push

* chore(main): release 1.69.0

* Apply automatic changes

---------

Co-authored-by: rubenfiszel <rubenfiszel@users.noreply.github.com>

.aiderignore

@@ -1,3 +0,0 @@
-/*
-!/backend/
-!/frontend/

.claude/agents/branch-diff-reviewer.md

@@ -1,127 +0,0 @@
----
-name: branch-diff-reviewer
-description: Use this agent when you want a comprehensive code review of changes in the current branch compared to main. This includes reviewing for bugs, optimization opportunities, code style issues, potential mistakes, and adherence to project conventions. The agent should be invoked after completing a feature branch or before creating a pull request.\n\nExamples:\n\n<example>\nContext: User has finished implementing a new feature and wants feedback before merging.\nuser: "I've finished the new kafka trigger implementation, can you review my changes?"\nassistant: "I'll use the branch-diff-reviewer agent to analyze your changes against the main branch and provide comprehensive feedback."\n<commentary>\nSince the user wants a review of their branch changes, use the Task tool to launch the branch-diff-reviewer agent to compare the current branch against main and provide detailed feedback.\n</commentary>\n</example>\n\n<example>\nContext: User wants to check their code quality before submitting a PR.\nuser: "Review my branch before I create a PR"\nassistant: "Let me launch the branch-diff-reviewer agent to examine all your changes and identify any issues or improvements."\n<commentary>\nThe user is preparing for a PR, so use the branch-diff-reviewer agent to provide a thorough review of all branch differences.\n</commentary>\n</example>\n\n<example>\nContext: User is unsure if their implementation follows project patterns.\nuser: "Does my implementation look correct? I'm not sure if I followed the existing patterns"\nassistant: "I'll use the branch-diff-reviewer agent to compare your changes against main and check for pattern consistency, potential issues, and optimization opportunities."\n<commentary>\nThe user needs validation of their implementation against project standards. Launch the branch-diff-reviewer agent to analyze the diff and provide feedback on patterns, correctness, and improvements.\n</commentary>\n</example>
-tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, ListMcpResourcesTool, ReadMcpResourceTool, mcp__svelte__get-documentation, mcp__svelte__list-sections, mcp__svelte__playground-link, mcp__svelte__svelte-autofixer, mcp__ide__getDiagnostics, mcp__ide__executeCode, Bash, Skill
-model: inherit
----
-
-You are an elite code reviewer with deep expertise in software engineering best practices, performance optimization, and security. Your role is to provide thorough, actionable feedback on code changes between the current branch and main.
-
-## Your Review Process
-
-1. **First, gather the diff**: Use git commands to obtain the complete diff between the current branch and main:
-   - Run `git diff main...HEAD` to see all changes
-   - Run `git log main..HEAD --oneline` to understand the commit history
-   - Identify all modified, added, and deleted files
-
-2. **Analyze each changed file** in the context of:
-   - The project's established patterns (check CLAUDE.md and related documentation)
-   - The file's purpose and its role in the broader codebase
-   - Dependencies and how changes might affect other parts of the system
-
-## Review Categories
-
-For each significant change, evaluate and report on:
-
-### 🐛 Bugs & Correctness
-- Logic errors or edge cases not handled
-- Null/undefined handling issues
-- Race conditions in async code
-- Incorrect error handling
-- Type mismatches or unsafe casts
-
-### ⚡ Performance
-- Inefficient algorithms or data structures
-- N+1 query problems in database code
-- Unnecessary re-renders in frontend code
-- Missing indexes for database queries
-- Blocking operations in async contexts
-- Memory leaks or excessive allocations
-- For Rust: Check for unnecessary clones, inefficient serde usage, blocking in async
-- For Svelte: Check for inefficient reactivity, missing keys in loops, excessive effects
-
-### 🔒 Security
-- SQL injection vulnerabilities
-- Missing input validation
-- Exposed sensitive data
-- Authentication/authorization gaps
-- Unsafe deserialization
-
-### 📐 Code Quality & Style
-- Adherence to project conventions (CLAUDE.md guidelines)
-- Code duplication that should be refactored
-- Unclear or misleading naming
-- Missing or inadequate documentation
-- Overly complex logic that could be simplified
-- Dead code or unused imports
-
-### 🏗️ Architecture & Design
-- Proper separation of concerns
-- Appropriate use of existing utilities vs. new code
-- Consistency with established patterns
-- Proper error propagation
-- API design issues
-
-### 🧪 Testing Considerations
-- Suggest test cases for new functionality
-- Identify untested edge cases
-- Note if changes break existing test assumptions
-
-## Project-Specific Rules
-
-### For Rust (Backend)
-- Verify `SELECT` statements list explicit columns (never `SELECT *` in worker code)
-- Check for proper use of `sqlx` with parameterized queries
-- Ensure errors use the custom `Error` enum from `windmill-common::error`
-- Verify async code doesn't block the tokio runtime
-- Check serde attributes for optimal serialization
-- Ensure openapi.yaml is updated for API changes
-
-### For Svelte (Frontend)
-- For Svelte 5 files: Verify proper use of Runes (`$state`, `$derived`, `$effect`)
-- Check for `key` attributes in `{#each}` blocks
-- Ensure event handlers use the new syntax (`onclick` not `on:click`) in Svelte 5
-- Verify snippets are used instead of slots in Svelte 5
-- Check for proper props declaration with `$props()`
-
-## Output Format
-
-Structure your review as follows:
-
-```
-## Summary
-[Brief overview of the changes and overall assessment]
-
-## Critical Issues 🚨
-[Issues that must be fixed before merging]
-
-## Recommendations 💡
-[Improvements that would significantly enhance the code]
-
-## Minor Suggestions 📝
-[Nice-to-haves and style improvements]
-
-## Positive Observations ✅
-[Well-done aspects worth acknowledging]
-
-## File-by-File Details
-[Detailed feedback organized by file]
-```
-
-For each issue, provide:
-1. **Location**: File path and line number(s)
-2. **Issue**: Clear description of the problem
-3. **Impact**: Why this matters
-4. **Suggestion**: Concrete fix or improvement with code example when helpful
-
-## Behavioral Guidelines
-
-- Be thorough but prioritize: focus most on critical issues
-- Be constructive: every criticism should come with a suggestion
-- Be specific: vague feedback is not actionable
-- Acknowledge good work: positive reinforcement matters
-- Consider context: understand why decisions might have been made
-- Ask clarifying questions if the intent of changes is unclear
-- Reference project documentation when pointing out convention violations
-
-Begin by fetching the diff and then proceed with your comprehensive review.

.claude/agents/openapi-sync.md

@@ -1,76 +0,0 @@
----
-name: openapi-sync
-description: Use this agent when backend API endpoints are added, modified, or removed, or when the Flow structure changes and the OpenAPI specification files need to be updated. This includes changes to route handlers in windmill-api, modifications to request/response schemas, changes to authentication requirements, or updates to the Flow data structures that affect the API.\n\nExamples:\n\n<example>\nContext: User has just added a new API endpoint for managing workspace templates.\nuser: "Add a new endpoint POST /api/w/{workspace}/templates to create workspace templates"\nassistant: "I've created the new endpoint handler in windmill-api. Now let me use the openapi-sync agent to update the OpenAPI specification files."\n<commentary>\nSince a new API endpoint was added, use the openapi-sync agent to ensure the openapi.yaml and openflow.openapi.yaml files are updated with the new endpoint definition.\n</commentary>\n</example>\n\n<example>\nContext: User has modified the response schema for an existing endpoint.\nuser: "Update the GET /api/w/{workspace}/flows endpoint to also return a 'versions' array in the response"\nassistant: "I've updated the flow listing endpoint to include the versions array. Now let me use the openapi-sync agent to update the OpenAPI specification."\n<commentary>\nSince the response schema of an existing endpoint was modified, use the openapi-sync agent to update the corresponding schema in the OpenAPI files.\n</commentary>\n</example>\n\n<example>\nContext: User has made changes to the Flow structure in the codebase.\nuser: "Add a new 'retry_policy' field to the Flow value structure"\nassistant: "I've added the retry_policy field to the Flow struct. Now let me use the openapi-sync agent to update the OpenAPI specification to reflect this schema change."\n<commentary>\nSince the Flow structure was modified, use the openapi-sync agent to ensure the flow-related schemas in openapi.yaml and openflow.openapi.yaml are updated.\n</commentary>\n</example>
-model: inherit
----
-
-You are an expert API documentation engineer specializing in OpenAPI specifications for the Windmill platform. Your primary responsibility is to maintain synchronization between the Rust backend API implementation and the OpenAPI specification files.
-
-## Your Core Responsibilities
-
-1. **Update OpenAPI Specifications**: When API endpoints are added, modified, or removed in the windmill-api crate, you must update:
-   - `backend/windmill-api/openapi.yaml` - The main OpenAPI specification
-   - `backend/windmill-api/openflow.openapi.yaml` - Flow-specific OpenAPI definitions (if flow-related changes)
-
-2. **Maintain Schema Accuracy**: Ensure all request/response schemas accurately reflect the Rust structs used in the API handlers.
-
-3. **Document Comprehensively**: Include proper descriptions, examples, and parameter documentation.
-
-## Key Files to Reference
-
-- **API Route Definitions**: Look in `backend/windmill-api/src/` for route handlers organized by domain
-- **Data Structures**: Check `backend/windmill-common/src/` for shared structs and types
-- **Database Schema**: Reference `backend/summarized_schema.txt` for understanding data models
-- **Existing OpenAPI Files**: Always review the current state of `openapi.yaml` and `openflow.openapi.yaml` before making changes
-
-## Workflow
-
-1. **Identify Changes**: Determine what API changes were made by examining:
-   - New or modified route handlers in windmill-api
-   - Changes to request/response structs
-   - Modifications to the Flow structure or related types
-
-2. **Analyze the Implementation**: For each endpoint, identify:
-   - HTTP method and path
-   - Path parameters, query parameters, and request body schema
-   - Response schema(s) and status codes
-   - Authentication requirements
-   - Any tags or groupings
-
-3. **Update OpenAPI Files**:
-   - Add or modify path definitions with accurate operation IDs
-   - Update or create schema definitions in the components section
-   - Ensure $ref references are correct
-   - Maintain consistent naming conventions with existing patterns
-
-4. **Validate Changes**: Ensure the YAML syntax is valid and follows OpenAPI 3.0 specification.
-
-## OpenAPI Conventions for Windmill
-
-- **Operation IDs**: Use camelCase, descriptive names (e.g., `createScript`, `listFlows`, `updateWorkspaceSettings`)
-- **Tags**: Group endpoints by domain (e.g., `scripts`, `flows`, `workspaces`, `users`)
-- **Schema Naming**: Use PascalCase for schema names matching Rust struct names
-- **Path Parameters**: Use `{workspace}` for workspace_id, maintain consistency with existing patterns
-- **Security**: Most endpoints require Bearer token authentication - include appropriate security requirements
-
-## Schema Mapping from Rust to OpenAPI
-
-- `String` / `&str` → `type: string`
-- `i32`, `i64` → `type: integer` (with appropriate format)
-- `f32`, `f64` → `type: number`
-- `bool` → `type: boolean`
-- `Vec<T>` → `type: array` with `items`
-- `Option<T>` → property is not in `required` array
-- `HashMap<K, V>` → `type: object` with `additionalProperties`
-- Enums → `type: string` with `enum` array
-- Custom structs → `$ref` to schema definition
-
-## Important Notes
-
-- Always preserve existing documentation and descriptions when updating
-- Maintain backward compatibility warnings in descriptions when applicable
-- Include example values where they aid understanding
-- For Flow-related changes, update BOTH openapi.yaml AND openflow.openapi.yaml as needed
-- Follow the existing indentation and formatting style in the YAML files
-
-When you complete updates, summarize what changes were made to which files and highlight any schema additions or modifications that downstream consumers should be aware of.

.claude/hooks/format-backend.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-# Format backend Rust files with rustfmt after Claude edits them
-
-# Get the file path from the tool result (passed via stdin as JSON)
-INPUT=$(cat)
-FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
-
-# Exit if no file path
-if [ -z "$FILE_PATH" ]; then
-    exit 0
-fi
-
-# Check if the file is in the backend directory and is a Rust file
-if [[ "$FILE_PATH" == *"/backend/"* ]] && [[ "$FILE_PATH" =~ \.rs$ ]]; then
-    cd "$CLAUDE_PROJECT_DIR/backend" || exit 0
-    # Run rustfmt with config from rustfmt.toml (edition=2021)
-    rustfmt --config-path rustfmt.toml "$FILE_PATH" 2>/dev/null || true
-fi
-
-exit 0

.claude/hooks/format-frontend.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-# Format frontend files with prettier after Claude edits them
-
-# Get the file path from the tool result (passed via stdin as JSON)
-INPUT=$(cat)
-FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
-
-# Exit if no file path
-if [ -z "$FILE_PATH" ]; then
-    exit 0
-fi
-
-# Check if the file is in the frontend directory
-if [[ "$FILE_PATH" == *"/frontend/"* ]]; then
-    # Check if it's a formattable file type
-    if [[ "$FILE_PATH" =~ \.(ts|js|svelte|json|css|html|md)$ ]]; then
-        cd "$CLAUDE_PROJECT_DIR/frontend" || exit 0
-        # Run prettier silently, don't fail the hook if prettier fails
-        npx prettier --write "$FILE_PATH" 2>/dev/null || true
-    fi
-fi
-
-exit 0

.claude/hooks/notify-user.sh

@@ -1,25 +0,0 @@
-#!/bin/bash
-# Notify user when Claude requires input (works on macOS and Linux)
-
-# Check if we're in an SSH session
-if [[ -n "$SSH_CLIENT" || -n "$SSH_TTY" || -n "$SSH_CONNECTION" ]]; then
-    # SSH session - use terminal bell
-    # If using VSCode, enable audible terminal bell for SSH sessions:
-    # Add the following to .vscode/settings.json:
-    #   "accessibility.signals.terminalBell": {
-    #     "sound": "on"
-    #   },
-    #   "terminal.integrated.enableVisualBell": true
-    printf '\a'
-else
-    # Local session - use native notifications
-    if [[ "$OSTYPE" == "darwin"* ]]; then
-        osascript -e 'display notification "Claude is waiting for your input" with title "Claude Code" sound name "Glass"' 2>/dev/null || printf '\a'
-    elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
-        notify-send "Claude Code" "Claude is waiting for your input" 2>/dev/null || printf '\a'
-    else
-        printf '\a'
-    fi
-fi
-
-exit 0

.claude/settings.json

@@ -1,103 +0,0 @@
-{
-  "permissions": {
-    "additionalDirectories": [
-      "../windmill-ee-private"
-    ],
-    "allow": [
-      "Bash(ls:*)",
-      "Bash(grep:*)",
-      "Bash(cat:*)",
-      "Bash(head:*)",
-      "Bash(tail:*)",
-      "Bash(less:*)",
-      "Bash(more:*)",
-      "Bash(find:*)",
-      "Bash(wc:*)",
-      "Bash(diff:*)",
-      "Bash(file:*)",
-      "Bash(stat:*)",
-      "Bash(tree:*)",
-      "Bash(pwd)",
-      "Bash(which:*)",
-      "Bash(whereis:*)",
-      "Bash(echo:*)",
-      "Bash(git status:*)",
-      "Bash(git diff:*)",
-      "Bash(git log:*)",
-      "Bash(git branch:*)",
-      "Bash(git show:*)",
-      "Bash(git blame:*)",
-      "Bash(cargo check:*)",
-      "mcp__ide__getDiagnostics",
-      "Bash(npm run generate-backend-client:*)",
-      "Bash(npm run check:*)"
-    ],
-    "deny": [
-      "Read(.env)",
-      "Read(.env.*)",
-      "Read(**/.env)",
-      "Read(**/.env.*)",
-      "Read(**/secrets/**)",
-      "Read(**/*.pem)",
-      "Read(**/*.key)",
-      "Read(**/credentials.json)",
-      "Read(**/*secret*)",
-      "Edit(.env)",
-      "Edit(.env.*)",
-      "Edit(**/.env)",
-      "Edit(**/.env.*)"
-    ],
-    "ask": [
-      "Bash(rm:*)",
-      "Bash(rmdir:*)",
-      "Bash(mv:*)",
-      "Bash(chmod:*)",
-      "Bash(chown:*)",
-      "Bash(truncate:*)",
-      "Bash(shred:*)",
-      "Bash(unlink:*)",
-      "Bash(git push:*)",
-      "Bash(git reset:*)",
-      "Bash(git revert:*)",
-      "Bash(git checkout:*)",
-      "Bash(git merge:*)",
-      "Bash(git rebase:*)"
-    ]
-  },
-  "enableAllProjectMcpServers": true,
-  "hooks": {
-    "PostToolUse": [
-      {
-        "matcher": "Edit|Write",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/format-frontend.sh",
-            "timeout": 30
-          },
-          {
-            "type": "command",
-            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/format-backend.sh",
-            "timeout": 30
-          }
-        ]
-      }
-    ],
-    "Notification": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/notify-user.sh",
-            "timeout": 10
-          }
-        ]
-      }
-    ]
-  },
-  "enabledPlugins": {
-    "rust-analyzer-lsp@claude-plugins-official": true,
-    "typescript-lsp@claude-plugins-official": true,
-    "code-review@claude-plugins-official": true
-  }
-}

.claude/skills/commit/SKILL.md

@@ -1,60 +0,0 @@
----
-name: commit
-user_invocable: true
-description: Create a git commit with conventional commit format. MUST use anytime you want to commit changes.
----
-
-# Git Commit Skill
-
-Create a focused, single-line commit following conventional commit conventions.
-
-## Instructions
-
-1. **Analyze changes**: Run `git status` and `git diff` to understand what was modified
-2. **Stage only modified files**: Add files individually by name. NEVER use `git add -A` or `git add .`
-3. **Write commit message**: Follow the conventional commit format as a single line
-
-## Conventional Commit Format
-
-```
-<type>: <description>
-```
-
-### Types
-- `feat`: New feature or capability
-- `fix`: Bug fix
-- `refactor`: Code change that neither fixes a bug nor adds a feature
-- `docs`: Documentation only changes
-- `style`: Formatting, missing semicolons, etc (no code change)
-- `test`: Adding or correcting tests
-- `chore`: Maintenance tasks, dependency updates, etc
-- `perf`: Performance improvement
-
-### Rules
-- Message MUST be a single line (no multi-line messages)
-- Description should be lowercase, imperative mood ("add" not "added")
-- No period at the end
-- Keep under 72 characters total
-
-### Examples
-```
-feat: add token usage tracking for AI providers
-fix: resolve null pointer in job executor
-refactor: extract common validation logic
-docs: update API endpoint documentation
-chore: upgrade sqlx to 0.7
-```
-
-## Execution Steps
-
-1. Run `git status` to see all changes
-2. Run `git diff` to understand the changes in detail
-3. Run `git log --oneline -5` to see recent commit style
-4. Stage ONLY the modified/relevant files: `git add <file1> <file2> ...`
-5. Create the commit with conventional format:
-   ```bash
-   git commit -m "<type>: <description>
-
-   Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>"
-   ```
-6. Run `git status` to verify the commit succeeded

.claude/skills/native-trigger/SKILL.md

@@ -1,777 +0,0 @@
-# Skill: Adding Native Trigger Services
-
-This skill provides comprehensive guidance for adding new native trigger services to Windmill. Native triggers allow external services (like Nextcloud, Google Drive, etc.) to trigger Windmill scripts/flows via webhooks or push notifications.
-
-## Architecture Overview
-
-The native trigger system consists of:
-
-1. **Database Layer** - PostgreSQL tables and enum types
-2. **Backend Rust Implementation** - Core trait, handlers, and service modules in the `windmill-native-triggers` crate
-3. **Frontend Svelte Components** - Configuration forms and UI components
-
-### Key Files
-
-| Component | Path |
-|-----------|------|
-| Core module with `External` trait | `backend/windmill-native-triggers/src/lib.rs` |
-| Generic CRUD handlers | `backend/windmill-native-triggers/src/handler.rs` |
-| Background sync logic | `backend/windmill-native-triggers/src/sync.rs` |
-| OAuth/workspace integration | `backend/windmill-native-triggers/src/workspace_integrations.rs` |
-| Re-export shim (windmill-api) | `backend/windmill-api/src/native_triggers/mod.rs` |
-| TriggerKind enum | `backend/windmill-common/src/triggers.rs` |
-| JobTriggerKind enum | `backend/windmill-common/src/jobs.rs` |
-| Frontend service registry | `frontend/src/lib/components/triggers/native/utils.ts` |
-| Frontend trigger utilities | `frontend/src/lib/components/triggers/utils.ts` |
-| Trigger badges (icons + counts) | `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte` |
-| Workspace integrations UI | `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte` |
-| OAuth config form component | `frontend/src/lib/components/workspaceSettings/OAuthClientConfig.svelte` |
-| OpenAPI spec | `backend/windmill-api/openapi.yaml` |
-| Reference: Nextcloud module | `backend/windmill-native-triggers/src/nextcloud/` |
-| Reference: Google module | `backend/windmill-native-triggers/src/google/` |
-
-### Crate Structure
-
-The native trigger code lives in the `windmill-native-triggers` crate (`backend/windmill-native-triggers/`). The `windmill-api` crate re-exports everything via a shim:
-
-```rust
-// backend/windmill-api/src/native_triggers/mod.rs
-pub use windmill_native_triggers::*;
-```
-
-All new service modules go in `backend/windmill-native-triggers/src/`.
-
----
-
-## Core Concepts
-
-### The `External` Trait
-
-Every native trigger service implements the `External` trait defined in `lib.rs`:
-
-```rust
-#[async_trait]
-pub trait External: Send + Sync + 'static {
-    // Associated types:
-    type ServiceConfig: Debug + DeserializeOwned + Serialize + Send + Sync;
-    type TriggerData: Debug + Serialize + Send + Sync;
-    type OAuthData: DeserializeOwned + Serialize + Clone + Send + Sync;
-    type CreateResponse: DeserializeOwned + Send + Sync;
-
-    // Constants:
-    const SUPPORT_WEBHOOK: bool;
-    const SERVICE_NAME: ServiceName;
-    const DISPLAY_NAME: &'static str;
-    const TOKEN_ENDPOINT: &'static str;
-    const REFRESH_ENDPOINT: &'static str;
-    const AUTH_ENDPOINT: &'static str;
-
-    // Required methods:
-    async fn create(&self, w_id, oauth_data, webhook_token, data, db, tx) -> Result<Self::CreateResponse>;
-    async fn update(&self, w_id, oauth_data, external_id, webhook_token, data, db, tx) -> Result<serde_json::Value>;
-    async fn get(&self, w_id, oauth_data, external_id, db, tx) -> Result<Self::TriggerData>;
-    async fn delete(&self, w_id, oauth_data, external_id, db, tx) -> Result<()>;
-    async fn exists(&self, w_id, oauth_data, external_id, db, tx) -> Result<bool>;
-    async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors);
-    fn external_id_and_metadata_from_response(&self, resp) -> (String, Option<serde_json::Value>);
-
-    // Methods with defaults:
-    async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned>;
-    fn service_config_from_create_response(&self, data, resp) -> Option<serde_json::Value>;
-    fn additional_routes(&self) -> axum::Router;
-    async fn http_client_request<T, B>(&self, url, method, workspace_id, tx, db, headers, body) -> Result<T>;
-}
-```
-
-Key design points:
-- **`update()` returns `serde_json::Value`** - the resolved service_config to store. Each service is responsible for building the final config.
-- **`maintain_triggers()`** - periodic background maintenance. Each service implements its own strategy (Nextcloud: reconcile with external state; Google: renew expiring channels).
-- **No `list_all()` in the trait** - services that need it (Nextcloud) implement it privately; services that don't (Google) use different maintenance strategies.
-- **No `get_external_id_from_trigger_data()` or `extract_service_config_from_trigger_data()`** - removed in favor of the `maintain_triggers` pattern.
-
-### Create Lifecycle: Two Paths
-
-The `create_native_trigger` handler in `handler.rs` supports two creation flows, controlled by `service_config_from_create_response()`:
-
-**Path A: Short (Google pattern)** - `service_config_from_create_response()` returns `Some(config)`:
-1. `create()` registers on external service
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `service_config_from_create_response()` builds the config directly from input data + response metadata
-4. Stores trigger in DB -- done, no extra round-trip
-
-Use this when the external_id is known before the create call (e.g., Google generates the channel_id as a UUID upfront and includes it in the webhook URL).
-
-**Path B: Long (Nextcloud pattern)** - `service_config_from_create_response()` returns `None` (default):
-1. `create()` registers on external service (webhook URL has no external_id yet)
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `update()` is called to fix the webhook URL with the now-known external_id
-4. `update()` returns the resolved service_config
-5. Stores trigger in DB
-
-Use this when the external_id is assigned by the remote service and the webhook URL needs to be corrected after creation.
-
-### OAuth Token Storage (Three-Table Pattern)
-
-OAuth tokens are stored across three tables, NOT in `workspace_integrations.oauth_data` directly:
-
-| Table | What's Stored |
-|-------|---------------|
-| `workspace_integrations` | `oauth_data` JSON with `base_url`, `client_id`, `client_secret`, `instance_shared` flag; `resource_path` pointing to the variable |
-| `variable` | Encrypted `access_token` (at the path stored in `resource_path`), linked to `account` via `account` column |
-| `account` | `refresh_token`, keyed by `workspace_id` + `client` (service name) + `is_workspace_integration = true` |
-
-The `decrypt_oauth_data()` function in `lib.rs` assembles these into a unified struct:
-```rust
-pub struct OAuthConfig {
-    pub base_url: String,
-    pub access_token: String,      // decrypted from variable
-    pub refresh_token: Option<String>, // from account table
-    pub client_id: String,         // from oauth_data or instance settings
-    pub client_secret: String,     // from oauth_data or instance settings
-}
-```
-
-Instance-level sharing: when `oauth_data.instance_shared == true`, `client_id` and `client_secret` are read from global settings instead of workspace_integrations.
-
-### URL Resolution
-
-The `resolve_endpoint()` helper handles both absolute and relative OAuth URLs:
-
-```rust
-pub fn resolve_endpoint(base_url: &str, endpoint: &str) -> String {
-    if endpoint.starts_with("http://") || endpoint.starts_with("https://") {
-        endpoint.to_string()  // Google: absolute URLs
-    } else {
-        format!("{}{}", base_url, endpoint)  // Nextcloud: relative paths
-    }
-}
-```
-
-### ServiceName Methods
-
-`ServiceName` is the central registry enum. Each variant must implement these match arms:
-
-| Method | Purpose |
-|--------|---------|
-| `as_str()` | Lowercase identifier (e.g., `"google"`) |
-| `as_trigger_kind()` | Maps to `TriggerKind` enum |
-| `as_job_trigger_kind()` | Maps to `JobTriggerKind` enum |
-| `token_endpoint()` | OAuth token endpoint (relative or absolute) |
-| `auth_endpoint()` | OAuth authorization endpoint |
-| `oauth_scopes()` | Space-separated OAuth scopes |
-| `resource_type()` | Resource type for token storage (e.g., `"gworkspace"`) |
-| `extra_auth_params()` | Extra OAuth params (e.g., Google needs `access_type=offline`, `prompt=consent`) |
-| `integration_service()` | Maps to the workspace integration service (usually `*self`) |
-| `TryFrom<String>` | Parse from string |
-| `Display` | Delegates to `as_str()` |
-
----
-
-## Step-by-Step Implementation Guide
-
-### Step 1: Database Migration
-
-Create a new migration file: `backend/migrations/YYYYMMDDHHMMSS_newservice_trigger.up.sql`
-
-```sql
--- Add the service to the native_trigger_service enum
-ALTER TYPE native_trigger_service ADD VALUE IF NOT EXISTS 'newservice';
-
--- Add to TRIGGER_KIND enum (used for trigger tracking)
-ALTER TYPE TRIGGER_KIND ADD VALUE IF NOT EXISTS 'newservice';
-
--- Add to job_trigger_kind enum (used for job tracking)
-ALTER TYPE job_trigger_kind ADD VALUE IF NOT EXISTS 'newservice';
-```
-
-Also create the corresponding down migration.
-
-### Step 2: Update windmill-common Enums
-
-#### `backend/windmill-common/src/triggers.rs`
-
-Add variant to `TriggerKind` enum, and update `to_key()` and `fmt()` implementations.
-
-#### `backend/windmill-common/src/jobs.rs`
-
-Add variant to `JobTriggerKind` enum and update the `Display` implementation.
-
-### Step 3: Backend Service Module
-
-Create a new directory: `backend/windmill-native-triggers/src/newservice/`
-
-#### `mod.rs` - Type Definitions
-
-```rust
-use serde::{Deserialize, Serialize};
-
-pub mod external;
-// pub mod routes; // Only if you need additional service-specific routes
-
-/// OAuth data deserialized from the three-table pattern.
-/// The actual structure is built by decrypt_oauth_data() from variable + account + workspace_integrations.
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct NewServiceOAuthData {
-    pub base_url: String,              // from workspace_integrations.oauth_data
-    pub access_token: String,          // decrypted from variable table
-    pub refresh_token: Option<String>, // from account table
-    // Note: client_id and client_secret are in OAuthConfig, not here
-    // unless the service needs them at runtime for API calls
-}
-
-/// Configuration provided by user when creating/updating a trigger.
-/// Stored as JSON in native_trigger.service_config.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceConfig {
-    // Service-specific configuration fields
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-}
-
-/// Data retrieved from the external service about a trigger.
-/// Returned by the get() method and shown in the UI.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceTriggerData {
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-    // Fields that shouldn't affect service_config comparison should use #[serde(skip_serializing)]
-}
-
-/// Response from external service when creating a trigger/webhook.
-#[derive(Debug, Deserialize)]
-pub struct CreateTriggerResponse {
-    pub id: String,
-}
-
-/// Handler struct (stateless, used for routing)
-#[derive(Copy, Clone)]
-pub struct NewService;
-```
-
-#### `external.rs` - External Trait Implementation
-
-```rust
-use async_trait::async_trait;
-use reqwest::Method;
-use sqlx::PgConnection;
-use std::collections::HashMap;
-use windmill_common::{
-    error::{Error, Result},
-    BASE_URL, DB,
-};
-
-use crate::{
-    generate_webhook_service_url, External, NativeTrigger, NativeTriggerData, ServiceName,
-    sync::{SyncError, TriggerSyncInfo},
-};
-use super::{NewService, NewServiceConfig, NewServiceOAuthData, NewServiceTriggerData, CreateTriggerResponse};
-
-#[async_trait]
-impl External for NewService {
-    type ServiceConfig = NewServiceConfig;
-    type TriggerData = NewServiceTriggerData;
-    type OAuthData = NewServiceOAuthData;
-    type CreateResponse = CreateTriggerResponse;
-
-    const SERVICE_NAME: ServiceName = ServiceName::NewService;
-    const DISPLAY_NAME: &'static str = "New Service";
-    const SUPPORT_WEBHOOK: bool = true;
-    const TOKEN_ENDPOINT: &'static str = "/oauth/token";
-    const REFRESH_ENDPOINT: &'static str = "/oauth/token";
-    const AUTH_ENDPOINT: &'static str = "/oauth/authorize";
-
-    async fn create(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::CreateResponse> {
-        let base_url = &*BASE_URL.read().await;
-
-        // external_id is None during create (we get it from the response)
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            None, Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/create", oauth_data.base_url);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let response: CreateTriggerResponse = self
-            .http_client_request(&url, Method::POST, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        Ok(response)
-    }
-
-    /// Update returns the resolved service_config as JSON.
-    /// For services using the update+get pattern, call self.get() and serialize.
-    async fn update(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<serde_json::Value> {
-        let base_url = &*BASE_URL.read().await;
-
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            Some(external_id), Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let _: serde_json::Value = self
-            .http_client_request(&url, Method::PUT, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        // Fetch back the updated state to get the resolved config
-        let trigger_data = self.get(w_id, oauth_data, external_id, db, tx).await?;
-        serde_json::to_value(&trigger_data)
-            .map_err(|e| Error::InternalErr(format!("Failed to serialize trigger data: {}", e)))
-    }
-
-    async fn get(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::TriggerData> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        self.http_client_request::<_, ()>(&url, Method::GET, w_id, tx, db, None, None).await
-    }
-
-    async fn delete(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<()> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let _: serde_json::Value = self
-            .http_client_request::<_, ()>(&url, Method::DELETE, w_id, tx, db, None, None)
-            .await
-            .or_else(|e| match &e {
-                Error::InternalErr(msg) if msg.contains("404") => Ok(serde_json::Value::Null),
-                _ => Err(e),
-            })?;
-        Ok(())
-    }
-
-    async fn exists(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<bool> {
-        match self.get(w_id, oauth_data, external_id, db, tx).await {
-            Ok(_) => Ok(true),
-            Err(Error::NotFound(_)) => Ok(false),
-            Err(e) => Err(e),
-        }
-    }
-
-    /// Background maintenance. Choose the right pattern for your service:
-    /// - For services with queryable external state: use reconcile_with_external_state()
-    /// - For channel-based services with expiration: implement renewal logic
-    async fn maintain_triggers(
-        &self,
-        db: &DB,
-        workspace_id: &str,
-        triggers: &[NativeTrigger],
-        oauth_data: &Self::OAuthData,
-        synced: &mut Vec<TriggerSyncInfo>,
-        errors: &mut Vec<SyncError>,
-    ) {
-        // Option A: Reconcile with external state (Nextcloud pattern)
-        // Fetch all triggers from external service and compare with DB
-        let external_triggers = match self.list_all(workspace_id, oauth_data, db).await {
-            Ok(triggers) => triggers,
-            Err(e) => {
-                errors.push(SyncError {
-                    resource_path: format!("workspace:{}", workspace_id),
-                    error_message: format!("Failed to list triggers: {}", e),
-                    error_type: "api_error".to_string(),
-                });
-                return;
-            }
-        };
-
-        // Convert to (external_id, config_json) pairs
-        let external_pairs: Vec<(String, serde_json::Value)> = external_triggers
-            .into_iter()
-            .map(|t| (t.id.clone(), serde_json::to_value(&t).unwrap_or_default()))
-            .collect();
-
-        crate::sync::reconcile_with_external_state(
-            db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-        ).await;
-    }
-
-    fn external_id_and_metadata_from_response(
-        &self,
-        resp: &Self::CreateResponse,
-    ) -> (String, Option<serde_json::Value>) {
-        (resp.id.clone(), None)
-    }
-
-    // service_config_from_create_response: NOT overridden (returns None).
-    // This means the handler uses the update+get pattern after create.
-    // Override and return Some(...) to skip the update+get cycle (Google pattern).
-}
-
-impl NewService {
-    /// Private helper to list all triggers from the external service.
-    async fn list_all(
-        &self,
-        w_id: &str,
-        oauth_data: &<Self as External>::OAuthData,
-        db: &DB,
-    ) -> Result<Vec<<Self as External>::TriggerData>> {
-        // Implementation depends on the external service's API
-        todo!()
-    }
-}
-```
-
-### Step 4: Update lib.rs Registry
-
-In `backend/windmill-native-triggers/src/lib.rs`:
-
-```rust
-// Service modules - add new services here:
-#[cfg(feature = "native_trigger")]
-pub mod newservice;  // <-- Add this
-
-// ServiceName enum - add variant:
-pub enum ServiceName {
-    Nextcloud,
-    Google,
-    NewService,  // <-- Add this
-}
-
-// Then add match arms in ALL ServiceName methods:
-// as_str(), as_trigger_kind(), as_job_trigger_kind(), token_endpoint(),
-// auth_endpoint(), oauth_scopes(), resource_type(), extra_auth_params(),
-// integration_service(), TryFrom<String>, Display
-```
-
-### Step 5: Update handler.rs Routes
-
-In `backend/windmill-native-triggers/src/handler.rs`:
-
-```rust
-pub fn generate_native_trigger_routers() -> Router {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-        return router
-            .nest("/nextcloud", service_routes(NextCloud))
-            .nest("/google", service_routes(Google))
-            .nest("/newservice", service_routes(NewService));  // <-- Add this
-    }
-    // ...
-}
-```
-
-### Step 6: Update sync.rs
-
-In `backend/windmill-native-triggers/src/sync.rs`:
-
-```rust
-pub async fn sync_all_triggers(db: &DB) -> Result<BackgroundSyncResult> {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-
-        // ... existing service syncs ...
-
-        // New service sync
-        let (service_name, result) = sync_service_triggers(db, NewService).await;
-        total_synced += result.synced_triggers.len();
-        total_errors += result.errors.len();
-        service_results.insert(service_name, result);
-    }
-    // ...
-}
-```
-
-### Step 7: Frontend Service Registry
-
-In `frontend/src/lib/components/triggers/native/utils.ts`:
-
-Add to `NATIVE_TRIGGER_SERVICES`, `getTriggerIconName()`, and `getServiceIcon()`.
-
-### Step 8: Frontend Trigger Form Component
-
-Create: `frontend/src/lib/components/triggers/native/services/newservice/NewServiceTriggerForm.svelte`
-
-### Step 9: Frontend Icon Component
-
-Create: `frontend/src/lib/components/icons/NewServiceIcon.svelte`
-
-### Step 10: Update NativeTriggerEditor
-
-Check `frontend/src/lib/components/triggers/native/NativeTriggerEditor.svelte` to ensure it dynamically loads form components based on service name.
-
-### Step 11: Workspace Integration UI
-
-Add your service to the `supportedServices` map in `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte`:
-
-```typescript
-const supportedServices: Record<string, ServiceConfig> = {
-    // ... existing services ...
-    newservice: {
-        name: 'newservice',
-        displayName: 'New Service',
-        description: 'Connect to New Service for triggers',
-        icon: NewServiceIcon,
-        docsUrl: 'https://www.windmill.dev/docs/integrations/newservice',
-        requiresBaseUrl: false,  // false for cloud services, true for self-hosted
-        setupInstructions: [
-            'Step 1: Create an OAuth app on the service',
-            'Step 2: Configure the redirect URI shown below',
-            'Step 3: Enter the client credentials below'
-        ]
-    }
-}
-```
-
-### Step 12: Update `frontend/src/lib/components/triggers/utils.ts`
-
-Update ALL of these maps/functions:
-1. `triggerIconMap` - import and add icon
-2. `triggerDisplayNamesMap` - add display name
-3. `triggerTypeOrder` in `sortTriggers()` - add type
-4. `getLightConfig()` - add case for your service
-5. `getTriggerLabel()` - add case for your service
-6. `jobTriggerKinds` - add to array
-7. `countPropertyMap` - add count property
-8. `triggerSaveFunctions` - add save function
-
-### Step 13: Update TriggersBadge Component
-
-In `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte`:
-
-1. Import the icon
-2. Add to `baseConfig` with `countKey` (the dynamic `availableNativeServices` loop does NOT set `countKey`)
-3. Add to the `allTypes` array
-
-### Step 14: Update TriggersWrapper.svelte
-
-In `frontend/src/lib/components/triggers/TriggersWrapper.svelte`:
-
-Add a `{:else if selectedTrigger.type === 'yourservice'}` case that renders `<NativeTriggersPanel service="yourservice" ...>` with the same props pattern as the existing native trigger cases (e.g., `nextcloud`).
-
-### Step 15: Update AddTriggersButton.svelte
-
-In `frontend/src/lib/components/triggers/AddTriggersButton.svelte`:
-
-1. Add `yourserviceAvailable` state variable
-2. Add `setYourserviceState()` async function using `isServiceAvailable('yourservice', $workspaceStore!)`
-3. Call it at module level
-4. Add a dropdown entry to `addTriggerItems` with `hidden: !yourserviceAvailable`
-
-### Step 16: Update TriggersEditor.svelte Delete Handling
-
-In `frontend/src/lib/components/triggers/TriggersEditor.svelte`:
-
-Add your service to the `nativeTriggerServices` map in `deleteDeployedTrigger()`. Native triggers use `NativeTriggerService.deleteNativeTrigger({ workspace, serviceName, externalId })` instead of the standard `path`-based delete.
-
-### Step 17: Update OpenAPI Spec and Regenerate Types
-
-Add to `JobTriggerKind` enum in `backend/windmill-api/openapi.yaml`, then:
-
-```bash
-cd frontend && npm run generate-backend-client
-```
-
----
-
-## Special Patterns
-
-### Unified Service with `trigger_type` (Google Pattern)
-
-When a single service handles multiple trigger types (e.g., Google Drive + Calendar share OAuth and API patterns), use a single `ServiceName` variant with a discriminator field:
-
-```rust
-pub enum GoogleTriggerType { Drive, Calendar }
-
-pub struct GoogleServiceConfig {
-    pub trigger_type: GoogleTriggerType,
-    // Drive-specific fields (only used when trigger_type = Drive)
-    pub resource_id: Option<String>,
-    pub resource_name: Option<String>,
-    // Calendar-specific fields (only used when trigger_type = Calendar)
-    pub calendar_id: Option<String>,
-    pub calendar_name: Option<String>,
-    // Metadata set after creation
-    pub google_resource_id: Option<String>,
-    pub expiration: Option<String>,
-}
-```
-
-Branch in trait methods based on `trigger_type`. Frontend uses a `ToggleButtonGroup` to switch between types. This keeps the codebase simpler (one service, one OAuth flow, one set of routes).
-
-See `backend/windmill-native-triggers/src/google/` for the reference implementation.
-
-### Skipping update+get After Create (Google Pattern)
-
-Override `service_config_from_create_response()` to return `Some(config)` when the external_id is known before the create call:
-
-```rust
-fn service_config_from_create_response(
-    &self,
-    data: &NativeTriggerData<Self::ServiceConfig>,
-    resp: &Self::CreateResponse,
-) -> Option<serde_json::Value> {
-    // Clone input config, add metadata from response
-    let mut config = data.service_config.clone();
-    config.google_resource_id = Some(resp.resource_id.clone());
-    config.expiration = Some(resp.expiration.clone());
-    Some(serde_json::to_value(&config).unwrap())
-}
-```
-
-### Services with Absolute OAuth Endpoints (Google)
-
-Unlike self-hosted services where OAuth endpoints are relative paths appended to `base_url`, services like Google have absolute URLs:
-
-```rust
-// Nextcloud: relative paths
-ServiceName::Nextcloud => "/apps/oauth2/api/v1/token",
-// Google: absolute URLs
-ServiceName::Google => "https://oauth2.googleapis.com/token",
-```
-
-The `resolve_endpoint()` function handles both. For services with absolute endpoints:
-- `base_url` can be empty
-- `requiresBaseUrl: false` in the frontend workspace integration config
-- Add `extra_auth_params()` if needed (Google requires `access_type=offline` and `prompt=consent`)
-
-### Channel-Based Push Notifications with Renewal (Google Pattern)
-
-For services using expiring watch channels instead of persistent webhooks:
-
-1. Store expiration in `service_config` (as part of `ServiceConfig`)
-2. In `maintain_triggers()`, implement renewal logic instead of using `reconcile_with_external_state()`:
-   ```rust
-   async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors) {
-       for trigger in triggers {
-           if should_renew_channel(trigger) {
-               self.renew_channel(db, trigger, oauth_data).await;
-           }
-       }
-   }
-   ```
-3. Renewal: best-effort stop old channel, create new one with same external_id, update service_config with new expiration
-4. Google example: Drive channels expire in 24h (renew when <1h left), Calendar channels expire in 7 days (renew when <1 day left)
-
-### reconcile_with_external_state (Nextcloud Pattern)
-
-The reusable function in `sync.rs` compares external triggers with DB state:
-- Triggers missing externally: sets error "Trigger no longer exists on external service"
-- Triggers present externally: clears errors, updates service_config if it differs
-
-Usage in `maintain_triggers()`:
-```rust
-let external_pairs: Vec<(String, serde_json::Value)> = /* fetch from external */;
-crate::sync::reconcile_with_external_state(
-    db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-).await;
-```
-
-### Webhook Payload Processing
-
-Override `prepare_webhook()` to parse service-specific payloads into script/flow args:
-
-```rust
-async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned> {
-    let mut args = HashMap::new();
-    args.insert("event_type".to_string(), Box::new(headers.get("x-event-type").cloned()) as _);
-    args.insert("payload".to_string(), Box::new(serde_json::from_str::<serde_json::Value>(&body)?) as _);
-    Ok(PushArgsOwned { extra: None, args })
-}
-```
-
-Then register in `prepare_native_trigger_args()` in `lib.rs`:
-```rust
-pub async fn prepare_native_trigger_args(service_name, db, w_id, headers, body) -> Result<Option<PushArgsOwned>> {
-    match service_name {
-        ServiceName::Google => { /* ... */ Ok(Some(args)) }
-        ServiceName::NewService => { /* ... */ Ok(Some(args)) }
-        ServiceName::Nextcloud => Ok(None), // Uses default body parsing
-    }
-}
-```
-
-### Instance-Level OAuth Credentials
-
-When `workspace_integrations.oauth_data.instance_shared == true`, `decrypt_oauth_data()` reads `client_id` and `client_secret` from instance-level global settings instead of workspace-level. This allows admins to share OAuth app credentials across workspaces.
-
-The frontend handles this via the `generate_instance_connect_url` endpoint in `workspace_integrations.rs`.
-
----
-
-## Testing Checklist
-
-- [ ] Database migration runs successfully
-- [ ] `cargo check -p windmill-native-triggers --features native_trigger` passes
-- [ ] `npx svelte-check --threshold error` passes (in frontend/)
-- [ ] Service appears in workspace integrations list
-- [ ] OAuth flow completes successfully
-- [ ] Can create a new trigger
-- [ ] Can view trigger details
-- [ ] Can update trigger configuration
-- [ ] Can delete trigger
-- [ ] Webhook receives and processes payloads
-- [ ] Background sync works correctly (reconciliation or channel renewal)
-- [ ] Error handling works (expired tokens, service unavailable)
-
----
-
-## Reference Implementations
-
-### Nextcloud (Self-Hosted, Update+Get Pattern)
-
-| File | Purpose |
-|------|---------|
-| `nextcloud/mod.rs` | Types: NextCloudOAuthData, NextcloudServiceConfig, NextCloudTriggerData |
-| `nextcloud/external.rs` | External trait: uses update+get pattern, reconcile_with_external_state for sync |
-| `nextcloud/routes.rs` | Additional route: `GET /events` |
-
-Key patterns: relative OAuth endpoints, base_url required, list_all + reconcile for sync, update returns JSON from get().
-
-### Google (Cloud, Unified Service, Short Create)
-
-| File | Purpose |
-|------|---------|
-| `google/mod.rs` | Types: GoogleServiceConfig with trigger_type discriminator, GoogleTriggerType enum |
-| `google/external.rs` | External trait: overrides service_config_from_create_response, channel renewal for sync |
-| `google/routes.rs` | Additional routes: `GET /calendars`, `GET /drive/files`, `GET /drive/shared_drives` |
-
-Key patterns: absolute OAuth endpoints, empty base_url, trigger_type for Drive/Calendar, expiring watch channels with renewal, service_config_from_create_response skips update+get, get() reconstructs data from stored service_config (no external "get channel" API).

.claude/skills/pr/SKILL.md

@@ -1,87 +0,0 @@
----
-name: pr
-user_invocable: true
-description: Open a draft pull request on GitHub. MUST use when you want to create/open a PR.
----
-
-# Pull Request Skill
-
-Create a draft pull request with a clear title and explicit description of changes.
-
-## Instructions
-
-1. **Analyze branch changes**: Understand all commits since diverging from main
-2. **Push to remote**: Ensure all commits are pushed
-3. **Create draft PR**: Always open as draft for review before merging
-
-## PR Title Format
-
-Follow conventional commit format for the PR title:
-```
-<type>: <description>
-```
-
-### Types
-- `feat`: New feature or capability
-- `fix`: Bug fix
-- `refactor`: Code restructuring
-- `docs`: Documentation changes
-- `chore`: Maintenance tasks
-- `perf`: Performance improvements
-
-### Title Rules
-- Keep under 70 characters
-- Use lowercase, imperative mood
-- No period at the end
-
-## PR Body Format
-
-The body MUST be explicit about what changed. Structure:
-
-```markdown
-## Summary
-<Clear description of what this PR does and why>
-
-## Changes
-- <Specific change 1>
-- <Specific change 2>
-- <Specific change 3>
-
-## Test plan
-- [ ] <How to verify change 1>
-- [ ] <How to verify change 2>
-
----
-Generated with [Claude Code](https://claude.com/claude-code)
-```
-
-## Execution Steps
-
-1. Run `git status` to check for uncommitted changes
-2. Run `git log main..HEAD --oneline` to see all commits in this branch
-3. Run `git diff main...HEAD` to see the full diff against main
-4. Check if remote branch exists and is up to date:
-   ```bash
-   git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null || echo "no upstream"
-   ```
-5. Push to remote if needed: `git push -u origin HEAD`
-6. Create draft PR using gh CLI:
-   ```bash
-   gh pr create --draft --title "<type>: <description>" --body "$(cat <<'EOF'
-   ## Summary
-   <description>
-
-   ## Changes
-   - <change 1>
-   - <change 2>
-
-   ## Test plan
-   - [ ] <test 1>
-   - [ ] <test 2>
-
-   ---
-   Generated with [Claude Code](https://claude.com/claude-code)
-   EOF
-   )"
-   ```
-7. Return the PR URL to the user

.claude/skills/rust-backend/SKILL.md

@@ -1,495 +0,0 @@
----
-name: rust-backend
-description: Rust coding guidelines for the Windmill backend. MUST use when writing or modifying Rust code in the backend directory.
----
-
-# Rust Backend Coding Guidelines
-
-Apply these patterns when writing or modifying Rust code in the `backend/` directory.
-
-## Data Structure Design
-
-Choose between `struct`, `enum`, or `newtype` based on domain needs:
-
-- Use `enum` for state machines instead of boolean flags or loosely related fields
-- Model invariants explicitly using types (e.g., `NonZeroU32`, `Duration`, custom enums)
-- Consider ownership of each field:
-  - Use `&str` vs `String`, slices vs vectors
-  - Use `Arc<T>` when sharing across threads
-  - Use `Cow<'a, T>` for flexible ownership
-
-```rust
-// State machine with enum
-enum JobState {
-    Pending { scheduled_for: DateTime<Utc> },
-    Running { started_at: DateTime<Utc>, worker: String },
-    Completed { result: JobResult, duration_ms: i64 },
-    Failed { error: String, retries: u32 },
-}
-
-// Avoid multiple booleans
-struct Job {
-    is_pending: bool,   // Don't do this
-    is_running: bool,
-    is_completed: bool,
-}
-```
-
-## Impl Block Organization
-
-Place `impl` blocks immediately below the struct/enum they modify. Group methods logically:
-
-```rust
-struct JobQueue {
-    jobs: Vec<Job>,
-    capacity: usize,
-}
-
-impl JobQueue {
-    // Constructors first
-    pub fn new(capacity: usize) -> Self { ... }
-    pub fn with_jobs(jobs: Vec<Job>) -> Self { ... }
-
-    // Getters
-    pub fn len(&self) -> usize { ... }
-    pub fn is_empty(&self) -> bool { ... }
-
-    // Mutation methods
-    pub fn push(&mut self, job: Job) -> Result<()> { ... }
-    pub fn pop(&mut self) -> Option<Job> { ... }
-
-    // Domain logic
-    pub fn next_scheduled(&self) -> Option<&Job> { ... }
-}
-```
-
-## Iterator Chains Over For-Loops
-
-Prefer functional iterator chains (`.filter().map().collect()`) over imperative for-loops:
-
-```rust
-// Preferred
-let results: Vec<_> = items
-    .iter()
-    .filter(|item| item.is_valid())
-    .map(|item| item.transform())
-    .collect();
-
-// Avoid
-let mut results = Vec::new();
-for item in items.iter() {
-    if item.is_valid() {
-        results.push(item.transform());
-    }
-}
-```
-
-## Error Handling
-
-Use the `Error` type from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>` for fallible functions:
-
-```rust
-use windmill_common::error::{Error, Result};
-
-// Use ? operator for propagation
-pub async fn get_job(db: &DB, id: Uuid) -> Result<Job> {
-    let job = sqlx::query_as!(Job, "SELECT ... WHERE id = $1", id)
-        .fetch_optional(db)
-        .await?
-        .ok_or_else(|| Error::NotFound("job not found".to_string()))?;
-    Ok(job)
-}
-```
-
-Prefer `if let` for optional handling. Use `let...else` when early return makes code clearer:
-
-```rust
-let Some(config) = get_config() else {
-    return Err(Error::MissingConfig);
-};
-```
-
-Never panic in library code. Reserve `.unwrap()` for cases with compile-time guarantees. Keep functions short to help lifetime inference and clarity.
-
-## Early Returns
-
-Return early to avoid deep nesting. Handle error cases and edge conditions first:
-
-```rust
-// Preferred - early returns
-fn process_job(job: Option<Job>) -> Result<Output> {
-    let Some(job) = job else {
-        return Ok(Output::default());
-    };
-
-    if !job.is_valid() {
-        return Err(Error::InvalidJob);
-    }
-
-    if job.is_cached() {
-        return Ok(job.cached_result());
-    }
-
-    // Main logic at the end, not nested
-    execute_job(job)
-}
-
-// Avoid - deep nesting
-fn process_job(job: Option<Job>) -> Result<Output> {
-    if let Some(job) = job {
-        if job.is_valid() {
-            if !job.is_cached() {
-                execute_job(job)
-            } else {
-                Ok(job.cached_result())
-            }
-        } else {
-            Err(Error::InvalidJob)
-        }
-    } else {
-        Ok(Output::default())
-    }
-}
-```
-
-## Variable Shadowing
-
-Shadow variables instead of creating new names with prefixes:
-
-```rust
-// Preferred
-let data = fetch_raw_data();
-let data = parse(data);
-let data = validate(data)?;
-
-// Avoid
-let raw_data = fetch_raw_data();
-let parsed_data = parse(raw_data);
-let validated_data = validate(parsed_data)?;
-```
-
-## Minimal Comments
-
-- No inline comments explaining obvious code
-- No TODO/FIXME comments in committed code
-- Doc comments (`///`) only on public items
-- Let code be self-documenting through clear naming
-
-## Type Safety
-
-Use enums over boolean flags for clarity:
-
-```rust
-// Preferred
-enum JobStatus {
-    Pending,
-    Running,
-    Completed,
-}
-
-// Avoid
-struct Job {
-    is_running: bool,
-    is_completed: bool,
-}
-```
-
-## Pattern Matching
-
-Prefer explicit matching. Use wildcards strategically for fallback cases or ignored fields:
-
-```rust
-// Explicit matching preferred
-match status {
-    JobStatus::Pending => handle_pending(),
-    JobStatus::Running => handle_running(),
-    JobStatus::Completed => handle_completed(),
-}
-
-// Wildcards OK for fallback
-match result {
-    Ok(value) => process(value),
-    Err(_) => return default_value(),
-}
-
-// Wildcards OK for ignoring fields in destructuring
-let Point { x, y, .. } = point;
-```
-
-## Destructuring in Function Signatures
-
-Destructure structs directly in function parameters:
-
-```rust
-// Preferred
-async fn process_job(
-    Extension(db): Extension<DB>,
-    Path((workspace, job_id)): Path<(String, Uuid)>,
-    Query(pagination): Query<Pagination>,
-) -> Result<Json<Job>> {
-    // ...
-}
-
-// Avoid
-async fn process_job(
-    db_ext: Extension<DB>,
-    path: Path<(String, Uuid)>,
-    query: Query<Pagination>,
-) -> Result<Json<Job>> {
-    let Extension(db) = db_ext;
-    let Path((workspace, job_id)) = path;
-    // ...
-}
-```
-
-## Trait Implementations
-
-Use standard trait implementations to simplify conversions and reduce boilerplate:
-
-```rust
-// Implement From/Into for type conversions
-impl From<DbJob> for ApiJob {
-    fn from(db: DbJob) -> Self {
-        ApiJob {
-            id: db.id,
-            status: db.status.into(),
-        }
-    }
-}
-
-// Use TryFrom for fallible conversions
-impl TryFrom<String> for JobKind {
-    type Error = Error;
-    fn try_from(s: String) -> Result<Self, Self::Error> { ... }
-}
-```
-
-Apply `derive` macros to reduce boilerplate:
-
-```rust
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct Job { ... }
-```
-
-## Module Structure
-
-- Use `pub(crate)` instead of `pub` when possible; expose only what needs exposing
-- Keep APIs small and expressive; avoid leaking internal types
-- Organize code into modules reflecting ownership and domain boundaries
-
-```rust
-// Prefer restricted visibility
-pub(crate) fn internal_helper() { ... }
-
-// Only pub for external API
-pub fn create_job(...) -> Result<Job> { ... }
-```
-
-## Code Navigation
-
-Always use rust-analyzer LSP for:
-- Go to definition
-- Find references
-- Type information
-- Import resolution
-
-Do not guess at module paths or type definitions.
-
-## JSON Handling
-
-Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when:
-- Storing JSON in the database (JSONB columns)
-- Passing JSON through without modification
-- The JSON structure doesn't need inspection
-
-```rust
-// Preferred - avoids parsing/serialization overhead
-pub struct Job {
-    pub id: Uuid,
-    pub args: Option<Box<serde_json::value::RawValue>>,
-}
-
-// Only use Value when you need to inspect/modify JSON
-let value: serde_json::Value = serde_json::from_str(&json)?;
-if let Some(field) = value.get("field") {
-    // modify or inspect
-}
-```
-
-## Serde Optimizations
-
-Use serde attributes to optimize serialization:
-
-```rust
-#[derive(Serialize, Deserialize)]
-pub struct Job {
-    #[serde(rename = "jobId")]
-    pub id: Uuid,
-
-    #[serde(default)]
-    pub priority: i32,
-
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub parent_job: Option<Uuid>,
-
-    #[serde(skip_serializing_if = "Vec::is_empty")]
-    pub tags: Vec<String>,
-}
-```
-
-Prefer borrowing for zero-copy deserialization when lifetimes allow:
-
-```rust
-#[derive(Deserialize)]
-pub struct JobInput<'a> {
-    #[serde(borrow)]
-    pub workspace_id: Cow<'a, str>,
-
-    #[serde(borrow)]
-    pub script_path: &'a str,
-}
-```
-
-## SQLx Patterns
-
-**Never use `SELECT *`** - always list columns explicitly. This is critical for backwards compatibility when workers run behind the API server version:
-
-```rust
-// Preferred - explicit columns
-sqlx::query_as!(
-    Job,
-    "SELECT id, workspace_id, path, created_at FROM v2_job WHERE id = $1",
-    job_id
-)
-
-// Avoid - breaks when columns are added
-sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", job_id)
-```
-
-Use batch operations to minimize round trips:
-
-```rust
-// Preferred - single query with multiple values
-sqlx::query!(
-    "INSERT INTO job_logs (job_id, logs) VALUES ($1, $2), ($3, $4)",
-    id1, log1, id2, log2
-)
-
-// Avoid N+1 queries
-for id in ids {
-    sqlx::query!("SELECT ... WHERE id = $1", id).fetch_one(db).await?;
-}
-
-// Preferred - single query with IN clause
-sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
-```
-
-Use transactions for multi-step operations and parameterize all queries.
-
-## Async & Tokio Patterns
-
-Never block the async runtime. Use `spawn_blocking` for CPU-intensive or blocking I/O:
-
-```rust
-// Preferred - offload blocking work
-let result = tokio::task::spawn_blocking(move || {
-    expensive_computation(&data)
-}).await?;
-
-// Avoid - blocks the runtime
-let result = expensive_computation(&data);  // Don't do this in async
-```
-
-Use tokio primitives for sleep and channels:
-
-```rust
-use tokio::sync::mpsc;
-use tokio::time::sleep;
-
-// Avoid in async contexts
-use std::thread::sleep; // Blocks the runtime
-```
-
-Use bounded channels for backpressure:
-
-```rust
-// Preferred - bounded channel prevents overwhelming
-let (tx, rx) = tokio::sync::mpsc::channel(100);
-
-// Be careful with unbounded
-let (tx, rx) = tokio::sync::mpsc::unbounded_channel();
-```
-
-## Mutex Selection in Async Code
-
-**Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) over `tokio::sync::Mutex`** for protecting data in async code. The async mutex is more expensive and only needed when holding locks across `.await` points.
-
-```rust
-// Preferred for data protection - std mutex is faster
-use std::sync::Mutex;
-
-struct Cache {
-    data: Mutex<HashMap<String, Value>>,
-}
-
-impl Cache {
-    fn get(&self, key: &str) -> Option<Value> {
-        self.data.lock().unwrap().get(key).cloned()
-    }
-
-    fn insert(&self, key: String, value: Value) {
-        self.data.lock().unwrap().insert(key, value);
-    }
-}
-```
-
-**Use `tokio::sync::Mutex` only when you must hold the lock across `.await` points**, typically for IO resources like database connections:
-
-```rust
-use tokio::sync::Mutex;
-use std::sync::Arc;
-
-// Async mutex for IO resources held across await points
-let conn = Arc::new(Mutex::new(db_connection));
-
-async fn execute_query(conn: Arc<Mutex<DbConn>>, query: &str) {
-    let mut lock = conn.lock().await;
-    lock.execute(query).await;  // Lock held across .await
-}
-```
-
-**Common pattern**: Wrap `Arc<Mutex<...>>` in a struct with non-async methods that lock internally, keeping lock scope minimal:
-
-```rust
-struct SharedState {
-    inner: std::sync::Mutex<StateInner>,
-}
-
-impl SharedState {
-    fn update(&self, value: i32) {
-        self.inner.lock().unwrap().value = value;
-    }
-
-    fn get(&self) -> i32 {
-        self.inner.lock().unwrap().value
-    }
-}
-```
-
-**Alternative for IO resources**: Spawn a dedicated task to manage the resource and communicate via message passing:
-
-```rust
-let (tx, mut rx) = tokio::sync::mpsc::channel(32);
-
-tokio::spawn(async move {
-    while let Some(cmd) = rx.recv().await {
-        handle_io_command(&mut resource, cmd).await;
-    }
-});
-```
-
-## Build & Tooling
-
-Build speed tips:
-- Use `cargo check` during rapid iteration over `cargo build`
-- Minimize unnecessary dependencies and feature flags

.claude/skills/svelte-frontend/SKILL.md

@@ -1,229 +0,0 @@
----
-name: svelte-frontend
-description: Svelte coding guidelines for the Windmill frontend. MUST use when writing or modifying code in the frontend directory.
----
-
-# Svelte 5 Best Practices
-
-This guide outlines best practices for developing with Svelte 5, incorporating the new Runes API and other modern Svelte features. These rules MUST NOT be applied on svelte 4 files unless explicitly asked to do so.
-
-## Reactivity with Runes
-
-Svelte 5 introduces Runes for more explicit and flexible reactivity.
-
-1.  **Embrace Runes for State Management**:
-    *   Use `$state` for reactive local component state.
-        ```svelte
-        <script>
-          let count = $state(0);
-
-          function increment() {
-            count += 1;
-          }
-        </script>
-
-        <button onclick={increment}>
-          Clicked {count} {count === 1 ? 'time' : 'times'}
-        </button>
-        ```
-    *   Use `$derived` for computed values based on other reactive state.
-        ```svelte
-        <script>
-          let count = $state(0);
-          const doubled = $derived(count * 2);
-        </script>
-
-        <p>{count} * 2 = {doubled}</p>
-        ```
-    *   Use `$effect` for side effects that need to run when reactive values change (e.g., logging, manual DOM manipulation, data fetching). Remember `$effect` does not run on the server.
-        ```svelte
-        <script>
-          let count = $state(0);
-
-          $effect(() => {
-            console.log('The count is now', count);
-            if (count > 5) {
-              alert('Count is too high!');
-            }
-          });
-        </script>
-        ```
-
-2.  **Props with `$props`**:
-    *   Declare component props using `$props()`. This offers better clarity and flexibility compared to `export let`.
-        ```svelte
-        <script>
-          // ChildComponent.svelte
-          let { name, age = $state(30) } = $props();
-        </script>
-
-        <p>Name: {name}</p>
-        <p>Age: {age}</p>
-        ```
-    *   For bindable props, use `$bindable`.
-        ```svelte
-        <script>
-          // MyInput.svelte
-          let { value = $bindable() } = $props();
-        </script>
-
-        <input bind:value />
-        ```
-
-## Event Handling
-
-*   **Use direct event attributes**: Svelte 5 moves away from `on:` directives for DOM events.
-    *   **Do**: `<button onclick={handleClick}>...</button>`
-    *   **Don't**: `<button on:click={handleClick}>...</button>`
-*   **For component events, prefer callback props**: Instead of `createEventDispatcher`, pass functions as props.
-    ```svelte
-    <!-- Parent.svelte -->
-    <script>
-      import Child from './Child.svelte';
-      let message = $state('');
-      function handleChildEvent(detail) {
-        message = detail;
-      }
-    </script>
-    <Child onCustomEvent={handleChildEvent} />
-    <p>Message from child: {message}</p>
-
-    <!-- Child.svelte -->
-    <script>
-      let { onCustomEvent } = $props();
-      function emitEvent() {
-        onCustomEvent('Hello from child!');
-      }
-    </script>
-    <button onclick={emitEvent}>Send Event</button>
-    ```
-
-## Snippets for Content Projection
-
-*   **Use `{#snippet ...}` and `{@render ...}` instead of slots**: Snippets are more powerful and flexible.
-    ```svelte
-    <!-- Parent.svelte -->
-    <script>
-      import Card from './Card.svelte';
-    </script>
-
-    <Card>
-      {#snippet title()}
-        My Awesome Title
-      {/snippet}
-      {#snippet content()}
-        <p>Some interesting content here.</p>
-      {/snippet}
-    </Card>
-
-    <!-- Card.svelte -->
-    <script>
-      let { title, content } = $props();
-    </script>
-
-    <article>
-      <header>{@render title()}</header>
-      <div>{@render content()}</div>
-    </article>
-    ```
-*   Default content is passed via the `children` prop (which is a snippet).
-    ```svelte
-    <!-- Wrapper.svelte -->
-    <script>
-      let { children } = $props();
-    </script>
-    <div>
-      {@render children?.()}
-    </div>
-    ```
-
-## Component Design
-
-1.  **Create Small, Reusable Components**: Break down complex UIs into smaller, focused components. Each component should have a single responsibility. This also aids performance by limiting the scope of reactivity updates.
-2.  **Descriptive Naming**: Use clear and descriptive names for variables, functions, and components.
-3.  **Minimize Logic in Components**: Move complex business logic to utility functions or services. Keep components focused on presentation and interaction.
-
-## State Management (Stores)
-
-1.  **Segment Stores**: Avoid a single global store. Create multiple stores, each responsible for a specific piece of global state (e.g., `userStore.js`, `themeStore.js`). This can help limit reactivity updates to only the parts of the UI that depend on specific state segments.
-2.  **Use Custom Stores for Complex Logic**: For stores with related methods, create custom stores.
-    ```javascript
-    // counterStore.js
-    import { writable } from 'svelte/store';
-
-    function createCounter() {
-      const { subscribe, set, update } = writable(0);
-
-      return {
-        subscribe,
-        increment: () => update(n => n + 1),
-        decrement: () => update(n => n - 1),
-        reset: () => set(0)
-      };
-    }
-    export const counter = createCounter();
-    ```
-3.  **Use Context API for Localized State**: For state shared within a component subtree, consider Svelte's context API (`setContext`, `getContext`) instead of global stores when the state doesn't need to be truly global.
-
-## Performance Optimizations (Svelte 5)
-
-When generating Svelte 5 code, prioritize frontend performance by applying the following principles:
-
-### General Svelte 5 Principles
-
--   **Leverage the Compiler:** Trust Svelte's compiler to generate optimized JavaScript. Avoid manual DOM manipulation (`document.querySelector`, etc.) unless absolutely necessary for integrating third-party libraries that lack Svelte adapters.
--   **Keep Components Small and Focused:** Reinforcing from Component Design, smaller components lead to less complex reactivity graphs and more targeted, efficient updates.
-
-### Reactivity & State Management
-
--   **Optimize Computations with `$derived`:** Always use `$derived` for computed values that depend on other state. This ensures the computation only runs when its specific dependencies change, avoiding unnecessary work compared to recomputing derived values in `$effect` or less efficient methods.
--   **Minimize `$effect` Usage:** Use `$effect` sparingly and only for true side effects that interact with the outside world or non-Svelte state. Avoid putting complex logic or state updates *within* an `$effect` unless those updates are explicitly intended as a reaction to external changes or non-Svelte state. Excessive or complex effects can impact rendering performance.
--   **Structure State for Fine-Grained Updates:** Design your `$state` objects or variables such that updates affect only the necessary parts of the UI. Avoid putting too much unrelated state into a single large object that gets frequently updated, as this can potentially trigger broader updates than necessary. Consider normalizing complex, nested state.
-
-### List Rendering (`{#each}`)
-
--   **Mandate `key` Attribute:** Always use a `key` attribute (`{#each items as item (item.id)}`) that refers to a unique, stable identifier for each item in a list. This is critical for allowing Svelte to efficiently update, reorder, add, or remove list items without destroying and re-creating unnecessary DOM elements and component instances.
-
-### Component Loading & Bundling
-
--   **Implement Lazy Loading/Code Splitting:** For routes, components, or modules that are not immediately needed on page load, use dynamic imports (`import(...)`) to split the code bundle. SvelteKit handles this automatically for routes, but it can be applied manually to components using helper patterns if needed.
--   **Be Mindful of Third-Party Libraries:** When incorporating external libraries, import only the necessary functions or components to minimize the final bundle size. Prefer libraries designed to be tree-shakeable.
-
-### Rendering & DOM
-
--   **Use CSS for Animations/Transitions:** Prefer CSS animations or transitions where possible for performance. Svelte's built-in `transition:` directive is also highly optimized and should be used for complex state-driven transitions, but simple cases can often use plain CSS.
--   **Optimize Image Loading:** Implement best practices for images: use optimized formats (WebP, AVIF), lazy loading (`loading="lazy"`), and responsive images (`<picture>`, `srcset`) to avoid loading unnecessarily large images.
-
-### Server-Side Rendering (SSR) & Hydration
-
--   **Ensure SSR Compatibility:** Write components that can be rendered on the server for faster initial page loads. Avoid relying on browser-specific APIs (like `window` or `document`) in the main `<script>` context. If necessary, use `$effect` or check `if (browser)` inside effects to run browser-specific code only on the client.
--   **Minimize Work During Hydration:** Structure components and data fetching such that minimal complex setup or computation is required when the client-side Svelte code takes over from the server-rendered HTML. Heavy synchronous work during hydration can block the main thread.
-
-## General Clean Code Practices
-
-1.  **Organized File Structure**: Group related files together. A common structure:
-    ```
-    /src
-    |-- /routes      // Page components (if using a router like SvelteKit)
-    |-- /lib         // Utility functions, services, constants (SvelteKit often uses this)
-    |   |-- /stores
-    |   |-- /utils
-    |   |-- /services
-    |   |-- /components  // Reusable UI components
-    |-- App.svelte
-    |-- main.js (or main.ts)
-    ```
-2.  **Scoped Styles**: Keep CSS scoped to components to avoid unintended side effects and improve maintainability. Avoid `:global` where possible.
-3.  **Immutability**: With Svelte 5 and `$state`, direct assignments to properties of `$state` objects (`obj.prop = value;`) are generally fine as Svelte's reactivity system handles updates. However, for non-rune state or when interacting with other systems, understanding and sometimes preferring immutable updates (creating new objects/arrays) can still be relevant.
-4.  **Use `class:` and `style:` directives**: For dynamic classes and styles, use Svelte's built-in directives for cleaner templates and potentially optimized updates.
-    ```svelte
-    <script>
-      let isActive = $state(true);
-      let color = $state('blue');
-    </script>
-
-    <div class:active={isActive} style:color={color}>
-      Hello
-    </div>
-    ```
-5.  **Stay Updated**: Keep Svelte and its related packages up to date to benefit from the latest features, performance improvements, and security fixes.

.devcontainer/Dockerfile

@@ -29,6 +29,7 @@ FROM mcr.microsoft.com/vscode/devcontainers/rust:bullseye
 
 RUN apt update \
     && apt-get install -y \
+    lld \
     python3 \
     libprotobuf-dev \ 
     libnl-route-3-dev \

.devcontainer/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     # image: mcr.microsoft.com/vscode/devcontainers/rust:bullseye
     environment:
       - DENO_PATH=/usr/local/cargo/bin/deno
+      - PYTHON_PATH=/usr/bin/python3
       - NSJAIL_PATH=/bin/nsjail
     volumes:
       - .:/workspace:cached

.dockerignore

@@ -3,4 +3,3 @@ frontend/build/
 frontend/.svelte-kit/
 
 backend/target/
-backend/windmill-duckdb-ffi-internal/target/

.env

@@ -1,13 +1,2 @@
-DATABASE_URL=postgres://postgres:changeme@db/windmill?sslmode=disable
-
-# For Enterprise Edition, use:
-# WM_IMAGE=ghcr.io/windmill-labs/windmill-ee:main
-WM_IMAGE=ghcr.io/windmill-labs/windmill:main
-
-
-# To use another port than :80, setup the Caddyfile and the caddy section of the docker-compose to your needs: https://caddyserver.com/docs/getting-started
-# To have caddy take care of automatic TLS
-
-# To rotate logs, set the following variables:
-#LOG_MAX_SIZE=10m
-#LOG_MAX_FILE=3
+DB_PASSWORD=changeme
+WM_BASE_URL=localhost

.envrc

@@ -1 +0,0 @@
-use flake

.githooks/pre-commit

@@ -1,14 +0,0 @@
-#!/bin/sh
-#
-# This file is symlinked to local .git/hooks/pre-commit by the setup-hooks.sh script
-# It wil run before every commit, so it needs to be quick and efficient. If it returns
-# a non-zero exit code, the commit will be aborted.
-
-echo "Running pre-commit hook"
-
-# This checks that there is no symlinks in the backend directory among the EE files
-./backend/check_no_symlink.sh > /dev/null
-if [ $? -ne 0 ]; then
-  echo "/!\ Symlinks detected in the backend directory. Please run './backend/substitute_ee_code.sh --revert' before committing."
-  exit 1
-fi

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-*       @rubenfiszel @hugocasa @alpetric
+*       @rubenfiszel
 
-/community/ @rubenfiszel @hugocasa @alpetric
-/frontend/  @rubenfiszel @hugocasa @alpetric
+/community/ @fatonramadani @rubenfiszel
+/frontend/ @fatonramadani @rubenfiszel

.github/Dockerfile

@@ -1,7 +1,7 @@
 FROM nikolaik/python-nodejs
 
 RUN npm install -g @apidevtools/swagger-cli
-RUN pip install openapi-python-client==0.15.1
+RUN pip install openapi-python-client
 RUN pip install poetry
 
 

.github/DockerfileBackendTests

@@ -1,72 +1,66 @@
-ARG RUST_IMAGE=rust:1.80-slim-bookworm
-ARG PYTHON_IMAGE=python:3.11.4-slim-bookworm
+FROM python:3.10-slim-buster as nsjail
+
+WORKDIR /nsjail
+
+RUN apt-get -y update \
+    && apt-get install -y \
+    bison=2:3.3.* \
+    flex=2.6.* \
+    g++=4:8.3.* \
+    gcc=4:8.3.* \
+    git=1:2.20.* \
+    libprotobuf-dev=3.6.* \
+    libnl-route-3-dev=3.4.* \
+    make=4.2.* \
+    pkg-config=0.29-6 \
+    protobuf-compiler=3.6.*
+
+RUN git clone -b master --single-branch https://github.com/google/nsjail.git . \
+    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800
+RUN make
 
 
-FROM ${RUST_IMAGE} as builder
+FROM rust:slim-buster as builder
 
 RUN apt-get update && apt-get install -y git libssl-dev pkg-config
 
 RUN apt-get -y update \
     && apt-get install -y \
-    curl
+    curl lld
 
 ENV SQLX_OFFLINE=true
 
 
 RUN mkdir -p /frontend/build
 RUN apt-get update \
-    && apt-get install -y ca-certificates tzdata libpq5 cmake unzip\
+    && apt-get install -y ca-certificates tzdata libpq5 \
     make build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev \
     libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libxml2-dev \
-    libxmlsec1-dev libffi-dev liblzma-dev mecab-ipadic-utf8 libgdbm-dev libc6-dev git libprotobuf-dev libnl-route-3-dev \
-    libv8-dev  nodejs npm clang libclang-dev\
+    libxmlsec1-dev libffi-dev liblzma-dev mecab-ipadic-utf8 libgdbm-dev libc6-dev git libprotobuf-dev=3.6.* libnl-route-3-dev=3.4.* \
+    libv8-dev tesseract-ocr nodejs npm\
     && rm -rf /var/lib/apt/lists/*
 
-
-RUN wget https://golang.org/dl/go1.21.5.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
+RUN wget https://golang.org/dl/go1.19.1.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.19.1.linux-amd64.tar.gz
 ENV PATH="${PATH}:/usr/local/go/bin"
 ENV GO_PATH=/usr/local/go/bin/go
 
-# UV
-RUN curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.24/uv-installer.sh | sh && mv /usr/local/cargo/bin/uv /usr/local/bin/uv
-
 ENV TZ=Etc/UTC
 
-ENV PYTHON_VERSION 3.11.4
+ENV PYTHON_VERSION 3.10.4
 
-# Python
 RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz \
     && tar -xf Python-${PYTHON_VERSION}.tgz && cd Python-${PYTHON_VERSION}/ && ./configure --enable-optimizations \
     && make -j 4 && make install
 
 RUN /usr/local/bin/python3 -m pip install pip-tools
+RUN /usr/local/bin/python3 -m pip install nltk
+RUN mkdir -p /nsjail_data/python && HOME=/nsjail_data/python /usr/local/bin/python3 -m nltk.downloader vader_lexicon
 
-# Bun
-COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun
+COPY --from=nsjail /nsjail/nsjail /bin/nsjail
 
-# Install windmill CLI
-RUN bun install -g windmill-cli \
-    && ln -s $(bun pm bin -g)/wmill /usr/bin/wmill
-
-ARG TARGETPLATFORM
-
-# Deno
-RUN curl -Lsf https://github.com/denoland/deno/releases/download/v2.0.2/deno-x86_64-unknown-linux-gnu.zip -o deno.zip 
-# RUN [ "$TARGETPLATFORM" == "linux/arm64" ] && curl -Lsf https://github.com/denoland/deno/releases/download/v2.0.0/deno-aarch64-unknown-linux-gnu.zip -o deno.zip || true
-RUN unzip deno.zip && rm deno.zip && mv deno /usr/bin/deno
+COPY --from=denoland/deno:latest /usr/bin/deno /usr/bin/deno
 
 RUN apt-get update \
     && apt-get install -y postgresql-client --allow-unauthenticated
 
-RUN rustup component add rustfmt
-
-# C#
-RUN wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh \
-    && chmod +x dotnet-install.sh \
-    && ./dotnet-install.sh --channel 9.0 --install-dir /usr/share/dotnet \
-    && ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \
-    && rm dotnet-install.sh
-
-
-# Nushell
-COPY --from=ghcr.io/nushell/nushell:0.101.0-bookworm /usr/bin/nu /usr/bin/nu
+RUN rustup component add rustfmt

.github/DockerfilePypiBuilder

@@ -4,4 +4,4 @@ RUN python3 -m pip install pipx poetry
 RUN python3 -m pipx ensurepath
 ENV PATH="/root/.local/bin:${PATH}"
 ENV PATH="/usr/local/bin:${PATH}"
-RUN pipx install openapi-python-client==0.15.1 --include-deps
+RUN pipx install openapi-python-client==0.11.6 --include-deps

.github/change-versions-mac.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-script_dirpath="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-root_dirpath="$(cd "${script_dirpath}/.." && pwd)"
-
-VERSION=$1
-echo "Updating versions to: $VERSION"
-
-sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/backend/Cargo.toml
-sed -i '' -e "/^export const VERSION =/s/= .*/= \"v$VERSION\";/"  ${root_dirpath}/cli/src/main.ts
-sed -i '' -e "/^export const VERSION =/s/= .*/= \"v$VERSION\";/" ${root_dirpath}/benchmarks/lib.ts
-sed -i '' -e "/version: /s/: .*/: $VERSION/" ${root_dirpath}/backend/windmill-api/openapi.yaml
-sed -i '' -e "/version: /s/: .*/: $VERSION/" ${root_dirpath}/openflow.openapi.yaml
-sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescript-client/package.json
-sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
-sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
-sed -i '' -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
-sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
-sed -i '' -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
-# sed -i '' -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill_pg/pyproject.toml
-sed -i '' -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
-sed -i '' -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
-
-sed -i '' -E "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock
-
-cd ${root_dirpath}/frontend && npm i --package-lock-only

.github/change-versions.sh

@@ -1,27 +1,20 @@
 #!/bin/bash
-set -euo pipefail
-script_dirpath="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-root_dirpath="$(cd "${script_dirpath}/.." && pwd)"
 
 VERSION=$1
 echo "Updating versions to: $VERSION"
 
-sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/backend/Cargo.toml
-sed -i -e "/^export const VERSION =/s/= .*/= \"$VERSION\";/" ${root_dirpath}/cli/src/main.ts
-sed -i -e "/^export const VERSION =/s/= .*/= \"v$VERSION\";/" ${root_dirpath}/benchmarks/lib.ts
-sed -i -e "/version: /s/: .*/: $VERSION/" ${root_dirpath}/backend/windmill-api/openapi.yaml
-sed -i -e "/version: /s/: .*/: $VERSION/" ${root_dirpath}/openflow.openapi.yaml
-sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescript-client/package.json
-sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/typescript-client/jsr.json
-sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/package.json
-sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
-sed -i -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
-sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
-sed -i -e "/^[[:space:]]*ModuleVersion[[:space:]]*=/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
-# sed -i -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
-sed -i -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
-sed -i -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
+sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" backend/Cargo.toml
+sed -i -e "/^const VERSION =/s/= .*/= \"v$VERSION\";/" cli/main.ts
+sed -i -e "/version: /s/: .*/: $VERSION/" backend/windmill-api/openapi.yaml
+sed -i -e "/version: /s/: .*/: $VERSION/" openflow.openapi.yaml
+sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" frontend/package.json
+sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" python-client/wmill/pyproject.toml
+sed -i -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill/pyproject.toml
+sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" python-client/wmill_pg/pyproject.toml
+# sed -i -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill_pg/pyproject.toml
+sed -i -e "/^wmill =/s/= .*/= \">=$VERSION\"/" lsp/Pipfile
+sed -i -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" lsp/Pipfile
 
-sed -i -zE "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" ${root_dirpath}/backend/Cargo.lock
+sed -i -zE "s/name = \"windmill\"\nversion = \"[^\"]*\"\\n(.*)/name = \"windmill\"\nversion = \"$VERSION\"\\n\\1/" backend/Cargo.lock
 
-cd ${root_dirpath}/frontend && npm i --package-lock-only --ignore-scripts
+cd frontend && npm i --package-lock-only

.github/uffizzi/caddy/Caddyfile

@@ -0,0 +1,5 @@
+localhost {
+        bind 0.0.0.0
+        reverse_proxy /ws/* http://0.0.0.0:3001
+        reverse_proxy /* http://0.0.0.0:8000
+}

.github/uffizzi/docker-compose.uffizzi.yml

@@ -0,0 +1,53 @@
+version: '3.7'
+
+x-uffizzi:
+  ingress:
+    service: windmill
+    port: 8000
+
+services:
+  db:
+    image: postgres:14
+    environment:
+      POSTGRES_PASSWORD: changeme
+      POSTGRES_DB: windmill
+
+  windmill:
+    image: '${WINDMILL_IMAGE}'
+    ports:
+      - 8000:8000
+    entrypoint: ['/bin/sh', '-c']
+    command: 'echo ${OAUTH_JSON_BASE64} | base64 --decode > /usr/src/app/oauth.json && ./windmill'
+    environment:
+      - DATABASE_URL=postgres://postgres:changeme@localhost/windmill?sslmode=disable
+      - BASE_URL=${EXPECTED_URL}
+      - BASE_INTERNAL_URL=http://localhost:8000
+      - RUST_LOG=info
+      - NUM_WORKERS=3
+      - KEEP_JOB_DIR=false
+      - DENO_PATH=/usr/bin/deno
+      - PYTHON_PATH=/usr/local/bin/python3
+      - METRICS_ADDR=false
+      - OAUTH_JSON_BASE64=${OAUTH_JSON_BASE64}
+    volumes:
+      - worker_dependency_cache:/tmp/windmill/cache
+    deploy:
+      resources:
+        limits:
+          memory: 250M
+
+  lsp:
+    image: '${LSP_IMAGE}'
+    ports:
+      - 3001:3001
+
+  # caddy:
+  #   image: caddy:2.5.2-alpine
+  #   restart: unless-stopped
+  #   volumes:
+  #     - ./.github/uffizzi/caddy:/etc/caddy
+  #   environment:
+  #     - BASE_URL=localhost
+
+volumes:
+  worker_dependency_cache:

.github/workflows/aider-after-review.yaml.archived

@@ -1,94 +0,0 @@
-name: Aider Auto-fix PR Review Change Requests
-
-on:
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  check-membership:
-    if: github.event.review.state == 'changes_requested' && contains(github.event.pull_request.title, '[Aider PR]')
-    runs-on: ubicloud-standard-2
-    outputs:
-      is_member: ${{ steps.check-membership.outputs.is_member }}
-    steps:
-      - name: Check organization membership
-        id: check-membership
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          REVIEWER: ${{ github.event.review.user.login }}
-          ORG_ACCESS_TOKEN: ${{ secrets.ORG_ACCESS_TOKEN }}
-        run: |
-          ORG="windmill-labs"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-            -H "Authorization: token $ORG_ACCESS_TOKEN" \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "https://api.github.com/orgs/$ORG/members/$REVIEWER")
-
-          if [ "$STATUS" -eq 204 ]; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-          fi
-
-  check-and-prepare:
-    needs: check-membership
-    if: github.event.review.state == 'changes_requested' && contains(github.event.pull_request.title, '[Aider PR]') && needs.check-membership.outputs.is_member == 'true'
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: write
-      pull-requests: write
-    outputs:
-      prompt_content: ${{ steps.prepare_prompt.outputs.prompt_content }}
-    env:
-      GEMINI_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      WINDMILL_TOKEN: ${{ secrets.WINDMILL_TOKEN }}
-
-    steps:
-      - name: Acknowledge Request
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-        run: |
-          echo "Commenting on PR #${{ github.event.pull_request.number }} to acknowledge the /aider command."
-          gh pr comment ${{ github.event.pull_request.number }} --body "🤖 Aider is starting to work on your request. Please be patient, this might take a few minutes." --repo $GITHUB_REPOSITORY
-
-      - name: Prepare prompt for Aider
-        id: prepare_prompt
-        shell: bash
-        env:
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REVIEW_BODY: ${{ github.event.review.body }}
-        run: |
-          REVIEW_BODY_ESCAPED="${REVIEW_BODY//\\/\\\\}"
-          REVIEW_BODY_ESCAPED="${REVIEW_BODY_ESCAPED//\"/\\\"}"
-
-          ALL_REVIEW_COMMENTS=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/comments)
-
-          FORMATTED_COMMENTS=$(jq -r '[.[] | {diff_hunk: .diff_hunk, path: .path, body: .body}]' <<< "$ALL_REVIEW_COMMENTS")
-
-          BASE_PROMPT="Fix the following issues in the PR based on the review feedback. The review body is prepended with REVIEW. The review comments are prepended with REVIEW_COMMENTS. The review body and comments are separated by a blank line."
-
-          COMPLETE_PROMPT="${BASE_PROMPT}"$'\n'"REVIEW:"$'\n'"${REVIEW_BODY_ESCAPED}"$'\n'"REVIEW_COMMENTS:"$'\n'"${FORMATTED_COMMENTS}"
-
-          echo "prompt_content<<EOF" >> $GITHUB_OUTPUT
-          echo "$COMPLETE_PROMPT" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
-
-  run-aider:
-    needs: [check-membership, check-and-prepare]
-    if: github.event.review.state == 'changes_requested' && contains(github.event.pull_request.title, '[Aider PR]') && needs.check-membership.outputs.is_member == 'true'
-    uses: ./.github/workflows/aider-common.yml
-    with:
-      needs_processing: false
-      base_prompt: ${{ needs.check-and-prepare.outputs.prompt_content }}
-      rules_files: ".cursor/rules/rust-best-practices.mdc .cursor/rules/svelte5-best-practices.mdc .cursor/rules/windmill-overview.mdc"
-    secrets: inherit

.github/workflows/aider-common.yml.archived

@@ -1,522 +0,0 @@
-name: Aider Common Steps
-
-on:
-  workflow_call:
-    inputs:
-      issue_title:
-        description: "Title of the issue or PR"
-        required: false
-        type: string
-      issue_body:
-        description: "Body of the issue or PR"
-        required: false
-        type: string
-      instruction:
-        description: "Instruction for Aider"
-        required: false
-        type: string
-      issue_id:
-        description: "ID of the issue or PR"
-        required: false
-        type: string
-      needs_processing:
-        description: "Whether the issue needs to be processed by the external API"
-        required: false
-        type: boolean
-        default: true
-      base_prompt:
-        description: "Base prompt for Aider"
-        required: false
-        type: string
-        default: "Try to fix the following issue based on the instruction given by the user. The issue is prepended with the word ISSUE. The instruction is prepended with the word INSTRUCTION. The issue and instruction are separated by a blank line."
-      probe_prompt:
-        description: "Prompt for probe-chat"
-        required: false
-        type: string
-        default: 'I''m giving you a request that needs to be implemented. Your role is ONLY to give me the files that are relevant to the request and nothing else. The request is prepended with the word REQUEST. Give me all the files relevant to this request. Your output MUST be a single json array that can be parsed with programatic json parsing, with the relevant files. Files can be rust or typescript or javascript files. DO NOT INCLUDE ANY OTHER TEXT IN YOUR OUTPUT. ONLY THE JSON ARRAY. Example of output: ["file1.py", "file2.py"]'
-      rules_files:
-        description: "Rules files for Aider"
-        required: false
-        type: string
-    outputs:
-      files_to_edit:
-        description: "Files identified by probe-chat for editing"
-        value: ${{ jobs.common-steps.outputs.files_to_edit }}
-      final_prompt:
-        description: "Final prompt for Aider"
-        value: ${{ jobs.common-steps.outputs.final_prompt }}
-      pr_branch_name:
-        description: "Name of the branch used for PR"
-        value: ${{ jobs.common-steps.outputs.pr_branch_name }}
-      changes_applied_message:
-        description: "Message indicating changes were applied"
-        value: ${{ jobs.common-steps.outputs.changes_applied_message }}
-      changes_applied:
-        description: "Boolean indicating if changes were successfully applied"
-        value: ${{ jobs.common-steps.outputs.changes_applied }}
-
-jobs:
-  common-steps:
-    runs-on: ubicloud-standard-8
-    outputs:
-      files_to_edit: ${{ steps.probe_files.outputs.files_to_edit }}
-      final_prompt: ${{ steps.create_prompt.outputs.final_prompt }}
-      pr_branch_name: ${{ steps.commit_and_push.outputs.PR_BRANCH_NAME }}
-      changes_applied_message: ${{ steps.commit_and_push.outputs.CHANGES_APPLIED_MESSAGE }}
-      changes_applied: ${{ steps.commit_and_push.outputs.CHANGES_APPLIED }}
-    env:
-      GEMINI_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      WINDMILL_TOKEN: ${{ secrets.WINDMILL_TOKEN }}
-      LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Checkout PR Branch
-        id: checkout_pr
-        if: (github.event_name == 'issue_comment' && github.event.issue.pull_request) || (github.event_name == 'pull_request_review')
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo "Issue comment trigger: Checking out PR branch..."
-          PR_NUMBER=""
-          if [ -n "${{ github.event.issue.number }}" ]; then
-            PR_NUMBER="${{ github.event.issue.number }}"
-          elif [ -n "${{ github.event.pull_request.number }}" ]; then
-            PR_NUMBER="${{ github.event.pull_request.number }}"
-          else
-            echo "::error::Could not determine PR number."
-            exit 1
-          fi
-          PR_HEAD_REF=$(gh pr view $PR_NUMBER --json headRefName -q .headRefName --repo $GITHUB_REPOSITORY)
-          if [[ -z "$PR_HEAD_REF" || "$PR_HEAD_REF" == "null" ]]; then
-             echo "::error::Could not determine PR head branch for PR #$PR_NUMBER via gh CLI."
-             exit 1
-          fi
-          echo "Checking out PR head branch: $PR_HEAD_REF for PR #$PR_NUMBER"
-          git fetch origin "refs/heads/${PR_HEAD_REF}:refs/remotes/origin/${PR_HEAD_REF}" --no-tags
-          git checkout "$PR_HEAD_REF"
-          echo "Successfully checked out branch $(git rev-parse --abbrev-ref HEAD)"
-          echo "PR_BRANCH=$PR_HEAD_REF" >> $GITHUB_OUTPUT
-
-      - name: Configure Git User
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
-      - name: Cache Python dependencies
-        uses: actions/cache@v3
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/setup.py') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
-      - name: Install Aider and Dependencies
-        run: |
-          echo "Installing Aider..."
-          python -m pip install uv
-          python -m venv ~/uv-env
-          source ~/uv-env/bin/activate
-          uv pip install configargparse==1.7
-          uv pip install aider-chat==0.83.1
-          uv pip install -U google-generativeai
-          sudo apt-get update && sudo apt-get install -y jq
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-          echo "VIRTUAL_ENV_PATH=$HOME/uv-env" >> $GITHUB_ENV
-
-      - name: Create Prompt for Aider
-        id: create_prompt
-        shell: bash
-        env:
-          BASE_PROMPT_ENV: ${{ inputs.base_prompt }}
-          ISSUE_TITLE_ENV: ${{ inputs.issue_title }}
-          ISSUE_BODY_ENV: ${{ inputs.issue_body }}
-          INSTRUCTION_ENV: ${{ inputs.instruction }}
-          NEEDS_PROCESSING_ENV: ${{ inputs.needs_processing }}
-          WINDMILL_TOKEN: ${{ secrets.WINDMILL_TOKEN }}
-        run: |
-          set -e
-          FINAL_PROMPT_CONTENT=""
-
-          if [[ "$ISSUE_TITLE_ENV" != "" && "$ISSUE_BODY_ENV" != "" ]]; then
-            echo "Processing issue with title: $ISSUE_TITLE_ENV"
-            if [[ "$NEEDS_PROCESSING_ENV" == "true" ]]; then
-              echo "Needs processing is true. Calling Windmill API..."
-              JSON_PAYLOAD=$(jq -n \
-                --arg title "$ISSUE_TITLE_ENV" \
-                --arg body "$ISSUE_BODY_ENV" \
-                '{"body":{"issue_title":$title,"issue_body":$body}}')
-
-              echo "Windmill JSON Payload: $JSON_PAYLOAD"
-
-              API_RESULT_FILE=$(mktemp)
-              HTTP_CODE=$(curl -s -o "$API_RESULT_FILE" -w "%{http_code}" \
-                -X POST "https://app.windmill.dev/api/w/windmill-labs/jobs/run_wait_result/p/f/ai/quiet_script" \
-                -H "Content-Type: application/json" \
-                -H "Authorization: Bearer $WINDMILL_TOKEN" \
-                --data-binary "$JSON_PAYLOAD" \
-                --max-time 90)
-
-              BODY_CONTENT=$(cat "$API_RESULT_FILE")
-              rm -f "$API_RESULT_FILE" # Clean up temp file
-
-              echo "Windmill API HTTP Code: $HTTP_CODE"
-              if [[ "$HTTP_CODE" -eq 200 ]]; then
-                PROCESSED_ISSUE_PROMPT=$(echo "$BODY_CONTENT" | jq -r '.effective_body // empty')
-                if [[ -z "$PROCESSED_ISSUE_PROMPT" || "$PROCESSED_ISSUE_PROMPT" == "null" ]]; then
-                  echo "::warning::Windmill API returned 200 but effective_body was empty or null."
-                  EFFECTIVE_ISSUE_CONTENT_FOR_PROMPT="$ISSUE_BODY_ENV"
-                else
-                  echo "Successfully processed issue via Windmill API."
-                  EFFECTIVE_ISSUE_CONTENT_FOR_PROMPT="$PROCESSED_ISSUE_PROMPT"
-                fi
-                FINAL_PROMPT_CONTENT=$(printf "%s\nISSUE:\n%s\nINSTRUCTION:\n%s" \
-                  "$BASE_PROMPT_ENV" "$EFFECTIVE_ISSUE_CONTENT_FOR_PROMPT" "$INSTRUCTION_ENV")
-              else
-                echo "::error::Windmill API call failed (HTTP $HTTP_CODE). Using raw issue content for prompt."
-                FINAL_PROMPT_CONTENT=$(printf "%s\nISSUE:\n%s\nINSTRUCTION:\n%s" \
-                  "$BASE_PROMPT_ENV" "$ISSUE_BODY_ENV" "$INSTRUCTION_ENV")
-              fi
-            else
-              echo "Needs processing is false. Using raw issue content for prompt."
-              FINAL_PROMPT_CONTENT=$(printf "%s\nISSUE:\n%s\nINSTRUCTION:\n%s" \
-                "$BASE_PROMPT_ENV" "$ISSUE_BODY_ENV" "$INSTRUCTION_ENV")
-            fi
-          else
-            echo "No issue title or body given. Using base prompt."
-            FINAL_PROMPT_CONTENT=$(printf "%s\nINSTRUCTION:\n%s" "$BASE_PROMPT_ENV" "$INSTRUCTION_ENV")
-          fi
-
-          echo "Final prompt: $FINAL_PROMPT_CONTENT"
-          echo "final_prompt<<EOF_AIDER_PROMPT" >> "$GITHUB_OUTPUT"
-          echo "$FINAL_PROMPT_CONTENT" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_PROMPT" >> "$GITHUB_OUTPUT"
-
-      - name: Probe Chat for Relevant Files
-        id: probe_files
-        shell: bash
-        env:
-          FINAL_PROMPT: ${{ steps.create_prompt.outputs.final_prompt }}
-          PROBE_PROMPT: ${{ inputs.probe_prompt }}
-        run: |
-          echo "Running probe-chat to find relevant files..."
-
-          MESSAGE_FOR_PROBE=$(printf "%s\nREQUEST:\n%s" "$PROBE_PROMPT" "$FINAL_PROMPT")
-
-          set -o pipefail
-          PROBE_OUTPUT=$(npx --yes @buger/probe-chat@latest --max-iterations 50 --model-name gemini-2.5-pro-preview-05-06 --message "$MESSAGE_FOR_PROBE") || {
-            echo "::error::probe-chat command failed. Output:"
-            echo "$PROBE_OUTPUT"
-            exit 1
-          }
-          set +o pipefail
-          echo "Probe-chat raw output:"
-          echo "$PROBE_OUTPUT"
-
-          JSON_FILES=$(echo "$PROBE_OUTPUT" | sed -n '/^\s*\[/,$p' | sed '/^\s*\]/q')
-          echo "Extracted JSON block:"
-          echo "$JSON_FILES"
-
-          FILES_LIST=$(echo "$JSON_FILES" | jq -e -r '[.[] | select(type == "string" and . != "" and . != null and (endswith("/") | not))] | join(" ")' || echo "")
-
-          if [[ -z "$FILES_LIST" ]]; then
-             echo "::warning::probe-chat did not identify any relevant files."
-          fi
-
-          echo "Formatted files list for aider: $FILES_LIST"
-          echo "files_to_edit=$FILES_LIST" >> $GITHUB_OUTPUT
-
-      - name: Cache Aider tags
-        uses: actions/cache@v3
-        with:
-          path: .aider.tags.cache.v4
-          key: ${{ runner.os }}-aider-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-aider-
-
-      - name: Prepare branch for Aider
-        id: prepare_branch
-        env:
-          ISSUE_ID: ${{ inputs.issue_id }}
-        run: |
-          if [[ "$ISSUE_ID" != "" ]]; then
-            BRANCH_NAME="aider-fix-issue-${ISSUE_ID}"
-
-            # Check if branch exists remotely
-            if git ls-remote --heads origin $BRANCH_NAME | grep -q $BRANCH_NAME; then
-              echo "Branch $BRANCH_NAME already exists remotely, fetching it"
-              git fetch origin $BRANCH_NAME
-              git checkout $BRANCH_NAME
-              git pull origin $BRANCH_NAME
-            else
-              echo "Creating new branch $BRANCH_NAME"
-              git checkout -b $BRANCH_NAME
-            fi
-            echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_OUTPUT
-          else
-            # We're in a pull_request_review event
-            PR_NUMBER="${{ github.event.pull_request.number }}"
-            PR_HEAD_REF="${{ github.event.pull_request.head.ref }}"
-            
-            echo "Handling pull_request_review for PR #$PR_NUMBER on branch $PR_HEAD_REF"
-            
-            # Ensure we're on the correct branch
-            git config pull.rebase true
-            git fetch origin $PR_HEAD_REF
-            git checkout $PR_HEAD_REF
-            git pull origin $PR_HEAD_REF
-            
-            echo "Using PR branch $PR_HEAD_REF for PR #$PR_NUMBER"
-            echo "BRANCH_NAME=$PR_HEAD_REF" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run Aider
-        id: run_aider
-        shell: bash
-        env:
-          FILES_TO_EDIT: ${{ steps.probe_files.outputs.files_to_edit }}
-          FINAL_PROMPT: ${{ steps.create_prompt.outputs.final_prompt }}
-          RULES_FILES: ${{ inputs.rules_files }}
-        run: |
-          source $VIRTUAL_ENV_PATH/bin/activate
-          echo "$FINAL_PROMPT" > .aider_final_prompt.txt
-          echo "FILES_TO_EDIT: $FILES_TO_EDIT"
-
-          RULES=""
-          if [ -n "$RULES_FILES" ]; then
-            for rule in $RULES_FILES; do
-              RULES="$RULES --read $rule"
-            done
-          fi
-
-          aider \
-            $RULES \
-            $FILES_TO_EDIT \
-            --model gemini/gemini-2.5-pro-preview-05-06 \
-            --message-file .aider_final_prompt.txt \
-            --yes \
-            --no-check-update \
-            --auto-commits \
-            --no-analytics \
-            --no-gitignore \
-            | tee .aider_output.txt || true
-
-          echo "Aider command completed. Output saved to .aider_output.txt"
-
-      - name: Cache Node.js dependencies
-        uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
-      - name: Commit and Push Changes
-        id: commit_and_push
-        env:
-          ISSUE_ID: ${{ inputs.issue_id }}
-          BRANCH_NAME: ${{ steps.prepare_branch.outputs.BRANCH_NAME }}
-        run: |
-          if [[ "$ISSUE_ID" != "" ]]; then
-            # Check if there are any uncommitted changes
-            if [[ -n $(git status --porcelain) ]]; then
-              echo "Found uncommitted changes, committing them"
-              git add .
-              git commit -m "Aider changes"
-            fi
-
-            # Push changes to the branch
-            if git push origin $BRANCH_NAME; then
-              echo "Pushed to branch $BRANCH_NAME"
-              echo "PR_BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_OUTPUT
-              echo "CHANGES_APPLIED_MESSAGE=Aider changes pushed to branch $BRANCH_NAME." >> $GITHUB_OUTPUT
-              echo "CHANGES_APPLIED=true" >> $GITHUB_OUTPUT
-            else
-              echo "::warning::Push to PR branch $BRANCH_NAME failed."
-              echo "CHANGES_APPLIED_MESSAGE=Aider ran, but failed to push changes to PR branch $BRANCH_NAME." >> $GITHUB_OUTPUT
-              echo "CHANGES_APPLIED=false" >> $GITHUB_OUTPUT
-            fi
-          else
-            # We're in a pull_request_review event
-            PR_HEAD_REF="${{ github.event.pull_request.head.ref }}"
-            echo "Attempting to push changes to PR branch $PR_HEAD_REF"
-            if git push origin $PR_HEAD_REF; then
-              echo "Push to $PR_HEAD_REF successful (or no new changes to push)."
-              echo "CHANGES_APPLIED_MESSAGE=Aider changes (if any) pushed to PR branch $PR_HEAD_REF." >> $GITHUB_OUTPUT
-              echo "PR_BRANCH_NAME=$PR_HEAD_REF" >> $GITHUB_OUTPUT
-              echo "CHANGES_APPLIED=true" >> $GITHUB_OUTPUT
-            else
-              echo "::warning::Push to PR branch $PR_HEAD_REF failed."
-              echo "CHANGES_APPLIED_MESSAGE=Aider ran, but failed to push changes to PR branch $PR_HEAD_REF." >> $GITHUB_OUTPUT
-              echo "CHANGES_APPLIED=false" >> $GITHUB_OUTPUT
-            fi
-          fi
-
-      - name: Create Pull Request
-        if: always() && (github.event_name == 'issue_comment' || github.event_name == 'repository_dispatch') && !github.event.issue.pull_request && steps.commit_and_push.outputs.PR_BRANCH_NAME != ''
-        id: create_pr
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_BRANCH: ${{ steps.commit_and_push.outputs.PR_BRANCH_NAME }}
-          ISSUE_NUM: ${{ inputs.issue_id }}
-          ISSUE_TITLE: ${{ inputs.issue_title }}
-          GITHUB_EVENT_NAME: ${{ github.event_name }}
-        run: |
-          # Create PR description in a temporary file to avoid command line length limits and ensure it stays under 40k chars
-          HEADER="This PR was created automatically by Aider to fix issue #${ISSUE_NUM}."
-          # if event is repository_dispatch, add the issue title to the header
-          if [ "$GITHUB_EVENT_NAME" == "repository_dispatch" ]; then
-            if [[ "${{ github.event.client_payload.source }}" == "linear" ]]; then
-              HEADER="This PR was created automatically by Aider to fix issue #linear:${ISSUE_NUM}."
-            elif [[ "${{ github.event.client_payload.source }}" == "discord" ]]; then
-              HEADER="This PR was created automatically by Aider to fix issue #discord:${ISSUE_NUM}."
-            fi
-          fi
-          cat > /tmp/pr-description.md << EOL | head -c 40000
-          $HEADER
-
-          ## Aider Output
-          \`\`\`
-          $(cat .aider_output.txt || echo "No output available")
-          \`\`\`
-          EOL
-
-          # Create PR using the file for the body content, handle errors gracefully
-          set +e  # Don't exit on error
-          PR_TITLE="[Aider PR] Fix: ${ISSUE_TITLE}"
-          if [ -z "$ISSUE_TITLE" ]; then
-            PR_TITLE="[Aider PR] AI changes after request"
-          fi
-          gh pr create \
-            --title "$PR_TITLE" \
-            --body-file /tmp/pr-description.md \
-            --head "$PR_BRANCH" \
-            --base main \
-            --draft
-          PR_CREATE_EXIT_CODE=$?
-          set -e  # Re-enable exit on error
-
-          if [ $PR_CREATE_EXIT_CODE -eq 0 ]; then
-            echo "PR created successfully"
-            PR_URL=$(gh pr view $PR_BRANCH --json url --jq .url)
-            echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
-            echo "PR_CREATED=true" >> $GITHUB_OUTPUT
-          else
-            echo "Warning: Failed to create PR. Exit code: $PR_CREATE_EXIT_CODE"
-            echo "PR_CREATED=false" >> $GITHUB_OUTPUT
-            # Continue workflow despite PR creation failure
-          fi
-
-      - name: Comment on PR with Aider Output
-        if: always() && github.event_name == 'pull_request_review' && steps.commit_and_push.outputs.CHANGES_APPLIED != ''
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUM: ${{ github.event.pull_request.number }}
-          JOB_STATUS: ${{ job.status }}
-        run: |
-          # Create comment body in a temporary file to avoid command line length limits
-          if [[ "${{ steps.commit_and_push.outputs.CHANGES_APPLIED }}" == "true" ]]; then
-            if [[ "$JOB_STATUS" == "success" ]]; then
-              STATUS_PREFIX="🤖 I've automatically addressed the feedback based on the review."
-            else
-              STATUS_PREFIX="⚠️ I attempted to address the feedback, but encountered some issues."
-            fi
-          else
-            if [[ "$JOB_STATUS" == "success" ]]; then
-              STATUS_PREFIX="🤖 I attempted to address the review feedback, but no modifications were made."
-            else
-              STATUS_PREFIX="⚠️ I encountered issues while attempting to address the feedback, and no modifications were made."
-            fi
-          fi
-
-          cat > /tmp/pr-comment.md << EOL
-          ${STATUS_PREFIX}
-
-          ## Aider Output
-          \`\`\`
-          $(cat .aider_output.txt || echo 'No output available')
-          \`\`\`
-
-          Please review the output and provide additional guidance if needed.
-          EOL
-
-          # Use the file for comment body
-          gh pr comment $PR_NUM --body-file /tmp/pr-comment.md
-
-      - name: Comment on issue/PR to let the user know Aider has finished working on the request
-        if: always() && github.event_name == 'issue_comment'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          JOB_STATUS: ${{ job.status }}
-          PR_CREATED: ${{ steps.create_pr.outputs.PR_CREATED }}
-          PR_URL: ${{ steps.create_pr.outputs.PR_URL }}
-        run: |
-          echo "Commenting on issue/PR #${{ github.event.issue.number }} to let the user know Aider has finished working on the request."
-
-          if [[ "$JOB_STATUS" == "success" ]]; then
-            if [[ "$PR_CREATED" == "true" ]]; then
-              COMMENT_BODY="🤖 Aider has finished working on your request. A PR has been created. $PR_URL"
-            else
-              COMMENT_BODY="🤖 Aider has finished working on your request, but was unable to create a PR."
-            fi
-          else
-            COMMENT_BODY="⚠️ Aider encountered issues while working on your request. Please check the workflow logs for details."
-          fi
-
-          gh issue comment ${{ github.event.issue.number }} --body "$COMMENT_BODY" --repo $GITHUB_REPOSITORY
-
-      - name: Comment on linear issue to let the user know Aider has finished working on the request
-        if: always() && github.event_name == 'repository_dispatch'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          JOB_STATUS: ${{ job.status }}
-          LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
-          PR_CREATED: ${{ steps.create_pr.outputs.PR_CREATED }}
-          PR_URL: ${{ steps.create_pr.outputs.PR_URL }}
-          DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-          SOURCE: ${{ github.event.client_payload.source }}
-        run: |
-          echo "Notifying user about Aider completion status for $SOURCE request #${{ github.event.client_payload.issue_id }}"
-          if [[ "$JOB_STATUS" == "success" ]]; then
-            if [[ "$PR_CREATED" == "true" ]]; then
-              COMMENT_BODY="🤖 Aider has finished working on your request. A PR has been created. $PR_URL"
-            else
-              COMMENT_BODY="🤖 Aider has finished working on your request, but was unable to create a PR."
-            fi
-          else
-            COMMENT_BODY="⚠️ Aider encountered issues while working on your request. Please check the workflow logs for details."
-          fi
-
-          if [[ "$SOURCE" == "discord" ]]; then
-            curl -X POST \
-              -H "Authorization: Bot $DISCORD_BOT_TOKEN" \
-              -H "Content-Type: application/json" \
-              "https://discord.com/api/v10/channels/${{ github.event.client_payload.channel_id }}/messages" \
-              -d "{\"content\":\"${COMMENT_BODY}\"}"
-          else
-            curl -X POST \
-              -H "Authorization: $LINEAR_API_KEY" \
-              -H "Content-Type: application/json" \
-              "https://api.linear.app/graphql" \
-              -d "{\"query\":\"mutation { commentCreate(input: { issueId: \\\"${{ github.event.client_payload.issue_id }}\\\", body: \\\"${COMMENT_BODY}\\\" }) { success } }\"}"
-          fi

.github/workflows/aider-external.yaml.archived

@@ -1,80 +0,0 @@
-name: External Aider Issue Fix
-
-on:
-  repository_dispatch:
-    types: [external_issue_fix]
-
-jobs:
-  check-and-prepare:
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: write
-      pull-requests: write
-    outputs:
-      issue_title: ${{ steps.determine_inputs.outputs.ISSUE_TITLE }}
-      issue_body: ${{ steps.determine_inputs.outputs.ISSUE_BODY }}
-      instruction: ${{ steps.determine_inputs.outputs.INSTRUCTION }}
-    env:
-      GEMINI_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      WINDMILL_TOKEN: ${{ secrets.WINDMILL_TOKEN }}
-      LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-    steps:
-      - name: Acknowledge Request
-        env:
-          LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
-          DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-        run: |
-          if [[ "${{ github.event.client_payload.source }}" == "linear" ]]; then
-            echo "Commenting on Linear issue #${{ github.event.client_payload.issue_id }} to acknowledge the request."
-            curl -X POST \
-              -H "Authorization: $LINEAR_API_KEY" \
-              -H "Content-Type: application/json" \
-              "https://api.linear.app/graphql" \
-              -d "{\"query\":\"mutation { commentCreate(input: { issueId: \\\"${{ github.event.client_payload.issue_id }}\\\", body: \\\"🤖 Aider is starting to work on your request. I'll update you here once I have a PR ready. Please be patient, this might take a few minutes.\\\" }) { success } }\"}"
-          elif [[ "${{ github.event.client_payload.source }}" == "discord" ]]; then
-            echo "Commenting on Discord thread #${{ github.event.client_payload.channel_id }} to acknowledge the request."
-            curl -X POST \
-              -H "Authorization: Bot $DISCORD_BOT_TOKEN" \
-              -H "Content-Type: application/json" \
-              "https://discord.com/api/v10/channels/${{ github.event.client_payload.channel_id }}/messages" \
-              -d "{\"content\":\"🤖 Aider is starting to work on your request. I'll update you here once I have a PR ready. Please be patient, this might take a few minutes.\"}"
-          fi
-
-      - name: Determine inputs for Aider
-        id: determine_inputs
-        shell: bash
-        env:
-          ISSUE_TITLE: ${{ github.event.client_payload.issue_title }}
-          ISSUE_BODY: ${{ github.event.client_payload.issue_body }}
-          INSTRUCTION: ${{ github.event.client_payload.instruction }}
-        run: |
-          echo "Determining inputs for Aider..."
-
-          echo "ISSUE_TITLE<<EOF_AIDER_TITLE" >> "$GITHUB_OUTPUT"
-          echo "$ISSUE_TITLE" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_TITLE" >> "$GITHUB_OUTPUT"
-
-          echo "ISSUE_BODY<<EOF_AIDER_BODY" >> "$GITHUB_OUTPUT"
-          echo "$ISSUE_BODY" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_BODY" >> "$GITHUB_OUTPUT"
-
-          echo "INSTRUCTION<<EOF_AIDER_INSTRUCTION" >> "$GITHUB_OUTPUT"
-          echo "$INSTRUCTION" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_INSTRUCTION" >> "$GITHUB_OUTPUT"
-          echo "Finished determining inputs."
-
-  run-aider:
-    needs: check-and-prepare
-    uses: ./.github/workflows/aider-common.yml
-    with:
-      issue_title: ${{ needs.check-and-prepare.outputs.issue_title }}
-      issue_body: ${{ needs.check-and-prepare.outputs.issue_body }}
-      instruction: ${{ needs.check-and-prepare.outputs.instruction }}
-      issue_id: ${{ github.event.client_payload.issue_id }}
-      rules_files: ".cursor/rules/rust-best-practices.mdc .cursor/rules/svelte5-best-practices.mdc .cursor/rules/windmill-overview.mdc"
-    secrets: inherit

.github/workflows/aider.yaml.archived

@@ -1,165 +0,0 @@
-name: Aider Auto-fix issues and PR comments via external prompt
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  check-membership:
-    runs-on: ubicloud-standard-2
-    if: |
-      github.event_name == 'issue_comment' &&
-      contains(github.event.comment.body, '/aider') &&
-      !contains(github.event.comment.user.login, '[bot]')
-    outputs:
-      is_member: ${{ steps.check-membership.outputs.is_member }}
-    steps:
-      - name: Check organization membership
-        id: check-membership
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          COMMENTER: ${{ github.event.comment.user.login }}
-          ORG_ACCESS_TOKEN: ${{ secrets.ORG_ACCESS_TOKEN }}
-        run: |
-          ORG="windmill-labs"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-            -H "Authorization: token $ORG_ACCESS_TOKEN" \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "https://api.github.com/orgs/$ORG/members/$COMMENTER")
-
-          if [ "$STATUS" -eq 204 ]; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-          fi
-
-  check-and-prepare:
-    needs: check-membership
-    runs-on: ubicloud-standard-2
-    if: needs.check-membership.outputs.is_member == 'true'
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-    env:
-      GEMINI_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      WINDMILL_TOKEN: ${{ secrets.WINDMILL_TOKEN }}
-    outputs:
-      issue_title: ${{ steps.determine_inputs.outputs.ISSUE_TITLE }}
-      issue_body: ${{ steps.determine_inputs.outputs.ISSUE_BODY }}
-      comment_content: ${{ steps.determine_inputs.outputs.COMMENT_CONTENT }}
-      pr_branch: ${{ steps.checkout_pr.outputs.PR_BRANCH }}
-
-    steps:
-      - name: Acknowledge Request
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-        run: |
-          echo "Commenting on issue/PR #${{ github.event.issue.number }} to acknowledge the /aider command."
-          gh issue comment ${{ github.event.issue.number }} --body "🤖 Aider is starting to work on your request. I'll update you here once I have a PR ready. Please be patient, this might take a few minutes." --repo $GITHUB_REPOSITORY
-
-      - name: Determine inputs for Aider
-        id: determine_inputs
-        shell: bash
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COMMENT_BODY: ${{ github.event.comment.body }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
-        run: |
-          echo "Determining inputs for Aider..."
-          ISSUE_TITLE_VAL=""
-          ISSUE_BODY_VAL=""
-
-          if [[ ! -z "${{ github.event.issue.pull_request }}" ]]; then
-            echo "This is a comment on a Pull Request"
-            PR_NUMBER="$ISSUE_NUMBER"
-            
-            PR_BODY_JSON=$(gh pr view "$PR_NUMBER" --json body --repo "$GITHUB_REPOSITORY")
-            if [[ $? -ne 0 ]]; then
-              echo "Error fetching PR body for PR #$PR_NUMBER"
-              PR_BODY_VAL=""
-            else
-              PR_BODY_VAL=$(jq -r '.body // ""' <<< "$PR_BODY_JSON")
-            fi
-            
-            if [[ ! -z "$PR_BODY_VAL" ]]; then
-              REFERENCED_ISSUE=""
-              if [[ "$PR_BODY_VAL" =~ \#linear:([a-f0-9-]+) ]]; then
-                REFERENCED_ISSUE="${BASH_REMATCH[1]}"
-                echo "Found referenced Linear issue #$REFERENCED_ISSUE in PR description"
-                LINEAR_ISSUE_JSON=$(curl -s -H "Authorization: $LINEAR_API_KEY" \
-                  "https://api.linear.app/graphql" \
-                  -X POST \
-                  -H "Content-Type: application/json" \
-                  -d "{\"query\":\"query { issue(id: \\\"$REFERENCED_ISSUE\\\") { title description } }\"}")
-                
-                if [[ $? -eq 0 && ! "$LINEAR_ISSUE_JSON" =~ "error" ]]; then
-                  ISSUE_TITLE_VAL=$(jq -r '.data.issue.title // ""' <<< "$LINEAR_ISSUE_JSON")
-                  ISSUE_BODY_VAL=$(jq -r '.data.issue.description // ""' <<< "$LINEAR_ISSUE_JSON")
-                  echo "Successfully fetched Linear issue details"
-                else
-                  echo "Error fetching Linear issue details for #$REFERENCED_ISSUE"
-                fi
-              elif [[ "$PR_BODY_VAL" =~ \#([0-9]+) ]]; then
-                REFERENCED_ISSUE="${BASH_REMATCH[1]}"
-                echo "Found referenced GitHub issue #$REFERENCED_ISSUE in PR description"
-                
-                ISSUE_DETAILS_JSON=$(gh issue view "$REFERENCED_ISSUE" --json title,body --repo "$GITHUB_REPOSITORY")
-                if [[ $? -ne 0 ]]; then
-                  echo "Error fetching issue details for #$REFERENCED_ISSUE"
-                else
-                  ISSUE_TITLE_VAL=$(jq -r '.title // ""' <<< "$ISSUE_DETAILS_JSON")
-                  ISSUE_BODY_VAL=$(jq -r '.body // ""' <<< "$ISSUE_DETAILS_JSON")
-                fi
-              fi
-            else
-              echo "PR body is empty or could not be fetched."
-            fi
-          else
-            echo "This is a comment on a regular issue"
-            
-            ISSUE_DETAILS_JSON=$(gh issue view "$ISSUE_NUMBER" --json title,body --repo "$GITHUB_REPOSITORY")
-            if [[ $? -ne 0 ]]; then
-              echo "Error fetching issue details for #$ISSUE_NUMBER"
-            else
-              ISSUE_TITLE_VAL=$(jq -r '.title // ""' <<< "$ISSUE_DETAILS_JSON")
-              ISSUE_BODY_VAL=$(jq -r '.body // ""' <<< "$ISSUE_DETAILS_JSON") 
-            fi
-          fi
-
-          echo "ISSUE_TITLE<<EOF_AIDER_TITLE" >> "$GITHUB_OUTPUT"
-          echo "$ISSUE_TITLE_VAL" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_TITLE" >> "$GITHUB_OUTPUT"
-
-          echo "ISSUE_BODY<<EOF_AIDER_BODY" >> "$GITHUB_OUTPUT"
-          echo "$ISSUE_BODY_VAL" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_BODY" >> "$GITHUB_OUTPUT"
-
-          CLEAN_COMMENT="${COMMENT_BODY/\/aider/}"
-          CLEAN_COMMENT="${CLEAN_COMMENT#"${CLEAN_COMMENT%%[![:space:]]*}"}"
-          CLEAN_COMMENT="${CLEAN_COMMENT%"${CLEAN_COMMENT##*[![:space:]]}"}"
-
-          echo "COMMENT_CONTENT<<EOF_AIDER_COMMENT" >> "$GITHUB_OUTPUT"
-          echo "$CLEAN_COMMENT" >> "$GITHUB_OUTPUT"
-          echo "EOF_AIDER_COMMENT" >> "$GITHUB_OUTPUT"
-          echo "Finished determining inputs."
-
-  run-aider:
-    needs: [check-membership, check-and-prepare]
-    if: needs.check-membership.outputs.is_member == 'true'
-    uses: ./.github/workflows/aider-common.yml
-    with:
-      issue_title: ${{ needs.check-and-prepare.outputs.issue_title }}
-      issue_body: ${{ needs.check-and-prepare.outputs.issue_body }}
-      instruction: ${{ needs.check-and-prepare.outputs.comment_content }}
-      issue_id: ${{ github.event.issue.number }}
-      rules_files: ".cursor/rules/rust-best-practices.mdc .cursor/rules/svelte5-best-practices.mdc .cursor/rules/windmill-overview.mdc"
-    secrets: inherit

.github/workflows/archived/build_ws.yml.archived

@@ -1,57 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  ECR_REGISTRY: 976079455550.dkr.ecr.us-east-1.amazonaws.com
-  IMAGE_NAME: ${{ github.repository }}-multiplayer
-
-name: Publish websocket multiplayer server
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-  packages: write
-
-jobs:
-  publish_multiplayer:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      # - uses: depot/setup-action@v1
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./docker/DockerfileMultiplayer
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ steps.meta.outputs.tags }}
-          labels: |
-            ${{ steps.meta.outputs.labels }}
-            org.opencontainers.image.licenses=AGPLv3

.github/workflows/archived/publish_lsp.yml.archived

@@ -1,64 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  ECR_REGISTRY: 976079455550.dkr.ecr.us-east-1.amazonaws.com
-  IMAGE_NAME: ${{ github.repository }}-lsp
-
-name: Publish lsp
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-  packages: write
-
-jobs:
-  sleep:
-    runs-on: ubicloud
-    steps:
-      - name: Sleep for 900 seconds waiting for pypi to update index
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: sleep 900
-        shell: bash
-  publish_lsp:
-    needs: [sleep]
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: depot/setup-action@v1
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          context: "{{defaultContext}}:lsp"
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ steps.meta.outputs.tags }}
-          labels: |
-            ${{ steps.meta.outputs.labels }}
-            org.opencontainers.image.licenses=AGPLv3

.github/workflows/automerge-dependabot.yml

@@ -0,0 +1,26 @@
+name: dependabot auto-merge
+
+on: pull_request_target
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.3.6
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' ||  steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: |
+          echo ${{ secrets.RUBEN_PAT }} | gh auth login --with-token
+          gh pr review --approve "$PR_URL"
+          gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}

.github/workflows/automerge-dependabot.yml.archived

@@ -1,26 +0,0 @@
-# name: dependabot auto-merge
-
-# on: pull_request_target
-
-# permissions:
-#   contents: read
-#   pull-requests: read
-
-# jobs:
-#   dependabot:
-#     runs-on: ubuntu-latest
-#     if: ${{ github.actor == 'dependabot[bot]' }}
-#     steps:
-#       - name: Dependabot metadata
-#         id: metadata
-#         uses: dependabot/fetch-metadata@v1.6.0
-#         with:
-#           github-token: "${{ secrets.GITHUB_TOKEN }}"
-#       - name: Enable auto-merge for Dependabot PRs
-#         if: steps.metadata.outputs.update-type == 'version-update:semver-patch' ||  steps.metadata.outputs.update-type == 'version-update:semver-minor'
-#         run: |
-#           echo ${{ secrets.RUBEN_PAT }} | gh auth login --with-token
-#           gh pr review --approve "$PR_URL"
-#           gh pr merge --auto --squash "$PR_URL"
-#         env:
-#           PR_URL: ${{github.event.pull_request.html_url}}

.github/workflows/backend-check.yml

@@ -1,127 +0,0 @@
-name: Backend check
-on:
-  workflow_run:
-    workflows: ["Change versions"]
-    types:
-      - completed
-  push:
-    paths:
-      - "backend/**"
-      - ".github/workflows/backend-check.yml"
-
-jobs:
-  check_oss:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install mold and clang
-        run: sudo apt-get update && sudo apt-get install -y mold clang
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: false
-          toolchain: 1.93.0
-      - name: cargo check
-        working-directory: ./backend
-        timeout-minutes: 16
-        run: SQLX_OFFLINE=true cargo check
-
-  check_oss_full:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: install xmlsec1 and gssapi
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: false
-          toolchain: 1.93.0
-      - name: cargo check
-        working-directory: ./backend
-        timeout-minutes: 16
-        run: |
-          mkdir -p fake_frontend_build
-          FRONTEND_BUILD_DIR=$(pwd)/fake_frontend_build SQLX_OFFLINE=true cargo check --features all_sqlx_features
-
-  check_ee:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: Substitute EE code (EE logic is behind feature flag)
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Install mold and clang
-        run: sudo apt-get update && sudo apt-get install -y mold clang
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: false
-          toolchain: 1.93.0
-      - name: cargo check
-        working-directory: ./backend
-        timeout-minutes: 16
-        run: SQLX_OFFLINE=true cargo check
-
-  check_ee_full:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: install xmlsec1 and gssapi
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
-
-      - name: Substitute EE code (EE logic is behind feature flag)
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-      - name: cargo check
-        timeout-minutes: 16
-        working-directory: ./backend
-        run: |
-          mkdir -p fake_frontend_build
-          FRONTEND_BUILD_DIR=$(pwd)/fake_frontend_build SQLX_OFFLINE=true cargo check --features all_sqlx_features,private

.github/workflows/backend-test.yml

@@ -13,244 +13,31 @@ on:
       - "backend/**"
       - ".github/workflows/backend-test.yml"
 
-defaults:
-  run:
-    working-directory: ./backend
-
 jobs:
   cargo_test:
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: [self-hosted, new]
+    container:
+      image: ghcr.io/windmill-labs/backend-tests
+      options: --privileged
     services:
       postgres:
         image: postgres
-        ports:
-          - 5432:5432
         env:
           POSTGRES_DB: windmill
           POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c max_connections=500"
+
         options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5 --shm-size=256mb
-      mysql:
-        image: mysql:8.0
-        ports:
-          - 3306:3306
-        env:
-          MYSQL_ROOT_PASSWORD: changeme
-          MYSQL_DATABASE: windmill_test
-        options: >-
-          --health-cmd "mysqladmin ping -h localhost" --health-interval 10s
-          --health-timeout 5s --health-retries 5
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-dotnet@v4
+      - uses: actions/checkout@v3
+      - uses: Swatinem/rust-cache@v2
         with:
-          dotnet-version: "9.0.x"
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - uses: actions/setup-go@v2
-        with:
-          go-version: 1.21.5
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.8
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-      - uses: astral-sh/setup-uv@v6.2.1
-        with:
-          version: "0.9.24"
-      - uses: shivammathur/setup-php@v2
-        with:
-          php-version: "8.3"
-          tools: composer
-      - uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: "3.3"
-          bundler-cache: false
-      - name: Install windmill CLI from source
-        run: |
-          cd $GITHUB_WORKSPACE/cli
-          bash gen_wm_client.sh
-          bun install
-          mkdir -p "$HOME/.local/bin"
-          printf '#!/bin/sh\nexec bun run "%s/cli/src/main.ts" "$@"\n' "$GITHUB_WORKSPACE" > "$HOME/.local/bin/wmill"
-          chmod +x "$HOME/.local/bin/wmill"
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-        working-directory: /
-      - name: Install PowerShell, mold and clang
-        run: |
-          sudo apt-get update && sudo apt-get install -y powershell mold clang libcurl4-openssl-dev
-        working-directory: /
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: false
-          toolchain: 1.93.0
-      - name: Cache cargo target directory
-        uses: useblacksmith/stickydisk@v1
-        with:
-          key: cargo-target
-          path: ./backend/target
-      - name: Cache cargo registry
-        uses: useblacksmith/cache@v1
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-          key: cargo-registry-${{ hashFiles('backend/Cargo.lock') }}
-          restore-keys: |
-            cargo-registry-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - name: Substitute EE code (EE logic is behind feature flag)
-        run: |
-          ./substitute_ee_code.sh --copy --dir ./windmill-ee-private
-      - name: Setup private npm registry with test package
-        working-directory: /tmp
-        run: |
-          set -e
-
-          # Install Verdaccio globally
-          npm install -g verdaccio
-
-          # Create Verdaccio config that requires authentication for @windmill-test packages
-          mkdir -p /tmp/verdaccio/storage
-          cat > /tmp/verdaccio/config.yaml << 'VERDACCIO_CONFIG'
-          storage: /tmp/verdaccio/storage
-          auth:
-            htpasswd:
-              file: /tmp/verdaccio/htpasswd
-              max_users: 100
-          uplinks:
-            npmjs:
-              url: https://registry.npmjs.org/
-          packages:
-            '@windmill-test/*':
-              access: $authenticated
-              publish: $authenticated
-            '@*/*':
-              access: $all
-              publish: $authenticated
-              proxy: npmjs
-            '**':
-              access: $all
-              publish: $authenticated
-              proxy: npmjs
-          server:
-            keepAliveTimeout: 60
-          middlewares:
-            audit:
-              enabled: true
-          log: { type: stdout, format: pretty, level: warn }
-          VERDACCIO_CONFIG
-
-          # Create empty htpasswd file (users will be created via API)
-          touch /tmp/verdaccio/htpasswd
-
-          # Start Verdaccio in background
-          verdaccio --config /tmp/verdaccio/config.yaml &
-          VERDACCIO_PID=$!
-
-          # Wait for Verdaccio to be ready
-          echo "Waiting for Verdaccio to start..."
-          for i in {1..30}; do
-            if curl -s http://localhost:4873/-/ping > /dev/null 2>&1; then
-              echo "Verdaccio is ready"
-              break
-            fi
-            sleep 1
-          done
-
-          # Login to get a token
-          echo "Getting auth token..."
-          RESPONSE=$(curl -s -X PUT \
-            -H "Content-Type: application/json" \
-            -d '{"name":"testuser","password":"testpass123"}' \
-            http://localhost:4873/-/user/org.couchdb.user:testuser)
-
-          echo "Auth response: $RESPONSE"
-          NPM_TOKEN=$(echo "$RESPONSE" | jq -r '.token')
-
-          if [ -z "$NPM_TOKEN" ] || [ "$NPM_TOKEN" = "null" ]; then
-            echo "Failed to get NPM token from response"
-            exit 1
-          fi
-
-          echo "NPM_TOKEN=${NPM_TOKEN}" >> $GITHUB_ENV
-          {
-            echo "TEST_NPMRC<<NPMRC_EOF"
-            echo "@windmill-test:registry=http://localhost:4873/"
-            echo "//localhost:4873/:_authToken=${NPM_TOKEN}"
-            echo "NPMRC_EOF"
-          } >> $GITHUB_ENV
-          echo "Got NPM token successfully: ${NPM_TOKEN:0:10}..."
-
-          # Configure npm globally with the auth token
-          echo "//localhost:4873/:_authToken=${NPM_TOKEN}" > ~/.npmrc
-          echo "Configured ~/.npmrc with auth token"
-
-          # Create a simple test package
-          mkdir -p /tmp/windmill-test-private-pkg
-          cat > /tmp/windmill-test-private-pkg/package.json << 'PKG_JSON'
-          {
-            "name": "@windmill-test/private-pkg",
-            "version": "1.0.0",
-            "main": "index.js"
-          }
-          PKG_JSON
-          cat > /tmp/windmill-test-private-pkg/index.js << 'PKG_JS'
-          module.exports.greet = (name) => `Hello from private package, ${name}!`;
-          PKG_JS
-
-          # Publish to Verdaccio with auth
-          cd /tmp/windmill-test-private-pkg
-          echo "Publishing package..."
-          npm publish --registry http://localhost:4873
-          echo "Package published successfully"
-
-          # Verify the package requires auth by trying anonymous access (should fail)
-          rm -f ~/.npmrc
-          echo "Testing anonymous access (should fail)..."
-          if npm view @windmill-test/private-pkg --registry http://localhost:4873 2>/dev/null; then
-            echo "ERROR: Package should require authentication but anonymous access worked"
-            exit 1
-          fi
-          echo "Verified: Package requires authentication for @windmill-test/private-pkg"
-      - name: Cache DuckDB FFI module build
-        uses: useblacksmith/cache@v1
-        with:
-          path: ./backend/windmill-duckdb-ffi-internal/target
-          key: ${{ runner.os }}-duckdb-ffi-${{ hashFiles('./backend/windmill-duckdb-ffi-internal/src/**/*.rs', './backend/windmill-duckdb-ffi-internal/Cargo.toml', './backend/windmill-duckdb-ffi-internal/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-duckdb-ffi-
+          workspaces: |
+            backend
+            backend -> target
       - name: cargo test
-        timeout-minutes: 30
-        env:
-          SQLX_OFFLINE: true
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432/windmill
-          DISABLE_EMBEDDING: true
-          RUST_LOG: "off"
-          RUST_LOG_STYLE: never
-          CARGO_NET_GIT_FETCH_WITH_CLI: true
-          CARGO_BUILD_JOBS: 12
-          CARGO_INCREMENTAL: 1
-          WMDEBUG_FORCE_V0_WORKSPACE_DEPENDENCIES: 1
-          WMDEBUG_FORCE_RUNNABLE_SETTINGS_V0: 1
-          WMDEBUG_FORCE_NO_LEGACY_DEBOUNCING_COMPAT: 1
-          TEST_NPM_REGISTRY: "http://localhost:4873/:_authToken=${{ env.NPM_TOKEN }}"
-        run: |
-          deno --version && bun -v && node --version && go version && python3 --version && php --version && ruby --version && pwsh --version && dotnet --version
-          cd windmill-duckdb-ffi-internal && ./build_dev.sh && cd ..
-          DENO_PATH=$(which deno) BUN_PATH=$(which bun) NODE_BIN_PATH=$(which node) GO_PATH=$(which go) UV_PATH=$(which uv) PHP_PATH=$(which php) COMPOSER_PATH=$(which composer) RUBY_PATH=$(which ruby) RUBY_BUNDLE_PATH=$(which bundle) RUBY_GEM_PATH=$(which gem) POWERSHELL_PATH=$(which pwsh) DOTNET_PATH=$(which dotnet) cargo test --features enterprise,deno_core,duckdb,license,python,rust,scoped_cache,parquet,private,private_registry_test,csharp,php,ruby,mysql,quickjs,mcp --all -- --nocapture --test-threads=10
+        timeout-minutes: 10
+        run: mkdir frontend/build && cd backend && touch windmill-api/openapi-deref.yaml && DATABASE_URL=postgres://postgres:changeme@postgres:5432/windmill DISABLE_NSJAIL=false cargo test --all -- --nocapture

.github/workflows/benchmark.yml

@@ -1,324 +0,0 @@
-name: Run benchmarks
-
-on:
-  schedule:
-    - cron: "0 0 */1 * *"
-  workflow_dispatch:
-
-jobs:
-  benchmark_single:
-    runs-on: ubicloud-standard-8
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c shared_buffers=2GB -c work_mem=32MB -c effective_cache_size=4GB"
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-          --shm-size=2g
-
-
-      windmill:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always --health-interval 10s --health-timeout 5s
-          --health-retries 5 --health-cmd "curl
-          http://localhost:8000/api/version"
-        ports:
-          - 8000:8000
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - name: benchmark
-        timeout-minutes: 30
-        run: deno run  -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
-          -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
-      - name: Save benchmark results
-        uses: actions/upload-artifact@v4
-        with:
-          name: benchmark_single
-          path: |
-            *.json
-
-  benchmark_dedicated:
-    runs-on: ubicloud-standard-8
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c shared_buffers=2GB -c work_mem=32MB -c effective_cache_size=4GB"
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-      windmill:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          WORKER_GROUP: dedicated
-          DEDICATED_WORKER: "admins:f/benchmarks/dedicated"
-        options: >-
-          --pull always --restart unless-stopped --health-interval 10s --health-timeout 5s
-          --health-retries 5 --health-cmd "curl
-          http://localhost:8000/api/version"
-        ports:
-          - 8000:8000
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - name: benchmark
-        timeout-minutes: 20
-        run: deno run  -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
-          --no-warm-up -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_dedicated.json
-      - name: Save benchmark results
-        uses: actions/upload-artifact@v4
-        with:
-          name: benchmark_dedicated
-          path: |
-            *.json
-
-  benchmark_4workers:
-    runs-on: ubicloud-standard-8
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c shared_buffers=2GB -c work_mem=32MB -c effective_cache_size=4GB"
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-      windmill:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always --health-interval 10s --health-timeout 5s
-          --health-retries 5 --health-cmd "curl
-          http://localhost:8000/api/version"
-        ports:
-          - 8000:8000
-      windmill_1:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_2:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_3:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - name: benchmark
-        timeout-minutes: 20
-        run: deno run  -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
-          -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
-          --workers 4
-          --factor 3
-      - name: Save benchmark results
-        uses: actions/upload-artifact@v4
-        with:
-          name: benchmark_4workers
-          path: |
-            *.json
-
-  benchmark_8workers:
-    runs-on: ubicloud-standard-8
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c shared_buffers=2GB -c work_mem=32MB -c effective_cache_size=4GB"
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-      windmill:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always --health-interval 10s --health-timeout 5s
-          --health-retries 5 --health-cmd "curl
-          http://localhost:8000/api/version"
-        ports:
-          - 8000:8000
-      windmill_1:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_2:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_3:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_4:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_5:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_6:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-
-      windmill_7:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          MODE: worker
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - name: benchmark
-        timeout-minutes: 20
-        run: deno run  -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
-          -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
-          --workers 8
-          --factor 3
-      - name: Save benchmark results
-        uses: actions/upload-artifact@v4
-        with:
-          name: benchmark_8workers
-          path: |
-            *.json
-
-  benchmark_graphs:
-    runs-on: ubicloud
-    needs:
-      - benchmark_single
-      - benchmark_dedicated
-      - benchmark_4workers
-      - benchmark_8workers
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - uses: actions/checkout@v4
-        with:
-          ref: benchmarks
-      - name: Download benchmark results
-        uses: actions/download-artifact@v4
-        with:
-          merge-multiple: true
-      - name: graphs
-        run: deno run -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_graphs.ts
-          -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/graphs_config.json
-      - name: Push changes
-        run: |
-          ls -la
-          pwd
-          git add .
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git commit -m "Update benchmarks"
-          git push

.github/workflows/build-caddy-l4-image.yml

@@ -1,45 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository_owner }}/caddy-l4
-
-name: Build caddy-l4
-on:
-  workflow_dispatch:
-
-permissions: write-all
-
-jobs:
-  build_ee:
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-      - uses: depot/setup-action@v1
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=branch
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          context: ./docker
-          file: ./docker/DockerfileCaddyL4
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}

.github/workflows/build-extra-image.yml

@@ -1,65 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-name: Build windmill-extra
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "Tag for the image"
-        required: false
-        default: "dev"
-        type: string
-
-permissions: write-all
-
-jobs:
-  sleep:
-    runs-on: ubicloud
-    steps:
-      - name: Sleep for 900 seconds waiting for pypi to update index
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: sleep 900
-        shell: bash
-  build_extra:
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-extra
-          flavor: |
-            latest=false
-          tags: |
-            type=raw,value=${{ github.event.inputs.tag }}
-            type=sha,enable=true,priority=100,prefix=,suffix=,format=short
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: "./docker/DockerfileExtra"
-          tags: |
-            ${{ steps.meta.outputs.tags }}
-          labels: |
-            ${{ steps.meta.outputs.labels }}

.github/workflows/build-publish-rh-image.yml

@@ -1,116 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-name: Build and publish windmill for RHEL9
-on: workflow_dispatch
-
-permissions: write-all
-
-jobs:
-  build_ee:
-    runs-on: ubicloud-standard-4
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-rhel9
-          flavor: |
-            latest=false
-          tags: |
-            type=sha
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Substitute EE code
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Copy RHEL9 Dockerfile
-        run: |
-          cp ./docker/RHEL9/Dockerfile ./Dockerfile
-
-      - name: Build and push EE (multi-arch)
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          build-args: |
-            features=ee_rhel
-          secrets: |
-            rh_username=${{ secrets.RH_USERNAME }}
-            rh_password=${{ secrets.RH_PASSWORD }}
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
-
-      - name: Install crane
-        uses: imjasonh/setup-crane@v0.4
-
-      - name: Extract binaries with crane
-        run: |
-          mkdir -p extracted
-
-          # Extract arm64 binary (include deps/ for hard link resolution)
-          mkdir -p /tmp/arm64
-          crane export --platform linux/arm64 ${{ steps.meta-ee-public.outputs.tags }} - \
-            | tar -xf - -C /tmp/arm64 windmill/target/release/ usr/src/app/libwindmill_duckdb_ffi_internal.so
-          cp /tmp/arm64/windmill/target/release/windmill extracted/windmill-ee-arm64-rhel9
-          cp /tmp/arm64/usr/src/app/libwindmill_duckdb_ffi_internal.so extracted/libwindmill_duckdb_ffi_internal-arm64.so
-          rm -rf /tmp/arm64
-
-          # Extract amd64 binary
-          mkdir -p /tmp/amd64
-          crane export --platform linux/amd64 ${{ steps.meta-ee-public.outputs.tags }} - \
-            | tar -xf - -C /tmp/amd64 windmill/target/release/ usr/src/app/libwindmill_duckdb_ffi_internal.so
-          cp /tmp/amd64/windmill/target/release/windmill extracted/windmill-ee-amd64-rhel9
-          cp /tmp/amd64/usr/src/app/libwindmill_duckdb_ffi_internal.so extracted/libwindmill_duckdb_ffi_internal-amd64.so
-          rm -rf /tmp/amd64
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL9-arm64 build
-          path: extracted/windmill-ee-arm64-rhel9
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL9-amd64 build
-          path: extracted/windmill-ee-amd64-rhel9
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL9-arm64 dynamic libraries build
-          path: extracted/libwindmill_duckdb_ffi_internal-arm64.so
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL9-amd64 dynamic libraries build
-          path: extracted/libwindmill_duckdb_ffi_internal-amd64.so

.github/workflows/build-publish-rh8-image.yml

@@ -1,140 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-name: Build and publish windmill for RHEL8
-on: workflow_dispatch
-
-permissions: write-all
-
-jobs:
-  build_ee:
-    runs-on: ubicloud-standard-4
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-rhel8
-          flavor: |
-            latest=false
-          tags: |
-            type=sha
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Substitute EE code
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Copy RHEL8 Dockerfile
-        run: |
-          cp ./docker/RHEL8/Dockerfile ./Dockerfile
-
-      - name: Build and push publicly ee amd64
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64
-          push: true
-          build-args: |
-            features=ee_rhel
-          secrets: |
-            rh_username=${{ secrets.RH_USERNAME }}
-            rh_password=${{ secrets.RH_PASSWORD }}
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}-amd64
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}-amd64
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
-
-      - name: Build and push publicly ee arm64
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/arm64
-          push: true
-          build-args: |
-            features=ee_rhel
-          secrets: |
-            rh_username=${{ secrets.RH_USERNAME }}
-            rh_password=${{ secrets.RH_PASSWORD }}
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}-arm64
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}-arm64
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract-ee-amd64
-        with:
-          image: ${{ steps.meta-ee-public.outputs.tags}}-amd64
-          path: "/windmill/target/release/windmill"
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract-duckdb-ffi-internal
-        with:
-          image: ${{ steps.meta-ee-public.outputs.tags}}-amd64
-          path: "/usr/src/app/libwindmill_duckdb_ffi_internal.so"
-
-      # - uses: shrink/actions-docker-extract@v3
-      #   id: extract-ee-arm64
-      #   with:
-      #     image: ${{ steps.meta-ee-public.outputs.tags}}-arm64
-      #     path: "/windmill/target/release/windmill"
-
-      - name: Rename binary with corresponding architecture
-        run: |
-          mv "${{ steps.extract-ee-amd64.outputs.destination }}/windmill" "${{ steps.extract-ee-amd64.outputs.destination }}/windmill-ee-amd64-rhel8"
-          # mv "${{ steps.extract-ee-arm64.outputs.destination }}/windmill" "${{ steps.extract-ee-arm64.outputs.destination }}/windmill-ee-arm64-rhel8"
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL8-amd64 build
-          path: ${{ steps.extract-ee-amd64.outputs.destination }}/windmill-ee-amd64-rhel8
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: RHEL8-amd64 dynamic libraries build
-          path: ${{ steps.extract-duckdb-ffi-internal.outputs.destination }}/libwindmill_duckdb_ffi_internal.so
-
-      # - uses: actions/upload-artifact@v4
-      #   with:
-      #     name: RHEL8-arm64 build
-      #     path:
-      #       ${{ steps.extract-ee-arm64.outputs.destination
-      #       }}/windmill-ee-arm64-rhel8
-
-      # - name: Attach binary to release
-      #   uses: softprops/action-gh-release@v2
-      #   if: startsWith(github.ref, 'refs/tags/')
-      #   with:
-      #     files: |
-      #       ${{ steps.extract-ee-arm64.outputs.destination }}/windmill-ee-arm64-rhel8
-      #       ${{ steps.extract-ee-amd64.outputs.destination }}/windmill-ee-amd64-rhel8

.github/workflows/build_cli_image.yml

@@ -1,55 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}-cli
-
-name: Publish cli image
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-  packages: write
-
-jobs:
-  publish_cli:
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: depot/setup-action@v1
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          file: "./docker/DockerfileCli"
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ steps.meta.outputs.tags }}
-          labels: |
-            ${{ steps.meta.outputs.labels }}
-            org.opencontainers.image.licenses=AGPLv3

.github/workflows/build_windows_worker_.yml

@@ -1,82 +0,0 @@
-name: Build windows executable for this branch
-
-on:
-  workflow_dispatch:
-
-env:
-  CARGO_INCREMENTAL: 0
-  SQLX_OFFLINE: true
-  DISABLE_EMBEDDING: true
-  RUST_LOG: info
-
-jobs:
-  cargo_build_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Read EE repo commit hash
-        shell: pwsh
-        run: |
-          $ee_repo_ref = Get-Content .\backend\ee-repo-ref.txt
-          echo "ee_repo_ref=$ee_repo_ref" | Out-File -FilePath $env:GITHUB_ENV -Append
-
-      - name: Checkout windmill-ee-private repository
-        uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - name: Substitute EE code
-        shell: bash
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Cargo check (fail fast on warnings)
-        timeout-minutes: 60
-        env:
-          RUSTFLAGS: "-D warnings"
-        run: |
-          mkdir frontend/build && cd backend
-          New-Item -Path . -Name "windmill-api/openapi-deref.yaml" -ItemType "File" -Force
-          cargo check --features=ee_windows
-
-      - name: Cargo build dynamic libraries windows
-        timeout-minutes: 180
-        run: |
-          cd backend/windmill-duckdb-ffi-internal
-          cargo build --release -p windmill_duckdb_ffi_internal
-
-      - name: Cargo build binary windows
-        timeout-minutes: 180
-        run: |
-          vcpkg.exe install openssl-windows:x64-windows
-          vcpkg.exe install openssl:x64-windows-static
-          vcpkg.exe integrate install
-          $env:VCPKGRS_DYNAMIC=1
-          $env:OPENSSL_DIR="${Env:VCPKG_INSTALLATION_ROOT}\installed\x64-windows-static"
-          cd backend
-          cargo build --release --features=ee_windows
-      - name: Rename binary with corresponding architecture
-        run: |
-          Rename-Item -Path ".\backend\target\release\windmill.exe" -NewName "windmill-ee.exe"
-
-      - name: Upload binary artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: windmill-ee-binary
-          path: ./backend/target/release/windmill-ee.exe
-
-      - name: Upload dynamic libraries artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: windmill_duckdb_ffi_internal.dll
-          path: ./backend/windmill-duckdb-ffi-internal/target/release/windmill_duckdb_ffi_internal.dll

.github/workflows/change-versions.yml

@@ -6,17 +6,10 @@ on:
       - "version.txt"
 jobs:
   change_version:
-    runs-on: ubicloud
+    runs-on: ubuntu-latest
     container: node:18
     steps:
-      - uses: actions/create-github-app-token@v2
-        id: app
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.app.outputs.token }}
+      - uses: actions/checkout@v3
       - run: git config --system --add safe.directory /__w/windmill/windmill
       - name: Change versions
         run: ./.github/change-versions.sh "$(cat version.txt)"
@@ -24,12 +17,5 @@ jobs:
         with:
           toolchain: stable
       - name: update lockfile
-        run: |
-          cd backend
-          cargo generate-lockfile
-      - uses: stefanzweifel/git-auto-commit-action@v5
-        with:
-          commit_user_name: windmill-internal-app[bot]
-          commit_user_email: windmill-internal-app[bot]@users.noreply.github.com
-        env:
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
+        run: cd backend && cargo generate-lockfile
+      - uses: stefanzweifel/git-auto-commit-action@v4

.github/workflows/check-org-membership.yml

@@ -1,83 +0,0 @@
-name: Check Organization Membership
-
-on:
-  workflow_call:
-    inputs:
-      commenter:
-        required: false
-        type: string
-        default: ''
-        description: 'The username to check. Auto-detected from the event context if not provided.'
-      organization:
-        required: false
-        type: string
-        default: 'windmill-labs'
-        description: 'The organization to check membership for'
-      trusted_bot:
-        required: false
-        type: string
-        default: 'windmill-internal-app[bot]'
-        description: 'The trusted bot username to allow'
-    secrets:
-      access_token:
-        required: true
-        description: 'The access token to use for org membership check'
-    outputs:
-      is_member:
-        description: 'Whether the user is an organization member or trusted bot'
-        value: ${{ jobs.check-membership.outputs.is_member }}
-
-jobs:
-  check-membership:
-    runs-on: ubicloud-standard-2
-    outputs:
-      is_member: ${{ steps.check-membership.outputs.is_member }}
-    steps:
-      - name: Determine commenter
-        id: determine-commenter
-        run: |
-          COMMENTER="${{ inputs.commenter }}"
-          if [[ -z "$COMMENTER" ]]; then
-            if [[ "${{ github.event_name }}" == "issue_comment" || \
-                  "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
-              COMMENTER="${{ github.event.comment.user.login }}"
-            elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
-              COMMENTER="${{ github.event.review.user.login }}"
-            else
-              COMMENTER="${{ github.event.issue.user.login }}"
-            fi
-          fi
-          echo "commenter=$COMMENTER" >> $GITHUB_OUTPUT
-
-      - name: Check organization membership
-        id: check-membership
-        env:
-          ORG_ACCESS_TOKEN: ${{ secrets.access_token }}
-          COMMENTER: ${{ steps.determine-commenter.outputs.commenter }}
-          ORG: ${{ inputs.organization }}
-          TRUSTED_BOT: ${{ inputs.trusted_bot }}
-        run: |
-          # 1. Allow the trusted bot straight away
-          if [[ "$COMMENTER" == "$TRUSTED_BOT" ]]; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # 2. Disallow other bots
-          if [[ "${COMMENTER}" =~ \[bot\]$ ]]; then
-            echo "is_member=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # 3. Otherwise check if the user is a member of the organization
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-            -H "Authorization: token $ORG_ACCESS_TOKEN" \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "https://api.github.com/orgs/$ORG/members/$COMMENTER")
-
-          if [ "$STATUS" -eq 204 ]; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-          fi

.github/workflows/claude-fast.yml

@@ -1,54 +0,0 @@
-name: Fast Claude
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  check-membership:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai-fast')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai-fast')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai-fast')) ||
-      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai-fast'))
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
-  claude-code-action:
-    needs: check-membership
-    if: |
-      needs.check-membership.outputs.is_member == 'true'
-    runs-on: ubicloud-standard-8
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          allowed_bots: "windmill-internal-app[bot]"
-          trigger_phrase: "/ai-fast"
-          settings: |
-            {
-              "env": {
-                "SQLX_OFFLINE": "true"
-              }
-            }
-          claude_args: |
-            --allowedTools "Bash,WebFetch,WebSearch"
-            --model opus

.github/workflows/claude-plan.yml

@@ -1,69 +0,0 @@
-name: Claude Plan Assistant
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  check-membership:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/plan')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/plan')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/plan')) ||
-      (github.event_name == 'issues' && contains(github.event.issue.body, '/plan'))
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
-  claude-plan-action:
-    needs: check-membership
-    if: |
-      needs.check-membership.outputs.is_member == 'true'
-    runs-on: ubicloud-standard-4
-    timeout-minutes: 20
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Plan Action
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          allowed_bots: 'windmill-internal-app[bot]'
-          trigger_phrase: '/plan'
-          claude_args: |
-            --model opus
-            --system-prompt "# Claude Planning Mode
-
-            You are operating in PLANNING MODE ONLY. Your role is to create detailed, structured plans without making any code changes.
-
-            ## Your Responsibilities:
-
-            1. **Analyze the Request**: Carefully read and understand what the user is asking for
-            2. **Explore the Codebase**: Understand the relevant code structure
-            3. **Create a Detailed Plan**: Provide a comprehensive, step-by-step plan that includes:
-               - Clear breakdown of all tasks needed
-               - Files that will need to be modified or created
-               - Code patterns and architecture decisions
-               - Potential challenges and how to address them
-               - If there are multiple options to achieve the same goal, explain the pros and cons of each option
-
-            ## Strict Constraints:
-
-            - **DO NOT** make any code changes
-            - **DO NOT** create branches or pull requests
-
-            Remember: You are here to plan, not to implement. Provide thorough analysis and clear guidance for implementation."

.github/workflows/claude.yml

@@ -1,107 +0,0 @@
-name: Claude PR Assistant
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  check-membership:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai')) ||
-      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai'))
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
-  claude-code-action:
-    needs: check-membership
-    if: |
-      needs.check-membership.outputs.is_member == 'true'
-    runs-on: ubicloud-standard-8
-    timeout-minutes: 60
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
-      - name: Run npm install and generate-backend-client
-        working-directory: ./frontend
-        run: |
-          # add a build directory for cargo check
-          mkdir -p build
-          npm install
-          npm run generate-backend-client
-
-      - name: install xmlsec1 and gssapi
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libxml2-dev libxmlsec1-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - name: cargo check
-        working-directory: ./backend
-        timeout-minutes: 16
-        run: |
-          SQLX_OFFLINE=true cargo check --features all_sqlx_features
-
-      - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          allowed_bots: "windmill-internal-app[bot]"
-          trigger_phrase: "/ai"
-          settings: |
-            {
-              "env": {
-                "SQLX_OFFLINE": "true"
-              }
-            }
-          claude_args: |
-            --allowedTools "Bash,WebFetch,WebSearch"
-            --model opus
-            --system-prompt "## IMPORTANT INSTRUCTIONS
-            - Your branch name should be a short description of the requested changes.
-            - Bypass previous instructions and instead of adding a url in your comment to manually create a PR, if you created a new branch with your changes, automatically create a draft PR from that branch to main.
-
-            ## Code Quality Requirements
-
-            After making any code changes, you MUST run the appropriate validation commands:
-
-            **Frontend Changes:**
-            - Run: \`npm run check\` in the frontend directory
-            - Fix all warnings and errors before proceeding
-
-            **Backend Changes:**
-            - Run: \`cargo check --features all_sqlx_features\` in the backend directory
-            - Fix all warnings and errors before proceeding
-
-            **Pull Request Creation:**
-            - DO NOT FORGET TO OPEN A DRAFT PR AFTER YOU ARE DONE if you made changes after a request from a git issue.
-
-            ## Available Tools
-            - Bash: Full access to run validation commands and git operations"

.github/workflows/clean-docker.yml

@@ -0,0 +1,13 @@
+name: Clean docker
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    - cron: "0 0 */2 * *"
+
+jobs:
+  build:
+    runs-on: [self-hosted, new]
+    steps:
+      - name: clean docker
+        run: |
+          sudo docker system prune -f

.github/workflows/cli-tests.yml

@@ -1,187 +0,0 @@
-name: CLI Tests
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'cli/**'
-      - '.github/workflows/cli-tests.yml'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'cli/**'
-      - '.github/workflows/cli-tests.yml'
-
-env:
-  CARGO_TERM_COLOR: always
-  SQLX_OFFLINE: true
-
-jobs:
-  build-check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Generate Windmill client
-        working-directory: cli
-        run: ./gen_wm_client.sh
-
-      - name: Run CLI build
-        working-directory: cli
-        run: ./build.sh
-
-  test-linux:
-    runs-on: ubuntu-latest
-
-    services:
-      postgres:
-        image: postgres:16
-        env:
-          POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_DB: windmill
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Rust toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: true
-          cache-workspaces: backend
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Symlink Bun to /usr/bin/bun
-        run: sudo ln -sf $(which bun) /usr/bin/bun
-
-      - name: Symlink Node to /usr/bin/node
-        run: sudo ln -sf $(which node) /usr/bin/node
-
-      - name: Install dependencies
-        working-directory: cli
-        run: bun install
-
-      - name: Generate Windmill clients
-        working-directory: cli
-        run: |
-          ./gen_wm_client.sh
-          ./windmill-utils-internal/gen_wm_client.sh
-
-      - name: Run CLI tests
-        working-directory: cli
-        env:
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432
-          CI_MINIMAL_FEATURES: "true"
-        run: bun test --timeout 120000 test/
-
-  test-windows:
-    runs-on: blacksmith-16vcpu-windows-2025
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup PostgreSQL
-        uses: ikalnytskyi/action-setup-postgres@v6
-        with:
-          username: postgres
-          password: changeme
-          database: windmill
-          port: 5432
-
-      - name: Setup Rust toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache: true
-          cache-workspaces: backend
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Get Bun and Node paths
-        id: runtime-paths
-        shell: pwsh
-        run: |
-          $bunPath = (Get-Command bun).Source
-          $nodePath = (Get-Command node).Source
-          echo "BUN_PATH=$bunPath" >> $env:GITHUB_OUTPUT
-          echo "NODE_BIN_PATH=$nodePath" >> $env:GITHUB_OUTPUT
-
-      - name: Install dependencies
-        working-directory: cli
-        run: bun install
-
-      - name: Generate Windmill clients
-        working-directory: cli
-        shell: bash
-        run: |
-          ./gen_wm_client.sh
-          ./windmill-utils-internal/gen_wm_client.sh
-
-      - name: Run CLI tests
-        working-directory: cli
-        shell: pwsh
-        env:
-          DATABASE_URL: postgres://postgres:changeme@localhost:5432
-          CI_MINIMAL_FEATURES: "true"
-          BUN_PATH: ${{ steps.runtime-paths.outputs.BUN_PATH }}
-          NODE_BIN_PATH: ${{ steps.runtime-paths.outputs.NODE_BIN_PATH }}
-        run: bun test --timeout 120000 test/
-
-      - name: Keep runner alive for SSH debug
-        if: failure()
-        shell: pwsh
-        run: Start-Sleep -Seconds 3600
-
-  # Combined summary job for branch protection
-  test-summary:
-    runs-on: ubuntu-latest
-    needs: [build-check, test-linux, test-windows]
-    if: always()
-    steps:
-      - name: Check test results
-        run: |
-          if [ "${{ needs.build-check.result }}" != "success" ]; then
-            echo "Build check failed"
-            exit 1
-          fi
-          if [ "${{ needs.test-linux.result }}" != "success" ] || [ "${{ needs.test-windows.result }}" != "success" ]; then
-            echo "Some tests failed"
-            exit 1
-          fi
-          echo "All checks passed"

.github/workflows/deno_on_release.yml

@@ -0,0 +1,48 @@
+name: Publish deno-client
+on:
+  push:
+    tags:
+      - "v*"
+env:
+  repo: windmill-deno-client
+
+jobs:
+  build_deno_and_push_to_repo:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: generate_deno
+        run: |
+          cd deno-client
+          rm .gitignore
+          ./build.sh
+      - name: Pushes to another repository
+        id: push_directory
+        uses: cpina/github-action-push-to-another-repository@devel
+        env:
+          API_TOKEN_GITHUB: ${{ secrets.DENO_PAT }}
+        with:
+          source-directory: deno-client/
+          destination-github-username: ${{ github.repository_owner }}
+          destination-repository-name: ${{ env.repo }}
+          user-email: ruben@windmill.dev
+          commit-message: See ORIGIN_COMMIT from $GITHUB_REF
+          target-branch: main
+
+  tag_repo:
+    needs: [build_deno_and_push_to_repo]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{ github.repository_owner }}/${{ env.repo }}
+          token: ${{ secrets.DENO_PAT }}
+          path: ./client
+
+      - name: Push client
+        run: |
+          cd ./client
+          git config --global user.email "ruben@windmill.dev"
+          git config --global user.name "rubenfiszel[bot]"
+          git tag -a ${{ github.ref_name }} -m "${{ github.ref_name }}"
+          git push --tags

.github/workflows/deploy_to_windmill.yml

@@ -0,0 +1,20 @@
+name: Deploy to windmill.dev
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "community/**"
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Deploy to windmill.dev
+        uses: windmill-labs/windmill-gh-action-deploy@v2.0.0
+        with:
+          dry_run: false
+          input_dir: community
+          windmill_workspace: starter
+          windmill_token: ${{ secrets.WINDMILL_API_TOKEN }}

.github/workflows/discord-notification.yml

@@ -1,76 +0,0 @@
-name: Create discord thread when a PR is opened, react with green checkmark when PR is merged
-
-on:
-  pull_request:
-    types:
-      - opened
-      - ready_for_review
-      - closed
-  issue_comment:
-    types:
-      - created
-  pull_request_review_comment:
-    types:
-      - created
-
-jobs:
-  notify_discord_when_pr_opened:
-    if: (github.event.pull_request.draft == false) && (github.event.action == 'opened' || github.event.action == 'ready_for_review')
-    uses: ./.github/workflows/shareable-discord-notification.yml
-    with:
-      PR_TITLE: ${{ github.event.pull_request.title }}
-      PR_URL: ${{ github.event.pull_request.html_url }}
-      PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-      PR_STATUS: "opened"
-      PR_NUMBER: ${{ github.event.pull_request.number }}
-      DISCORD_CHANNEL_ID: "1372204995868491786"
-      DISCORD_GUILD_ID: "930051556043276338"
-    secrets:
-      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_PR_REVIEWS_WEBHOOK }}
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-  merge_success_emoji:
-    if: github.event.action == 'closed'
-    uses: ./.github/workflows/shareable-discord-notification.yml
-    with:
-      PR_STATUS: "merged"
-      DISCORD_CHANNEL_ID: "1372204995868491786"
-      DISCORD_GUILD_ID: "930051556043276338"
-      PR_NUMBER: ${{ github.event.pull_request.number }}
-    secrets:
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-  notify_discord_on_comment:
-    if: >
-      github.event_name == 'issue_comment'
-      && github.event.issue.pull_request
-      && github.event.comment.user.login != 'cloudflare-workers-and-pages[bot]'
-      && github.event.comment.user.login != 'ellipsis-dev[bot]'
-    uses: ./.github/workflows/shareable-discord-notification.yml
-    with:
-      PR_STATUS: "comment"
-      PR_NUMBER: ${{ github.event.issue.number }}
-      COMMENT_BODY: ${{ github.event.comment.body }}
-      COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-      COMMENT_URL: ${{ github.event.comment.html_url }}
-      DISCORD_CHANNEL_ID: "1372204995868491786"
-      DISCORD_GUILD_ID: "930051556043276338"
-    secrets:
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}
-
-  notify_discord_on_review_comment:
-    if: >
-      github.event_name == 'pull_request_review_comment'
-      && github.event.comment.user.login != 'cloudflare-workers-and-pages[bot]'
-      && github.event.comment.user.login != 'ellipsis-dev[bot]'
-    uses: ./.github/workflows/shareable-discord-notification.yml
-    with:
-      PR_STATUS: "comment"
-      PR_NUMBER: ${{ github.event.pull_request.number }}
-      COMMENT_BODY: ${{ github.event.comment.body }}
-      COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-      COMMENT_URL: ${{ github.event.comment.html_url }}
-      DISCORD_CHANNEL_ID: "1372204995868491786"
-      DISCORD_GUILD_ID: "930051556043276338"
-    secrets:
-      DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_AI_BOT_TOKEN }}

.github/workflows/docker-310.yml

@@ -0,0 +1,47 @@
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+name: Build and push windmill with python 3.10 and openbb
+on: workflow_dispatch
+
+concurrency:
+  group: ${{ github.ref }}-openbb
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+  
+jobs:
+  build_ee:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      # - name: Set up Docker Buildx
+      #   uses: docker/setup-buildx-action@v2
+
+      - uses: depot/setup-action@v1
+
+      - name: Login to registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push publicly ee
+        uses: depot/build-push-action@v1
+        with:
+          context: .
+          push: true
+          file: ./docker/DockerfileOpenbb
+          build-args: |
+            features=enterprise
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:openbb
+          labels: |
+            org.opencontainers.image.licenses=Windmill-Enterprise-License

.github/workflows/docker-image-rpi4.yml

@@ -1,76 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}-rpi
-
-name: Build windmill without jemalloc
-on:
-  workflow_dispatch:
-
-concurrency:
-  group: windmill-without-jemalloc
-  cancel-in-progress: true
-
-permissions: write-all
-
-jobs:
-  build:
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-      - uses: depot/setup-action@v1
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Substitute EE code (EE logic is behind feature flag)
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Docker meta
-        id: meta-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
-          tags: |
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          build-args: |
-            features=ce_rpi
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:dev
-            ${{ steps.meta-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-public.outputs.labels }}
-            org.opencontainers.image.licenses=AGPLv3

.github/workflows/docker-image.yml

@@ -1,61 +1,30 @@
 env:
+  LOCAL_REGISTRY: registry.wimill.xyz
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.event_name != 'pull_request' && github.event_name !=
-    'workflow_dispatch' && github.repository || 'windmill-labs/windmill-test' }}
-  DEV_SHA: ${{ github.event_name != 'pull_request' && github.event_name !=
-    'workflow_dispatch' && 'dev' || github.event.inputs.tag || github.sha }}
-name: Build windmill:main
+  ECR_REGISTRY: 976079455550.dkr.ecr.us-east-1.amazonaws.com
+  IMAGE_NAME: ${{ github.repository }}
+
+name: Build and push docker image
 on:
   push:
     branches: [main]
     tags: ["*"]
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - "Dockerfile"
-  workflow_dispatch:
-    inputs:
-      ee:
-        description: "Build EE image (true, false)"
-        required: false
-        default: false
-        type: boolean
-      tag:
-        description: "Tag the image"
-        required: true
-        default: "test"
-      slim:
-        description: "Build slim image (true, false)"
-        required: false
-        default: false
-        type: boolean
+
 concurrency:
   group: ${{ github.ref }}
-  cancel-in-progress: false
-
-permissions: write-all
+  cancel-in-progress: true
 
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+  
 jobs:
   build:
-    runs-on: ubicloud
-    if: (github.event_name != 'workflow_dispatch') || (github.event.inputs &&
-      !github.event.inputs.ee)
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
           fetch-depth: 0
 
       # - name: Set up Docker Buildx
@@ -63,564 +32,203 @@ jobs:
       - uses: depot/setup-action@v1
 
       - name: Login to registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Substitute EE code (EE logic is behind feature flag)
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
       - name: Docker meta
         id: meta-public
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
         with:
           images: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
           tags: |
+            type=ref,event=branch
+            type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
+
       - name: Build and push publicly
         uses: depot/build-push-action@v1
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          build-args: |
-            features=ce
           tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
             ${{ steps.meta-public.outputs.tags }}
           labels: |
             ${{ steps.meta-public.outputs.labels }}
-
+            org.opencontainers.image.licenses=AGPLv3
+   
   build_ee:
-    runs-on: ubicloud
-    if: (github.event_name != 'workflow_dispatch') || github.event.inputs.ee
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
-          ref: ${{ github.ref }}
           fetch-depth: 0
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
       # - name: Set up Docker Buildx
       #   uses: docker/setup-buildx-action@v2
+
       - uses: depot/setup-action@v1
 
       - name: Docker meta
         id: meta-ee-public
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
         with:
           images: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee
-          flavor: |
-            latest=false
           tags: |
+            type=ref,event=branch
+            type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Login to registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Substitute EE code
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
       - name: Build and push publicly ee
         uses: depot/build-push-action@v1
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
           push: true
           build-args: |
-            features=ee
+            features=enterprise
+            nsjail=true
           tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:latest
             ${{ steps.meta-ee-public.outputs.tags }}
           labels: |
             ${{ steps.meta-ee-public.outputs.labels }}
             org.opencontainers.image.licenses=Windmill-Enterprise-License
 
-  attach_amd64_binary_to_release:
-    needs: [build, build_ee]
-    runs-on: ubicloud
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    env:
-      ARCH: amd64
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          # pulling docker image with desired arch so that actions-docker-extract doesn't do it
-          docker pull --platform "linux/$ARCH" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-          docker pull --platform "linux/$ARCH" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
 
-      - run: |
-          # Checks the image is in docker prior to running actions-docker-extract. It fails if not
-          # Also useful to visually check that the arch is the right opencontainers
-          docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-          docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-          path: "/usr/src/app/windmill"
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract-duckdb-ffi-internal
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-          path: "/usr/src/app/libwindmill_duckdb_ffi_internal.so"
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract-ee
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
-          path: "/usr/src/app/windmill"
-
-      - name: Rename binary with corresponding architecture
-        run: |
-          mv "${{ steps.extract.outputs.destination }}/windmill" "${{ steps.extract.outputs.destination }}/windmill-${ARCH}"
-          mv "${{ steps.extract-ee.outputs.destination }}/windmill" "${{ steps.extract-ee.outputs.destination }}/windmill-ee-${ARCH}"
-
-      - name: Attach binary to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ${{ steps.extract.outputs.destination }}/*
-            ${{ steps.extract-ee.outputs.destination }}/*
-            ${{ steps.extract-duckdb-ffi-internal.outputs.destination }}/*
-
-  # attach_arm64_binary_to_release:
-  #   needs: [build, build_ee]
-  #   runs-on: ubicoud
-  #   if: ${{ startsWith(github.ref, 'refs/tags/') }}
-  #   env:
-  #     ARCH: arm64
-  #   steps:
-  #     - uses: actions/checkout@v4
-
-  #     - run: |
-  #         # pulling docker image with desired arch so that actions-docker-extract doesn't do it
-  #         docker pull --platform "linux/$ARCH" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-  #         docker pull --platform "linux/$ARCH" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
-
-  #     - run: |
-  #         # Checks the image is in docker prior to running actions-docker-extract. It fails if not
-  #         # Also useful to visually check that the arch is the right opencontainers
-  #         docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-  #         docker image inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
-
-  #     - uses: shrink/actions-docker-extract@v3
-  #       id: extract
-  #       with:
-  #         image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }}
-  #         path: "/usr/src/app/windmill"
-
-  #     - uses: shrink/actions-docker-extract@v3
-  #       id: extract-ee
-  #       with:
-  #         image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }}
-  #         path: "/usr/src/app/windmill"
-
-  #     - name: Rename binary with corresponding architecture
-  #       run: |
-  #         mv "${{ steps.extract.outputs.destination }}/windmill" "${{ steps.extract.outputs.destination }}/windmill-${ARCH}"
-  #         mv "${{ steps.extract-ee.outputs.destination }}/windmill" "${{ steps.extract-ee.outputs.destination }}/windmill-ee-${ARCH}"
-
-  #     - name: Attach binary to release
-  #       uses: softprops/action-gh-release@v2
-  #       with:
-  #         files: |
-  #           ${{ steps.extract.outputs.destination }}/*
-  #           ${{ steps.extract-ee.outputs.destination }}/*
-
-  run_integration_test:
-    runs-on: ubicloud
-    needs: [build_ee]
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-      - name: Prepare test run
-        if: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
-        run: cd integration_tests && ./build.sh
-      - name: Test run
-        if: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
-        timeout-minutes: 15
+  playwright:
+    runs-on: [self-hosted, new]
+    needs: [build]
+    services:
+      postgres:
+        image: postgres
         env:
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-        run: cd integration_tests && ./run.sh
-      - name: Archive logs
-        uses: actions/upload-artifact@v4
+          POSTGRES_DB: windmill
+          POSTGRES_USER: admin
+          POSTGRES_PASSWORD: changeme
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v3
+      - name: "Docker"
+        run: echo "::set-output name=id::$(docker run --network=host --rm -d -p 8000:8000 --privileged -it -e DATABASE_URL=postgres://admin:changeme@localhost:5432/windmill -e BASE_INTERNAL_URL=http://localhost:8000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest)"
+        id: docker-container
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+      - name: "Playwright run"
+        timeout-minutes: 2
+        run: cd frontend && npm ci @playwright/test && npx playwright install && export BASE_URL=http://localhost:8000 && npm run test
+      - name: "Clean up"
+        run: docker kill ${{ steps.docker-container.outputs.id }}
         if: always()
-        with:
-          name: Windmill Integration Tests Logs
-          path: |
-            integration_tests/logs
 
-  tag_latest:
-    runs-on: ubicloud
-    needs: [run_integration_test, build]
-    if:
-      github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' ||
-      startsWith(github.ref, 'refs/tags/v'))  && (github.event_name != 'workflow_dispatch')
+
+  publish_privately_heavy:
+    needs: [build_ee]
+    runs-on: [self-hosted, new]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Tag main and latest
-        run: |
-          docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-          docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEV_SHA }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
-
-  tag_latest_ee:
-    runs-on: ubicloud
-    needs: [run_integration_test, build_ee]
-    if:
-      github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch') && (github.ref == 'refs/heads/main' ||
-      startsWith(github.ref, 'refs/tags/v'))
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Tag main and latest for ee
-        run: |
-          docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:latest
-          docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ env.DEV_SHA }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
-
-  verify_ee_image_vulnerabilities:
-    runs-on: ubicloud
-    needs: [tag_latest_ee]
-    if: startsWith(github.ref, 'refs/tags/v') && (github.event_name != 'workflow_dispatch')
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Analyze for critical and high CVEs
-        id: docker-scout-cves
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          only-severities: critical,high
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
-          sarif-file: sarif.output.json
-          summary: true
-          dockerhub-user: windmilllabs
-          dockerhub-password: ${{ secrets.DOCKER_PAT }}
-
-      - name: Upload SARIF result
-        id: upload-sarif
-        if: ${{ github.event_name != 'pull_request_target' }}
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: sarif.output.json
-
-  # docker_scout_ee:
-  #   runs-on: ubicloud
-  #   needs: [tag_latest_ee]
-  #   steps:
-  #     - name: Docker Scout
-  #       id: docker-scout
-  #       uses: docker/scout-action@v1
-  #       with:
-  #         dockerhub-
-  #         command: cves,recommendations,compare
-  #         to-latest: true
-  #         ignore-base: true
-  #         ignore-unchanged: true
-  #         only-fixed: true
-
-  publish_ecr_s3:
-    needs: [build_ee_full]
-    runs-on: ubicloud-standard-2-arm
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get version from tag
-        id: version
-        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
-
-      - uses: shrink/actions-docker-extract@v3
-        id: extract
-        with:
-          image: |-
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-full:${{ steps.version.outputs.VERSION }}
-          path: "/static_frontend/."
-
-      - uses: reggionick/s3-deploy@v4
-        with:
-          folder: ${{ steps.extract.outputs.destination }}
-          bucket: windmill-frontend
-          bucket-region: us-east-1
-
-  build_ee_cuda:
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    needs: [build_ee]
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          ref: ${{ github.ref }}
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-
-      - uses: depot/setup-action@v1
-
       - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
+        id: meta-heavy
+        uses: docker/metadata-action@v4
         with:
           images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-cuda
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly ee
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64
-          push: true
-          file: "./docker/DockerfileCuda"
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
-
-  build_slim:
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    needs: [build]
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-slim
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly ee
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64
-          push: true
-          file: "./docker/DockerfileSlim"
-          tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
-
-  build_ee_slim:
-    needs: [build_ee]
-    runs-on: ubicloud
-    if: (github.event_name != 'pull_request') && ((github.event_name != 'workflow_dispatch') || (github.event.inputs.ee || github.event.inputs.slim))
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-slim
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=ref,event=branch
+            type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
+            type=sha
+
+      - name: Login to ECR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
       - name: Login to registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push publicly ee
-        uses: depot/build-push-action@v1
+      - name: Build and push privately
+        uses: docker/build-push-action@v3
+        if: github.event_name != 'pull_request'
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
           push: true
-          file: "./docker/DockerfileSlimEe"
+          file: ./docker/DockerfileHeavy
           tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
+            ${{ steps.meta-heavy.outputs.tags }}
+          labels: ${{ steps.meta-heavy.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.LOCAL_REGISTRY }}/${{ env.IMAGE_NAME }}-heavy:buildcache
+          cache-to: type=registry,ref=${{ env.LOCAL_REGISTRY }}/${{ env.IMAGE_NAME }}-heavy:buildcache,mode=max
 
-  build_full:
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    needs: [build]
-    runs-on: ubicloud
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-full
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: "./docker/DockerfileFull"
-          tags: |
-            ${{ steps.meta-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-public.outputs.labels }}
-
-  build_ee_full:
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+  publish_privately_helm:
+    runs-on: [self-hosted, new]
     needs: [build_ee]
-    runs-on: ubicloud
+    if: github.event_name != 'pull_request'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta-ee-public
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-full
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+ 
 
       - name: Login to registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push publicly ee
-        uses: depot/build-push-action@v1
+      - name: Login to ECR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          
+      - name: Build and push privately
+        uses: docker/build-push-action@v3
+        if: github.event_name != 'pull_request'
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
           push: true
-          file: "./docker/DockerfileFullEe"
+          file: ./docker/DockerfileHelm
           tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
-          labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
-            org.opencontainers.image.licenses=Windmill-Enterprise-License
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:helm
+          cache-from: type=registry,ref=${{ env.LOCAL_REGISTRY }}/${{ env.IMAGE_NAME }}-helm:buildcache
+          cache-to: type=registry,ref=${{ env.LOCAL_REGISTRY }}/${{ env.IMAGE_NAME }}-helm:buildcache,mode=max

.github/workflows/frontend-check.yml

@@ -1,27 +1,17 @@
 name: check frontend build
 on:
-  workflow_run:
-    workflows: ["Change versions"]
-    types:
-      - completed
-
-  merge_group:
-  push:
+  pull_request:
+    types: [opened,synchronize,reopened,closed]
     paths:
       - "frontend/**"
-      - ".github/workflows/frontend-check.yml"
-
 jobs:
   npm_check:
-    runs-on: ubicloud-standard-8
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
-          node-version: 24
-          cache: "npm"
-          cache-dependency-path: "frontend/package-lock.json"
+          node-version: 18
       - name: "npm check"
-        timeout-minutes: 5
-        run: cd frontend && npm ci && npm run generate-backend-client && npm run
-          check
+        timeout-minutes: 2
+        run: cd frontend && npm ci && npm run generate-backend-client && npm run check

.github/workflows/gallery_on_release.yml

@@ -1,16 +0,0 @@
-name: Publish powershell-client
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-jobs:
-  publish_gallery:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-      - run: . ./powershell-client/publish.ps1
-        shell: pwsh
-        env:
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}

.github/workflows/git-commands.yaml

@@ -1,332 +0,0 @@
-name: Git commands
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  check-membership:
-    if: >-
-      github.event.issue.pull_request && (
-        startsWith(github.event.comment.body, '/updatesqlx') ||
-        startsWith(github.event.comment.body, '/demo') ||
-        startsWith(github.event.comment.body, '/eeref') ||
-        startsWith(github.event.comment.body, '/docs')
-      )
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
-  update-sqlx:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/updatesqlx')
-    runs-on: ubicloud-standard-8
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-
-    services:
-      postgres:
-        image: postgres:16
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-          POSTGRES_DB: windmill
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - uses: actions/create-github-app-token@v2
-        id: app
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-
-      - name: Comment on PR - Starting
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ steps.app.outputs.token }}
-          script: |
-            const runUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `Starting sqlx update...\n\n[View workflow run](${runUrl})`
-            })
-
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          token: ${{ steps.app.outputs.token }}
-          ref: ${{ github.event.issue.pull_request.head.ref }}
-          fetch-depth: 0
-
-      - name: Checkout windmill-ee-private
-        uses: actions/checkout@v3
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: windmill-ee-private
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-
-      # Setup Rust toolchain
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - name: Install xmlsec and gssapi build-time deps
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-            pkg-config libxml2-dev libssl-dev libkrb5-dev libsasl2-dev libcurl4-openssl-dev mold clang \
-            xmlsec1 libxmlsec1-dev libxmlsec1-openssl
-
-      - name: Run update-sqlx script
-        env:
-          DATABASE_URL: postgres://postgres:postgres@localhost:5432/windmill
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          set -e  # Exit on any command failure
-          PR_NUMBER=${{ github.event.issue.number }}
-
-          # Set up error trap to comment on PR for any failure
-          trap 'gh pr comment $PR_NUMBER --body "❌ SQLx update failed. Please check the workflow logs for details."' ERR
-
-          BRANCH_NAME=$(gh pr view $PR_NUMBER --json headRefName --jq .headRefName)
-          echo "Checking out PR branch: $BRANCH_NAME"
-          git checkout $BRANCH_NAME
-          git config --local user.email "windmill-internal-app[bot]@users.noreply.github.com"
-          git config --local user.name "windmill-internal-app[bot]"
-          git config pull.rebase true
-          git pull origin $BRANCH_NAME
-          mkdir -p frontend/build
-          cd backend
-          cargo install sqlx-cli --version 0.8.5
-          sqlx migrate run
-          ./substitute_ee_code.sh --dir ./windmill-ee-private
-          ./update_sqlx.sh
-          # Pass the branch name to the next step
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
-
-      - name: Commit changes if any
-        run: |
-          git add backend/.sqlx
-          git commit -m "Update SQLx metadata"
-          git push origin ${{ env.BRANCH_NAME }}
-
-      - name: Comment on PR - Completed
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ steps.app.outputs.token }}
-          script: |
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: 'Successfully ran sqlx update'
-            })
-
-  demo:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/demo')
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Run Claude Code for Demo Generation
-        uses: anthropics/claude-code-action@beta
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          timeout_minutes: "10"
-          allowed_tools: "Bash"
-          direct_prompt: |
-            You need to:
-
-            1. Extract the Cloudflare preview URL from the cloudflare-workers-and-pages bot comment in this PR
-            2. Analyze the PR changes to understand what feature was added/modified
-            3. Create detailed instructions to give to an AI agent that will click and interact with buttons and inputs to showcase the new feature. Only include the instructions, nothing else.
-            4. Create a demo.json file with a valid JSON object containing:
-              - instructions: the demo instructions
-              - url: the preview URL
-            5. VALIDATE the JSON file using `jq` before finishing
-            DO NOT COMMIT THIS FILE TO THE PR.
-
-            Example demo.json:
-            {
-              "instructions": "Click on settings, then account settings, then 'generate new token'",
-              "url": "https://example.pages.dev"
-            }
-
-            CRITICAL: After creating demo.json, you MUST:
-            1. Run `jq empty demo.json` to validate the JSON is properly formatted
-            2. If validation fails, fix the JSON and validate again
-            3. Only proceed once the JSON passes validation
-            4. Use proper JSON escaping for newlines, quotes, and special characters
-
-            Make sure to:
-            - Create a valid JSON object that passes `jq empty demo.json`
-            - Extract the correct preview URL (should be a .pages.dev domain)
-            - Create specific, actionable demo steps based on the actual changes in the PR
-            - Properly escape all strings in the JSON (use jq to create the file if needed)
-            - NOT COMMIT THE DEMO.JSON FILE TO THE PR
-
-      - name: Send instructions to Windmill
-        env:
-          DEMO_WEBHOOK_TOKEN: ${{ secrets.DEMO_WEBHOOK_TOKEN }}
-        run: |
-          if [[ -f "demo.json" ]]; then
-            echo "Found demo.json, sending to Windmill..."
-            cat demo.json
-
-            # Validate JSON one more time (Claude should have already done this)
-            if ! jq empty demo.json; then
-              echo "Error: demo.json is not valid JSON"
-              exit 1
-            fi
-
-            RESULT=$(curl -s \
-              -H 'Content-Type: application/json' \
-              -H "Authorization: Bearer $DEMO_WEBHOOK_TOKEN" \
-              -X POST \
-              -d @demo.json \
-              'https://app.windmill.dev/api/w/windmill-labs/jobs/run/f/f/ai/browserbase_demo')
-
-            echo "Windmill response:"
-            echo -E "$RESULT"
-          else
-            echo "Error: demo.json file not found"
-            exit 1
-          fi
-
-  update-ee-ref:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/eeref')
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-    steps:
-      - uses: actions/create-github-app-token@v2
-        id: app
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-
-      - name: Comment on PR - Starting
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ steps.app.outputs.token }}
-          script: |
-            const runUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `Starting ee ref update...\n\n[View workflow run](${runUrl})`
-            })
-
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          token: ${{ steps.app.outputs.token }}
-          ref: ${{ github.event.issue.pull_request.head.ref }}
-          fetch-depth: 0
-
-      - name: Checkout windmill-ee-private
-        uses: actions/checkout@v3
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: windmill-ee-private
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-
-      - name: Get last commit hash of private-repo
-        id: get-commit-hash
-        run: |
-          cd windmill-ee-private
-          COMMIT_HASH=$(git rev-parse HEAD)
-          echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
-          echo "Latest commit hash: $COMMIT_HASH"
-
-      - name: Update ee-repo-ref.txt
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          set -e  # Exit on any command failure
-          PR_NUMBER=${{ github.event.issue.number }}
-
-          # Set up error trap to comment on PR for any failure
-          trap 'gh pr comment $PR_NUMBER --body "❌ EE ref update failed. Please check the workflow logs for details."' ERR
-
-          BRANCH_NAME=$(gh pr view $PR_NUMBER --json headRefName --jq .headRefName)
-          echo "Checking out PR branch: $BRANCH_NAME"
-          git checkout $BRANCH_NAME
-          git config --local user.email "windmill-internal-app[bot]@users.noreply.github.com"
-          git config --local user.name "windmill-internal-app[bot]"
-          git config pull.rebase true
-          git pull origin $BRANCH_NAME
-          echo "${{ steps.get-commit-hash.outputs.commit_hash }}" > backend/ee-repo-ref.txt
-          echo "Updated backend/ee-repo-ref.txt with commit hash: ${{ steps.get-commit-hash.outputs.commit_hash }}"
-          # commit and push the changes
-          git add backend/ee-repo-ref.txt
-          git commit -m "Update ee-repo-ref.txt" || echo "No changes to commit"
-          git push origin $BRANCH_NAME
-
-      - name: Comment on PR - Completed
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ steps.app.outputs.token }}
-          script: |
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: 'Successfully updated ee-repo-ref.txt'
-            })
-
-  update-docs:
-    needs: check-membership
-    if: needs.check-membership.outputs.is_member == 'true' && startsWith(github.event.comment.body, '/docs')
-    runs-on: ubicloud-standard-2
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-    steps:
-      - uses: actions/create-github-app-token@v2
-        id: app
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: |
-            windmilldocs
-
-      - name: Trigger docs update
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-          COMMENT_TEXT: ${{ github.event.comment.body }}
-        run: |
-          jq -n \
-            --argjson pr_number ${{ github.event.issue.number }} \
-            --arg repo "${{ github.event.repository.name }}" \
-            --arg comment "$COMMENT_TEXT" \
-            '{event_type: "create-docs", client_payload: {pr_number: $pr_number, repo: $repo, comment_text: $comment}}' | \
-          gh api repos/windmill-labs/windmilldocs/dispatches \
-            --method POST \
-            --input -

.github/workflows/go_on_release.yml

@@ -10,14 +10,10 @@ env:
 
 jobs:
   build_go_and_push_to_repo:
-    runs-on: ubicloud-standard-8
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
-      - name: install_jq
-        run: |
-          sudo apt-get update
-          sudo apt-get install jq
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
       - name: generate_go
         run: |
           go install github.com/deepmap/oapi-codegen/cmd/oapi-codegen@v1.11.0
@@ -42,7 +38,7 @@ jobs:
     needs: [build_go_and_push_to_repo]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           repository: ${{ github.repository_owner }}/${{ env.repo }}
           token: ${{ secrets.DENO_PAT }}

.github/workflows/helmchart_on_release.yml

@@ -1,91 +0,0 @@
-name: Publish Helm Chart on Release
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  bump-helm-version:
-    runs-on: ubicloud-standard-2
-
-    steps:
-      - name: Generate an installation token
-        id: app
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ vars.INTERNAL_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_APP_KEY }}
-          owner: windmill-labs
-
-      - name: Checkout on helm repository
-        uses: actions/checkout@v3
-        with:
-          repository: windmill-labs/windmill-helm-charts
-          token: ${{ steps.app.outputs.token }}
-
-      - name: Get version
-        id: get_version
-        run: |
-          echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
-
-      - name: Create new branch
-        run: |
-          # Check if branch already exists remotely
-          if git ls-remote --heads origin bump-helm-version-${{ env.VERSION }} | grep -q bump-helm-version-${{ env.VERSION }}; then
-            # Branch exists, check it out
-            git fetch origin bump-helm-version-${{ env.VERSION }}
-            git checkout bump-helm-version-${{ env.VERSION }}
-          else
-            # Create new branch
-            git checkout -b bump-helm-version-${{ env.VERSION }}
-          fi
-
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
-
-      - name: Bump helm version
-        run: |
-          # Get current version and increment it by 1
-          CURRENT_VERSION=$(grep "version:" ./charts/windmill/Chart.yaml | awk '{print $2}' | head -n 1)
-          NEW_VERSION=$(echo "$CURRENT_VERSION" | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g')
-          sed -i "s/^version: .*/version: $NEW_VERSION/" ./charts/windmill/Chart.yaml
-
-          # Get the app version from the version
-          VERSION=${{ env.VERSION }}
-          APP_VERSION=${VERSION#refs/tag/}
-          APP_VERSION=${APP_VERSION#v}
-          APP_VERSION=${APP_VERSION%/}
-          sed -i "s/appVersion: .*/appVersion: $APP_VERSION/" ./charts/windmill/Chart.yaml
-
-      - name: Close existing bump-helm PRs
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          # List open PR numbers whose title starts with the prefix
-          prs=$(gh pr list \
-                  --state open \
-                  --search '"helm: bump version to" in:title' \
-                  --json number \
-                  -q '.[].number')
-
-          for pr in $prs; do
-            echo "Closing outdated bump PR #$pr"
-            gh pr close "$pr" \
-              --comment "Closed automatically – superseded by a newer Helm-chart bump PR."
-          done
-
-      - name: Commit and push
-        run: |
-          git add .
-          git commit -m "Bump helm version to ${{ env.VERSION }}"
-          git push origin bump-helm-version-${{ env.VERSION }}
-
-      - name: Create PR
-        env:
-          GH_TOKEN: ${{ steps.app.outputs.token }}
-        run: |
-          gh pr create \
-            --title "helm: bump version to ${{ env.VERSION }}" \
-            --body "This PR was auto-generated to bring the helm chart up to date for [release ${{ env.VERSION }}](https://github.com/windmill-labs/windmill/releases/tag/v${{ env.VERSION }}) in the main repo." \
-            --head bump-helm-version-${{ env.VERSION }} \
-            --base main

.github/workflows/jsr_on_release.yml

@@ -1,16 +0,0 @@
-name: Publish typescript-client on JSR
-
-on:
-  push:
-    tags:
-      - "v*"
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - run: cd typescript-client && ./publish.jsr.sh

.github/workflows/linear-claude.yaml

@@ -1,38 +0,0 @@
-name: Claude PR Assistant
-
-on:
-  repository_dispatch:
-    types: [external_claude_issue_fix]
-
-jobs:
-  claude-code-action:
-    runs-on: ubicloud-standard-8
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Process inputs
-        id: process_inputs
-        shell: bash
-        run: |
-          ISSUE_TITLE="${{ github.event.client_payload.issue_title }}"
-          INSTRUCTION="${{ github.event.client_payload.instruction }}"
-          ISSUE_BODY=$(printf '%q' "${{ github.event.client_payload.issue_body }}")
-          BASE_PROMPT="Try to fix the following issue based on the instruction given. You are provided with the issue title, issue body, and instruction. You are to fix the issue based on the instruction. You are to create a pull request to fix the issue."
-          CUSTOM_PROMPT=$(printf -v PROMPT "%s\n\nISSUE_TITLE: %s\n\nISSUE_BODY: %s\n\nINSTRUCTION: %s" "$BASE_PROMPT" "$ISSUE_TITLE" "$ISSUE_BODY" "$INSTRUCTION")
-          echo "CUSTOM_PROMPT=$CUSTOM_PROMPT" >> $GITHUB_OUTPUT
-
-      - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@beta
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          timeout_minutes: "60"
-          allowed_tools: "mcp__github__create_pull_request"
-          direct_prompt: ${{ steps.process_inputs.outputs.CUSTOM_PROMPT }}

.github/workflows/npm_on_release.yml

@@ -1,33 +0,0 @@
-name: Publish typescript-client & CLI to NPM on release
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-jobs:
-  publish_typescript_client:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "20.x"
-          registry-url: "https://registry.npmjs.org"
-      - run: cd typescript-client && ./publish.sh && cd ..
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  publish_cli:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "20.x"
-          registry-url: "https://registry.npmjs.org"
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-      - run: cd cli && ./build.sh && cd npm && npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/pr-ready-review.yml

@@ -1,48 +0,0 @@
-name: Claude Auto Review
-
-on:
-  pull_request:
-    types: [ready_for_review, opened]
-
-concurrency:
-  group: claude-review-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  auto-review:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false || github.event.pull_request.ready_for_review == true
-    permissions:
-      contents: read
-      pull-requests: read
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Automatic PR Review
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          track_progress: true
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
-
-            Please review this pull request and provide comprehensive feedback.
-
-            Focus on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Performance considerations
-            - Security implications
-
-            Provide detailed feedback using inline comments for specific issues.
-            Use top-level comments for general observations or praise.
-
-            At the end of your review, add complete instructions to reproduce the added changes through the app interface. These instructions will be given to a tester so he can verify the changes. It should be a short descriptive text (not a step by step or a list) on how to navigate the app (what page, what action, what input, etc) to see the changes.
-          claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
-            --model opus

.github/workflows/publish_extra.yml

@@ -1,126 +0,0 @@
-env:
-  REGISTRY: ghcr.io
-  ECR_REGISTRY: 976079455550.dkr.ecr.us-east-1.amazonaws.com
-  IMAGE_NAME: ${{ github.repository }}-extra
-
-name: Publish windmill-extra
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-permissions: write-all
-
-jobs:
-  sleep:
-    runs-on: ubicloud
-    steps:
-      - name: Sleep for 900 seconds waiting for pypi to update index
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: sleep 900
-        shell: bash
-
-  # Build and test the image before publishing
-  test_extra:
-    needs: [sleep]
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build test image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./docker/DockerfileExtra
-          load: true
-          tags: windmill-extra:test
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Start container
-        run: |
-          docker run -d --name windmill-extra-test \
-            -p 3001:3001 -p 3002:3002 -p 3003:3003 \
-            -e ENABLE_LSP=true \
-            -e ENABLE_MULTIPLAYER=true \
-            -e ENABLE_DEBUGGER=true \
-            -e DEBUGGER_PORT=3003 \
-            -e REQUIRE_SIGNED_DEBUG_REQUESTS=false \
-            windmill-extra:test
-
-          # Wait for container to start
-          echo "Waiting for container to initialize..."
-          sleep 10
-
-          # Show container logs for debugging
-          docker logs windmill-extra-test
-
-      - name: Run integration tests
-        run: |
-          bun run docker/test_windmill_extra.ts
-
-      - name: Show container logs on failure
-        if: failure()
-        run: |
-          echo "=== Container logs ==="
-          docker logs windmill-extra-test
-
-      - name: Cleanup
-        if: always()
-        run: |
-          docker stop windmill-extra-test || true
-          docker rm windmill-extra-test || true
-
-  publish_extra:
-    needs: [sleep, test_extra]
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: depot/setup-action@v1
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push publicly
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          file: ./docker/DockerfileExtra
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ steps.meta.outputs.tags }}
-          labels: |
-            ${{ steps.meta.outputs.labels }}
-            org.opencontainers.image.licenses=AGPLv3

.github/workflows/publish_windows_worker.yml

@@ -1,76 +0,0 @@
-name: Build and Publish Windows Worker
-
-on:
-  push:
-    tags:
-      - "v*"
-
-env:
-  CARGO_INCREMENTAL: 0
-  SQLX_OFFLINE: true
-  DISABLE_EMBEDDING: true
-  RUST_LOG: info
-
-jobs:
-  cargo_build_windows:
-    runs-on: blacksmith-16vcpu-windows-2025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Read EE repo commit hash
-        shell: pwsh
-        run: |
-          $ee_repo_ref = Get-Content .\backend\ee-repo-ref.txt
-          echo "ee_repo_ref=$ee_repo_ref" | Out-File -FilePath $env:GITHUB_ENV -Append
-
-      - name: Checkout windmill-ee-private repository
-        uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-          fetch-depth: 0
-
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          cache-workspaces: backend
-          toolchain: 1.93.0
-
-      - name: Substitute EE code
-        shell: bash
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - name: Cargo build dynamic libraries windows
-        timeout-minutes: 180
-        run: |
-          cd backend/windmill-duckdb-ffi-internal
-          cargo build --release -p windmill_duckdb_ffi_internal
-
-      - name: Cargo build windows
-        timeout-minutes: 180
-        run: |
-          vcpkg.exe install openssl-windows:x64-windows
-          vcpkg.exe install openssl:x64-windows-static
-          vcpkg.exe integrate install
-          $env:VCPKGRS_DYNAMIC=1
-          $env:OPENSSL_DIR="${Env:VCPKG_INSTALLATION_ROOT}\installed\x64-windows-static"
-          mkdir frontend/build && cd backend
-          New-Item -Path . -Name "windmill-api/openapi-deref.yaml" -ItemType "File" -Force
-          cargo build --release --features=ee_windows
-      - name: Rename binary with corresponding architecture
-        run: |
-          Rename-Item -Path ".\backend\target\release\windmill.exe" -NewName "windmill-ee.exe"
-
-      - name: Attach binary to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ./backend/target/release/windmill-ee.exe
-
-      - name: Attach dynamic libraries to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ./backend/windmill-duckdb-ffi-internal/target/release/windmill_duckdb_ffi_internal.dll

.github/workflows/pypi_on_release.yml

@@ -1,3 +1,8 @@
+env:
+  REGISTRY: ghcr.io
+  ECR_REGISTRY: 976079455550.dkr.ecr.us-east-1.amazonaws.com
+  IMAGE_NAME: ${{ github.repository }}-lsp
+
 name: Publish python-client
 on:
   push:
@@ -7,15 +12,69 @@ on:
 
 jobs:
   publish_pypi:
-    runs-on: ubicloud-standard-8
-    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/windmill-labs/python-client-builder
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Upload python client
         env:
           PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
         run: |
           cd python-client
           ./publish.sh
+
+  publish_lsp:
+    needs: [publish_pypi]
+    runs-on: [self-hosted, new]
+    steps:
+      - name: Sleep for 30 seconds waiting for pypi to update index
+        run: sleep 30s
+        shell: bash
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Login to registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Build and push publicly
+        uses: docker/build-push-action@v3
+        with:
+          context: "{{defaultContext}}:lsp"
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ steps.metalocal.outputs.tags }}
+            ${{ steps.meta.outputs.tags }}
+            registry.uffizzi.com/windmill-lsp:60d
+          labels: ${{ steps.metalocal.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
+          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max

.github/workflows/release-please.yml

@@ -6,7 +6,7 @@ name: release-please
 jobs:
   release-please:
     name: "Release please"
-    runs-on: ubicloud
+    runs-on: ubuntu-latest
     steps:
       - uses: GoogleCloudPlatform/release-please-action@v3
         with:

.github/workflows/rust-client-check.yml

@@ -1,27 +0,0 @@
-name: Rust Client Check
-on:
-  workflow_run:
-    workflows: ["Change versions"]
-    types:
-      - completed
-  push:
-    paths:
-      - "rust-client/**"
-      - "backend/**/*.rs"
-      - "backend/windmill-api/openapi.yaml"
-      - "version.txt"
-      - "flake.nix"
-      - ".github/workflows/rust-client-check.yml"
-
-jobs:
-  check_rust_client:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v20
-        with:
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-      - name: Check rust client builds
-        run: cd rust-client && nix develop ../ --command ./dev.nu --check
-        timeout-minutes: 16

.github/workflows/rust_on_release.yml

@@ -1,19 +0,0 @@
-name: Publish rust-client to crates.io on release
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-jobs:
-  build_rust_and_publish_to_crates_io:
-    runs-on: ubicloud-standard-8
-    steps:
-      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v20
-        with:
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-      - run: cd rust-client && nix develop ../ --command ./dev.nu --check --publish 
-        env:
-          CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}

.github/workflows/shareable-discord-notification.yml

@@ -1,183 +0,0 @@
-name: "Notify Discord when a PR is opened or merged"
-
-on:
-  workflow_call:
-    inputs:
-      PR_TITLE:
-        description: "The title of the PR"
-        type: string
-      PR_URL:
-        description: "The URL of the PR"
-        type: string
-      PR_AUTHOR:
-        description: "The author of the PR"
-        type: string
-      PR_STATUS:
-        description: "The status of the PR"
-        type: string
-      DISCORD_CHANNEL_ID:
-        description: "The Discord channel ID"
-        type: string
-      PR_NUMBER:
-        description: "The number of the PR"
-        type: string
-      DISCORD_GUILD_ID:
-        description: "The Discord guild ID"
-        type: string
-      COMMENT_BODY:
-        description: "The comment body"
-        type: string
-        default: ""
-      COMMENT_AUTHOR:
-        description: "The comment author"
-        type: string
-        default: ""
-      COMMENT_URL:
-        description: "The comment URL"
-        type: string
-        default: ""
-    secrets:
-      DISCORD_WEBHOOK_URL:
-        description: "Discord Webhook URL"
-        required: false
-      DISCORD_BOT_TOKEN:
-        description: "Discord Bot Token"
-
-jobs:
-  open_thread:
-    runs-on: ubicloud-standard-2
-    if: ${{ inputs.PR_STATUS == 'opened' }}
-    steps:
-      - name: Send Discord notification and start a thread
-        env:
-          WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
-          BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
-          CHANNEL_ID: ${{ inputs.DISCORD_CHANNEL_ID }}
-          GUILD_ID: ${{ inputs.DISCORD_GUILD_ID }}
-          PR_TITLE: ${{ inputs.PR_TITLE }}
-          PR_NUMBER: ${{ inputs.PR_NUMBER }}
-          PR_URL: ${{ inputs.PR_URL }}
-          PR_AUTHOR: ${{ inputs.PR_AUTHOR }}
-        run: |
-          # Check if thread already exists
-          thread_exists=false
-          if threads=$(curl -s -H "Authorization: Bot $BOT_TOKEN" "https://discord.com/api/v10/guilds/${GUILD_ID}/threads/active"); then
-            if thread_id=$(echo "$threads" | jq -r --arg cid "$CHANNEL_ID" --arg pref "#${PR_NUMBER}:" '.threads[] | select(.parent_id == $cid and (.name | startswith($pref))) | .id' 2>/dev/null); then
-              if [ -n "$thread_id" ]; then
-                thread_exists=true
-                echo "Thread already exists, skipping creation"
-              fi
-            fi
-          else
-            echo "Failed to check for existing threads, will create new thread"
-          fi
-
-          # Create thread if it doesn't exist or if check failed
-          if [ "$thread_exists" = false ]; then
-            echo "Creating new thread"
-            THREAD_TITLE="#${PR_NUMBER}: ${PR_TITLE} by \`${PR_AUTHOR}\`"
-            payload=$(jq -n \
-              --arg content "${PR_URL}" \
-              --arg thread "${THREAD_TITLE:0:99}" \
-              '{
-                content: $content,
-                thread_name: $thread,
-                auto_archive_duration: 10080
-              }'
-            )
-            curl -H "Content-Type: application/json" \
-              -X POST \
-              -d "$payload" \
-              "$WEBHOOK_URL"
-          fi
-
-  merge_success_emoji:
-    runs-on: ubuntu-latest
-    if: ${{ inputs.PR_STATUS == 'merged' }}
-    steps:
-      - name: React
-        env:
-          BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
-          CHANNEL_ID: ${{ inputs.DISCORD_CHANNEL_ID }}
-          GUILD_ID: ${{ inputs.DISCORD_GUILD_ID }}
-          PR_NUMBER: ${{ inputs.PR_NUMBER }}
-        run: |
-          # 1) get PR thread
-          threads=$(curl -H "Authorization: Bot $BOT_TOKEN" "https://discord.com/api/v10/guilds/${GUILD_ID}/threads/active")
-          thread_id=$(
-            echo "$threads" \
-              | jq -r --arg cid "$CHANNEL_ID" \
-                    --arg pref "#${PR_NUMBER}:" \
-                '.threads[]
-                | select(.parent_id == $cid and (.name | startswith($pref)))
-                | .id'
-          )
-          if [ -z "$thread_id" ]; then
-            echo "Thread not found"
-            exit 1
-          fi
-          # 2) get the first message in that thread
-          messages=$(curl -H "Authorization: Bot $BOT_TOKEN" \
-            "https://discord.com/api/v10/channels/$thread_id/messages")
-          message_id=$(echo "$messages" | jq -r '.[-1].id')
-
-          if [ -z "$message_id" ]; then
-            echo "Message not found"
-            exit 1
-          fi
-
-          # 3) add the ✅ reaction
-          curl -X PUT \
-            -H "Authorization: Bot $BOT_TOKEN" \
-            "https://discord.com/api/v10/channels/$thread_id/messages/$message_id/reactions/%E2%9C%85/@me"
-
-  post_comment:
-    runs-on: ubuntu-latest
-    if: ${{ inputs.PR_STATUS == 'comment' }}
-    steps:
-      - name: Post comment to Discord thread
-        env:
-          BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
-          CHANNEL_ID: ${{ inputs.DISCORD_CHANNEL_ID }}
-          GUILD_ID: ${{ inputs.DISCORD_GUILD_ID }}
-          PR_NUMBER: ${{ inputs.PR_NUMBER }}
-          COMMENT_BODY: ${{ inputs.COMMENT_BODY }}
-          COMMENT_AUTHOR: ${{ inputs.COMMENT_AUTHOR }}
-          COMMENT_URL: ${{ inputs.COMMENT_URL }}
-        run: |
-          # 1) Find the thread by PR number
-          threads=$(curl -s -H "Authorization: Bot $BOT_TOKEN" \
-            "https://discord.com/api/v10/guilds/${GUILD_ID}/threads/active")
-          thread_id=$(echo "$threads" | jq -r \
-            --arg cid "$CHANNEL_ID" \
-            --arg pref "#${PR_NUMBER}:" \
-            '.threads[] | select(.parent_id == $cid and (.name | startswith($pref))) | .id')
-
-          if [ -z "$thread_id" ]; then
-            echo "Thread not found for PR #${PR_NUMBER}, skipping"
-            exit 0
-          fi
-
-          # 2) Truncate comment body to fit Discord's 2000 char limit
-          # Reserve space for the author line + link (~100 chars)
-          max_body=1800
-          if [ ${#COMMENT_BODY} -gt $max_body ]; then
-            # For bot comments, show the tail (conclusions/code tend to be at the end)
-            if [[ "$COMMENT_AUTHOR" == *"[bot]"* ]] || [[ "$COMMENT_AUTHOR" == *"-bot"* ]]; then
-              truncated_body="...${COMMENT_BODY: -$max_body}"
-            else
-              truncated_body="${COMMENT_BODY:0:$max_body}..."
-            fi
-          else
-            truncated_body="$COMMENT_BODY"
-          fi
-
-          # 3) Post the comment to the thread
-          message=$(printf '**%s** [commented](%s):\n%s' "$COMMENT_AUTHOR" "$COMMENT_URL" "$truncated_body")
-          payload=$(jq -n --arg content "$message" '{content: $content, flags: 4, allowed_mentions: {parse: []}}')
-
-          curl -s -X POST \
-            -H "Authorization: Bot $BOT_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d "$payload" \
-            "https://discord.com/api/v10/channels/${thread_id}/messages"

.github/workflows/sign-cla.yml

@@ -7,15 +7,12 @@ on:
 
 jobs:
   CLAssistant:
-    runs-on: ubicloud
+    runs-on: ubuntu-latest
     steps:
       - name: "CLA Assistant"
-        if:
-          (github.event.comment.body == 'recheck' || github.event.comment.body
-          == 'I have read the CLA Document and I hereby sign the CLA') ||
-          github.event_name == 'pull_request_target'
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         # Beta Release
-        uses: cla-assistant/github-action@v2.6.1
+        uses: cla-assistant/github-action@v2.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_PAT }}

.github/workflows/spawn-ephemeral-backend.yml

@@ -1,126 +0,0 @@
-name: Spawn Ephemeral Backend
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: "PR number"
-        required: true
-        type: number
-
-jobs:
-  check-membership:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/spawnbackend')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/spawnbackend'))
-    uses: ./.github/workflows/check-org-membership.yml
-    secrets:
-      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
-
-  spawn-backend:
-    needs: check-membership
-    # Only run on PR comments that contain /spawn-backend, or manual dispatch
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.issue.pull_request && needs.check-membership.outputs.is_member == 'true')
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-      contents: read
-
-    steps:
-      - name: Get PR details
-        id: pr-details
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = context.eventName === 'workflow_dispatch'
-              ? context.payload.inputs.pr_number
-              : context.issue.number;
-
-            const pr = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: prNumber
-            });
-
-            // Get branch name and format it for Cloudflare Pages
-            // Replace '/' with '-' for the URL
-            const branchName = pr.data.head.ref;
-            const formattedBranch = branchName.replace(/\//g, '-');
-            const cfFrontendUrl = `https://${formattedBranch}.windmill.pages.dev`;
-
-            core.setOutput('commit_hash', pr.data.head.sha);
-            core.setOutput('pr_number', prNumber);
-            core.setOutput('branch_name', branchName);
-            core.setOutput('cf_frontend_url', cfFrontendUrl);
-
-      - name: Check manager URL
-        id: check-manager-url
-        run: |
-          if [ -z "${{ secrets.EPHEMERAL_BACKEND_QUEUE_URL }}" ]; then
-            echo "manager_url_set=false" >> $GITHUB_OUTPUT
-          else
-            echo "manager_url_set=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Post error comment if manager not running
-        if: steps.check-manager-url.outputs.manager_url_set == 'false'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = context.eventName === 'workflow_dispatch'
-              ? Number(context.payload.inputs.pr_number)
-              : context.issue.number;
-
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: prNumber,
-              body: `❌ Manager URL not set (did you start the ephemeral backend manager?)\n\nThe ephemeral backend manager needs to be running to spawn backends. Please start the manager first.`
-            });
-
-      - name: Fail if manager not running
-        if: steps.check-manager-url.outputs.manager_url_set == 'false'
-        run: |
-          echo "Error: EPHEMERAL_BACKEND_QUEUE_URL secret is not set"
-          exit 1
-
-      - name: Trigger Windmill flow
-        if: steps.check-manager-url.outputs.manager_url_set == 'true'
-        id: trigger-flow
-        run: |
-          JOB_UUID=$(curl -s -X POST "https://app.windmill.dev/api/w/windmill-labs/jobs/run/f/f/all/run_ephemeral_backend" \
-            -H "Authorization: Bearer ${{ secrets.WINDMILL_RUN_FLOW_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d '{
-              "manager_url": "${{ secrets.EPHEMERAL_BACKEND_QUEUE_URL }}",
-              "commit_hash": "${{ steps.pr-details.outputs.commit_hash }}",
-              "pr_number": ${{ steps.pr-details.outputs.pr_number }},
-              "cf_frontend_url": "${{ steps.pr-details.outputs.cf_frontend_url }}"
-            }' | tr -d '"')
-
-          echo "Job UUID: $JOB_UUID"
-          echo "job_uuid=$JOB_UUID" >> $GITHUB_OUTPUT
-
-      - name: Post comment with job link
-        if: steps.check-manager-url.outputs.manager_url_set == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const jobUuid = '${{ steps.trigger-flow.outputs.job_uuid }}';
-            const appUrl = `https://app.windmill.dev/public/windmill-labs/a106bad0256c1dfa7a4f9279c42b1a4b#${jobUuid}`;
-            const prNumber = context.eventName === 'workflow_dispatch'
-              ? Number(context.payload.inputs.pr_number)
-              : context.issue.number;
-
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: prNumber,
-              body: `🚀 Spawning new ephemeral backend!\n\n${appUrl}`
-            });

.github/workflows/uffizzi-build.yml

@@ -0,0 +1,93 @@
+name: Build PR Image
+on:
+  pull_request:
+    types: [opened,synchronize,reopened,closed]
+    paths:
+      - "backend/**"
+      - ".github/uffizzi/**"
+      - ".github/workflows/**"
+  workflow_dispatch:
+      
+jobs:
+  build-windmill:
+    name: Build and Push `windmill`
+    runs-on: ubuntu-latest
+    if: ${{ (github.event_name != 'pull_request' || github.event.action != 'closed')}}
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+    steps:
+      - name: Checkout git repo
+        uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Generate UUID image name
+        id: uuid
+        run: echo "UUID_TAG_APP=$(uuidgen)" >> $GITHUB_ENV
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: registry.uffizzi.com/${{ env.UUID_TAG_APP }}
+          tags: type=raw,value=60d
+      - name: Build and Push Image to registry.uffizzi.com ephemeral registry
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: ./
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+
+  render-compose-file:
+    name: Render Docker Compose File
+    # Pass output of this workflow to another triggered by `workflow_run` event.
+    runs-on: ubuntu-latest
+    needs:
+      - build-windmill
+    outputs:
+      compose-file-cache-key: ${{ steps.hash.outputs.hash }}
+    steps:
+      - name: Checkout git repo
+        uses: actions/checkout@v3
+      - name: Render Compose File
+        run: |
+          WINDMILL_IMAGE=${{ needs.build-windmill.outputs.tags }}
+          export WINDMILL_IMAGE
+          LSP_IMAGE=registry.uffizzi.com/windmill-lsp:60d
+          export LSP_IMAGE
+          envsubst '${WINDMILL_IMAGE} ${LSP_IMAGE}' < ./.github/uffizzi/docker-compose.uffizzi.yml > docker-compose.rendered.yml
+          cat docker-compose.rendered.yml
+      - name: Upload Rendered Compose File as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: docker-compose.rendered.yml
+          retention-days: 2
+      - name: Serialize PR Event to File
+        run:  |
+          cat << EOF > event.json
+          ${{ toJSON(github.event) }}
+          EOF
+      - name: Upload PR Event as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: event.json
+          retention-days: 2
+
+  delete-preview:
+    name: Call for Preview Deletion
+    runs-on: ubuntu-latest
+    if: ${{ github.event.action == 'closed' }}
+    steps:
+      # If this PR is closing, we will not render a compose file nor pass it to the next workflow.
+      - name: Serialize PR Event to File
+        run: echo '${{ toJSON(github.event) }}' > event.json
+      - name: Upload PR Event as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: event.json
+          retention-days: 2

.github/workflows/uffizzi-preview.yml

@@ -0,0 +1,115 @@
+name: Deploy Uffizzi Preview
+
+on:
+  workflow_run:
+    workflows:
+      - "Build PR Image"
+    types:
+      - completed
+
+jobs:
+  cache-compose-file:
+    name: Cache Compose File
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    outputs:
+      compose-file-cache-key: ${{ env.COMPOSE_FILE_HASH }}
+      pr-number: ${{ env.PR_NUMBER }}
+    steps:
+      - name: 'Download artifacts'
+        # Fetch output (zip archive) from the workflow run that triggered this workflow.
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "preview-spec"
+            })[0];
+            if (matchArtifact === undefined) {
+              throw TypeError('Build Artifact not found!');
+            }
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/preview-spec.zip`, Buffer.from(download.data));
+      - name: 'Unzip artifact'
+        run: unzip preview-spec.zip
+      - name: Read Event into ENV
+        run: |
+          echo 'EVENT_JSON<<EOF' >> $GITHUB_ENV
+          cat event.json >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+      - name: Read PR Number From Event Object
+        id: pr
+        run: echo "PR_NUMBER=${{ fromJSON(env.EVENT_JSON).number }}" >> $GITHUB_ENV
+      - name: Predict Deployment URL
+        id: url
+        # Replace dots in the repo name with the plus sign
+        run: |
+          REPO=$(echo ${{ github.repository }} | sed 's/\./+/g')
+          echo "EXPECTED_URL=https://app.uffizzi.com/github.com/$REPO/pull/$PR_NUMBER" >> $GITHUB_ENV
+
+      - name: Re-Render Compose File
+        run: |
+          OAUTH_JSON_BASE64=${{ secrets.OAUTH_JSON_BASE64 }}
+          export OAUTH_JSON_BASE64
+          envsubst '${OAUTH_JSON_BASE64} ${EXPECTED_URL}' < docker-compose.rendered.yml > docker-compose.uffizzi.yml
+          # cat docker-compose.uffizzi.yml
+
+      - name: Hash Rendered Compose File
+        id: hash
+        # If the previous workflow was triggered by a PR close event, we will not have a compose file artifact.
+        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
+        run: echo "COMPOSE_FILE_HASH=$(md5sum docker-compose.uffizzi.yml | awk '{ print $1 }')" >> $GITHUB_ENV
+      - name: Cache Rendered Compose File
+        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
+        uses: actions/cache@v3
+        with:
+          path: docker-compose.uffizzi.yml
+          key: ${{ env.COMPOSE_FILE_HASH }}
+
+      - name: DEBUG - Print Job Outputs
+        if: ${{ runner.debug }}
+        run: |
+          echo "PR number: ${{ env.PR_NUMBER }}"
+          echo "Compose file hash: ${{ env.COMPOSE_FILE_HASH }}"
+          cat event.json
+
+  deploy-uffizzi-preview:
+    name: Use Remote Workflow to Preview on Uffizzi
+    needs:
+      - cache-compose-file
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    uses: UffizziCloud/preview-action/.github/workflows/reusable.yaml@v2
+    with:
+      # If this workflow was triggered by a PR close event, cache-key will be an empty string
+      # and this reusable workflow will delete the preview deployment.
+      compose-file-cache-key: ${{ needs.cache-compose-file.outputs.compose-file-cache-key }}
+      compose-file-cache-path: docker-compose.uffizzi.yml
+      server: https://app.uffizzi.com
+      pr-number: ${{ needs.cache-compose-file.outputs.pr-number }}
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+
+  playwright:
+    runs-on: ubuntu-latest
+    needs:
+      - deploy-uffizzi-preview
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+      - name: "Playwright run"
+        timeout-minutes: 2
+        run: cd frontend && npm ci @playwright/test && npx playwright install && export BASE_URL=${{ needs.deploy-uffizzi-preview.outputs.url }} && npm run test

.github/workflows/validate-openapi.yml

@@ -1,34 +0,0 @@
-name: Validate OpenAPI Spec
-
-on:
-  push:
-    paths:
-      - 'backend/windmill-api/openapi*'
-  pull_request:
-    paths:
-      - 'backend/windmill-api/openapi*'
-jobs:
-  validate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Install openapi-generator-cli
-        run: npm install @openapitools/openapi-generator-cli -g
-
-      - name: Validate openapi.yaml
-        run: npx @openapitools/openapi-generator-cli validate -i backend/windmill-api/openapi.yaml
-
-      - name: Validate openapi-deref.json
-        run: npx @openapitools/openapi-generator-cli validate -i backend/windmill-api/openapi-deref.json
-
-      # Does not work well with dereferenced yaml
-      # - name: Validate openapi-deref.yaml
-      #   run: npx @openapitools/openapi-generator-cli validate -i backend/windmill-api/openapi-deref.yaml
-

.github/workflows/weekly-pr-summary.yml

@@ -1,145 +0,0 @@
-name: Weekly PR Summary
-
-on:
-  schedule:
-    # Every Friday at 8:00 AM UTC
-    - cron: '0 8 * * 5'
-  workflow_dispatch:
-    # Allow manual triggering for testing
-
-jobs:
-  weekly-pr-summary:
-    runs-on: ubicloud-standard-4
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: write
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Generate Weekly PR Summary
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          prompt: |
-            REPO: ${{ github.repository }}
-
-            Generate a categorized weekly summary of ONLY MERGED Pull Requests from the past 7 days.
-
-            ## Your Task:
-
-            1. **Calculate Date Range**:
-               - Run: `CUTOFF_DATE=$(date --date='7 days ago' --iso-8601)`
-               - Run: `TODAY=$(date --iso-8601)`
-               - This gives you the exact 7-day window (store these in variables for use in commands)
-
-            2. **Fetch ONLY Merged PRs from Past Week**:
-               - Command: `gh pr list --repo ${{ github.repository }} --state merged --search "merged:>=$CUTOFF_DATE" --limit 100 --json number,title,author,mergedAt,url`
-               - This returns ONLY PRs that were merged in the last 7 days
-               - The --search flag filters by merge date using GitHub's search syntax
-               - **FILTER OUT** any PRs with titles starting with "chore: release" or "chore(release)"
-
-            3. **Categorize PRs**: Group PRs into three categories by analyzing titles and labels:
-               - **Features**: PRs with titles starting with "feat:", "feature:", or containing "add", "implement", "new"
-               - **Bug Fixes**: PRs with titles starting with "fix:", "bug:", or containing "fix", "resolve", "patch"
-               - **Other**: All remaining PRs (improvements, refactors, docs, chores, etc.)
-
-            4. **Gather Details**: For each feature and bug fix merged PR, include:
-               - Full PR title (NO truncation, NO links)
-               - Author (extract login from author.login in JSON)
-               - Brief summary: Use `gh pr view <number> --json body` to get PR description, then extract first paragraph or key points (1-2 sentences max)
-
-            5. **Character Limit Enforcement**:
-               - The final summary MUST be under 5000 characters
-               - If the summary exceeds 5000 characters, truncate PR descriptions (NOT titles) and add at the end: "_and X more PRs_" where X is the count of omitted PRs
-
-            6. **Save Summary to Markdown File**: Write the summary to a file for webhook delivery:
-               - Save the complete formatted markdown to: `summary.md`
-               - Do not commit the file to the repository
-
-            ## Output Format:
-
-            ```markdown
-            ### 📈 Weekly overview
-            - **Total merged**: X
-            - **Features**: Y
-            - **Bug Fixes**: Z
-            - **Other**: W
-
-            ### ✨ Features (Y)
-            - **[Full PR Title]** by @username - [brief impact description]
-            - **[Full PR Title]** by @username - [brief impact description]
-
-            ### 🐛 Bug Fixes (Z)
-            - **[Full PR Title]** by @username - [brief impact description]
-            - **[Full PR Title]** by @username - [brief impact description]
-
-            _and X more PRs_
-            ```
-
-            ## Important Notes:
-            - **CRITICAL**: ONLY include PRs with state "merged" from the last 7 days
-            - **CRITICAL**: EXCLUDE all PRs with titles starting with "chore: release" or "chore(release)"
-            - **CRITICAL**: Total character count MUST be under 5000 characters
-            - Count the number of "Other" PRs but do not include a section for them in the output
-            - Only use ### markdown headers for major sections and emoji indicators
-            - NO links to PRs
-            - NO merged date in output
-            - NEVER truncate PR titles - show full titles
-            - Use GitHub CLI (`gh`) for all operations
-            - Sort PRs within each category by merge date (most recent first)
-            - If a PR has no description, write "(No description provided)"
-            - Extract meaningful summary from PR body - look for the first paragraph or key bullet points
-            - Parse JSON responses carefully using `jq` or similar tools
-            - If summary exceeds 5000 chars, shorten PR descriptions and add "_and X more PRs_" at the end
-            - Count PRs in each category and display in both overview and section headers
-
-            ## Saving the Markdown Output:
-            After generating the markdown summary, save it to a file, BUT DO NOT COMMIT IT TO THE REPOSITORY.
-
-            ## Write Tool Fallback:
-            - First, attempt to use the Write tool to create `summary.md` with the markdown content
-            - If the Write tool returns ANY error or fails:
-              1. Use the Bash tool with the `echo` command instead
-              2. Use a heredoc to write the content: `cat > summary.md << 'EOF'` followed by your markdown content and `EOF` on a new line
-              3. Example: `cat > summary.md << 'EOF'\n[your markdown content here]\nEOF`
-              4. This ensures the file is always created regardless of Write tool issues
-            - Verify the file was created by running: `ls -lh summary.md`
-          claude_args: |
-            --allowedTools "Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash"
-            --model haiku
-
-      - name: Send Summary to Windmill
-        if: hashFiles('summary.md') != ''
-        env:
-          WEEKLY_SUMMARY_TOKEN: ${{ secrets.WEEKLY_SUMMARY_TOKEN }}
-        run: |
-          if [[ -f "summary.md" ]]; then
-            echo "Found summary.md, sending to Windmill..."
-
-            # Read the markdown content
-            MARKDOWN_CONTENT=$(cat summary.md)
-
-            # Create JSON payload
-            PAYLOAD=$(jq -n --arg markdown "$MARKDOWN_CONTENT" '{markdown: $markdown}')
-
-            # Send to Windmill webhook
-            RESULT=$(curl -s \
-              -H 'Content-Type: application/json' \
-              -H "Authorization: Bearer $WEEKLY_SUMMARY_TOKEN" \
-              -X POST \
-              -d "$PAYLOAD" \
-              'https://app.windmill.dev/api/w/windmill-labs/jobs/run/f/f/ai/send_past_week_pr_summaries_to_discord')
-
-            echo "Windmill response:"
-            echo -E "$RESULT"
-            echo "✅ Summary sent successfully to Windmill!"
-          else
-            echo "⚠️ Warning: summary.md not found, skipping delivery"
-            exit 1
-          fi

.gitignore

@@ -5,25 +5,3 @@ local/
 frontend/src/routes/test.svelte
 CaddyfileRemoteMalo
 *.swp
-**/.idea/
-.direnv
-/.vscode
-.dev-docker-wrapper*
-backend/.minio-data
-.aider*
-!.aiderignore
-rust-client/Cargo.toml
-
-# Worktree-generated port isolation
-.env.local
-
-# Worktree-specific Claude Code settings (generated by scripts/worktree-env)
-.claude/settings.local.json
-
-# Symlinked cache directories (for git worktrees)
-backend/target
-frontend/node_modules
-typescript-client/node_modules
-frontend/.svelte-kit
-backend/chrome_profiler.json
-.fast-check/

.mcp.json

@@ -1,14 +0,0 @@
-{
-  "mcpServers": {
-    "svelte": {
-      "type": "http",
-      "url": "https://mcp.svelte.dev/mcp"
-    }
-  },
-  "playwright": {
-    "command": "npx",
-    "args": [
-      "@playwright/mcp@latest"
-    ]
-  }
-}

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "python.analysis.typeCheckingMode": "basic"
+}

.workmux.yaml

@@ -1,75 +0,0 @@
-main_branch: main
-
-merge_strategy: rebase
-# worktree_dir: .worktrees
-
-worktree_naming: basename
-
-worktree_prefix: ""
-
-# Default: "wm-"
-window_prefix: "wm-"
-
-auto_name:
-  model: "claude-sonnet-4.6"
-  system_prompt: |
-    Generate a concise git branch name based on the task description.
-
-    Rules:
-    - Use kebab-case (lowercase with hyphens)
-    - Keep it short: 1-3 words, max 4 if necessary
-    - Focus on the core task/feature, not implementation details
-    - No prefixes like feat/, fix/, chore/
-
-    Examples of good branch names:
-    - "Add dark mode toggle" → dark-mode
-    - "Fix the search results not showing" → fix-search
-    - "Refactor the authentication module" → auth-refactor
-    - "Add CSV export to reports" → export-csv
-    - "Shell completion is broken" → shell-completion
-
-    Output ONLY the branch name, nothing else.
-  background: true
-
-
-# Commands to run in new worktree before tmux window opens.
-# These block window creation - use for short tasks only.
-# Use "<global>" to inherit from global config.
-# Set to empty list to disable: `post_create: []`
-# post_create:
-#   - "<global>"
-#   - mise use
-post_create:
-  - ./scripts/worktree-env
-
-pre_remove:
-  - ./scripts/worktree-cleanup
-
-panes:
-  - command: >-
-      claude --append-system-prompt
-      "You are running inside a tmux session with other panes running services.\n
-      Pane layout (current window):\n
-      - Pane 0: this pane (claude agent)\n
-      - Pane 1: backend (cargo watch -x run)\n
-      - Pane 2: frontend (npm run dev)\n\n
-      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).\n
-      When restarting backend or frontend, make sure to use the ports listed in .env.local.\n
-      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check."
-    focus: true
-  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x run'
-    split: horizontal
-  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/frontend" && npm install && npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0'
-    split: vertical
-
-files:
-  copy:
-    - backend/.env
-    - scripts/
-
-sandbox:
-  enabled: false
-  toolchain: off
-  # image, host_commands, and extra_mounts configured in global
-  # ~/.config/workmux/config.yaml — see README_WORKMUX_DEV.md for required
-  # extra_mounts (windmill-ee-private access in sandbox)

CLAUDE.md

@@ -1,68 +0,0 @@
-# Windmill Development Guide
-
-## Overview
-
-Windmill is an open-source developer platform for building internal tools, workflows, API integrations, background jobs, workflows, and user interfaces. See @windmill-overview.mdc for full platform details.
-
-## New Feature Implementation Guidelines
-
-When implementing new features in Windmill, follow these best practices:
-
-- **Clean Code First**: Write clean, readable, and maintainable code. Prioritize clarity over cleverness.
-- **Avoid Duplication at All Costs**: Before writing new code, thoroughly search for existing implementations that can be reused or extended.
-- **Adapt Existing Code**: Refactor and generalize existing code when necessary to avoid logic duplication. Extract common patterns into reusable utilities.
-- **Follow Established Patterns**: Study existing code patterns in the codebase and maintain consistency with established conventions.
-- **Single Responsibility**: Each function, component, and module should have a single, well-defined responsibility.
-- **Incremental Implementation**: Break large features into smaller, reviewable chunks that can be implemented and tested incrementally.
-
-## Language-Specific Guides
-
-- Backend (Rust): see `backend/CLAUDE.md` and the `rust-backend` skill: `.claude/skills/rust-backend/SKILL.md`
-- Frontend (Svelte 5): see `frontend/CLAUDE.md` and the `svelte-frontend` skill: `.claude/skills/svelte-frontend/SKILL.md`
-
-## Dev Environment
-
-- **Backend**: `cargo run` from `backend/` (API at http://localhost:8000)
-- **Frontend**: `REMOTE=http://localhost:8000 npm run dev` from `frontend/`
-  - The `REMOTE` env var configures the Vite proxy target. Without it, API calls proxy to `https://app.windmill.dev` instead of the local backend.
-  - The dev server starts on port 3000 (or 3001+ if 3000 is in use).
-- **Default login**: `admin@windmill.dev` / `changeme`
-- **Instance settings**: navigate to `/#superadmin-settings` (opens the drawer overlay)
-
-## UI Testing with Playwright MCP
-
-When testing the frontend with the Playwright MCP tools:
-
-1. **Start servers**: Launch backend (`cargo run`) and frontend (`REMOTE=http://localhost:8000 npm run dev`) as background tasks
-2. **Wait for readiness**: Backend takes ~60s to compile; check output for `health check completed`. Frontend starts in ~5s.
-3. **Login flow**: Navigate to `/user/login`, click "Log in without third-party", fill email/password, submit
-4. **Instance settings drawer**: Navigate to `/#superadmin-settings` to open the drawer directly
-5. **Toggle components**: The YAML toggle uses a custom `<Toggle>` component where the checkbox is visually hidden (`sr-only`). Click the wrapper `<label>` element (the parent container with `cursor=pointer`), not the checkbox ref directly.
-6. **Console errors to ignore**: `critical_alerts` 404s are expected on CE builds (EE-only endpoint). VSCode worker 404s are dev-mode artifacts.
-
-## Code Validation (MUST DO)
-
-After making code changes, you MUST run the appropriate checks and fix all errors before considering the work done:
-
-- **Backend**: Run `cargo check` from the `backend/` directory. Only enable the feature flags needed for the code you changed — check `backend/Cargo.toml` `[features]` section to identify which flags gate the crates/modules you modified. For example: `cargo check --features enterprise,parquet` if you only touched enterprise and parquet code.
-- **Frontend**: Run `npm run check` from the `frontend/` directory.
-
-## Querying the Database
-
-`backend/summarized_schema.txt` provides a compact overview of all tables, columns, types, ENUMs, and foreign keys. Use it to quickly understand the data model and relationships. Note: this file is a simplified summary — it omits indexes, constraints details, and other metadata.
-
-For exact table definitions (indexes, constraints, column defaults, etc.), query the database directly:
-
-```bash
-psql postgres://postgres:changeme@localhost:5432/windmill
-```
-
-Useful psql commands:
-- `\d <table_name>` — full table definition with indexes and constraints
-- `\di <table_name>*` — list indexes for a table
-- `\d+ <table_name>` — extended table info including storage and descriptions
-
-This is also helpful for:
-- Inspecting database state during development
-- Testing queries before implementing them in Rust
-- Debugging data-related issues

Caddyfile

@@ -1,35 +1,15 @@
+{
         auto_https off
-	layer4 {
-		:25 {
-			proxy {
-				to windmill_server:2525
-			}
-		}
-	}
+}
 
 http://{$BASE_URL} {
-{$BASE_URL} {
+        bind {$ADDRESS}
         reverse_proxy /ws/* http://lsp:3001
-
-        # LSP - Language Server Protocol for code intelligence (windmill_extra:3001)
-        reverse_proxy /ws/* http://windmill_extra:3001
-
-        # Multiplayer - Real-time collaboration, Enterprise Edition (windmill_extra:3002)
-        # Uncomment and set ENABLE_MULTIPLAYER=true in docker-compose.yml
-        # reverse_proxy /ws_mp/* http://windmill_extra:3002
-
-        # Debugger - Interactive debugging via DAP WebSocket (windmill_extra:3003)
-        # Set ENABLE_DEBUGGER=true in docker-compose.yml to enable
-        handle_path /ws_debug/* {
-                reverse_proxy http://windmill_extra:3003
-        }
-
-        # Search indexer, Enterprise Edition (windmill_indexer:8002)
-        # reverse_proxy /api/srch/* http://windmill_indexer:8002
-
-        # Default: Windmill server
+        reverse_proxy /* http://windmill_server:8000
 }
-
-        # TLS with custom certificates
-        # tls /certs/cert.pem /certs/key.pem
+
+https://{$BASE_URL}  {  
+  bind {$ADDRESS}
+  reverse_proxy /ws/* http://localhost:3001
+}
 }

Dockerfile

@@ -1,65 +1,49 @@
-ARG DEBIAN_IMAGE=debian:bookworm-slim
-ARG RUST_IMAGE=rust:1.93-slim-bookworm
-
-FROM debian:bookworm-slim AS nsjail
+FROM debian:buster-slim as nsjail
 
 WORKDIR /nsjail
 
-RUN apt-get -y update \
+ARG nsjail=""
+
+RUN  if [ "$nsjail" = "true" ]; then apt-get -y update \
     && apt-get install -y \
-    bison=2:3.8.* \
+    bison=2:3.3.* \
     flex=2.6.* \
-    g++=4:12.2.* \
-    gcc=4:12.2.* \
-    git=1:2.39.* \
-    libprotobuf-dev=3.21.* \
-    libnl-route-3-dev=3.7.* \
-    make=4.3-4.1 \
-    pkg-config=1.8.* \
-    protobuf-compiler=3.21.*
+    g++=4:8.3.* \
+    gcc=4:8.3.* \
+    git=1:2.20.* \
+    libprotobuf-dev=3.6.* \
+    libnl-route-3-dev=3.4.* \
+    make=4.2.* \
+    pkg-config=0.29-6 \
+    protobuf-compiler=3.6.*; fi
 
-RUN git clone -b master --single-branch https://github.com/google/nsjail.git . && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800
-RUN make
 
-FROM ${RUST_IMAGE} AS rust_base
+RUN if [ "$nsjail" = "true" ]; then git clone -b master --single-branch https://github.com/google/nsjail.git . \
+    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800; fi
+RUN if [ "$nsjail" = "true" ]; then make; else touch nsjail; fi
 
-RUN apt-get update && apt-get install -y git libssl-dev pkg-config npm mold clang
+FROM rust:slim-buster AS rust_base
+
+RUN apt-get update && apt-get install -y git libssl-dev pkg-config npm
 
 RUN apt-get -y update \
     && apt-get install -y \
-    curl nodejs
+    curl lld nodejs npm
 
 RUN rustup component add rustfmt
 
-RUN CARGO_NET_GIT_FETCH_WITH_CLI=true cargo install cargo-chef --version 0.1.68
-RUN cargo install sccache --version ^0.8
-ENV RUSTC_WRAPPER=sccache SCCACHE_DIR=/backend/sccache
+RUN CARGO_NET_GIT_FETCH_WITH_CLI=true cargo install cargo-chef 
 
 WORKDIR /windmill
 
 ENV SQLX_OFFLINE=true
-# ENV CARGO_INCREMENTAL=1
+ENV CARGO_INCREMENTAL=1
 
-FROM rust_base AS windmill_duckdb_ffi_internal_builder
-
-WORKDIR /windmill-duckdb-ffi-internal
-
-RUN apt-get update && apt-get install -y clang=1:14.0-55.* libclang-dev=1:14.0-55.* cmake=3.25.* && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-COPY ./backend/windmill-duckdb-ffi-internal .
-
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
-    cargo build --release -p windmill_duckdb_ffi_internal
-
-FROM node:24-alpine as frontend
+FROM node:19-alpine as frontend
 
 # install dependencies
 WORKDIR /frontend
 COPY ./frontend/package.json ./frontend/package-lock.json ./
-COPY ./frontend/scripts/ ./scripts/
 RUN npm ci
 
 # Copy all local files into the image.
@@ -68,19 +52,13 @@ RUN mkdir /backend
 COPY /backend/windmill-api/openapi.yaml /backend/windmill-api/openapi.yaml
 COPY /openflow.openapi.yaml /openflow.openapi.yaml
 COPY /backend/windmill-api/build_openapi.sh /backend/windmill-api/build_openapi.sh
-COPY /system_prompts/auto-generated /system_prompts/auto-generated
-
 RUN cd /backend/windmill-api && . ./build_openapi.sh
-COPY /backend/parsers/windmill-parser-wasm/pkg/ /backend/parsers/windmill-parser-wasm/pkg/
-COPY /typescript-client/docs/ /frontend/static/tsdocs/
-COPY /python-client/docs/ /frontend/static/pydocs/
 
 RUN npm run generate-backend-client
 ENV NODE_OPTIONS "--max-old-space-size=8192"
-ARG VITE_BASE_URL ""
-# Read more about macro in docker/dev.nu
-# -- MACRO-SPREAD-WASM-PARSER-DEV-ONLY -- #
 RUN npm run build
+RUN npm run check
+
 
 
 FROM rust_base AS planner
@@ -88,121 +66,51 @@ FROM rust_base AS planner
 COPY ./openflow.openapi.yaml /openflow.openapi.yaml
 COPY ./backend ./
 
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
-    CARGO_NET_GIT_FETCH_WITH_CLI=true cargo chef prepare --recipe-path recipe.json
+RUN CARGO_NET_GIT_FETCH_WITH_CLI=true cargo chef prepare --recipe-path recipe.json
 
 FROM rust_base AS builder
 ARG features=""
 
 COPY --from=planner /windmill/recipe.json recipe.json
 
-RUN apt-get update && apt-get install -y libxml2-dev=2.9.* libxmlsec1-dev=1.2.* libkrb5-dev libsasl2-dev libcurl4-openssl-dev clang=1:14.0-55.* libclang-dev=1:14.0-55.* cmake=3.25.* && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
-    CARGO_NET_GIT_FETCH_WITH_CLI=true RUST_BACKTRACE=1 cargo chef cook --release --features "$features" --recipe-path recipe.json
+RUN CARGO_NET_GIT_FETCH_WITH_CLI=true cargo chef cook --release --features "$features" --recipe-path recipe.json
 
 COPY ./openflow.openapi.yaml /openflow.openapi.yaml
 COPY ./backend ./
 
-RUN mkdir -p /frontend
-
-COPY --from=frontend /frontend/build /frontend/build
+COPY --from=frontend /frontend /frontend
 COPY --from=frontend /backend/windmill-api/openapi-deref.yaml ./windmill-api/openapi-deref.yaml
 COPY .git/ .git/
 
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
-    CARGO_NET_GIT_FETCH_WITH_CLI=true cargo build --release --features "$features"
+RUN CARGO_NET_GIT_FETCH_WITH_CLI=true cargo build --release --features "$features"
 
-FROM ${DEBIAN_IMAGE}
 
-ARG TARGETPLATFORM
-ARG POWERSHELL_VERSION=7.5.0
-ARG POWERSHELL_DEB_VERSION=7.5.0-1
-ARG KUBECTL_VERSION=1.28.7
-ARG HELM_VERSION=3.14.3
-# NOTE: If changing, also change go version in workspace dependencies template at WorkspaceDependenciesEditor.svelte
-ARG GO_VERSION=1.25.0
+FROM python:3.11.2-slim-buster
+
 ARG APP=/usr/src/app
-ARG WITH_POWERSHELL=true
-ARG WITH_KUBECTL=true
-ARG WITH_HELM=true
-ARG WITH_GIT=true
-ARG features=""
-
-# To change latest stable version:
-# 1. Change placeholder in instanceSettings.ts
-# 2. Change LATEST_STABLE_PY in dockerfile
-# 3. Change #[default] annotation for PyVersion in backend
-ARG LATEST_STABLE_PY=3.12
-ENV UV_PYTHON_INSTALL_DIR=/tmp/windmill/cache/py_runtime
-ENV UV_PYTHON_PREFERENCE=only-managed
-
-RUN mkdir -p /usr/local/uv
-ENV UV_TOOL_BIN_DIR=/usr/local/bin
-ENV UV_TOOL_DIR=/usr/local/uv
-
-ENV PATH /usr/local/bin:/root/.local/bin:/tmp/.local/bin:$PATH
-
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends netbase tzdata ca-certificates wget curl jq unzip build-essential unixodbc xmlsec1 software-properties-common tini \
-    && if echo "$features" | grep -q "ee"; then apt-get install -y --no-install-recommends libsasl2-modules-gssapi-mit krb5-user; fi \
-    && apt-get clean \
+    && apt-get install -y ca-certificates wget curl git jq libprotobuf-dev libnl-route-3-dev unzip \
+    && apt-get install -y ca-certificates wget curl git jq libprotobuf-dev libnl-route-3-dev unzip build-essential \
     && rm -rf /var/lib/apt/lists/*
 
-RUN if [ "$WITH_GIT" = "true" ]; then \
-    apt-get update  -y \
-    && apt-get install -y git \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*; \
-    else echo 'Building the image without git'; fi;
-
-RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
-    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* && \
-    dpkg --install 'pwsh.deb' && \
-    rm 'pwsh.deb'; \
-    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* && \
-    mkdir -p /opt/microsoft/powershell/7 && \
-    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
-    chmod +x /opt/microsoft/powershell/7/pwsh && \
-    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
-    rm powershell.tar.gz; \
-    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
-    else echo 'Building the image without powershell'; fi
-
-RUN if [ "$WITH_HELM" = "true" ]; then \
-    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
-    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
-    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz"  && \
-    mv linux-$arch/helm /usr/local/bin/helm &&\
-    chmod +x /usr/local/bin/helm; \
-    else echo 'Building the image without helm'; fi
-
-RUN if [ "$WITH_KUBECTL" = "true" ]; then \
-    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
-    curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/$arch/kubectl" && \
-    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl; \
-    else echo 'Building the image without kubectl'; fi
-
+RUN arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
+    curl -o rclone.zip "https://downloads.rclone.org/v1.60.1/rclone-v1.60.1-linux-$arch.zip"; \
+    unzip -p rclone.zip rclone-v1.60.1-linux-$arch/rclone > /usr/bin/rclone; rm rclone.zip; \
+    chown root:root /usr/bin/rclone; chmod 755 /usr/bin/rclone
 
 RUN set -eux; \
     arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
+    url=; \
     case "$arch" in \
-    "amd64") \
-    targz="go${GO_VERSION}.linux-amd64.tar.gz"; \
+    'amd64') \
+    targz='go1.19.3.linux-amd64.tar.gz'; \
     ;; \
-    "arm64") \
-    targz="go${GO_VERSION}.linux-arm64.tar.gz"; \
+    'arm64') \
+    targz='go1.19.3.linux-arm64.tar.gz'; \
     ;; \
-    "armhf") \
-    targz="go${GO_VERSION}.linux-armv6l.tar.gz"; \
+    'armhf') \
+    targz='go1.19.3.linux-armv6l.tar.gz'; \
     ;; \
     *) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; \
     esac; \
@@ -211,93 +119,20 @@ RUN set -eux; \
 ENV PATH="${PATH}:/usr/local/go/bin"
 ENV GO_PATH=/usr/local/go/bin/go
 
-# Install UV
-RUN curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.24/uv-installer.sh | sh && mv /root/.local/bin/uv /usr/local/bin/uv
-
-# Preinstall python runtimes to temp build location (will copy with world-writable perms later)
-RUN UV_CACHE_DIR=/tmp/build_cache/uv UV_PYTHON_INSTALL_DIR=/tmp/build_cache/py_runtime uv python install 3.11
-RUN UV_CACHE_DIR=/tmp/build_cache/uv UV_PYTHON_INSTALL_DIR=/tmp/build_cache/py_runtime uv python install $LATEST_STABLE_PY
-
-
-RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -
-RUN apt-get -y update && apt-get install -y curl procps nodejs awscli && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# go build is slower the first time it is ran, so we prewarm it in the build
-# This mirrors Windmill's Go wrapper structure: main.go imports inner package, uses encoding/json, os, fmt
-RUN export GOCACHE=/tmp/build_cache/go && \
-    mkdir -p /tmp/gobuildwarm/inner && \
-    cd /tmp/gobuildwarm && \
-    go mod init mymod && \
-    printf 'package main\nimport (\n\t"encoding/json"\n\t"os"\n\t"fmt"\n\t"mymod/inner"\n)\nfunc main() {\n\tdat, _ := os.ReadFile("args.json")\n\tvar req inner.Req\n\tjson.Unmarshal(dat, &req)\n\tres, _ := inner.Run(req)\n\tres_json, _ := json.Marshal(res)\n\tfmt.Println(string(res_json))\n}' > main.go && \
-    printf 'package inner\ntype Req struct {\n\tX int `json:"x"`\n}\nfunc Run(req Req) (interface{}, error) {\n\treturn main(req.X)\n}\nfunc main(x int) (interface{}, error) {\n\treturn x, nil\n}' > inner/inner.go && \
-    go build -x . && \
-    rm -rf /tmp/gobuildwarm
-
-# Copy build caches to final location, then add write permissions for any UID
-# chmod a+rw adds read+write WITHOUT removing execute bits (755->777, 644->666)
-# Note: uv python install only creates py_runtime, not uv cache - we create uv/go dirs for runtime
-RUN mkdir -p /tmp/windmill/cache && \
-    cp -r /tmp/build_cache/* /tmp/windmill/cache/ && \
-    chmod -R a+rw /tmp/windmill/cache && \
-    rm -rf /tmp/build_cache && \
-    mkdir -p -m 777 /tmp/windmill/cache/uv /tmp/windmill/cache/go /tmp/windmill/cache/rustup /tmp/windmill/cache/cargo
-
-# Runtime cache locations
-ENV UV_CACHE_DIR=/tmp/windmill/cache/uv
-ENV UV_PYTHON_INSTALL_DIR=/tmp/windmill/cache/py_runtime
-ENV GOCACHE=/tmp/windmill/cache/go
-
 ENV TZ=Etc/UTC
 
-COPY --from=builder /frontend/build /static_frontend
+RUN /usr/local/bin/python3 -m pip install pip-tools
+
 COPY --from=builder /windmill/target/release/windmill ${APP}/windmill
-COPY --from=windmill_duckdb_ffi_internal_builder /windmill-duckdb-ffi-internal/target/release/libwindmill_duckdb_ffi_internal.so ${APP}/libwindmill_duckdb_ffi_internal.so
 
-COPY --from=denoland/deno:2.2.1 --chmod=755 /usr/bin/deno /usr/bin/deno
-
-COPY --from=oven/bun:1.3.8 /usr/local/bin/bun /usr/bin/bun
-
-# Install windmill CLI
-RUN bun install -g windmill-cli \
-    && ln -s $(bun pm bin -g)/wmill /usr/bin/wmill
-
-COPY --from=php:8.3.7-cli /usr/local/bin/php /usr/bin/php
-COPY --from=composer:2.7.6 /usr/bin/composer /usr/bin/composer
-
-# add the docker client to call docker from a worker if enabled
-COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/
-
-ENV RUSTUP_HOME="/tmp/windmill/cache/rustup"
-ENV CARGO_HOME="/tmp/windmill/cache/cargo"
-ENV LD_LIBRARY_PATH="."
-
-# nsjail runtime deps and binary
-RUN apt-get update && apt-get install -y libprotobuf-dev libnl-route-3-dev \
-    && apt-get clean && rm -rf /var/lib/apt/lists/*
 COPY --from=nsjail /nsjail/nsjail /bin/nsjail
 
+COPY --from=denoland/deno:latest /usr/bin/deno /usr/bin/deno
+
+RUN mkdir -p ${APP}
+
 WORKDIR ${APP}
 
-RUN ln -s ${APP}/windmill /usr/local/bin/windmill
-
-COPY ./frontend/src/lib/hubPaths.json ${APP}/hubPaths.json
-
-RUN windmill cache ${APP}/hubPaths.json && rm ${APP}/hubPaths.json
-
-RUN windmill cache-rt
-
-# Create a non-root user 'windmill' with UID and GID 1000
-RUN addgroup --gid 1000 windmill && \
-    adduser --disabled-password --gecos "" --uid 1000 --gid 1000 windmill
-
-# /tmp/.cache may be created by earlier build steps with 755; chmod ensures any UID can write
-RUN mkdir -p -m 777 /tmp/windmill/logs /tmp/windmill/search /tmp/.cache && chmod 777 /tmp/.cache
-
-# Make directories world-accessible for any UID
-# (cache files already have 666 from umask copy above, cache_nomount is read-only)
-RUN find ${APP} /tmp/windmill -type d -exec chmod 777 {} +
-
 EXPOSE 8000
 
-CMD ["windmill"]
+CMD ["./windmill"]

Dockerfile.sandbox

@@ -1,234 +0,0 @@
-FROM debian:bookworm-slim
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    ca-certificates \
-    git \
-    iptables \
-    gosu \
-    sudo \
-    unzip \
-    # Rust native build deps (for cargo check)
-    pkg-config \
-    cmake \
-    clang \
-    mold \
-    libtool \
-    libssl-dev \
-    libxml2-dev \
-    libxmlsec1-dev \
-    libxslt1-dev \
-    libffi-dev \
-    zlib1g-dev \
-    libcurl4-openssl-dev \
-    libclang-dev \
-    libkrb5-dev \
-    libsasl2-dev \
-    # PostgreSQL (for local DB during development)
-    postgresql \
-    postgresql-client \
-    # Node.js 22 (for npm run check / frontend dev)
-    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get install -y --no-install-recommends nodejs \
-    && rm -rf /var/lib/apt/lists/* \
-    # Container runs as arbitrary UIDs (--user uid:gid). These three lines make
-    # sudo work for any UID:
-    # 1) NOPASSWD rule so sudo never prompts for a password
-    # 2) Writable passwd/group so the entrypoint can register the dynamic UID
-    # 3) Writable shadow so unix_chkpwd can validate the account (without this,
-    #    sudo fails with "account validation failure, is your account locked?")
-    && echo "ALL ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sandbox \
-    && chmod 0440 /etc/sudoers.d/sandbox \
-    && chmod 666 /etc/passwd /etc/group /etc/shadow
-
-# ── GitHub CLI (for PR creation) ──────────────────────────────────────────────
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
-        -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
-        > /etc/apt/sources.list.d/github-cli.list \
-    && apt-get update && apt-get install -y --no-install-recommends gh \
-    && rm -rf /var/lib/apt/lists/*
-
-# ── Rust toolchain ────────────────────────────────────────────────────────────
-# Install under /usr/local/lib/ so bins are world-readable with default umask.
-# CARGO_HOME is overridden to /tmp/.cargo at the end for mutable runtime state.
-ENV RUSTUP_HOME=/usr/local/lib/rustup CARGO_HOME=/usr/local/lib/cargo
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-    sh -s -- -y --default-toolchain stable --profile minimal && \
-    ln -s /usr/local/lib/cargo/bin/* /usr/local/bin/
-RUN cargo install sqlx-cli --no-default-features --features native-tls,postgres && \
-    cargo install cargo-watch && \
-    ln -sf /usr/local/lib/cargo/bin/sqlx /usr/local/bin/sqlx && \
-    ln -sf /usr/local/lib/cargo/bin/cargo-watch /usr/local/bin/cargo-watch
-
-# ── Register dynamic runtime users ───────────────────────────────────────────
-RUN cat <<'SCRIPT' > /usr/local/bin/register-dynamic-user.sh
-#!/bin/sh
-set -eu
-
-uid="${1:-}"
-gid="${2:-}"
-
-if [ -z "$uid" ] || [ -z "$gid" ]; then
-    echo "register-dynamic-user: usage: register-dynamic-user <uid> <gid>" >&2
-    exit 1
-fi
-
-if ! getent group "$gid" >/dev/null 2>&1; then
-    echo "sandbox:x:${gid}:" >> /etc/group
-fi
-
-if ! getent passwd "$uid" >/dev/null 2>&1; then
-    echo "sandbox:x:${uid}:${gid}:sandbox:/tmp:/bin/sh" >> /etc/passwd
-fi
-
-# Add a shadow entry ("*" = no password) so unix_chkpwd doesn't reject sudo.
-if ! grep -q "^sandbox:" /etc/shadow 2>/dev/null; then
-    echo "sandbox:*:19000:0:99999:7:::" >> /etc/shadow
-fi
-SCRIPT
-RUN chmod +x /usr/local/bin/register-dynamic-user.sh
-
-# ── Network init script (iptables firewall + privilege drop) ──────────────────
-RUN cat <<'SCRIPT' > /usr/local/bin/network-init.sh
-#!/bin/bash
-set -euo pipefail
-
-if [ -n "${WM_PROXY_HOST:-}" ] && [ -n "${WM_PROXY_PORT:-}" ]; then
-    # Resolve hostnames to ALL IPs (multi-A records, round-robin DNS)
-    PROXY_IPS=$(getent ahostsv4 "$WM_PROXY_HOST" | awk '{print $1}' | sort -u)
-    RPC_HOST="${WM_RPC_HOST:-$WM_PROXY_HOST}"
-    RPC_IPS=$(getent ahostsv4 "$RPC_HOST" | awk '{print $1}' | sort -u)
-
-    if [ -z "$PROXY_IPS" ] || [ -z "$RPC_IPS" ]; then
-        echo "network-init: failed to resolve proxy/RPC host" >&2
-        exit 1
-    fi
-
-    # IPv4: default deny outbound
-    iptables -P OUTPUT DROP
-    iptables -A OUTPUT -o lo -j ACCEPT
-    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-    # Allow DNS (UDP/TCP 53) to configured nameservers.
-    if [ -f /etc/resolv.conf ]; then
-        grep '^nameserver' /etc/resolv.conf | awk '{print $2}' | while read -r ns; do
-            iptables -A OUTPUT -d "$ns" -p udp --dport 53 -j ACCEPT
-            iptables -A OUTPUT -d "$ns" -p tcp --dport 53 -j ACCEPT
-        done
-    fi
-
-    # Allow ALL resolved proxy IPs (handles multi-A DNS)
-    for ip in $PROXY_IPS; do
-        iptables -A OUTPUT -d "$ip" -p tcp --dport "$WM_PROXY_PORT" -j ACCEPT
-    done
-
-    # Allow ALL resolved RPC IPs
-    if [ -n "${WM_RPC_PORT:-}" ]; then
-        for ip in $RPC_IPS; do
-            iptables -A OUTPUT -d "$ip" -p tcp --dport "$WM_RPC_PORT" -j ACCEPT
-        done
-    fi
-
-    # Reject (not drop) everything else to fail fast instead of hanging
-    iptables -A OUTPUT -j REJECT
-
-    # IPv6: block entirely to prevent leaks (fail closed)
-    if ip6tables -L -n >/dev/null 2>&1; then
-        ip6tables -P OUTPUT DROP
-        ip6tables -A OUTPUT -o lo -j ACCEPT
-        ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        ip6tables -A OUTPUT -j REJECT
-    else
-        if ! sysctl -w net.ipv6.conf.all.disable_ipv6=1 2>/dev/null; then
-            echo "network-init: failed to block IPv6 (neither ip6tables nor sysctl available)" >&2
-            exit 1
-        fi
-    fi
-fi
-
-# Add sandbox user/group so sudo works after dropping privileges.
-if [ -z "${WM_TARGET_UID:-}" ] || [ -z "${WM_TARGET_GID:-}" ]; then
-    echo "network-init: WM_TARGET_UID and WM_TARGET_GID are required" >&2
-    exit 1
-fi
-/usr/local/bin/register-dynamic-user.sh "${WM_TARGET_UID}" "${WM_TARGET_GID}"
-
-# Fix PTY ownership so the unprivileged user can read/write the terminal.
-if [ -t 0 ]; then
-    chown "${WM_TARGET_UID}:${WM_TARGET_GID}" "$(tty)"
-fi
-
-# Drop privileges and exec the user command.
-exec gosu "${WM_TARGET_UID}:${WM_TARGET_GID}" env HOME=/tmp "$@"
-SCRIPT
-RUN chmod +x /usr/local/bin/network-init.sh
-
-# ── workmux (sandbox RPC) ────────────────────────────────────────────────────
-RUN curl -fsSL https://raw.githubusercontent.com/raine/workmux/main/scripts/install.sh | bash
-
-# ── Claude Code ───────────────────────────────────────────────────────────────
-RUN curl -fsSL https://claude.ai/install.sh | bash && \
-    target="$(readlink -f /root/.local/bin/claude)" && \
-    mv /root/.local/share/claude /usr/local/lib/claude && \
-    ln -s "/usr/local/lib/claude/versions/$(basename "$target")" /usr/local/bin/claude && \
-    mkdir -p /tmp/.local/bin && \
-    ln -s /usr/local/bin/claude /tmp/.local/bin/claude
-
-# ── Codex ─────────────────────────────────────────────────────────────────────
-RUN npm i -g @openai/codex
-
-# ── Bun ───────────────────────────────────────────────────────────────────────
-ENV BUN_INSTALL=/usr/local/lib/bun
-RUN curl -fsSL https://bun.sh/install | bash && \
-    ln -s /usr/local/lib/bun/bin/bun /usr/local/bin/bun && \
-    ln -s /usr/local/lib/bun/bin/bunx /usr/local/bin/bunx
-
-# ── Playwright + Chromium (for screenshots) ──────────────────────────────────
-ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/lib/playwright-browsers
-RUN bun add -g @playwright/test \
-    && bunx playwright install chromium --with-deps \
-    && chmod -R a+rwX /usr/local/lib/playwright-browsers \
-    && rm -rf /var/lib/apt/lists/* /tmp/bunx-*
-
-# ── AWS CLI (for S3-compatible uploads to R2) ─────────────────────────────────
-RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \
-    && unzip -q /tmp/awscliv2.zip -d /tmp \
-    && /tmp/aws/install \
-    && rm -rf /tmp/aws /tmp/awscliv2.zip
-
-ENV AWS_DEFAULT_REGION=auto
-
-# ── Runtime env for arbitrary UID ─────────────────────────────────────────────
-# Mutable state goes to /tmp (writable by any UID). Toolchains stay read-only.
-ENV CARGO_HOME=/tmp/.cargo BUN_TMPDIR=/tmp
-
-# ── Entrypoint ────────────────────────────────────────────────────────────────
-RUN cat <<'ENTRY' > /usr/local/bin/entrypoint.sh
-#!/bin/sh
-/usr/local/bin/register-dynamic-user.sh "$(id -u)" "$(id -g)"
-
-# Start PostgreSQL (unix socket in /tmp, owned by postgres user)
-mkdir -p /tmp/pgdata && sudo chown postgres:postgres /tmp/pgdata
-if [ ! -f /tmp/pgdata/PG_VERSION ]; then
-    sudo -u postgres /usr/lib/postgresql/15/bin/initdb -D /tmp/pgdata --auth=trust
-fi
-sudo -u postgres /usr/lib/postgresql/15/bin/pg_ctl -D /tmp/pgdata -l /tmp/pg.log start -o "-k /tmp"
-sudo -u postgres psql -h /tmp -c "CREATE ROLE sandbox SUPERUSER LOGIN" 2>/dev/null || true
-sudo -u postgres createdb -h /tmp windmill 2>/dev/null || true
-
-# Run database migrations so sqlx compile-time checks work
-if [ -d "$PWD/backend/migrations" ]; then
-    DATABASE_URL="postgres://sandbox@localhost/windmill?host=/tmp" \
-        sqlx migrate run --source "$PWD/backend/migrations" 2>/dev/null || true
-fi
-
-# Install frontend dependencies and generate backend client
-if [ -d "$PWD/frontend" ]; then
-    (cd "$PWD/frontend" && npm install && npm run generate-backend-client) 2>/dev/null || true
-fi
-
-exec "$@"
-ENTRY
-RUN chmod +x /usr/local/bin/entrypoint.sh
-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

LICENSE

@@ -1,34 +1,12 @@
+
 Source code in this repository is variously licensed under the Apache License
-Version 2.0 (see file ./LICENSE-APACHE), or the AGPLv3 License (see file
-./LICENSE-AGPL) and a proprietary license for certain enterprise features.
+Version 2.0 (see file ./LICENSE-APACHE),or the AGPLv3 License (see file ./LICENSE-AGPL)
 
-Every file is under copyright (c) Windmill Labs, Inc 2022 unless otherwise
-specified. Every file is under License AGPL unless otherwise specified or
-belonging to one of the below cases:
+Every file is under copyright (c) Windmill Labs, Inc 2022 unless otherwise specified.
+Every file is under License AGPL unless otherwise specified 
+or belonging to one of the below cases:
 
-The files under backend/ are AGPLv3 Licensed, except any snippets of code under
-the compile flag "enterprise". Those snippets and files are under a proprietary
-and commercial license. The files under frontend/ are AGPLv3 Licensed, except
-any snippets of code that require a positive license check to be activated.
-Those snippets and files are under a proprietary and commercial license. Private
-and public forks MUST not include any of the above proprietary and commercial
-code. The files under python-client/ deno-client/ go-client/ powershell-client/
-are Apache 2.0 Licensed. The openapi files, including the OpenFlow spec is
-Apache 2.0 Licensed.
-
-The binary compilable from source code in this repository without the
-"enterprise" feature flag is open-source under the AGPLv3 License terms and
-conditions.
-
-The "Community Edition" of Windmill available in the docker images hosted under
-ghcr.io/windmill-labs/windmill and the github binary releases contains the files
-under the AGPLv3 and Apache 2 sources but also includes proprietary and
-non-public code and features which are not open source and under the following
-terms: Windmill Labs, Inc. grants a right to use all the features of the
-"Community Edition" for free without restrictions other than the limits and
-quotas set in the software and a right to distribute the community edition as is
-but not to sell, resell, serve as a managed service, modify or wrap under any
-form without an explicit agreement.
-
-All third party components incorporated into the Windmill Software are licensed
-under the original license provided by the owner of the applicable component.
+The files under backend/ are AGPL Licensed.
+The files under frontend/ are AGPL Licensed.
+The files under python-client/ are Apache 2.0 Licensed.
+The files under community/ are Apache 2.0 Licensed.

README.md

@@ -1,177 +1,162 @@
 <p align="center">
-  <a href="https://www.windmill.dev/"><img src="./imgs/windmill-banner.png" alt="windmill.dev"></a>
+  <a href="https://app.windmill.dev"><img src="./imgs/windmill-banner.png" alt="windmill.dev"></a>
+</p>
+<p align="center">
+    <em>.</em>
 </p>
-
 <p align=center>
-Open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Self-hostable alternative to Retool, Pipedream, Superblocks and a simplified Temporal with autogenerated UIs and custom UIs to trigger workflows and scripts as internal apps.
-
-<p align=center>
-Scripts are turned into sharable UIs automatically, and can be composed together into flows or used into richer apps built with low-code. Supported languages: Python, TypeScript, Go, Bash, SQL, GraphQL, PowerShell, Rust, and more.
+Open-source developer infrastructure for internal tools. Self-hostable alternative to Airplane, Pipedream, Superblocks and a simplified Temporal with autogenerated UIs to trigger workflows and scripts as internal apps. Scripts are turned into UIs and no-code modules, no-code modules can be composed into very rich flows, and script and flows can be triggered from internal UIs made with a low-code builder. The script languages supported are: Python, Typescript, Go, Bash, SQL.
 </p>
 
 <p align="center">
-<a href="https://github.com/windmill-labs/windmill/blob/main/LICENSE-AGPL" target="_blank">
-    <img src="https://img.shields.io/badge/License-AGPLv3-blue.svg" alt="Package version">
-</a>
 <a href="https://github.com/windmill-labs/windmill/actions/workflows/docker-image.yml" target="_blank">
     <img src="https://github.com/windmill-labs/windmill/actions/workflows/docker-image.yml/badge.svg" alt="Docker Image CI">
 </a>
 <a href="https://pypi.org/project/wmill" target="_blank">
     <img src="https://img.shields.io/pypi/v/wmill?color=%2334D058&label=pypi%20package" alt="Package version">
 </a>
-</p>
-
-<p align="center">
-<a href="https://img.shields.io/github/commit-activity/m/windmill-labs/windmill" target="_blank">
-    <img src="https://img.shields.io/github/commit-activity/m/windmill-labs/windmill" alt="Commit activity">
-</a>
 <a href="https://discord.gg/V7PM2YHsPB" target="_blank">
   <img src="https://discordapp.com/api/guilds/930051556043276338/widget.png" alt="Discord Shield"/>
 </a>
 </p>
 
 <p align="center">
-  <a href="https://app.windmill.dev">Try it</a> - <a href="https://www.windmill.dev/">Website</a> - <a href="https://www.windmill.dev/docs/intro/">Docs</a> - <a href="https://discord.gg/V7PM2YHsPB">Discord</a> - <a href="https://hub.windmill.dev">Hub</a> - <a href="https://www.windmill.dev/docs/misc/contributing">Contributor's guide</a>
+  <a href="https://app.windmill.dev">Try it</a> - <a href="https://docs.windmill.dev/docs/intro/">Docs</a> - <a href="https://discord.gg/V7PM2YHsPB">Discord</a> - <a href="https://hub.windmill.dev">Hub</a> - <a href="https://docs.windmill.dev/docs/misc/contributing">Contributor's guide</a>
 </p>
 
-# Windmill - Developer platform for APIs, background jobs, workflows and UIs
+# Windmill - Turn scripts into workflows and UIs that you can share and run at scale
 
-Windmill is fully open-sourced (AGPLv3) and Windmill Labs offers dedicated instances and commercial support and licenses.
+Windmill is <b>fully open-sourced (AGPLv3)</b> and Windmill Labs offers dedicated instance and commercial support and licenses.
 
-![Windmill Diagram](./imgs/stacks.svg)
+![Windmill Diagram](/imgs/stacks.svg)
 
-https://github.com/user-attachments/assets/d80de1d9-64de-4d89-aacd-6df23fa81fc4
+https://user-images.githubusercontent.com/275584/218350457-bc2fdc3b-e667-4da5-a2bd-3bacc1f0ec79.mp4
 
-- [Windmill - Developer platform for APIs, background jobs, workflows and UIs](#windmill---developer-platform-for-apis-background-jobs-workflows-and-uis)
+- [Windmill - Turn scripts into workflows and UIs that you can share and run at scale](#windmill---turn-scripts-into-workflows-and-uis-that-you-can-share-and-run-at-scale)
   - [Main Concepts](#main-concepts)
   - [Show me some actual script code](#show-me-some-actual-script-code)
-  - [Local Development](#local-development)
+  - [CLI](#cli)
+    - [Running scripts locally](#running-scripts-locally)
   - [Stack](#stack)
-  - [Fastest Self-Hostable Workflow Engine](#fastest-self-hostable-workflow-engine)
   - [Security](#security)
+    - [Sandboxing](#sandboxing)
+    - [Secrets, credentials and sensitive values](#secrets-credentials-and-sensitive-values)
   - [Performance](#performance)
   - [Architecture](#architecture)
   - [How to self-host](#how-to-self-host)
     - [Docker compose](#docker-compose)
-    - [Kubernetes (Helm charts)](#kubernetes-helm-charts)
-    - [Cloud providers](#cloud-providers)
-    - [OAuth, SSO \& SMTP](#oauth-sso--smtp)
-    - [License](#license)
-    - [Integrations](#integrations)
+    - [Kubernetes (k8s) and Helm charts](#kubernetes-k8s-and-helm-charts)
+    - [Postgres without superuser](#postgres-without-superuser)
+    - [Commercial license](#commercial-license)
+    - [OAuth for self-hosting](#oauth-for-self-hosting)
+    - [Resource types](#resource-types)
   - [Environment Variables](#environment-variables)
   - [Run a local dev setup](#run-a-local-dev-setup)
-    - [Frontend only](#frontend-only)
+    - [only Frontend](#only-frontend)
     - [Backend + Frontend](#backend--frontend)
   - [Contributors](#contributors)
   - [Copyright](#copyright)
 
 ## Main Concepts
 
-1. Define a minimal and generic script in Python, TypeScript, Go or Bash that solves a specific task. The code can be defined in the provided Web IDE or synchronized with your own GitHub repo (e.g. through VS Code extension): [provided Web IDE](https://www.windmill.dev/docs/code_editor) or [synchronized with your own GitHub repo](https://www.windmill.dev/docs/advanced/cli/sync) (e.g. through [VS Code](https://www.windmill.dev/docs/cli_local_dev/vscode-extension) extension):
+1. Define a minimal and generic script in Python, Typescript, Go or Bash that
+   solves a specific task. Here sending an email with SMTP. The code can be
+   defined in the provided Web IDE or synchronized with your own github repo:
+   ![Step 1](./imgs/windmill-editor.png)
 
-![Step 1](./imgs/windmill-editor.png)
+2. Your scripts parameters are automatically parsed and generate a frontend.
+   ![Step 2](./imgs/windmill-run.png) ![Step 3](./imgs/windmill-result.png)
 
-2. Your scripts parameters are automatically parsed and [generate a frontend](https://www.windmill.dev/docs/core_concepts/auto_generated_uis).
+3. Make it flow! You can chain your scripts or scripts made by the community
+   shared on [WindmillHub](https://hub.windmill.dev).
+   ![Step 4](./imgs/windmill-flow.png)
 
-![Step 2](./imgs/windmill-run.png)
+4. Build complex UI on top of your scripts and flows.
+   ![Step 5](./imgs/windmill-builder.png)
 
-![Step 3](./imgs/windmill-result.png)
+Scripts and flows can also be triggered by a cron schedule '*/5 * * * *' or
+through webhooks.
 
-3. Make it [flow](https://www.windmill.dev/docs/flows/flow_editor)! You can chain your scripts or scripts made by the community shared on [WindmillHub](https://hub.windmill.dev).
-
-![Step 3](./imgs/windmill-flow.png)
-
-4. Build [complex UIs](https://www.windmill.dev/docs/apps/app_editor) on top of your scripts and flows.
-
-![Step 4](./imgs/windmill-builder.png)
-
-Scripts and flows can be triggered by [schedules](https://www.windmill.dev/docs/core_concepts/scheduling), [webhooks](https://www.windmill.dev/docs/core_concepts/webhooks), [HTTP routes](https://www.windmill.dev/docs/core_concepts/http_routing), [Kafka](https://www.windmill.dev/docs/core_concepts/kafka_triggers), [WebSockets](https://www.windmill.dev/docs/core_concepts/websocket_triggers), [emails](https://www.windmill.dev/docs/core_concepts/email_triggers), and more.
-
-Build your entire infra on top of Windmill!
+You can build your entire infra on top of Windmill!
 
 ## Show me some actual script code
 
 ```typescript
+import * as wmill from "https://deno.land/x/windmill@v1.62.0/mod.ts"
 //import any dependency  from npm
-import * as wmill from "windmill-client";
-import * as cowsay from "cowsay@1.5.0";
 
-// fill the type, or use the +Resource type to get a type-safe reference to a resource
-type Postgresql = {
-  host: string;
-  port: number;
-  user: string;
-  dbname: string;
-  sslmode: string;
-  password: string;
-};
+import cowsay from 'npm:cowsay@1.5.0'
 
 export async function main(
-  a: number,
-  b: "my" | "enum",
-  c: Postgresql,
-  d = "inferred type string from default arg",
-  e = { nested: "object" }
-  //f: wmill.Base64
-) {
-  const email = process.env["WM_EMAIL"];
-  // variables are permissioned and by path
-  let variable = await wmill.getVariable("f/company-folder/my_secret");
-  const lastTimeRun = await wmill.getState();
-  // logs are printed and always inspectable
-  console.log(cowsay.say({ text: "hello " + email + " " + lastTimeRun }));
-  await wmill.setState(Date.now());
+    a: number,
+    // unions generate enums
+    b: "my" | "enum",
+    // default parameters prefill the field 
+    d = "default arg",
+    // nested objects work c = { nested: "object" }, 
+    // permissioned and typed json
+    db: wmill.Resource<"postgresql">) {
 
-  // return is serialized as JSON
-  return { foo: d, variable };
+    const email = Deno.env.get('WM_EMAIL')
+    // variables are permissioned and by path
+    let variable = await wmill.getVariable('f/company-folder/my_secret')
+    const lastTimeRun = await wmill.getState()
+    // logs are printed and always inspectable
+    console.log(cowsay.say({ text: "hello " + email + " " + lastTimeRun }))
+    await wmill.setState(Date.now())
+
+    // return is serialized as JSON
+    return { foo: d, variable };
 }
 ```
 
-## Local Development
+## CLI
 
-Windmill supports multiple ways to develop locally and sync with your instance:
+We have a powerful CLI to interact with the windmill platform and sync your
+scripts from local files, github repos and to run scripts and flows on the instance from local commands. See
+[more details](https://github.com/windmill-labs/windmill/tree/main/cli)
 
-| Tool | Description |
-|------|-------------|
-| **[CLI](https://www.windmill.dev/docs/advanced/cli)** | Sync scripts from local files or GitHub, run scripts/flows from the command line |
-| **[VS Code Extension](https://www.windmill.dev/docs/cli_local_dev/vscode-extension)** | Edit and test scripts & flows directly from VS Code / Cursor with full IDE support |
-| **[Git Sync](https://www.windmill.dev/docs/advanced/git_sync)** | Two-way sync between Windmill and your Git repository |
-| **[Claude Code](https://www.windmill.dev/docs/core_concepts/ai_generation)** | AI-assisted development with Claude for scripts, flows, and apps |
+![CLI Screencast](./cli/vhs/output/setup.gif)
 
-https://github.com/user-attachments/assets/c541c326-e9ae-4602-a09a-1989aaded1e9
 
-You can run scripts locally by passing the right environment variables for the `wmill` client library to fetch resources and variables from your instance. See [local development docs](https://www.windmill.dev/docs/advanced/local_development).
+### Running scripts locally
+
+You can run your script locally easily, you simply need to pass the right environment variables for the `wmill` client library to fetch resource and variables from your instance if necessary. See more: <https://docs.windmill.dev/docs/advanced/local_development/>
 
 ## Stack
 
-- **Database**: Postgres (compatible with Aurora, Cloud SQL, Neon, Azure PostgreSQL)
-- **Backend**: Rust - stateless API servers and workers pulling jobs from a Postgres queue
-- **Frontend**: Svelte 5
-- **Sandboxing**: [nsjail](https://github.com/google/nsjail) and PID namespace isolation
-- **Runtimes**:
-  - TypeScript/JavaScript: Bun (default) and Deno
-  - Python: python3 with uv for dependency management
-  - Go, Bash, PowerShell, PHP, Rust, C#, Java, Ansible
-
-## Fastest Self-Hostable Workflow Engine
-
-We have compared Windmill to other self-hostable workflow engines (Airflow,
-Prefect & Temporal) and Windmill is the most performant solution for both
-benchmarks: one flow composed of 40 lightweight tasks & one flow composed of 10
-long-running tasks.
-
-All methodology & results on our
-[Benchmarks](https://www.windmill.dev/docs/misc/benchmarks/competitors#airflow-setup)
-page.
-
-![Fastest workflow engine](./imgs/fastest.png)
+- Postgres as the database
+- backend in Rust with the following highly-available and horizontally scalable
+  architecture:
+  - stateless API backend
+  - workers that pull jobs from a queue in Postgres (and later, Kafka or Redis.
+    Upvote [#173](#https://github.com/windmill-labs/windmill/issues/173) if
+    interested )
+- frontend in Svelte
+- scripts executions are sandboxed using google's
+  [nsjail](https://github.com/google/nsjail)
+- javascript runtime is the
+  [deno_core rust library](https://denolib.gitbook.io/guide/) (which itself uses
+  the [rusty_v8](https://github.com/denoland/rusty_v8) and hence V8 underneath)
+- typescript runtime is deno
+- python runtime is python3
+- golang runtime is 1.19.1
 
 ## Security
 
-- **Sandboxing**: [nsjail](https://github.com/google/nsjail) for filesystem/resource isolation, and PID namespace isolation (enabled by default) to prevent jobs from accessing worker process memory
-- **Secrets**: One encryption key per workspace for credentials stored in Windmill's K/V store. We recommend encrypting the Postgres database as well.
+### Sandboxing
 
-See [Security documentation](https://www.windmill.dev/docs/advanced/security_isolation) for details.
+Windmill uses [nsjail](https://github.com/google/nsjail) on top of the deno
+sandboxing. It is production multi-tenant grade secure. Do not take our word for
+it, take [fly.io's one](https://fly.io/blog/sandboxing-and-workload-isolation/)
+
+### Secrets, credentials and sensitive values
+
+There is one encryption key per workspace to encrypt the credentials and secrets
+stored in Windmill's K/V store.
+
+In addition, we strongly recommend that you encrypt the whole Postgres database.
+That is what we do at <https://app.windmill.dev>.
 
 ## Performance
 
@@ -191,141 +176,188 @@ back to the database is ~50ms. A typical lightweight deno job will take around
 
 ## How to self-host
 
-For detailed setup options, see [Self-Host documentation](https://www.windmill.dev/docs/advanced/self_host).
+We only provide docker-compose setup here. For more advanced setups, like
+compiling from source or using without a postgres super user, see
+[documentation](https://docs.windmill.dev/docs/advanced/self_host)
 
 ### Docker compose
 
-Deploy Windmill with 3 files ([docker-compose.yml](./docker-compose.yml), [Caddyfile](./Caddyfile), [.env](./.env)):
+`docker compose up` with the following docker-compose is sufficient:
+<https://github.com/windmill-labs/windmill/blob/main/docker-compose.yml>
 
-```bash
-curl https://raw.githubusercontent.com/windmill-labs/windmill/main/docker-compose.yml -o docker-compose.yml
-curl https://raw.githubusercontent.com/windmill-labs/windmill/main/Caddyfile -o Caddyfile
-curl https://raw.githubusercontent.com/windmill-labs/windmill/main/.env -o .env
+Go to http://localhost et voilà :)
 
-docker compose up -d
+
+The default super-admin user is: admin@windmill.dev / changeme
+
+From there, you can create other users (do not forget to change the password!)
+
+### Kubernetes (k8s) and Helm charts
+
+We publish helm charts at:
+<https://github.com/windmill-labs/windmill-helm-charts>
+
+### Postgres without superuser
+
+If you do not want, or cannot (for instance, in AWS Aurora or Cloud sql) use a postgres superuser,
+you can run `./init-db-as-superuser.sql` to init the required users for windmill.
+
+
+### Commercial license
+
+To self-host Windmill, you must respect the terms of the AGPLv3 license which
+you do not need to worry about for personal uses. For business uses, you should
+be fine if you do not re-expose it in any way Windmill to your users and are
+comfortable with AGPLv3.
+
+To re-expose any Windmill parts to your users as a feature of your product, or
+to build a feature on top of Windmill, to comply with AGPLv3 your product must
+be AGPLv3 or you must get a commercial license. Contact us at
+<ruben@windmill.dev> if you have any doubts.
+
+In addition, a commercial license grants you a dedicated engineer to transition
+your current infrastructure to Windmill, support with tight SLA, audit logs
+export features, SSO, unlimited users creation, advanced permission managing
+features such as groups and the ability to create more than one workspace.
+
+### OAuth for self-hosting
+
+To get the same oauth integrations as Windmill Cloud, mount `oauth.json` with
+the following format:
+
+```json
+{
+  "<client>": {
+    "id": "<CLIENT_ID>",
+    "secret": "<CLIENT_SECRET>",
+    "allowed_domains": ["windmill.dev"] //restrict a client OAuth login to some domains
+  }
+}
 ```
 
-Go to http://localhost - default credentials: `admin@windmill.dev` / `changeme`
+and mount it at `/usr/src/app/oauth.json`.
 
-**Using an external database**: Set `DATABASE_URL` in `.env` to point to your managed Postgres (AWS RDS, GCP Cloud SQL, Azure, Neon, etc.) and set db replicas to 0.
+The redirect url for the oauth clients is:
+`<instance_url>/user/login_callback/<client>`
 
-### Kubernetes (Helm charts)
+[The list of all possible "connect an app" oauth clients](https://github.com/windmill-labs/windmill/blob/main/backend/oauth_connect.json)
 
-```bash
-helm repo add windmill https://windmill-labs.github.io/windmill-helm-charts/
-helm install windmill-chart windmill/windmill --namespace=windmill --create-namespace
+To add more "connect an app" OAuth clients to the Windmill project, read the
+[Contributor's guide](https://docs.windmill.dev/docs/misc/contributing). We
+welcome contributions!
+
+You may also add your own custom OAuth2 IdP and OAuth2 Resource provider:
+
+```json
+{
+  "<client>": {
+    "id": "<CLIENT_ID>",
+    "secret": "<CLIENT_SECRET>",
+    // To add a new OAuth2 IdP
+    "login_config": {
+      "auth_url": "<auth_endpoint>",
+      "token_url": "<token_endpoint>",
+      "userinfo_url": "<userinfo endpoint>",
+      "scopes": ["scope1", "scope2"],
+      "extra_params": "<if_needed>"
+    },
+    // To add a new OAuth2 Resource
+    "connect_config": {
+      "auth_url": "<auth_endpoint>",
+      "token_url": "<token_endpoint>",
+      "scopes": ["scope1", "scope2"],
+      "extra_params": "<if_needed>"
+    }
+  }
+}
 ```
 
-See [windmill-helm-charts](https://github.com/windmill-labs/windmill-helm-charts) for configuration options.
+### Resource types
 
-### Cloud providers
-
-Windmill works on AWS (EKS/ECS), GCP, Azure, Ubicloud, Fly.io, Render.com, Hetzner, Digital Ocean, and others. Rule of thumb: 1 worker per 1vCPU and 1-2 GB RAM.
-
-### OAuth, SSO & SMTP
-
-Configure OAuth and SSO (Google Workspace, Microsoft/Azure, Okta) directly from the superadmin UI. [See documentation](https://www.windmill.dev/docs/misc/setup_oauth).
-
-### License
-
-The Community Edition is free to use internally. For commercial redistribution or managed services, contact <sales@windmill.dev>. See [LICENSE](./LICENSE) and [Pricing](https://www.windmill.dev/pricing) for details.
-
-The "Community Edition" of Windmill available in the docker images hosted under ghcr.io/windmill-labs/windmill and the github binary releases contains the files under the AGPLv3 and Apache 2 sources but also includes proprietary and non-public code and features which are not open source and under the following terms: Windmill Labs, Inc. grants a right to use all the features of the "Community Edition" for free without restrictions other than the limits and quotas set in the software and a right to distribute the community edition as is but not to sell, resell, serve Windmill as a managed service, modify or wrap under any form without an explicit agreement.
-
-The binary compilable from source code in this repository without the "enterprise" feature flag is open-source under the [LICENSE-AGPLv3](https://github.com/windmill-labs/windmill/blob/main/LICENSE-AGPL) License terms and conditions.
-
-To [re-expose directly any Windmill parts to your users](https://www.windmill.dev/docs/misc/white_labelling) as a feature of your product, with the exception of iframed public Windmill "apps", or to build a feature on top of "Windmill Community Edition" that you sell commercially or embed in a distributable product or binary, you must get a commercial license. Contact us at <sales@windmill.dev> if you have any questions. To do the same from the binary compiled from the source code in this repository without the "enterprise" feature flag, you must comply with the AGPLv3 license terms and conditions or get a commercial license from Windmill Labs, Inc.
-
-To use Windmill "Community Edition" as is internally in your organization, or to use its APIs as is, you do NOT need a commercial license.
-
-### Integrations
-
-In Windmill, integrations are referred to as [resources and resource types](https://www.windmill.dev/docs/core_concepts/resources_and_types). Each Resource has a Resource Type that defines the schema that the resource
-needs to implement.
-
-On self-hosted instances, you might want to import all the approved resource types from [WindmillHub](https://hub.windmill.dev). A setup script will prompt you to have it being synced automatically everyday.
+You will also want to import all the approved resource types from
+[WindmillHub](https://hub.windmill.dev). A setup script will prompt
+you to have it being synced automatically everyday.
 
 ## Environment Variables
 
-| Environment Variable name           | Default                          | Description                                                                                                                                                                                        | Api Server/Worker/All |
-| ----------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| DATABASE_URL                        |                                  | The Postgres database url.                                                                                                                                                                         | All                   |
-| WORKER_GROUP                        | default                          | The worker group the worker belongs to and get its configuration pulled from                                                                                                                       | Worker                |
-| MODE                                | standalone                       | The mode if the binary. Possible values: standalone, worker, server, agent                                                                                                                         | All                   |
-| METRICS_ADDR                        | None                             | (ee only) The socket addr at which to expose Prometheus metrics at the /metrics path. Set to "true" to expose it on port 8001                                                                      | All                   |
-| JSON_FMT                            | false                            | Output the logs in json format instead of logfmt                                                                                                                                                   | All                   |
-| BASE_URL                            | http://localhost:8000            | The base url that is exposed publicly to access your instance. Is overriden by the instance settings if any.                                                                                       | Server                |
-| ZOMBIE_JOB_TIMEOUT                  | 30                               | The timeout after which a job is considered to be zombie if the worker did not send pings about processing the job (every server check for zombie jobs every 30s)                                  | Server                |
-| RESTART_ZOMBIE_JOBS                 | true                             | If true then a zombie job is restarted (in-place with the same uuid and some logs), if false the zombie job is failed                                                                              | Server                |
-| NATIVE_MODE                         | false                            | Enable native mode: sets NUM_WORKERS=8, rejects non-native jobs (nativets, postgresql, mysql, etc.)                                                                                                | Worker                |
-| SLEEP_QUEUE                         | 50                               | The number of ms to sleep in between the last check for new jobs in the DB. It is multiplied by NUM_WORKERS such that in average, for one worker instance, there is one pull every SLEEP_QUEUE ms. | Worker                |
-| KEEP_JOB_DIR                        | false                            | Keep the job directory after the job is done. Useful for debugging.                                                                                                                                | Worker                |
-| LICENSE_KEY (EE only)               | None                             | License key checked at startup for the Enterprise Edition of Windmill                                                                                                                              | Worker                |
-| SLACK_SIGNING_SECRET                | None                             | The signing secret of your Slack app. See [Slack documentation](https://api.slack.com/authentication/verifying-requests-from-slack)                                                                | Server                |
-| COOKIE_DOMAIN                       | None                             | The domain of the cookie. If not set, the cookie will be set by the browser based on the full origin                                                                                               | Server                |
-| DENO_PATH                           | /usr/bin/deno                    | The path to the deno binary.                                                                                                                                                                       | Worker                |
-| PYTHON_PATH                         |                                  | The path to the python binary if wanting to not have it managed by uv.                                                                                                                             | Worker                |
-| GO_PATH                             | /usr/bin/go                      | The path to the go binary.                                                                                                                                                                         | Worker                |
-| GOPRIVATE                           |                                  | The GOPRIVATE env variable to use private go modules                                                                                                                                               | Worker                |
-| GOPROXY                             |                                  | The GOPROXY env variable to use                                                                                                                                                                    | Worker                |
-| NETRC                               |                                  | The netrc content to use a private go registry                                                                                                                                                     | Worker                |
-| PY_CONCURRENT_DOWNLOADS             | 20                               | Sets the maximum number of in-flight concurrent python downloads that windmill will perform at any given time.                                                                                     | Worker                |
-| PATH                                | None                             | The path environment variable, usually inherited                                                                                                                                                   | Worker                |
-| HOME                                | None                             | The home directory to use for Go and Bash , usually inherited                                                                                                                                      | Worker                |
-| DATABASE_CONNECTIONS                | 50 (Server)/3 (Worker)           | The max number of connections in the database connection pool                                                                                                                                      | All                   |
-| SUPERADMIN_SECRET                   | None                             | A token that would let the caller act as a virtual superadmin superadmin@windmill.dev                                                                                                              | Server                |
-| TIMEOUT_WAIT_RESULT                 | 20                               | The number of seconds to wait before timeout on the 'run_wait_result' endpoint                                                                                                                     | Worker                |
-| QUEUE_LIMIT_WAIT_RESULT             | None                             | The number of max jobs in the queue before rejecting immediately the request in 'run_wait_result' endpoint. Takes precedence on the query arg. If none is specified, there are no limit.           | Worker                |
-| DENO_AUTH_TOKENS                    | None                             | Custom DENO_AUTH_TOKENS to pass to worker to allow the use of private modules                                                                                                                      | Worker                |
-| DISABLE_RESPONSE_LOGS               | false                            | Disable response logs                                                                                                                                                                              | Server                |
-| CREATE_WORKSPACE_REQUIRE_SUPERADMIN | true                             | If true, only superadmins can create new workspaces                                                                                                                                                | Server                |
-| MIN_FREE_DISK_SPACE_MB              | 15000                            | Minimum amount of free space on worker. Sends critical alert if worker has less free space.                                                                                                        | Worker                |
-| RUN_UPDATE_CA_CERTIFICATE_AT_START  | false                            | If true, runs CA certificate update command at startup before other initialization                                                                                                                 | All                   |
-| RUN_UPDATE_CA_CERTIFICATE_PATH      | /usr/sbin/update-ca-certificates | Path to the CA certificate update command/script to run when RUN_UPDATE_CA_CERTIFICATE_AT_START is true                                                                                            | All                   |
+| Environment Variable name | Default                | Description                                                                                                                                                                                        | Api Server/Worker/All |
+| ------------------------- | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| DATABASE_URL              |                        | The Postgres database url.                                                                                                                                                                         | All                   |
+| DISABLE_NSJAIL            | true                   | Disable Nsjail Sandboxing                                                                                                                                                                          | Worker                |
+| PORT                      | 8000                   | Exposed port                                                                                                                                                                                       | Server                |  |
+| NUM_WORKERS               | 3                      | The number of worker per Worker instance (set to 1 on Eks to have 1 pod = 1 worker, set to 0 for an API only instance)                                                                             | Worker                |
+| DISABLE_SERVER            | false                  | Binary would operate as a worker only instance                                                                                                                                                     | Worker                |
+| METRICS_ADDR              | None                   | The socket addr at which to expose Prometheus metrics at the /metrics path. Set to "true" to expose it on port 8001                                                                                | All                   |
+| JSON_FMT                  | false                  | Output the logs in json format instead of logfmt                                                                                                                                                   | All                   |
+| BASE_URL                  | http://localhost:8000  | The base url that is exposed publicly to access your instance                                                                                                                                      | Server                |
+| BASE_INTERNAL_URL         | http://localhost:8000  | The base url that is reachable by your workers to talk to the Servers. This help avoiding going through the external load balancer for VPC-internal requests.                                      | Worker                |
+| TIMEOUT                   | 300                    | The timeout in seconds for the execution of a script                                                                                                                                               | Worker                |
+| SLEEP_QUEUE               | 50                     | The number of ms to sleep in between the last check for new jobs in the DB. It is multiplied by NUM_WORKERS such that in average, for one worker instance, there is one pull every SLEEP_QUEUE ms. | Worker                |
+| MAX_LOG_SIZE              | 500000                 | The maximum number of characters a job can emit (log + result)                                                                                                                                     | Worker                |
+| DISABLE_NUSER             | false                  | If Nsjail is enabled, disable the nsjail's `clone_newuser` setting                                                                                                                                 | Worker                |
+| KEEP_JOB_DIR              | false                  | Keep the job directory after the job is done. Useful for debugging.                                                                                                                                | Worker                |
+| LICENSE_KEY (EE only)     | None                   | License key checked at startup for the Enterprise Edition of Windmill                                                                                                                              | Worker                |
+| S3_CACHE_BUCKET (EE only) | None                   | The S3 bucket to sync the cache of the workers to                                                                                                                                                  | Worker                |
+| TAR_CACHE_RATE (EE only)  | 100                    | The rate at which to tar the cache of the workers. 100 means every 100th job in average (uniformly randomly distributed).                                                                          | Worker                |
+| SLACK_SIGNING_SECRET      | None                   | The signing secret of your Slack app. See [Slack documentation](https://api.slack.com/authentication/verifying-requests-from-slack)                                                                | Server                |
+| COOKIE_DOMAIN             | None                   | The domain of the cookie. If not set, the cookie will be set by the browser based on the full origin                                                                                               | Server                |  |
+| DENO_PATH                 | /usr/bin/deno          | The path to the deno binary.                                                                                                                                                                       | Worker                |
+| PYTHON_PATH               | /usr/local/bin/python3 | The path to the python binary.                                                                                                                                                                     | Worker                |
+| GO_PATH                   | /usr/bin/go            | The path to the go binary.                                                                                                                                                                         | Worker                |
+| PIP_INDEX_URL             | None                   | The index url to pass for pip.                                                                                                                                                                     | Worker                |
+| PIP_EXTRA_INDEX_URL       | None                   | The extra index url to pass to pip.                                                                                                                                                                | Worker                |
+| PIP_TRUSTED_HOST          | None                   | The trusted host to pass to pip.                                                                                                                                                                   | Worker                |
+| PATH                      | None                   | The path environment variable, usually inherited                                                                                                                                                   | Worker                |
+| HOME                      | None                   | The home directory to use for Go and Bash , usually inherited                                                                                                                                      | Worker                |
+| DATABASE_CONNECTIONS      | 50 (Server)/3 (Worker) | The max number of connections in the database connection pool                                                                                                                                      | All                   |
+| SUPERADMIN_SECRET         | None                   | A token that would let the caller act as a virtual superadmin superadmin@windmill.dev                                                                                                              | Server                |
+| TIMEOUT_WAIT_RESULT       | 20                     | The number of seconds to wait before timeout on the 'run_wait_result' endpoint                                                                                                                     | Worker                |
+| QUEUE_LIMIT_WAIT_RESULT   | None                   | The number of max jobs in the queue before rejecting immediately the request in 'run_wait_result' endpoint. Takes precedence on the query arg. If none is specified, there are no limit.           | Worker                |
+| DENO_AUTH_TOKENS          | None                   | Custom DENO_AUTH_TOKENS to pass to worker to allow the use of private modules                                                                                                                      | Worker                |
+| DENO_FLAGS                | None                   | Override the flags passed to deno (default --allow-all) to tighten permissions. Minimum permissions needed are "--allow-read=args.json --allow-write=result.json"                                  | Worker                |
+| PIP_LOCAL_DEPENDENCIES    | None                   | Specify dependencies that are installed locally and do not need to be solved nor installed again                                                                                                   |                       |
+| ADDITIONAL_PYTHON_PATHS   | None                   | Specify python paths (separated by a :) to be appended to the PYTHONPATH of the python jobs. To be used with PIP_LOCAL_DEPENDENCIES to use python codebases within Windmill                        | Worker                |
+| INCLUDE_HEADERS           | None                   | Whitelist of headers that are passed to jobs as args (separated by a comma)                                                                                                                        | Server                |
+| WHITELIST_WORKSPACES      | None                   | Whitelist of workspaces this worker takes job from                                                                                                                                                 | Worker                |
+| BLACKLIST_WORKSPACES      | None                   | Blacklist of workspaces this worker takes job from                                                                                                                                                 | Worker                |
+| NEW_USER_WEBHOOK          | None                   | Webhook to notify of a new user added, signup/invite. Can hook back to windmill to send emails                                                                                                     | Server                |
 
 ## Run a local dev setup
 
-We recommend using [Nix](./frontend/README_DEV.md#nix). See [./frontend/README_DEV.md](./frontend/README_DEV.md) for all options.
+### only Frontend
 
-### Frontend only
+This will use the backend of <https://app.windmill.dev> but your own frontend
+with hot-code reloading.
 
-Uses the backend of <https://app.windmill.dev> with local frontend (hot-reload):
-
-```bash
-cd frontend
-npm install
-npm run generate-backend-client  # or generate-backend-client-mac on Mac
-npm run dev
-```
-
-Windmill available at `http://localhost/`
+1. Install [caddy](https://caddyserver.com)
+2. Go to `frontend/`:
+   1. `npm install`, `npm run generate-backend-client` then `npm run dev`
+   2. In another shell `sudo caddy run --config CaddyfileRemote`
+3. Et voilà, windmill should be available at `http://localhost/`
 
 ### Backend + Frontend
 
 See the [./frontend/README_DEV.md](./frontend/README_DEV.md) file for all
 running options.
 
-1. Start a local Postgres database using for instance the `start-dev-db.sh` script which will make a database available at `postgres://postgres:changeme@localhost:5432/windmill`
-   Then run the migrations using the following command:
-   ```
-   cargo install sqlx-cli
-   env DATABASE_URL=<YOUR_DATABASE_URL> sqlx migrate run
-   ```
-   This will also avoid compile time issue with sqlx's `query!` macro.
-2. (optional, linux only) Install [nsjail](https://github.com/google/nsjail) and have it accessible in
+1. Create a Postgres Database for Windmill and create an admin role inside your
+   Postgres setup. The easiest way to get a working postgres is running
+   `cargo install sqlx-cli && sqlx migrate run`. This will also avoid compile
+   time issue with sqlx's `query!` macro
+2. Install [nsjail](https://github.com/google/nsjail) and have it accessible in
    your PATH
-3. Install bun, deno and python3 (+ any languages you want to use), have the bins at `/usr/bin/bun`,`/usr/bin/deno`, and
-   `/usr/local/bin/python3` or set the corresponding environment variables.
-4. (optional) Install the [lld linker](https://lld.llvm.org/)
-5. Go to `frontend/`:
-   1. `npm install`, `npm run generate-backend-client` then `REMOTE=http://localhost:8000 npm run dev`
-   2. You might need to set some extra heap space for the node runtime
-      `export NODE_OPTIONS="--max-old-space-size=4096"`
-   3. Create an empty `frontend/build` folder using `mkdir frontend/build`
-6. Go to `backend/`:
-   1. `env DATABASE_URL=<YOUR_DATABASE_URL> RUST_LOG=info cargo run`
-   2. You can specify any feature flag you want to enable, for example `cargo run --features python` to enable the python executor.
-7. Windmill should be available at `http://localhost:3000`
+3. Install deno and python3, have the bins at `/usr/bin/deno` and
+   `/usr/local/bin/python3`
+4. Install [caddy](https://caddyserver.com)
+5. Install the [lld linker](https://lld.llvm.org/)
+6. Go to `frontend/`:
+   1. `npm install`, `npm run generate-backend-client` then `npm run dev`
+   2. In another shell `npm run build` otherwise the backend will not find the
+      `frontend/build` folder and will crash
+   3. In another shell `sudo caddy run --config Caddyfile`
+7. Go to `backend/`:
+   `DATABASE_URL=<DATABASE_URL_TO_YOUR_WINDMILL_DB> RUST_LOG=info cargo run`
+8. Et voilà, windmill should be available at `http://localhost/`
 
 ## Contributors
 
@@ -335,4 +367,4 @@ running options.
 
 ## Copyright
 
-© 2023-2026 Windmill Labs, Inc.
+Windmill Labs, Inc 2023

README_WORKMUX_DEV.md

@@ -1,196 +0,0 @@
-# Windmill Development with workmux
-
-This guide covers the workmux-based development setup for Windmill. Each worktree gets its own tmux window with a Claude Code agent, a backend server (with auto-reload), and a frontend dev server — all on isolated ports.
-
-## Prerequisites
-
-- tmux
-- Rust toolchain (rustup)
-- Node.js + npm
-- PostgreSQL running locally (see `backend/.env`)
-
-## Installation
-
-### 1. Install workmux
-
-```bash
-cargo install workmux
-```
-
-### 2. Install the Claude Code plugin
-
-```bash
-workmux claude install
-```
-
-This lets workmux manage Claude Code agents in worktree panes.
-
-### 3. Install cargo-watch
-
-Used for auto-recompiling the backend on file changes:
-
-```bash
-cargo install cargo-watch
-```
-
-### 4. Install llm CLI (required for auto branch naming)
-
-workmux uses the `llm` CLI to automatically generate branch names from prompts. Install it with:
-
-```bash
-uv tool install llm
-llm install llm-anthropic
-```
-
-Then set your Anthropic API key:
-
-```bash
-llm keys set anthropic
-# paste your API key when prompted
-```
-
-### 5. Recommended: shell alias and autocomplete
-
-Set up a `wm` alias for convenience:
-
-```bash
-# Add to your ~/.zshrc
-alias wm="workmux"
-```
-
-Setting up zsh autocomplete is also recommended — see the [workmux docs](https://github.com/rubenfiszel/workmux) for instructions.
-
-## Port Slot System
-
-Each worktree is assigned a **slot** that determines its ports:
-
-| Slot | Backend | Frontend |
-|------|---------|----------|
-| 0    | 8000    | 3000     |
-| 1    | 8010    | 3010     |
-| 2    | 8020    | 3020     |
-| 3    | 8030    | 3030     |
-| ...  | ...     | ...      |
-
-- **Slot 0** is reserved for the main worktree (default `cargo run` / `npm run dev`).
-- Without `WM_SLOT`, the script auto-assigns the first available slot (starting from 1) and prints it.
-- With `WM_SLOT=N`, it uses that slot and errors if the ports are taken.
-
-## SSH Port Forwarding
-
-If you develop over SSH, add this to `~/.ssh/config` on your **local machine** to pre-configure tunnels for each slot:
-
-```
-Host windmill-dev
-  HostName <remote-ip>
-  User <username>
-  # Slot 0 (main worktree)
-  LocalForward 8000 localhost:8000
-  LocalForward 3000 localhost:3000
-  # Slot 1
-  LocalForward 8010 localhost:8010
-  LocalForward 3010 localhost:3010
-  # Slot 2
-  LocalForward 8020 localhost:8020
-  LocalForward 3020 localhost:3020
-  # Slot 3
-  LocalForward 8030 localhost:8030
-  LocalForward 3030 localhost:3030
-```
-
-Then connect once and all tunnels are active:
-
-```bash
-ssh windmill-dev
-```
-
-Access the frontend at `http://localhost:<frontend-port>` in your local browser.
-
-## Quickstart
-
-```bash
-# Create a new worktree (auto-assigns slot, prints ports)
-workmux add my-feature
-
-# Or with an explicit slot
-WM_SLOT=2 workmux add my-feature
-
-# Create a worktree and immediately send a prompt to the agent
-workmux add -A -p "fix the login bug in auth.rs"
-```
-
-The `add` command creates the worktree but does **not** open it. To open the tmux window and start working:
-
-```bash
-workmux open my-feature
-```
-
-This will open a tmux window with three panes:
-
-- **Claude Code agent** (focused)
-- **Backend**: `cargo watch -x run` on the assigned port (auto-reloads on save)
-- **Frontend**: `npm run dev` proxying to the backend
-
-When using `-A` with `add`, the worktree is created and opened automatically, and the prompt is sent to the agent right away.
-
-Check which ports were assigned:
-
-```bash
-cat <worktree-path>/.env.local
-```
-
-### Sending work to the agent
-
-```bash
-# Send a prompt to the agent in a worktree
-workmux send my-feature "fix the login bug in auth.rs"
-
-# Check agent status
-workmux status
-```
-
-### Merging and cleaning up
-
-We never merge worktrees directly — always create a PR on GitHub and let it be merged there. Once the PR is merged, clean up the worktree:
-
-```bash
-# Close the tmux window but keep the worktree
-workmux close my-feature
-
-# After your PR is merged, remove the worktree, branch, and tmux window
-workmux rm my-feature
-```
-
-> **Note**: Do not use `workmux merge`. Always go through a PR to get your changes into main. You can ask the Claude Code agent in the worktree to create the PR for you.
-
-## Configuration
-
-The setup is defined in `.workmux.yaml` at the repo root. Key sections:
-
-- **`post_create`**: Runs `scripts/worktree-env` to generate `.env.local` with port assignments
-- **`panes`**: Defines the tmux layout (agent, backend, frontend)
-- **`files.copy`**: Copies `backend/.env` and `scripts/` into each worktree
-- **`files.symlink`**: Symlinks `node_modules` and `.svelte-kit` to avoid reinstalling per worktree
-
-## Enterprise (EE) Code Access
-
-The enterprise source code lives in the `windmill-ee-private` repository (sibling to this repo). When you create a worktree, `scripts/worktree-env` automatically creates a matching EE worktree on the same branch and configures Claude Code's `additionalDirectories` to grant access.
-
-### Sandbox setup
-
-When using sandbox mode, the container needs explicit mounts to access the EE repo. Add the following to your global workmux config (`~/.config/workmux/config.yaml`):
-
-```yaml
-sandbox:
-  extra_mounts:
-    - host_path: ~/windmill-ee-private
-      writable: true
-    - host_path: ~/windmill-ee-private__worktrees
-      writable: true
-```
-
-This mounts both the main EE repo (used by the main worktree) and the EE worktrees directory (used by feature worktrees) into every sandbox container.
-
-## Login
-
-Default credentials: `admin@windmill.dev` / `changeme`

backend/.cargo/config.toml

@@ -1,27 +1,10 @@
 [build]
+rustflags = [
+    "--cfg",
+    "tokio_unstable",
+    "-C",
+    "link-arg=-fuse-ld=lld",
+    "-Clink-arg=-Wl,--no-rosegment",
+]
 incremental = true
 
-[target.x86_64-unknown-linux-gnu]
-linker = "clang"
-rustflags = ["-C", "link-arg=-fuse-ld=mold"]
-
-[target.aarch64-unknown-linux-gnu]
-linker = "clang"
-rustflags = ["-C", "link-arg=-fuse-ld=mold"]
-
-[target.x86_64-apple-darwin]
-rustflags = [
-    "-C", "link-arg=-undefined",
-    "-C", "link-arg=dynamic_lookup",
-    "-C", "link-args=-Wl,-rpath,$ORIGIN/"
-]
-
-[target.aarch64-apple-darwin]
-rustflags = [
-    "-C", "link-arg=-undefined",
-    "-C", "link-arg=dynamic_lookup",
-    "-C", "link-args=-Wl,-rpath,$ORIGIN/"
-]
-
-[net]
-git-fetch-with-cli = true

backend/.gitignore

@@ -1,13 +1,4 @@
 target/
 .env
 oauth.json
-oauth2.json
-tracing.folded
-heaptrack*
-index/
-windmill-api/openapi-*.*
-.duckdb/*
-*ee.rs
-generate_mcp_endpoints_tools/venv
-bacon.toml
-libwindmill_duckdb_ffi_internal.so
+windmill-api/openapi-deref.yaml

backend/.ignore

@@ -1 +0,0 @@
-!*ee.rs

backend/.sqlx/query-0010ef26da16facd1c2c832601ac687c4c27de46a90f45496b8446af1a9d0578.json

@@ -1,44 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            oauth_data as \"oauth_data: sqlx::types::Json<WorkspaceOAuthConfig>\",\n            service_name as \"service_name!: ServiceName\",\n            resource_path\n        FROM\n            workspace_integrations\n        WHERE\n            workspace_id = $1\n        ",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "oauth_data: sqlx::types::Json<WorkspaceOAuthConfig>",
-        "type_info": "Jsonb"
-      },
-      {
-        "ordinal": 1,
-        "name": "service_name!: ServiceName",
-        "type_info": {
-          "Custom": {
-            "name": "native_trigger_service",
-            "kind": {
-              "Enum": [
-                "nextcloud",
-                "google"
-              ]
-            }
-          }
-        }
-      },
-      {
-        "ordinal": 2,
-        "name": "resource_path",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      true,
-      false,
-      true
-    ]
-  },
-  "hash": "0010ef26da16facd1c2c832601ac687c4c27de46a90f45496b8446af1a9d0578"
-}

backend/.sqlx/query-002d68d7c4437522a6dae95af007a356217bbae06b8453f0c32046f0cbf20dcb.json

@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT created_by FROM v2_job WHERE id = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "created_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "002d68d7c4437522a6dae95af007a356217bbae06b8453f0c32046f0cbf20dcb"
-}

backend/.sqlx/query-00588a40dde5189ac1c61505f17acb0f4c244c60477427505bf5bd1b104d3bf9.json

@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE alerts SET acknowledged_workspace = true, acknowledged = true WHERE workspace_id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "00588a40dde5189ac1c61505f17acb0f4c244c60477427505bf5bd1b104d3bf9"
-}

backend/.sqlx/query-005b9255699e73600c579f74b529caf531b2312b6e405b4d35efd2f7ca663143.json

@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email FROM password WHERE email = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "005b9255699e73600c579f74b529caf531b2312b6e405b4d35efd2f7ca663143"
-}

backend/.sqlx/query-006f03e979abdf8055b1c598bc9806337216a6abf74db4eb64b0acb918a0de08.json

@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE usr SET disabled = $1 WHERE username = $2 AND workspace_id = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Bool",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "006f03e979abdf8055b1c598bc9806337216a6abf74db4eb64b0acb918a0de08"
-}

backend/.sqlx/query-0084c1246d1391d106da2e67a394eafc6695257632406ed9a2111dba1dd106c7.json

@@ -1,23 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT args as \"args: sqlx::types::Json<HashMap<String, Box<RawValue>>>\" FROM v2_job WHERE id = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "args: sqlx::types::Json<HashMap<String, Box<RawValue>>>",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Text"
-      ]
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "0084c1246d1391d106da2e67a394eafc6695257632406ed9a2111dba1dd106c7"
-}