `.env.local` and appends `--features <value>` to the `cargo watch` command.
@@ -206,6 +270,20 @@ CARGO_FEATURES="enterprise,parquet" wm add my-feature

 This gets written to `.env.local` by the `post_create` hook (`scripts/worktree-env`), and the backend pane picks it up automatically.

+**With `wmc` (wm-cursor):**
+
+Use the `--features` flag:
+
+```bash
+# Create a new worktree with features
+wmc add --features "enterprise,parquet" -A -p "implement feature X"
+
+# Open an existing worktree with different features
+wmc open my-feature --features "enterprise,parquet"
+```
+
+The `--features` flag exports `CARGO_FEATURES` so the `post_create` hook writes it to `.env.local`. When using `wmc open`, it updates the existing `.env.local` with the new features.
+
 ## Login

 Default credentials: `admin@windmill.dev` / `changeme`
--- a/backend/.sqlx/query-00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f.json
+++ b/backend/.sqlx/query-00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = now() + interval '60 seconds'\n                         WHERE workspace_id = $1 AND name = $2 AND leased_by = $3 AND lease_until > now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "00bf3dbd9d3f51dd7fdefcbd654d55e0379cc84188954037165cbe2d198ef71f"
-}
--- a/backend/.sqlx/query-02e526146f3584cd599dec708e1be48db3b0cd1c74adbfa2e4039377daa016f0.json
+++ b/backend/.sqlx/query-02e526146f3584cd599dec708e1be48db3b0cd1c74adbfa2e4039377daa016f0.json
@@ -20,8 +20,7 @@
                      "resource",
                      "variable",
                      "ducklake",
-                      "datatable",
-                      "volume"
+                      "datatable"
                    ]
                  }
                }
--- a/backend/.sqlx/query-038d2fde90fa9e99e30d15161777fa3ab402e33edfca46daa95b52e525424586.json
+++ b/backend/.sqlx/query-038d2fde90fa9e99e30d15161777fa3ab402e33edfca46daa95b52e525424586.json
@@ -1,41 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT id, topic, partition, \"offset\" FROM kafka_pending_commits\n           WHERE workspace_id = $1 AND kafka_trigger_path = $2\n           ORDER BY id",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Int8"
-      },
-      {
-        "ordinal": 1,
-        "name": "topic",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 2,
-        "name": "partition",
-        "type_info": "Int4"
-      },
-      {
-        "ordinal": 3,
-        "name": "offset",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false,
-      false,
-      false
-    ]
-  },
-  "hash": "038d2fde90fa9e99e30d15161777fa3ab402e33edfca46daa95b52e525424586"
-}
--- a/backend/.sqlx/query-072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04.json
+++ b/backend/.sqlx/query-072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04.json
@@ -1,29 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n            UPDATE kafka_trigger\n            SET\n                kafka_resource_path = $1,\n                group_id = $2,\n                topics = $3,\n                filters = $4,\n                auto_offset_reset = $5,\n                auto_commit = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                edited_by = $10,\n                email = $11,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND path = $13\n            ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "VarcharArray",
-        "JsonbArray",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Varchar",
-        "Text",
-        "Text",
-        "Varchar",
-        "Jsonb",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04"
-}
--- a/backend/.sqlx/query-083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e.json
+++ b/backend/.sqlx/query-083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT large_file_storage->>'volume_storage' FROM workspace_settings WHERE workspace_id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "?column?",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "083d69abc8a662bb364cf43b8ffc6e9b159a54c179cecb108068597536835f7e"
-}
--- a/backend/.sqlx/query-08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7.json
+++ b/backend/.sqlx/query-08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7.json
@@ -0,0 +1,202 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT * FROM workspace_settings WHERE teams_team_id = $1 AND teams_command_script IS NOT NULL",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "workspace_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 1,
+        "name": "slack_team_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 2,
+        "name": "slack_name",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 3,
+        "name": "slack_command_script",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 4,
+        "name": "slack_email",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 5,
+        "name": "customer_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 6,
+        "name": "plan",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 7,
+        "name": "webhook",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 8,
+        "name": "deploy_to",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 9,
+        "name": "ai_config",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 10,
+        "name": "large_file_storage",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 11,
+        "name": "git_sync",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 12,
+        "name": "default_app",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 13,
+        "name": "default_scripts",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 14,
+        "name": "deploy_ui",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 15,
+        "name": "mute_critical_alerts",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 16,
+        "name": "color",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 17,
+        "name": "operator_settings",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 18,
+        "name": "teams_command_script",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 19,
+        "name": "teams_team_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "teams_team_name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 21,
+        "name": "git_app_installations",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 22,
+        "name": "ducklake",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 23,
+        "name": "slack_oauth_client_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 24,
+        "name": "slack_oauth_client_secret",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 25,
+        "name": "datatable",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 26,
+        "name": "teams_team_guid",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 27,
+        "name": "auto_invite",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 28,
+        "name": "error_handler",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 29,
+        "name": "success_handler",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 30,
+        "name": "public_app_execution_limit_per_minute",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      true,
+      true,
+      true,
+      false,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      false,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true,
+      true
+    ]
+  },
+  "hash": "08f288d2781d823e109a9e5b8848234ca7d1efeee9661f3901f298da375e73f7"
+}
--- a/backend/.sqlx/query-0af0e0a1dddeee2021ba060e390e1b60caa3752669636e9fb0817a68121a9451.json
+++ b/backend/.sqlx/query-0af0e0a1dddeee2021ba060e390e1b60caa3752669636e9fb0817a68121a9451.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE job_stats SET offsets_cs = array_append(offsets_cs, (EXTRACT(EPOCH FROM (now() - timeseries_start)) * 100)::int), timeseries_int = array_append(timeseries_int, $4) WHERE workspace_id = $1 AND job_id = $2 AND metric_id = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Uuid",
-        "Text",
-        "Int4"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "0af0e0a1dddeee2021ba060e390e1b60caa3752669636e9fb0817a68121a9451"
-}
--- a/backend/.sqlx/query-0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4.json
+++ b/backend/.sqlx/query-0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT extra_perms FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "extra_perms",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0afd4ae50ff7e1b0dcca4b483816c595401dd2e1f7699a28bf3b79db5e3841f4"
-}
--- a/backend/.sqlx/query-0cd9cad7109340edc81a5a40620b6efdae570e3416ec6c2493cc04f75c32a699.json
+++ b/backend/.sqlx/query-0cd9cad7109340edc81a5a40620b6efdae570e3416ec6c2493cc04f75c32a699.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_queue SET canceled_by = $2, canceled_reason = $3 WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "0cd9cad7109340edc81a5a40620b6efdae570e3416ec6c2493cc04f75c32a699"
-}
--- a/backend/.sqlx/query-0d4f28ca0c5697c96711ca7225a9a4013e6ccabb495c371471c9d1287defda8f.json
+++ b/backend/.sqlx/query-0d4f28ca0c5697c96711ca7225a9a4013e6ccabb495c371471c9d1287defda8f.json
@@ -1,40 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n            SELECT j.id, j.runnable_path, j.args, j.kind::text AS \"kind!\"\n            FROM v2_job j\n            JOIN v2_job_queue q ON j.id = q.id\n            WHERE j.runnable_path = $1\n              AND j.kind = 'deploymentcallback'\n            ORDER BY j.created_at DESC\n            ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Uuid"
-      },
-      {
-        "ordinal": 1,
-        "name": "runnable_path",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 2,
-        "name": "args",
-        "type_info": "Jsonb"
-      },
-      {
-        "ordinal": 3,
-        "name": "kind!",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      true,
-      true,
-      null
-    ]
-  },
-  "hash": "0d4f28ca0c5697c96711ca7225a9a4013e6ccabb495c371471c9d1287defda8f"
-}
--- a/backend/.sqlx/query-0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750.json
+++ b/backend/.sqlx/query-0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT created_by FROM volume WHERE name = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "created_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0eb54f04a8185085b3f80772f5c28e666f6fbd1ec5ee9d30ee0cdb5e30a68750"
-}
--- a/backend/.sqlx/query-0ee14619dd81df460b2b8cc6df2b89646279f77469c35deffca8e17a11d7f6c8.json
+++ b/backend/.sqlx/query-0ee14619dd81df460b2b8cc6df2b89646279f77469c35deffca8e17a11d7f6c8.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            (elem->>'installation_id')::bigint as installation_id,\n            elem->>'account_id' as account_id,\n            elem->>'github_base_url' as github_base_url\n        FROM workspace_settings,\n        LATERAL jsonb_array_elements(git_app_installations) AS elem\n        WHERE workspace_id = $1\n        ",
+  "query": "\n        SELECT\n            (elem->>'installation_id')::bigint as installation_id,\n            elem->>'account_id' as account_id\n        FROM workspace_settings,\n        LATERAL jsonb_array_elements(git_app_installations) AS elem\n        WHERE workspace_id = $1\n        ",
  "describe": {
    "columns": [
      {
@@ -12,11 +12,6 @@
        "ordinal": 1,
        "name": "account_id",
        "type_info": "Text"
-      },
-      {
-        "ordinal": 2,
-        "name": "github_base_url",
-        "type_info": "Text"
      }
    ],
    "parameters": {
@@ -25,10 +20,9 @@
      ]
    },
    "nullable": [
-      null,
      null,
      null
    ]
  },
-  "hash": "ae7adc583cdd3f876164ed60569ed531b05eaa17fccc599306eb1a96a65ee761"
+  "hash": "0ee14619dd81df460b2b8cc6df2b89646279f77469c35deffca8e17a11d7f6c8"
 }
--- a/backend/.sqlx/query-0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba.json
+++ b/backend/.sqlx/query-0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT email FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%@', $2::text)) AND NOT EXISTS (\n                    SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n                )",
+  "query": "SELECT email FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%', $2::text)) AND NOT EXISTS (\n                    SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n                )",
  "describe": {
    "columns": [
      {
@@ -19,5 +19,5 @@
      false
    ]
  },
-  "hash": "886a921adc115f0a9c6f3a68381bd8f5a16866135120175d9073b9b2c41bbd51"
+  "hash": "0ef37117c369f03236e18f9dbb1f3d52776c8cb73f2507199c6ca16d4d2405ba"
 }
--- a/backend/.sqlx/query-10af387fce25f6ea7af275e8e93b7ab1f2fc29a2ba79a39576551bdf66b592b6.json
+++ b/backend/.sqlx/query-10af387fce25f6ea7af275e8e93b7ab1f2fc29a2ba79a39576551bdf66b592b6.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_queue SET suspend = $2, suspend_until = now() + interval '14 day' WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Int4"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "10af387fce25f6ea7af275e8e93b7ab1f2fc29a2ba79a39576551bdf66b592b6"
-}
--- a/backend/.sqlx/query-14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6.json
+++ b/backend/.sqlx/query-14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6.json
@@ -1,25 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, lease_until, leased_by)\n                     VALUES ($1, $2, 0, $3, now() + interval '60 seconds', $4)\n                     ON CONFLICT (workspace_id, name) DO UPDATE\n                     SET lease_until = now() + interval '60 seconds', leased_by = $4\n                     WHERE volume.lease_until IS NULL OR volume.lease_until < now()\n                     RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "14004a7c1641a3157eddd571fea11a1dfb1422187200119268b2342b47a960c6"
-}
--- a/backend/.sqlx/query-16c96166ffa6b9aec65c6072b204b52b87e3c2f3d76e47eb173fc78721355066.json
+++ b/backend/.sqlx/query-16c96166ffa6b9aec65c6072b204b52b87e3c2f3d76e47eb173fc78721355066.json
@@ -0,0 +1,14 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n                    WITH _ AS (\n                        UPDATE debounce_key\n                        SET debounced_times = 0, -- reset debounced_times\n                            first_started_at = now(), -- rest\n                            previous_job_id = NULL\n                        WHERE job_id = $1\n                    )\n                    UPDATE v2_job_debounce_batch                 \n                    SET debounce_batch = nextval('debounce_batch_seq') -- move to new batch\n                    WHERE id = $1\n                        ",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "16c96166ffa6b9aec65c6072b204b52b87e3c2f3d76e47eb173fc78721355066"
+}
--- a/backend/.sqlx/query-181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051.json
+++ b/backend/.sqlx/query-181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, runnable_path, preprocessed)\n             VALUES ($1, 'flow', 'flow', 'test-user', 'u/test-user', 'test@windmill.dev', $2, $3, $4)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Varchar",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "181e6fca7e0d0fd88eccd79303f0339b1f2194c52f6bd1245dfa8ff3f0db4051"
-}
--- a/backend/.sqlx/query-19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed.json
+++ b/backend/.sqlx/query-19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email FROM token WHERE token = $1 AND (expiration > NOW() OR expiration IS NULL)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "19a7ebb2e7e8e57b6e7c974da8eb7c6841a5c4ff12ba7c12c73d691c49dd99ed"
-}
--- a/backend/.sqlx/query-1a0ab65bbf2751f702fc696c1e32a7dd9524cdd806be1ad8e9ab88d4c88d3f82.json
+++ b/backend/.sqlx/query-1a0ab65bbf2751f702fc696c1e32a7dd9524cdd806be1ad8e9ab88d4c88d3f82.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        WITH job_info AS (\n            SELECT id, kind::text AS kind, parent_job\n            FROM v2_job\n            WHERE id = $1\n        )\n        SELECT\n            q.id AS \"id!\",\n            s.flow_status,\n            q.suspend AS \"suspend!\",\n            j.runnable_path AS script_path,\n            j.permissioned_as_email AS email,\n            (ji.kind IN ('flow', 'flowpreview')) AS \"is_flow_level!\",\n            (ji.kind NOT IN ('flow', 'flowpreview') AND q.id = ji.id) AS \"is_wac!\"\n        FROM job_info ji\n        JOIN v2_job_queue q ON q.id = CASE\n            WHEN ji.kind IN ('flow', 'flowpreview') THEN ji.id\n            ELSE COALESCE(ji.parent_job, ji.id)\n        END\n        JOIN v2_job j ON j.id = q.id\n        LEFT JOIN v2_job_status s ON s.id = q.id\n        FOR UPDATE OF q\n        ",
+  "query": "\n        WITH job_info AS (\n            SELECT id, kind::text AS kind, parent_job\n            FROM v2_job\n            WHERE id = $1\n        )\n        SELECT\n            q.id AS \"id!\",\n            s.flow_status,\n            q.suspend AS \"suspend!\",\n            j.runnable_path AS script_path,\n            j.permissioned_as_email AS email,\n            (ji.kind IN ('flow', 'flowpreview')) AS \"is_flow_level!\"\n        FROM job_info ji\n        JOIN v2_job_queue q ON q.id = CASE\n            WHEN ji.kind IN ('flow', 'flowpreview') THEN ji.id\n            ELSE ji.parent_job\n        END\n        JOIN v2_job j ON j.id = q.id\n        JOIN v2_job_status s ON s.id = q.id\n        FOR UPDATE OF q\n        ",
  "describe": {
    "columns": [
      {
@@ -32,11 +32,6 @@
        "ordinal": 5,
        "name": "is_flow_level!",
        "type_info": "Bool"
-      },
-      {
-        "ordinal": 6,
-        "name": "is_wac!",
-        "type_info": "Bool"
      }
    ],
    "parameters": {
@@ -50,9 +45,8 @@
      false,
      true,
      false,
-      null,
      null
    ]
  },
-  "hash": "dbc7e74e259b502e700491ee0248e0c9c8c61e1bf609be60ac5dc5d438189353"
+  "hash": "1a0ab65bbf2751f702fc696c1e32a7dd9524cdd806be1ad8e9ab88d4c88d3f82"
 }
--- a/backend/.sqlx/query-1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e.json
+++ b/backend/.sqlx/query-1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET last_used_at = now() WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1d2f765c2a71e1154ca5d9f5e52ef31e6d647377d37747f7bdc834748a59419e"
-}
--- a/backend/.sqlx/query-1db82007445ff5f644bb607aa28f5747cb50d193475fff5fcfdde37d1bc74636.json
+++ b/backend/.sqlx/query-1db82007445ff5f644bb607aa28f5747cb50d193475fff5fcfdde37d1bc74636.json
@@ -0,0 +1,17 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE job_stats SET timestamps = array_append(timestamps, now()), timeseries_int = array_append(timeseries_int, $4) WHERE workspace_id = $1 AND job_id = $2 AND metric_id = $3",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Uuid",
+        "Text",
+        "Int4"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "1db82007445ff5f644bb607aa28f5747cb50d193475fff5fcfdde37d1bc74636"
+}
--- a/backend/.sqlx/query-1df610a583e86edb70c374fd66c68554a6a4291426c09dd5b04fd832f9d31208.json
+++ b/backend/.sqlx/query-1df610a583e86edb70c374fd66c68554a6a4291426c09dd5b04fd832f9d31208.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT reset_offset FROM kafka_trigger WHERE workspace_id = $1 AND path = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "reset_offset",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "1df610a583e86edb70c374fd66c68554a6a4291426c09dd5b04fd832f9d31208"
-}
--- a/backend/.sqlx/query-1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab.json
+++ b/backend/.sqlx/query-1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, last_used_at)\n         VALUES ($1, $2, $3, $4, now())\n         ON CONFLICT (workspace_id, name) DO UPDATE\n         SET size_bytes = $3, last_used_at = now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Int8",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1e9b9a02f45e6200f4d101bd5336fc8ce983f857339e6fccf799dc6587964aab"
-}
--- a/backend/.sqlx/query-23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc.json
+++ b/backend/.sqlx/query-23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc.json
@@ -1,25 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by, lease_until, leased_by)\n         VALUES ($1, $2, 0, $3, now() + interval '60 seconds', $4)\n         ON CONFLICT (workspace_id, name) DO UPDATE\n         SET lease_until = now() + interval '60 seconds', leased_by = $4\n         WHERE volume.lease_until IS NULL OR volume.lease_until < now()\n         RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "23f47f5207abe0cfaede197aeee485957990eb92fa3ce515895eab0d3f28bfdc"
-}
--- a/backend/.sqlx/query-28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98.json
+++ b/backend/.sqlx/query-28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = NULL, leased_by = NULL\n                 WHERE workspace_id = $1 AND name = $2 AND leased_by = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "28df7bbe1f54f69640bc76def9e580b4c7ba25f279644e3233b63f4f6db0ad98"
-}
--- a/backend/.sqlx/query-2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1.json
+++ b/backend/.sqlx/query-2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1.json
@@ -1,11 +1,11 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT group_ FROM usr_to_group WHERE usr = $1 AND workspace_id = $2",
+  "query": "SELECT value FROM variable WHERE workspace_id = $1 AND path = $2",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "group_",
+        "name": "value",
        "type_info": "Varchar"
      }
    ],
@@ -19,5 +19,5 @@
      false
    ]
  },
-  "hash": "015a8551c646f9b027fc23752c5c5c81e520e3ca97dd1cd1e4ebfe3e46c4ad11"
+  "hash": "2c0ab7571e1a7c4290315bc3efccb4db9e0c9aee05596a594f81975a0cdb74d1"
 }
--- a/backend/.sqlx/query-2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0.json
+++ b/backend/.sqlx/query-2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job_queue (id, workspace_id, scheduled_for, tag, running)\n             VALUES ($1, $2, now(), 'flow', false)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "2c503e1e8ee0863b3a6274874ef9b9a10b31dbbe2a676a50d1bbfb2e9e0ab7e0"
-}
--- a/backend/.sqlx/query-2c8b8ed14647332491846ae3fa8b0ab8113d52ae8ae613a810c2b452e0972d05.json
+++ b/backend/.sqlx/query-2c8b8ed14647332491846ae3fa8b0ab8113d52ae8ae613a810c2b452e0972d05.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT EXISTS(SELECT 1 FROM v2_job_queue WHERE id = $1)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "exists",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "2c8b8ed14647332491846ae3fa8b0ab8113d52ae8ae613a810c2b452e0972d05"
-}
--- a/backend/.sqlx/query-2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09.json
+++ b/backend/.sqlx/query-2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO workspace_invite\n            (workspace_id, email, is_admin, operator)\n            SELECT $1::text, email, false, $3 FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%@', $2::text)) AND NOT EXISTS (\n                SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n            )\n            ON CONFLICT DO NOTHING",
+  "query": "INSERT INTO workspace_invite\n            (workspace_id, email, is_admin, operator)\n            SELECT $1::text, email, false, $3 FROM password WHERE ($2::text = '*' OR email LIKE CONCAT('%', $2::text)) AND NOT EXISTS (\n                SELECT 1 FROM usr WHERE workspace_id = $1::text AND email = password.email\n            )\n            ON CONFLICT DO NOTHING",
  "describe": {
    "columns": [],
    "parameters": {
@@ -12,5 +12,5 @@
    },
    "nullable": []
  },
-  "hash": "c0fad64e5d707ffa29d236f558e23b608168dc3a1b3857d2ad33ec20627acbff"
+  "hash": "2e1d1c59bfc53d58962251822c85cf9a26e3b2888702e5e9d5fc1b082901df09"
 }
--- a/backend/.sqlx/query-2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943.json
+++ b/backend/.sqlx/query-2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943.json
@@ -1,24 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n                SELECT\n                    CASE\n                        WHEN flow_version.id IS NOT NULL THEN\n                            flow_version.value -> 'flow_env' -> $3\n                        ELSE\n                            root_job.raw_flow -> 'flow_env' -> $3\n                    END AS \"flow_env: sqlx::types::Json<Box<RawValue>>\"\n                FROM\n                    v2_job current_job\n                JOIN\n                    v2_job root_job ON root_job.id = COALESCE(current_job.root_job, current_job.flow_innermost_root_job, current_job.parent_job, current_job.id)\n                    AND root_job.workspace_id = current_job.workspace_id\n                LEFT JOIN\n                    flow_version ON flow_version.id = root_job.runnable_id\n                    AND flow_version.path = root_job.runnable_path\n                    AND flow_version.workspace_id = root_job.workspace_id\n            WHERE\n                    current_job.id = $1 AND\n                    current_job.workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "flow_env: sqlx::types::Json<Box<RawValue>>",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "2f53576c2ad58abc24617e911e486d7c4b9bdb1e8fb1f7725060990ef8984943"
-}
--- a/backend/.sqlx/query-34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc.json
+++ b/backend/.sqlx/query-34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc.json
@@ -1,28 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT workspace_id, teams_command_script FROM workspace_settings WHERE teams_team_id = $1 AND teams_command_script IS NOT NULL",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "workspace_id",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "teams_command_script",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      true
-    ]
-  },
-  "hash": "34721bce20aa8b2a2c6b9bd5455735f1a2270f23d73de95101e6350f6df40acc"
-}
--- a/backend/.sqlx/query-36b95bc7956eb7bba7cd6fa9cd829980a0bf4970b919cabad1daab16627404fc.json
+++ b/backend/.sqlx/query-36b95bc7956eb7bba7cd6fa9cd829980a0bf4970b919cabad1daab16627404fc.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT (config->>'native_mode')::boolean FROM config WHERE name = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "bool",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "36b95bc7956eb7bba7cd6fa9cd829980a0bf4970b919cabad1daab16627404fc"
-}
--- a/backend/.sqlx/query-380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d.json
+++ b/backend/.sqlx/query-380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO global_settings (name, value) VALUES ('indexer_settings', $1)\n         ON CONFLICT (name) DO UPDATE SET value = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "380ca9ebea53d5c016e4e76797cc103178ac4a25fc2842a13ce19b1ec4445c9d"
-}
--- a/backend/.sqlx/query-3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34.json
+++ b/backend/.sqlx/query-3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34.json
@@ -1,18 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume\n         SET size_bytes = $3, file_count = $4,\n             updated_at = now(), updated_by = $5, last_used_at = now(),\n             lease_until = NULL, leased_by = NULL\n         WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Int8",
-        "Int4",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "3955e57e216d169c30b1548a2252eb169329116cba57780fa90ecf2bdb910f34"
-}
--- a/backend/.sqlx/query-40d0f6dca30456514cb85e36c6e367b27171894016c714e41497e69115be1468.json
+++ b/backend/.sqlx/query-40d0f6dca30456514cb85e36c6e367b27171894016c714e41497e69115be1468.json
@@ -1,76 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT\n            name as \"name!\",\n            size_bytes as \"size_bytes!\",\n            file_count as \"file_count!\",\n            created_at as \"created_at!\",\n            created_by as \"created_by!\",\n            updated_at,\n            updated_by,\n            description as \"description!\",\n            last_used_at,\n            extra_perms as \"extra_perms!\"\n         FROM (\n            SELECT\n                COALESCE(v.name, a.path) as name,\n                COALESCE(v.size_bytes, 0) as size_bytes,\n                COALESCE(v.file_count, 0) as file_count,\n                COALESCE(v.created_at, a.min_created_at) as created_at,\n                COALESCE(v.created_by, 'unknown') as created_by,\n                v.updated_at,\n                v.updated_by,\n                COALESCE(v.description, '') as description,\n                v.last_used_at,\n                COALESCE(v.extra_perms, '{}'::jsonb) as extra_perms\n            FROM (\n                SELECT path, MIN(created_at) as min_created_at\n                FROM asset\n                WHERE workspace_id = $1 AND kind = 'volume'\n                GROUP BY path\n            ) a\n            FULL OUTER JOIN volume v ON v.workspace_id = $1 AND v.name = a.path\n            WHERE v.workspace_id = $1 OR a.path IS NOT NULL\n         ) combined\n         ORDER BY name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name!",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "size_bytes!",
-        "type_info": "Int8"
-      },
-      {
-        "ordinal": 2,
-        "name": "file_count!",
-        "type_info": "Int4"
-      },
-      {
-        "ordinal": 3,
-        "name": "created_at!",
-        "type_info": "Timestamptz"
-      },
-      {
-        "ordinal": 4,
-        "name": "created_by!",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 5,
-        "name": "updated_at",
-        "type_info": "Timestamptz"
-      },
-      {
-        "ordinal": 6,
-        "name": "updated_by",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 7,
-        "name": "description!",
-        "type_info": "Text"
-      },
-      {
-        "ordinal": 8,
-        "name": "last_used_at",
-        "type_info": "Timestamptz"
-      },
-      {
-        "ordinal": 9,
-        "name": "extra_perms!",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null,
-      null,
-      null,
-      null,
-      null,
-      true,
-      true,
-      null,
-      true,
-      null
-    ]
-  },
-  "hash": "40d0f6dca30456514cb85e36c6e367b27171894016c714e41497e69115be1468"
-}
--- a/backend/.sqlx/query-45fc21026fa76e5d69f00a68a7be81abb3ec627578f2d14f0ce33896dc6ab4cf.json
+++ b/backend/.sqlx/query-45fc21026fa76e5d69f00a68a7be81abb3ec627578f2d14f0ce33896dc6ab4cf.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, email, auto_commit\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)\n        ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "VarcharArray",
-        "Varchar",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "45fc21026fa76e5d69f00a68a7be81abb3ec627578f2d14f0ce33896dc6ab4cf"
-}
--- a/backend/.sqlx/query-48b394bd9ca63d33a7ea97113b0096bd0777da52c05e23262572089e0c3c6c46.json
+++ b/backend/.sqlx/query-48b394bd9ca63d33a7ea97113b0096bd0777da52c05e23262572089e0c3c6c46.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        UPDATE workspace_settings\n        SET git_app_installations = (\n            SELECT jsonb_agg(\n                CASE\n                    WHEN (elem->>'installation_id')::bigint = $2 THEN $1::jsonb\n                    ELSE elem\n                END\n            )\n            FROM jsonb_array_elements(git_app_installations) AS elem\n        )\n        WHERE workspace_id = $3\n        ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb",
-        "Int8",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "48b394bd9ca63d33a7ea97113b0096bd0777da52c05e23262572089e0c3c6c46"
-}
--- a/backend/.sqlx/query-4b2a29b3ef7ec4802d81ec4b706623b991c938e40d0db25290b03dc0577c2740.json
+++ b/backend/.sqlx/query-4b2a29b3ef7ec4802d81ec4b706623b991c938e40d0db25290b03dc0577c2740.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT auto_commit FROM kafka_trigger WHERE workspace_id = $1 AND path = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "auto_commit",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "4b2a29b3ef7ec4802d81ec4b706623b991c938e40d0db25290b03dc0577c2740"
-}
--- a/backend/.sqlx/query-50807b807bb901a380926798be655c13a18dfd26e237a8218d3006e2898b5aa3.json
+++ b/backend/.sqlx/query-50807b807bb901a380926798be655c13a18dfd26e237a8218d3006e2898b5aa3.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        SELECT auto_commit\n        FROM kafka_trigger\n        WHERE workspace_id = $1 AND path = $2\n        ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "auto_commit",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "50807b807bb901a380926798be655c13a18dfd26e237a8218d3006e2898b5aa3"
-}
--- a/backend/.sqlx/query-56f7325e3b0316866714e76d94b50d9d258c288883b2b5b0ab286f5cb50850b5.json
+++ b/backend/.sqlx/query-56f7325e3b0316866714e76d94b50d9d258c288883b2b5b0ab286f5cb50850b5.json
@@ -0,0 +1,16 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE v2_job_status SET\n                        workflow_as_code_status = jsonb_set(\n                            jsonb_set(\n                                COALESCE(workflow_as_code_status, '{}'::jsonb),\n                                array[$1],\n                                COALESCE(workflow_as_code_status->$1, '{}'::jsonb)\n                            ),\n                            array[$1, 'duration_ms'],\n                            to_jsonb($2::bigint)\n                        )\n                    WHERE id = $3",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Int8",
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "56f7325e3b0316866714e76d94b50d9d258c288883b2b5b0ab286f5cb50850b5"
+}
--- a/backend/.sqlx/query-5af44b46a2e2f1a9adeb39013790be7046cf8789d842717b6c793c22a2a05daa.json
+++ b/backend/.sqlx/query-5af44b46a2e2f1a9adeb39013790be7046cf8789d842717b6c793c22a2a05daa.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM volume WHERE workspace_id = $1 AND name = $2\n         AND (lease_until IS NULL OR lease_until < now())\n         RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "5af44b46a2e2f1a9adeb39013790be7046cf8789d842717b6c793c22a2a05daa"
-}
--- a/backend/.sqlx/query-6086849bb08e1b37d6693d2808767cd897dca4722e4f2076308afdb7ee9fc147.json
+++ b/backend/.sqlx/query-6086849bb08e1b37d6693d2808767cd897dca4722e4f2076308afdb7ee9fc147.json
@@ -1,29 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT created_by, extra_perms FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "created_by",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "extra_perms",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "6086849bb08e1b37d6693d2808767cd897dca4722e4f2076308afdb7ee9fc147"
-}
--- a/backend/.sqlx/query-712092e5033bc6894025a55ebc58bca8450d09982e582266d215dff521256fa6.json
+++ b/backend/.sqlx/query-712092e5033bc6894025a55ebc58bca8450d09982e582266d215dff521256fa6.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT count(*) FROM volume WHERE workspace_id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "count",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "712092e5033bc6894025a55ebc58bca8450d09982e582266d215dff521256fa6"
-}
--- a/backend/.sqlx/query-72d3ebb05ac1ffeb0e8d0a3146d95bb5b90e7c4d1dc2c8a6ef06eddf6678f230.json
+++ b/backend/.sqlx/query-72d3ebb05ac1ffeb0e8d0a3146d95bb5b90e7c4d1dc2c8a6ef06eddf6678f230.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "WITH active_users AS (SELECT distinct username as email FROM (SELECT username, timestamp, operation FROM audit_partitioned UNION ALL SELECT username, timestamp, operation FROM audit) AS a WHERE timestamp > NOW() - INTERVAL '1 month' AND (operation = 'users.login' OR operation = 'oauth.login' OR operation = 'users.token.refresh')),\n            authors as (SELECT distinct email FROM usr WHERE usr.operator IS false)\n            SELECT email, email NOT IN (SELECT email FROM authors) as operator_only, login_type::text, verified, super_admin, devops, name, company, username, first_time_user\n            FROM password\n            WHERE email IN (SELECT email FROM active_users)\n            ORDER BY super_admin DESC, devops DESC\n            LIMIT $1 OFFSET $2",
+  "query": "WITH active_users AS (SELECT distinct username as email FROM audit WHERE timestamp > NOW() - INTERVAL '1 month' AND (operation = 'users.login' OR operation = 'oauth.login' OR operation = 'users.token.refresh')),\n            authors as (SELECT distinct email FROM usr WHERE usr.operator IS false)\n            SELECT email, email NOT IN (SELECT email FROM authors) as operator_only, login_type::text, verified, super_admin, devops, name, company, username, first_time_user\n            FROM password\n            WHERE email IN (SELECT email FROM active_users)\n            ORDER BY super_admin DESC, devops DESC\n            LIMIT $1 OFFSET $2",
  "describe": {
    "columns": [
      {
@@ -73,5 +73,5 @@
      false
    ]
  },
-  "hash": "9229d9a9ff389cf26e480b604b83900e2d362ee934ef27284ef39f4eed440e59"
+  "hash": "72d3ebb05ac1ffeb0e8d0a3146d95bb5b90e7c4d1dc2c8a6ef06eddf6678f230"
 }
--- a/backend/.sqlx/query-75a03e9e4cba350a104e2e3a95de919cd25538c0b433bc29bb052c7a7b8568ca.json
+++ b/backend/.sqlx/query-75a03e9e4cba350a104e2e3a95de919cd25538c0b433bc29bb052c7a7b8568ca.json
@@ -1,18 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume\n                         SET size_bytes = $3, file_count = $4,\n                             updated_at = now(), last_used_at = now(),\n                             lease_until = NULL, leased_by = NULL\n                         WHERE workspace_id = $1 AND name = $2 AND leased_by = $5",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Int8",
-        "Int4",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "75a03e9e4cba350a104e2e3a95de919cd25538c0b433bc29bb052c7a7b8568ca"
-}
--- a/backend/.sqlx/query-769035629df5a5034f64bf38992e142006825a3911addacdf1a026660b5e2b7f.json
+++ b/backend/.sqlx/query-769035629df5a5034f64bf38992e142006825a3911addacdf1a026660b5e2b7f.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = now() + interval '60 seconds'\n         WHERE workspace_id = $1 AND name = $2 AND leased_by = $3 AND lease_until > now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "769035629df5a5034f64bf38992e142006825a3911addacdf1a026660b5e2b7f"
-}
--- a/backend/.sqlx/query-78af8bdb6a3ee6396c54f87ff6403b566fc75e16e0b7a81204816fd50b3346a5.json
+++ b/backend/.sqlx/query-78af8bdb6a3ee6396c54f87ff6403b566fc75e16e0b7a81204816fd50b3346a5.json
@@ -1,24 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT EXISTS(SELECT 1 FROM volume WHERE workspace_id = $1 AND name = $2 AND lease_until > now() AND leased_by = $3)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "exists",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "78af8bdb6a3ee6396c54f87ff6403b566fc75e16e0b7a81204816fd50b3346a5"
-}
--- a/backend/.sqlx/query-79b437ad31ddab94310989b8fb6a1c130b9be1ab4b6a100fffffd687677b9c92.json
+++ b/backend/.sqlx/query-79b437ad31ddab94310989b8fb6a1c130b9be1ab4b6a100fffffd687677b9c92.json
@@ -0,0 +1,19 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "WITH job_result AS (\n                 SELECT result\n                 FROM v2_job_completed\n                 WHERE id = $1\n             ),\n             updated_queue AS (\n                UPDATE v2_job_queue\n                SET running = false,\n                tag = COALESCE($3, tag),\n                scheduled_for = COALESCE($6, scheduled_for)\n                WHERE id = $2\n             )\n             UPDATE v2_job\n             SET\n                tag = COALESCE($3, tag),\n                concurrent_limit = COALESCE($4, concurrent_limit),\n                concurrency_time_window_s = COALESCE($5, concurrency_time_window_s),\n                args = COALESCE(\n                     CASE\n                         WHEN job_result.result IS NULL THEN NULL\n                         WHEN jsonb_typeof(job_result.result) = 'object'\n                         THEN job_result.result\n                         WHEN jsonb_typeof(job_result.result) = 'null'\n                         THEN NULL\n                         ELSE jsonb_build_object('value', job_result.result)\n                     END,\n                     '{}'::jsonb\n                 ),\n                 preprocessed = TRUE\n             FROM job_result\n             WHERE v2_job.id = $2;\n             ",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Uuid",
+        "Varchar",
+        "Int4",
+        "Int4",
+        "Timestamptz"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "79b437ad31ddab94310989b8fb6a1c130b9be1ab4b6a100fffffd687677b9c92"
+}
--- a/backend/.sqlx/query-7ce06d4f623932fce12352be3a09ba8973a2ef1defa36c6d46d9c1c6406a7c33.json
+++ b/backend/.sqlx/query-7ce06d4f623932fce12352be3a09ba8973a2ef1defa36c6d46d9c1c6406a7c33.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = NULL, leased_by = NULL\n             WHERE workspace_id = $1 AND name = $2 AND leased_by = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "7ce06d4f623932fce12352be3a09ba8973a2ef1defa36c6d46d9c1c6406a7c33"
-}
--- a/backend/.sqlx/query-7e3bfb33fb771aec39b43a7550091ce7c9b1261b52d10f4a7f3273fed3c916df.json
+++ b/backend/.sqlx/query-7e3bfb33fb771aec39b43a7550091ce7c9b1261b52d10f4a7f3273fed3c916df.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        SELECT kafka_resource_path, topics, group_id, mode AS \"mode: String\",\n               auto_offset_reset, auto_commit, reset_offset\n        FROM kafka_trigger\n        WHERE workspace_id = $1 AND path = $2\n        ",
+  "query": "\n        SELECT kafka_resource_path, topics, group_id, mode AS \"mode: String\"\n        FROM kafka_trigger\n        WHERE workspace_id = $1 AND path = $2\n        ",
  "describe": {
    "columns": [
      {
@@ -33,21 +33,6 @@
            }
          }
        }
-      },
-      {
-        "ordinal": 4,
-        "name": "auto_offset_reset",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 5,
-        "name": "auto_commit",
-        "type_info": "Bool"
-      },
-      {
-        "ordinal": 6,
-        "name": "reset_offset",
-        "type_info": "Bool"
      }
    ],
    "parameters": {
@@ -57,14 +42,11 @@
      ]
    },
    "nullable": [
-      false,
-      false,
-      false,
      false,
      false,
      false,
      false
    ]
  },
-  "hash": "4cf4be7a981173d3f242887d9313c7e60d23e9827f23c0de5b546ed56697d54a"
+  "hash": "7e3bfb33fb771aec39b43a7550091ce7c9b1261b52d10f4a7f3273fed3c916df"
 }
--- a/backend/.sqlx/query-7e4aa6b19b110bca423b3a3f428826d92b9808c64ef989fef2142bc8e02d6630.json
+++ b/backend/.sqlx/query-7e4aa6b19b110bca423b3a3f428826d92b9808c64ef989fef2142bc8e02d6630.json
@@ -0,0 +1,19 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO token (token, email, label, expiration, scopes, workspace_id)\n         VALUES ($1, $2, $3, now() + ($4 || ' seconds')::interval, $5, $6)",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "Text",
+        "TextArray",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "7e4aa6b19b110bca423b3a3f428826d92b9808c64ef989fef2142bc8e02d6630"
+}
--- a/backend/.sqlx/query-7e8e79a7d140be511cedbfe9ff8eea76a8a3079ce80c035087f797cdc410f35b.json
+++ b/backend/.sqlx/query-7e8e79a7d140be511cedbfe9ff8eea76a8a3079ce80c035087f797cdc410f35b.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by)\n         VALUES ($1, $2, $3, $4)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Int8",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "7e8e79a7d140be511cedbfe9ff8eea76a8a3079ce80c035087f797cdc410f35b"
-}
--- a/backend/.sqlx/query-803abdcd3614437b26c5d2e4f1ad75ca7014b431239ac1b681f2b26380c719c4.json
+++ b/backend/.sqlx/query-803abdcd3614437b26c5d2e4f1ad75ca7014b431239ac1b681f2b26380c719c4.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT last_used_at FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "last_used_at",
-        "type_info": "Timestamptz"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "803abdcd3614437b26c5d2e4f1ad75ca7014b431239ac1b681f2b26380c719c4"
-}
--- a/backend/.sqlx/query-80bad96cbec6b5eca57a6380e7515565490a271050dcc4b5aac2b730ae3a55b9.json
+++ b/backend/.sqlx/query-80bad96cbec6b5eca57a6380e7515565490a271050dcc4b5aac2b730ae3a55b9.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM kafka_pending_commits WHERE id = ANY($1)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Int8Array"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "80bad96cbec6b5eca57a6380e7515565490a271050dcc4b5aac2b730ae3a55b9"
-}
--- a/backend/.sqlx/query-82b3bd95e5d28c4cd4eedcae8cf050ba7b7e4d9eabba03be251ae9a8017b317d.json
+++ b/backend/.sqlx/query-82b3bd95e5d28c4cd4eedcae8cf050ba7b7e4d9eabba03be251ae9a8017b317d.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET extra_perms = extra_perms - $1\n         WHERE workspace_id = $2 AND name = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "82b3bd95e5d28c4cd4eedcae8cf050ba7b7e4d9eabba03be251ae9a8017b317d"
-}
--- a/backend/.sqlx/query-88e25dc24bb06237b3677c947ee53fd6e9c7606231ad3c522e98cb1fcc14361a.json
+++ b/backend/.sqlx/query-88e25dc24bb06237b3677c947ee53fd6e9c7606231ad3c522e98cb1fcc14361a.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT leased_by FROM volume WHERE workspace_id = $1 AND name = $2 AND lease_until > now()",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "leased_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "88e25dc24bb06237b3677c947ee53fd6e9c7606231ad3c522e98cb1fcc14361a"
-}
--- a/backend/.sqlx/query-90092c0b3f7612373fcc8fb7a966200118ab308430d4a0cbb5cb16c397246492.json
+++ b/backend/.sqlx/query-90092c0b3f7612373fcc8fb7a966200118ab308430d4a0cbb5cb16c397246492.json
@@ -1,17 +1,16 @@
 {
  "db_name": "PostgreSQL",
-  "query": "DELETE FROM variable WHERE path = $1 AND workspace_id = $2 RETURNING path",
+  "query": "\n        SELECT token\n        FROM token\n        WHERE token LIKE concat($1::text, '%')\n        LIMIT 1\n        ",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "path",
+        "name": "token",
        "type_info": "Varchar"
      }
    ],
    "parameters": {
      "Left": [
-        "Text",
        "Text"
      ]
    },
@@ -19,5 +18,5 @@
      false
    ]
  },
-  "hash": "3317484a9c09c07c2c9db9debaecc4a4d518093ab48e79365dbb808068e0b8ff"
+  "hash": "90092c0b3f7612373fcc8fb7a966200118ab308430d4a0cbb5cb16c397246492"
 }
--- a/backend/.sqlx/query-907241c195fea227e4a945ee472425e5f7600e28c728a06235f7ff430a4bd77a.json
+++ b/backend/.sqlx/query-907241c195fea227e4a945ee472425e5f7600e28c728a06235f7ff430a4bd77a.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT count(*) FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "count",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "907241c195fea227e4a945ee472425e5f7600e28c728a06235f7ff430a4bd77a"
-}
--- a/backend/.sqlx/query-94d6f598076ad67d68e6f01926c9fc2c73e855790e17abf5461b96ea30fbbdb7.json
+++ b/backend/.sqlx/query-94d6f598076ad67d68e6f01926c9fc2c73e855790e17abf5461b96ea30fbbdb7.json
@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT size_bytes FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "size_bytes",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "94d6f598076ad67d68e6f01926c9fc2c73e855790e17abf5461b96ea30fbbdb7"
-}
--- a/backend/.sqlx/query-9662f1e304124fa52db4aa1e80e03b2601630f2d31458bdaf70c2702b2998d89.json
+++ b/backend/.sqlx/query-9662f1e304124fa52db4aa1e80e03b2601630f2d31458bdaf70c2702b2998d89.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE volume SET lease_until = NULL, leased_by = NULL\n         WHERE workspace_id = $1 AND name = $2 AND leased_by = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "9662f1e304124fa52db4aa1e80e03b2601630f2d31458bdaf70c2702b2998d89"
-}
--- a/backend/.sqlx/query-9c76a980bf1e3b79ab26c79aee19e5552aa16eb3626618da4dbb44ed18efee60.json
+++ b/backend/.sqlx/query-9c76a980bf1e3b79ab26c79aee19e5552aa16eb3626618da4dbb44ed18efee60.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, runnable_path, args)\n             VALUES ($1, 'script', 'deno', 'test-user', 'u/test-user', 'test@windmill.dev', $2, $3, $4)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Varchar",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "9c76a980bf1e3b79ab26c79aee19e5552aa16eb3626618da4dbb44ed18efee60"
-}
--- a/backend/.sqlx/query-9f64d6ed0adb609ced1551563062550919fcac56deaf1b3cb36b3e15117936e7.json
+++ b/backend/.sqlx/query-9f64d6ed0adb609ced1551563062550919fcac56deaf1b3cb36b3e15117936e7.json
@@ -1,29 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT extra_perms, created_by FROM volume WHERE workspace_id = $1 AND name = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "extra_perms",
-        "type_info": "Jsonb"
-      },
-      {
-        "ordinal": 1,
-        "name": "created_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "9f64d6ed0adb609ced1551563062550919fcac56deaf1b3cb36b3e15117936e7"
-}
--- a/backend/.sqlx/query-a35164456ade8e79cb8f5418c8fe82c45be45409f881292f0d4a3316362ba1f4.json
+++ b/backend/.sqlx/query-a35164456ade8e79cb8f5418c8fe82c45be45409f881292f0d4a3316362ba1f4.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_queue SET suspend = GREATEST(suspend - 1, 0) WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a35164456ade8e79cb8f5418c8fe82c45be45409f881292f0d4a3316362ba1f4"
-}
--- a/backend/.sqlx/query-a3970c15271a124307301c0dafa263e7168fa325c5ceb44e9dd1595bdb7e7ce6.json
+++ b/backend/.sqlx/query-a3970c15271a124307301c0dafa263e7168fa325c5ceb44e9dd1595bdb7e7ce6.json
@@ -1,24 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO volume (workspace_id, name, size_bytes, created_by)\n         VALUES ($1, $2, 0, $3)\n         ON CONFLICT (workspace_id, name) DO NOTHING\n         RETURNING name",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "name",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "a3970c15271a124307301c0dafa263e7168fa325c5ceb44e9dd1595bdb7e7ce6"
-}
--- a/backend/.sqlx/query-a4d973d0f1c293345ad2bfd2472da8d6a3b425ea0590a66f1db6692dd2ddb437.json
+++ b/backend/.sqlx/query-a4d973d0f1c293345ad2bfd2472da8d6a3b425ea0590a66f1db6692dd2ddb437.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO token_expiry_notification (token, expiration) VALUES ($1, $2) ON CONFLICT DO NOTHING",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Timestamptz"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a4d973d0f1c293345ad2bfd2472da8d6a3b425ea0590a66f1db6692dd2ddb437"
-}
--- a/backend/.sqlx/query-a684f160d1a366c1928fef27c613e6e08f808f423c8f2d58b9c849aba7d176f5.json
+++ b/backend/.sqlx/query-a684f160d1a366c1928fef27c613e6e08f808f423c8f2d58b9c849aba7d176f5.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_queue SET running = false, started_at = null WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a684f160d1a366c1928fef27c613e6e08f808f423c8f2d58b9c849aba7d176f5"
-}
--- a/backend/.sqlx/query-a6b1c8808c892e62ae4ba04171d856a39c89cdc658b09c478050de5145a45ca4.json
+++ b/backend/.sqlx/query-a6b1c8808c892e62ae4ba04171d856a39c89cdc658b09c478050de5145a45ca4.json
@@ -1,12 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM token_expiry_notification WHERE expiration <= now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": []
-  },
-  "hash": "a6b1c8808c892e62ae4ba04171d856a39c89cdc658b09c478050de5145a45ca4"
-}
--- a/backend/.sqlx/query-a72081cb042f09034338dcb49381e91093233cf16af0dae666b4743f3878b22e.json
+++ b/backend/.sqlx/query-a72081cb042f09034338dcb49381e91093233cf16af0dae666b4743f3878b22e.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_queue SET suspend = 0, suspend_until = NULL WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a72081cb042f09034338dcb49381e91093233cf16af0dae666b4743f3878b22e"
-}
--- a/backend/.sqlx/query-a837494a58ab58bfa18c0385350a861076a5fc4f7eefceb1c0de5cf55293f327.json
+++ b/backend/.sqlx/query-a837494a58ab58bfa18c0385350a861076a5fc4f7eefceb1c0de5cf55293f327.json
@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE job_stats SET offsets_cs = array_append(offsets_cs, (EXTRACT(EPOCH FROM (now() - timeseries_start)) * 100)::int), timeseries_float = array_append(timeseries_float, $4) WHERE workspace_id = $1 AND job_id = $2 AND metric_id = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Uuid",
-        "Text",
-        "Float4"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a837494a58ab58bfa18c0385350a861076a5fc4f7eefceb1c0de5cf55293f327"
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
centdix	71e08c239b	chore: add deliberate type error to fail frontend CI Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 20:27:21 +01:00
centdix	ee206b8594	chore: add test.txt Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 20:24:31 +01:00