fix: create parent dirs in script new and accept python as language alias

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.agents/skills/commit/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: commit
+description: Create a git commit with conventional commit format. MUST use anytime you want to commit changes.
+---
+
+# Git Commit Skill
+
+Create a focused, single-line commit following conventional commit conventions.
+
+## Instructions
+
+1. **Analyze changes**: Run `git status` and `git diff` to understand what was modified
+2. **Stage only modified files**: Add files individually by name. NEVER use `git add -A` or `git add .`
+3. **Write commit message**: Follow the conventional commit format as a single line
+
+## Conventional Commit Format
+
+```
+<type>: <description>
+```
+
+### Types
+- `feat`: New feature or capability
+- `fix`: Bug fix
+- `refactor`: Code change that neither fixes a bug nor adds a feature
+- `docs`: Documentation only changes
+- `style`: Formatting, missing semicolons, etc (no code change)
+- `test`: Adding or correcting tests
+- `chore`: Maintenance tasks, dependency updates, etc
+- `perf`: Performance improvement
+
+### Rules
+- Message MUST be a single line (no multi-line messages)
+- Description should be lowercase, imperative mood ("add" not "added")
+- No period at the end
+- Keep under 72 characters total
+
+### Examples
+```
+feat: add token usage tracking for AI providers
+fix: resolve null pointer in job executor
+refactor: extract common validation logic
+docs: update API endpoint documentation
+chore: upgrade sqlx to 0.7
+```
+
+## Execution Steps
+
+1. Run `git status` to see all changes
+2. Run `git diff` to understand the changes in detail
+3. Run `git log --oneline -5` to see recent commit style
+4. Stage ONLY the modified/relevant files: `git add <file1> <file2> ...`
+5. Create the commit with conventional format:
+   ```bash
+   git commit -m "<type>: <description>
+
+   Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>"
+   ```
+6. Run `git status` to verify the commit succeeded

.agents/skills/local-review/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: local-review
+description: Code review a pull request for bugs and CLAUDE.md compliance. MUST use when asked to review code.
+---
+
+# Local Code Review Skill
+
+Review a pull request for real bugs and CLAUDE.md compliance violations. This review targets HIGH SIGNAL issues only.
+
+## Review Philosophy
+
+- **Only flag issues you are certain about.** If you are not sure an issue is real, do not flag it. False positives erode trust and waste reviewer time.
+- Think like a senior engineer doing a final review — flag things that would cause incidents, not things that are merely imperfect.
+
+## What to Flag
+
+- Code that won't compile or parse (syntax errors, type errors, missing imports)
+- Code that will definitely produce wrong results regardless of inputs
+- Clear, unambiguous CLAUDE.md violations (quote the exact rule being violated)
+- Security issues in introduced code (injection, auth bypass, data exposure)
+- Incorrect logic that will fail in production
+
+## What NOT to Flag
+
+- Code style or quality concerns
+- Potential issues that depend on specific inputs or runtime state
+- Subjective suggestions or improvements
+- Pre-existing issues not introduced by this PR
+- Pedantic nitpicks a senior engineer wouldn't flag
+- Issues a linter or type checker will catch
+- General quality concerns unless explicitly prohibited in CLAUDE.md
+- Issues silenced via lint ignore comments
+
+## Execution Steps
+
+1. **Determine the PR scope**:
+   - If an argument is provided, use it as the PR number or branch
+   - Otherwise, detect from the current branch vs main
+   - Run `gh pr view` if a PR exists, or use `git diff main...HEAD`
+
+2. **Find relevant CLAUDE.md files**:
+   - Read the root `CLAUDE.md`
+   - Check for CLAUDE.md files in directories containing changed files
+
+3. **Get the diff and metadata**:
+   - `gh pr diff` or `git diff main...HEAD` for the full diff
+   - `gh pr view` or `git log main..HEAD --oneline` for context
+
+4. **Read changed files** where the diff alone is insufficient to understand context
+
+5. **Review for**:
+   - CLAUDE.md compliance — check each rule against the changed code
+   - Bugs and logic errors — will this code work correctly?
+   - Security issues — injection, auth, data exposure in new code
+
+6. **Self-validate each finding**: Before reporting, ask yourself:
+   - "Is this definitely a real issue, not a false positive?"
+   - "Would a senior engineer flag this in review?"
+   - If the answer to either is no, discard the finding
+
+7. **Output findings** to the terminal (default) or post as PR comments (with `--comment` flag)
+
+## Output Format
+
+```
+## Code review
+
+Found N issues:
+
+1. <description> (<reason: CLAUDE.md adherence | bug | security>)
+   <file_path:line_number>
+
+2. <description> (<reason>)
+   <file_path:line_number>
+```
+
+If no issues are found:
+
+```
+## Code review
+
+No issues found. Checked for bugs and CLAUDE.md compliance.
+```
+
+## Posting Comments (--comment flag)
+
+If the user passes `--comment`, post findings as inline PR comments using:
+
+```bash
+gh pr review --comment --body "<summary>"
+```
+
+Or for inline comments on specific lines:
+
+```bash
+gh api repos/{owner}/{repo}/pulls/{pr}/reviews -f body="<summary>" -f event="COMMENT" -f comments="[...]"
+```

.agents/skills/native-trigger/SKILL.md

@@ -0,0 +1,777 @@
+# Skill: Adding Native Trigger Services
+
+This skill provides comprehensive guidance for adding new native trigger services to Windmill. Native triggers allow external services (like Nextcloud, Google Drive, etc.) to trigger Windmill scripts/flows via webhooks or push notifications.
+
+## Architecture Overview
+
+The native trigger system consists of:
+
+1. **Database Layer** - PostgreSQL tables and enum types
+2. **Backend Rust Implementation** - Core trait, handlers, and service modules in the `windmill-native-triggers` crate
+3. **Frontend Svelte Components** - Configuration forms and UI components
+
+### Key Files
+
+| Component | Path |
+|-----------|------|
+| Core module with `External` trait | `backend/windmill-native-triggers/src/lib.rs` |
+| Generic CRUD handlers | `backend/windmill-native-triggers/src/handler.rs` |
+| Background sync logic | `backend/windmill-native-triggers/src/sync.rs` |
+| OAuth/workspace integration | `backend/windmill-native-triggers/src/workspace_integrations.rs` |
+| Re-export shim (windmill-api) | `backend/windmill-api/src/native_triggers/mod.rs` |
+| TriggerKind enum | `backend/windmill-common/src/triggers.rs` |
+| JobTriggerKind enum | `backend/windmill-common/src/jobs.rs` |
+| Frontend service registry | `frontend/src/lib/components/triggers/native/utils.ts` |
+| Frontend trigger utilities | `frontend/src/lib/components/triggers/utils.ts` |
+| Trigger badges (icons + counts) | `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte` |
+| Workspace integrations UI | `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte` |
+| OAuth config form component | `frontend/src/lib/components/workspaceSettings/OAuthClientConfig.svelte` |
+| OpenAPI spec | `backend/windmill-api/openapi.yaml` |
+| Reference: Nextcloud module | `backend/windmill-native-triggers/src/nextcloud/` |
+| Reference: Google module | `backend/windmill-native-triggers/src/google/` |
+
+### Crate Structure
+
+The native trigger code lives in the `windmill-native-triggers` crate (`backend/windmill-native-triggers/`). The `windmill-api` crate re-exports everything via a shim:
+
+```rust
+// backend/windmill-api/src/native_triggers/mod.rs
+pub use windmill_native_triggers::*;
+```
+
+All new service modules go in `backend/windmill-native-triggers/src/`.
+
+---
+
+## Core Concepts
+
+### The `External` Trait
+
+Every native trigger service implements the `External` trait defined in `lib.rs`:
+
+```rust
+#[async_trait]
+pub trait External: Send + Sync + 'static {
+    // Associated types:
+    type ServiceConfig: Debug + DeserializeOwned + Serialize + Send + Sync;
+    type TriggerData: Debug + Serialize + Send + Sync;
+    type OAuthData: DeserializeOwned + Serialize + Clone + Send + Sync;
+    type CreateResponse: DeserializeOwned + Send + Sync;
+
+    // Constants:
+    const SUPPORT_WEBHOOK: bool;
+    const SERVICE_NAME: ServiceName;
+    const DISPLAY_NAME: &'static str;
+    const TOKEN_ENDPOINT: &'static str;
+    const REFRESH_ENDPOINT: &'static str;
+    const AUTH_ENDPOINT: &'static str;
+
+    // Required methods:
+    async fn create(&self, w_id, oauth_data, webhook_token, data, db, tx) -> Result<Self::CreateResponse>;
+    async fn update(&self, w_id, oauth_data, external_id, webhook_token, data, db, tx) -> Result<serde_json::Value>;
+    async fn get(&self, w_id, oauth_data, external_id, db, tx) -> Result<Self::TriggerData>;
+    async fn delete(&self, w_id, oauth_data, external_id, db, tx) -> Result<()>;
+    async fn exists(&self, w_id, oauth_data, external_id, db, tx) -> Result<bool>;
+    async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors);
+    fn external_id_and_metadata_from_response(&self, resp) -> (String, Option<serde_json::Value>);
+
+    // Methods with defaults:
+    async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned>;
+    fn service_config_from_create_response(&self, data, resp) -> Option<serde_json::Value>;
+    fn additional_routes(&self) -> axum::Router;
+    async fn http_client_request<T, B>(&self, url, method, workspace_id, tx, db, headers, body) -> Result<T>;
+}
+```
+
+Key design points:
+- **`update()` returns `serde_json::Value`** - the resolved service_config to store. Each service is responsible for building the final config.
+- **`maintain_triggers()`** - periodic background maintenance. Each service implements its own strategy (Nextcloud: reconcile with external state; Google: renew expiring channels).
+- **No `list_all()` in the trait** - services that need it (Nextcloud) implement it privately; services that don't (Google) use different maintenance strategies.
+- **No `get_external_id_from_trigger_data()` or `extract_service_config_from_trigger_data()`** - removed in favor of the `maintain_triggers` pattern.
+
+### Create Lifecycle: Two Paths
+
+The `create_native_trigger` handler in `handler.rs` supports two creation flows, controlled by `service_config_from_create_response()`:
+
+**Path A: Short (Google pattern)** - `service_config_from_create_response()` returns `Some(config)`:
+1. `create()` registers on external service
+2. `external_id_and_metadata_from_response()` extracts the ID
+3. `service_config_from_create_response()` builds the config directly from input data + response metadata
+4. Stores trigger in DB -- done, no extra round-trip
+
+Use this when the external_id is known before the create call (e.g., Google generates the channel_id as a UUID upfront and includes it in the webhook URL).
+
+**Path B: Long (Nextcloud pattern)** - `service_config_from_create_response()` returns `None` (default):
+1. `create()` registers on external service (webhook URL has no external_id yet)
+2. `external_id_and_metadata_from_response()` extracts the ID
+3. `update()` is called to fix the webhook URL with the now-known external_id
+4. `update()` returns the resolved service_config
+5. Stores trigger in DB
+
+Use this when the external_id is assigned by the remote service and the webhook URL needs to be corrected after creation.
+
+### OAuth Token Storage (Three-Table Pattern)
+
+OAuth tokens are stored across three tables, NOT in `workspace_integrations.oauth_data` directly:
+
+| Table | What's Stored |
+|-------|---------------|
+| `workspace_integrations` | `oauth_data` JSON with `base_url`, `client_id`, `client_secret`, `instance_shared` flag; `resource_path` pointing to the variable |
+| `variable` | Encrypted `access_token` (at the path stored in `resource_path`), linked to `account` via `account` column |
+| `account` | `refresh_token`, keyed by `workspace_id` + `client` (service name) + `is_workspace_integration = true` |
+
+The `decrypt_oauth_data()` function in `lib.rs` assembles these into a unified struct:
+```rust
+pub struct OAuthConfig {
+    pub base_url: String,
+    pub access_token: String,      // decrypted from variable
+    pub refresh_token: Option<String>, // from account table
+    pub client_id: String,         // from oauth_data or instance settings
+    pub client_secret: String,     // from oauth_data or instance settings
+}
+```
+
+Instance-level sharing: when `oauth_data.instance_shared == true`, `client_id` and `client_secret` are read from global settings instead of workspace_integrations.
+
+### URL Resolution
+
+The `resolve_endpoint()` helper handles both absolute and relative OAuth URLs:
+
+```rust
+pub fn resolve_endpoint(base_url: &str, endpoint: &str) -> String {
+    if endpoint.starts_with("http://") || endpoint.starts_with("https://") {
+        endpoint.to_string()  // Google: absolute URLs
+    } else {
+        format!("{}{}", base_url, endpoint)  // Nextcloud: relative paths
+    }
+}
+```
+
+### ServiceName Methods
+
+`ServiceName` is the central registry enum. Each variant must implement these match arms:
+
+| Method | Purpose |
+|--------|---------|
+| `as_str()` | Lowercase identifier (e.g., `"google"`) |
+| `as_trigger_kind()` | Maps to `TriggerKind` enum |
+| `as_job_trigger_kind()` | Maps to `JobTriggerKind` enum |
+| `token_endpoint()` | OAuth token endpoint (relative or absolute) |
+| `auth_endpoint()` | OAuth authorization endpoint |
+| `oauth_scopes()` | Space-separated OAuth scopes |
+| `resource_type()` | Resource type for token storage (e.g., `"gworkspace"`) |
+| `extra_auth_params()` | Extra OAuth params (e.g., Google needs `access_type=offline`, `prompt=consent`) |
+| `integration_service()` | Maps to the workspace integration service (usually `*self`) |
+| `TryFrom<String>` | Parse from string |
+| `Display` | Delegates to `as_str()` |
+
+---
+
+## Step-by-Step Implementation Guide
+
+### Step 1: Database Migration
+
+Create a new migration file: `backend/migrations/YYYYMMDDHHMMSS_newservice_trigger.up.sql`
+
+```sql
+-- Add the service to the native_trigger_service enum
+ALTER TYPE native_trigger_service ADD VALUE IF NOT EXISTS 'newservice';
+
+-- Add to TRIGGER_KIND enum (used for trigger tracking)
+ALTER TYPE TRIGGER_KIND ADD VALUE IF NOT EXISTS 'newservice';
+
+-- Add to job_trigger_kind enum (used for job tracking)
+ALTER TYPE job_trigger_kind ADD VALUE IF NOT EXISTS 'newservice';
+```
+
+Also create the corresponding down migration.
+
+### Step 2: Update windmill-common Enums
+
+#### `backend/windmill-common/src/triggers.rs`
+
+Add variant to `TriggerKind` enum, and update `to_key()` and `fmt()` implementations.
+
+#### `backend/windmill-common/src/jobs.rs`
+
+Add variant to `JobTriggerKind` enum and update the `Display` implementation.
+
+### Step 3: Backend Service Module
+
+Create a new directory: `backend/windmill-native-triggers/src/newservice/`
+
+#### `mod.rs` - Type Definitions
+
+```rust
+use serde::{Deserialize, Serialize};
+
+pub mod external;
+// pub mod routes; // Only if you need additional service-specific routes
+
+/// OAuth data deserialized from the three-table pattern.
+/// The actual structure is built by decrypt_oauth_data() from variable + account + workspace_integrations.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct NewServiceOAuthData {
+    pub base_url: String,              // from workspace_integrations.oauth_data
+    pub access_token: String,          // decrypted from variable table
+    pub refresh_token: Option<String>, // from account table
+    // Note: client_id and client_secret are in OAuthConfig, not here
+    // unless the service needs them at runtime for API calls
+}
+
+/// Configuration provided by user when creating/updating a trigger.
+/// Stored as JSON in native_trigger.service_config.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct NewServiceConfig {
+    // Service-specific configuration fields
+    pub folder_path: String,
+    pub file_filter: Option<String>,
+}
+
+/// Data retrieved from the external service about a trigger.
+/// Returned by the get() method and shown in the UI.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct NewServiceTriggerData {
+    pub folder_path: String,
+    pub file_filter: Option<String>,
+    // Fields that shouldn't affect service_config comparison should use #[serde(skip_serializing)]
+}
+
+/// Response from external service when creating a trigger/webhook.
+#[derive(Debug, Deserialize)]
+pub struct CreateTriggerResponse {
+    pub id: String,
+}
+
+/// Handler struct (stateless, used for routing)
+#[derive(Copy, Clone)]
+pub struct NewService;
+```
+
+#### `external.rs` - External Trait Implementation
+
+```rust
+use async_trait::async_trait;
+use reqwest::Method;
+use sqlx::PgConnection;
+use std::collections::HashMap;
+use windmill_common::{
+    error::{Error, Result},
+    BASE_URL, DB,
+};
+
+use crate::{
+    generate_webhook_service_url, External, NativeTrigger, NativeTriggerData, ServiceName,
+    sync::{SyncError, TriggerSyncInfo},
+};
+use super::{NewService, NewServiceConfig, NewServiceOAuthData, NewServiceTriggerData, CreateTriggerResponse};
+
+#[async_trait]
+impl External for NewService {
+    type ServiceConfig = NewServiceConfig;
+    type TriggerData = NewServiceTriggerData;
+    type OAuthData = NewServiceOAuthData;
+    type CreateResponse = CreateTriggerResponse;
+
+    const SERVICE_NAME: ServiceName = ServiceName::NewService;
+    const DISPLAY_NAME: &'static str = "New Service";
+    const SUPPORT_WEBHOOK: bool = true;
+    const TOKEN_ENDPOINT: &'static str = "/oauth/token";
+    const REFRESH_ENDPOINT: &'static str = "/oauth/token";
+    const AUTH_ENDPOINT: &'static str = "/oauth/authorize";
+
+    async fn create(
+        &self,
+        w_id: &str,
+        oauth_data: &Self::OAuthData,
+        webhook_token: &str,
+        data: &NativeTriggerData<Self::ServiceConfig>,
+        db: &DB,
+        tx: &mut PgConnection,
+    ) -> Result<Self::CreateResponse> {
+        let base_url = &*BASE_URL.read().await;
+
+        // external_id is None during create (we get it from the response)
+        let webhook_url = generate_webhook_service_url(
+            base_url, w_id, &data.script_path, data.is_flow,
+            None, Self::SERVICE_NAME, webhook_token,
+        );
+
+        let url = format!("{}/api/webhooks/create", oauth_data.base_url);
+        let payload = serde_json::json!({
+            "callback_url": webhook_url,
+            "folder_path": data.service_config.folder_path,
+        });
+
+        let response: CreateTriggerResponse = self
+            .http_client_request(&url, Method::POST, w_id, tx, db, None, Some(&payload))
+            .await?;
+
+        Ok(response)
+    }
+
+    /// Update returns the resolved service_config as JSON.
+    /// For services using the update+get pattern, call self.get() and serialize.
+    async fn update(
+        &self,
+        w_id: &str,
+        oauth_data: &Self::OAuthData,
+        external_id: &str,
+        webhook_token: &str,
+        data: &NativeTriggerData<Self::ServiceConfig>,
+        db: &DB,
+        tx: &mut PgConnection,
+    ) -> Result<serde_json::Value> {
+        let base_url = &*BASE_URL.read().await;
+
+        let webhook_url = generate_webhook_service_url(
+            base_url, w_id, &data.script_path, data.is_flow,
+            Some(external_id), Self::SERVICE_NAME, webhook_token,
+        );
+
+        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
+        let payload = serde_json::json!({
+            "callback_url": webhook_url,
+            "folder_path": data.service_config.folder_path,
+        });
+
+        let _: serde_json::Value = self
+            .http_client_request(&url, Method::PUT, w_id, tx, db, None, Some(&payload))
+            .await?;
+
+        // Fetch back the updated state to get the resolved config
+        let trigger_data = self.get(w_id, oauth_data, external_id, db, tx).await?;
+        serde_json::to_value(&trigger_data)
+            .map_err(|e| Error::InternalErr(format!("Failed to serialize trigger data: {}", e)))
+    }
+
+    async fn get(
+        &self,
+        w_id: &str,
+        oauth_data: &Self::OAuthData,
+        external_id: &str,
+        db: &DB,
+        tx: &mut PgConnection,
+    ) -> Result<Self::TriggerData> {
+        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
+        self.http_client_request::<_, ()>(&url, Method::GET, w_id, tx, db, None, None).await
+    }
+
+    async fn delete(
+        &self,
+        w_id: &str,
+        oauth_data: &Self::OAuthData,
+        external_id: &str,
+        db: &DB,
+        tx: &mut PgConnection,
+    ) -> Result<()> {
+        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
+        let _: serde_json::Value = self
+            .http_client_request::<_, ()>(&url, Method::DELETE, w_id, tx, db, None, None)
+            .await
+            .or_else(|e| match &e {
+                Error::InternalErr(msg) if msg.contains("404") => Ok(serde_json::Value::Null),
+                _ => Err(e),
+            })?;
+        Ok(())
+    }
+
+    async fn exists(
+        &self,
+        w_id: &str,
+        oauth_data: &Self::OAuthData,
+        external_id: &str,
+        db: &DB,
+        tx: &mut PgConnection,
+    ) -> Result<bool> {
+        match self.get(w_id, oauth_data, external_id, db, tx).await {
+            Ok(_) => Ok(true),
+            Err(Error::NotFound(_)) => Ok(false),
+            Err(e) => Err(e),
+        }
+    }
+
+    /// Background maintenance. Choose the right pattern for your service:
+    /// - For services with queryable external state: use reconcile_with_external_state()
+    /// - For channel-based services with expiration: implement renewal logic
+    async fn maintain_triggers(
+        &self,
+        db: &DB,
+        workspace_id: &str,
+        triggers: &[NativeTrigger],
+        oauth_data: &Self::OAuthData,
+        synced: &mut Vec<TriggerSyncInfo>,
+        errors: &mut Vec<SyncError>,
+    ) {
+        // Option A: Reconcile with external state (Nextcloud pattern)
+        // Fetch all triggers from external service and compare with DB
+        let external_triggers = match self.list_all(workspace_id, oauth_data, db).await {
+            Ok(triggers) => triggers,
+            Err(e) => {
+                errors.push(SyncError {
+                    resource_path: format!("workspace:{}", workspace_id),
+                    error_message: format!("Failed to list triggers: {}", e),
+                    error_type: "api_error".to_string(),
+                });
+                return;
+            }
+        };
+
+        // Convert to (external_id, config_json) pairs
+        let external_pairs: Vec<(String, serde_json::Value)> = external_triggers
+            .into_iter()
+            .map(|t| (t.id.clone(), serde_json::to_value(&t).unwrap_or_default()))
+            .collect();
+
+        crate::sync::reconcile_with_external_state(
+            db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
+        ).await;
+    }
+
+    fn external_id_and_metadata_from_response(
+        &self,
+        resp: &Self::CreateResponse,
+    ) -> (String, Option<serde_json::Value>) {
+        (resp.id.clone(), None)
+    }
+
+    // service_config_from_create_response: NOT overridden (returns None).
+    // This means the handler uses the update+get pattern after create.
+    // Override and return Some(...) to skip the update+get cycle (Google pattern).
+}
+
+impl NewService {
+    /// Private helper to list all triggers from the external service.
+    async fn list_all(
+        &self,
+        w_id: &str,
+        oauth_data: &<Self as External>::OAuthData,
+        db: &DB,
+    ) -> Result<Vec<<Self as External>::TriggerData>> {
+        // Implementation depends on the external service's API
+        todo!()
+    }
+}
+```
+
+### Step 4: Update lib.rs Registry
+
+In `backend/windmill-native-triggers/src/lib.rs`:
+
+```rust
+// Service modules - add new services here:
+#[cfg(feature = "native_trigger")]
+pub mod newservice;  // <-- Add this
+
+// ServiceName enum - add variant:
+pub enum ServiceName {
+    Nextcloud,
+    Google,
+    NewService,  // <-- Add this
+}
+
+// Then add match arms in ALL ServiceName methods:
+// as_str(), as_trigger_kind(), as_job_trigger_kind(), token_endpoint(),
+// auth_endpoint(), oauth_scopes(), resource_type(), extra_auth_params(),
+// integration_service(), TryFrom<String>, Display
+```
+
+### Step 5: Update handler.rs Routes
+
+In `backend/windmill-native-triggers/src/handler.rs`:
+
+```rust
+pub fn generate_native_trigger_routers() -> Router {
+    // ...
+    #[cfg(feature = "native_trigger")]
+    {
+        use crate::newservice::NewService;
+        return router
+            .nest("/nextcloud", service_routes(NextCloud))
+            .nest("/google", service_routes(Google))
+            .nest("/newservice", service_routes(NewService));  // <-- Add this
+    }
+    // ...
+}
+```
+
+### Step 6: Update sync.rs
+
+In `backend/windmill-native-triggers/src/sync.rs`:
+
+```rust
+pub async fn sync_all_triggers(db: &DB) -> Result<BackgroundSyncResult> {
+    // ...
+    #[cfg(feature = "native_trigger")]
+    {
+        use crate::newservice::NewService;
+
+        // ... existing service syncs ...
+
+        // New service sync
+        let (service_name, result) = sync_service_triggers(db, NewService).await;
+        total_synced += result.synced_triggers.len();
+        total_errors += result.errors.len();
+        service_results.insert(service_name, result);
+    }
+    // ...
+}
+```
+
+### Step 7: Frontend Service Registry
+
+In `frontend/src/lib/components/triggers/native/utils.ts`:
+
+Add to `NATIVE_TRIGGER_SERVICES`, `getTriggerIconName()`, and `getServiceIcon()`.
+
+### Step 8: Frontend Trigger Form Component
+
+Create: `frontend/src/lib/components/triggers/native/services/newservice/NewServiceTriggerForm.svelte`
+
+### Step 9: Frontend Icon Component
+
+Create: `frontend/src/lib/components/icons/NewServiceIcon.svelte`
+
+### Step 10: Update NativeTriggerEditor
+
+Check `frontend/src/lib/components/triggers/native/NativeTriggerEditor.svelte` to ensure it dynamically loads form components based on service name.
+
+### Step 11: Workspace Integration UI
+
+Add your service to the `supportedServices` map in `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte`:
+
+```typescript
+const supportedServices: Record<string, ServiceConfig> = {
+    // ... existing services ...
+    newservice: {
+        name: 'newservice',
+        displayName: 'New Service',
+        description: 'Connect to New Service for triggers',
+        icon: NewServiceIcon,
+        docsUrl: 'https://www.windmill.dev/docs/integrations/newservice',
+        requiresBaseUrl: false,  // false for cloud services, true for self-hosted
+        setupInstructions: [
+            'Step 1: Create an OAuth app on the service',
+            'Step 2: Configure the redirect URI shown below',
+            'Step 3: Enter the client credentials below'
+        ]
+    }
+}
+```
+
+### Step 12: Update `frontend/src/lib/components/triggers/utils.ts`
+
+Update ALL of these maps/functions:
+1. `triggerIconMap` - import and add icon
+2. `triggerDisplayNamesMap` - add display name
+3. `triggerTypeOrder` in `sortTriggers()` - add type
+4. `getLightConfig()` - add case for your service
+5. `getTriggerLabel()` - add case for your service
+6. `jobTriggerKinds` - add to array
+7. `countPropertyMap` - add count property
+8. `triggerSaveFunctions` - add save function
+
+### Step 13: Update TriggersBadge Component
+
+In `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte`:
+
+1. Import the icon
+2. Add to `baseConfig` with `countKey` (the dynamic `availableNativeServices` loop does NOT set `countKey`)
+3. Add to the `allTypes` array
+
+### Step 14: Update TriggersWrapper.svelte
+
+In `frontend/src/lib/components/triggers/TriggersWrapper.svelte`:
+
+Add a `{:else if selectedTrigger.type === 'yourservice'}` case that renders `<NativeTriggersPanel service="yourservice" ...>` with the same props pattern as the existing native trigger cases (e.g., `nextcloud`).
+
+### Step 15: Update AddTriggersButton.svelte
+
+In `frontend/src/lib/components/triggers/AddTriggersButton.svelte`:
+
+1. Add `yourserviceAvailable` state variable
+2. Add `setYourserviceState()` async function using `isServiceAvailable('yourservice', $workspaceStore!)`
+3. Call it at module level
+4. Add a dropdown entry to `addTriggerItems` with `hidden: !yourserviceAvailable`
+
+### Step 16: Update TriggersEditor.svelte Delete Handling
+
+In `frontend/src/lib/components/triggers/TriggersEditor.svelte`:
+
+Add your service to the `nativeTriggerServices` map in `deleteDeployedTrigger()`. Native triggers use `NativeTriggerService.deleteNativeTrigger({ workspace, serviceName, externalId })` instead of the standard `path`-based delete.
+
+### Step 17: Update OpenAPI Spec and Regenerate Types
+
+Add to `JobTriggerKind` enum in `backend/windmill-api/openapi.yaml`, then:
+
+```bash
+cd frontend && npm run generate-backend-client
+```
+
+---
+
+## Special Patterns
+
+### Unified Service with `trigger_type` (Google Pattern)
+
+When a single service handles multiple trigger types (e.g., Google Drive + Calendar share OAuth and API patterns), use a single `ServiceName` variant with a discriminator field:
+
+```rust
+pub enum GoogleTriggerType { Drive, Calendar }
+
+pub struct GoogleServiceConfig {
+    pub trigger_type: GoogleTriggerType,
+    // Drive-specific fields (only used when trigger_type = Drive)
+    pub resource_id: Option<String>,
+    pub resource_name: Option<String>,
+    // Calendar-specific fields (only used when trigger_type = Calendar)
+    pub calendar_id: Option<String>,
+    pub calendar_name: Option<String>,
+    // Metadata set after creation
+    pub google_resource_id: Option<String>,
+    pub expiration: Option<String>,
+}
+```
+
+Branch in trait methods based on `trigger_type`. Frontend uses a `ToggleButtonGroup` to switch between types. This keeps the codebase simpler (one service, one OAuth flow, one set of routes).
+
+See `backend/windmill-native-triggers/src/google/` for the reference implementation.
+
+### Skipping update+get After Create (Google Pattern)
+
+Override `service_config_from_create_response()` to return `Some(config)` when the external_id is known before the create call:
+
+```rust
+fn service_config_from_create_response(
+    &self,
+    data: &NativeTriggerData<Self::ServiceConfig>,
+    resp: &Self::CreateResponse,
+) -> Option<serde_json::Value> {
+    // Clone input config, add metadata from response
+    let mut config = data.service_config.clone();
+    config.google_resource_id = Some(resp.resource_id.clone());
+    config.expiration = Some(resp.expiration.clone());
+    Some(serde_json::to_value(&config).unwrap())
+}
+```
+
+### Services with Absolute OAuth Endpoints (Google)
+
+Unlike self-hosted services where OAuth endpoints are relative paths appended to `base_url`, services like Google have absolute URLs:
+
+```rust
+// Nextcloud: relative paths
+ServiceName::Nextcloud => "/apps/oauth2/api/v1/token",
+// Google: absolute URLs
+ServiceName::Google => "https://oauth2.googleapis.com/token",
+```
+
+The `resolve_endpoint()` function handles both. For services with absolute endpoints:
+- `base_url` can be empty
+- `requiresBaseUrl: false` in the frontend workspace integration config
+- Add `extra_auth_params()` if needed (Google requires `access_type=offline` and `prompt=consent`)
+
+### Channel-Based Push Notifications with Renewal (Google Pattern)
+
+For services using expiring watch channels instead of persistent webhooks:
+
+1. Store expiration in `service_config` (as part of `ServiceConfig`)
+2. In `maintain_triggers()`, implement renewal logic instead of using `reconcile_with_external_state()`:
+   ```rust
+   async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors) {
+       for trigger in triggers {
+           if should_renew_channel(trigger) {
+               self.renew_channel(db, trigger, oauth_data).await;
+           }
+       }
+   }
+   ```
+3. Renewal: best-effort stop old channel, create new one with same external_id, update service_config with new expiration
+4. Google example: Drive channels expire in 24h (renew when <1h left), Calendar channels expire in 7 days (renew when <1 day left)
+
+### reconcile_with_external_state (Nextcloud Pattern)
+
+The reusable function in `sync.rs` compares external triggers with DB state:
+- Triggers missing externally: sets error "Trigger no longer exists on external service"
+- Triggers present externally: clears errors, updates service_config if it differs
+
+Usage in `maintain_triggers()`:
+```rust
+let external_pairs: Vec<(String, serde_json::Value)> = /* fetch from external */;
+crate::sync::reconcile_with_external_state(
+    db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
+).await;
+```
+
+### Webhook Payload Processing
+
+Override `prepare_webhook()` to parse service-specific payloads into script/flow args:
+
+```rust
+async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned> {
+    let mut args = HashMap::new();
+    args.insert("event_type".to_string(), Box::new(headers.get("x-event-type").cloned()) as _);
+    args.insert("payload".to_string(), Box::new(serde_json::from_str::<serde_json::Value>(&body)?) as _);
+    Ok(PushArgsOwned { extra: None, args })
+}
+```
+
+Then register in `prepare_native_trigger_args()` in `lib.rs`:
+```rust
+pub async fn prepare_native_trigger_args(service_name, db, w_id, headers, body) -> Result<Option<PushArgsOwned>> {
+    match service_name {
+        ServiceName::Google => { /* ... */ Ok(Some(args)) }
+        ServiceName::NewService => { /* ... */ Ok(Some(args)) }
+        ServiceName::Nextcloud => Ok(None), // Uses default body parsing
+    }
+}
+```
+
+### Instance-Level OAuth Credentials
+
+When `workspace_integrations.oauth_data.instance_shared == true`, `decrypt_oauth_data()` reads `client_id` and `client_secret` from instance-level global settings instead of workspace-level. This allows admins to share OAuth app credentials across workspaces.
+
+The frontend handles this via the `generate_instance_connect_url` endpoint in `workspace_integrations.rs`.
+
+---
+
+## Testing Checklist
+
+- [ ] Database migration runs successfully
+- [ ] `cargo check -p windmill-native-triggers --features native_trigger` passes
+- [ ] `npx svelte-check --threshold error` passes (in frontend/)
+- [ ] Service appears in workspace integrations list
+- [ ] OAuth flow completes successfully
+- [ ] Can create a new trigger
+- [ ] Can view trigger details
+- [ ] Can update trigger configuration
+- [ ] Can delete trigger
+- [ ] Webhook receives and processes payloads
+- [ ] Background sync works correctly (reconciliation or channel renewal)
+- [ ] Error handling works (expired tokens, service unavailable)
+
+---
+
+## Reference Implementations
+
+### Nextcloud (Self-Hosted, Update+Get Pattern)
+
+| File | Purpose |
+|------|---------|
+| `nextcloud/mod.rs` | Types: NextCloudOAuthData, NextcloudServiceConfig, NextCloudTriggerData |
+| `nextcloud/external.rs` | External trait: uses update+get pattern, reconcile_with_external_state for sync |
+| `nextcloud/routes.rs` | Additional route: `GET /events` |
+
+Key patterns: relative OAuth endpoints, base_url required, list_all + reconcile for sync, update returns JSON from get().
+
+### Google (Cloud, Unified Service, Short Create)
+
+| File | Purpose |
+|------|---------|
+| `google/mod.rs` | Types: GoogleServiceConfig with trigger_type discriminator, GoogleTriggerType enum |
+| `google/external.rs` | External trait: overrides service_config_from_create_response, channel renewal for sync |
+| `google/routes.rs` | Additional routes: `GET /calendars`, `GET /drive/files`, `GET /drive/shared_drives` |
+
+Key patterns: absolute OAuth endpoints, empty base_url, trigger_type for Drive/Calendar, expiring watch channels with renewal, service_config_from_create_response skips update+get, get() reconstructs data from stored service_config (no external "get channel" API).

.agents/skills/pr/SKILL.md

@@ -0,0 +1,109 @@
+---
+name: pr
+description: Open a draft pull request on GitHub. MUST use when you want to create/open a PR.
+---
+
+# Pull Request Skill
+
+Create a draft pull request with a clear title and explicit description of changes.
+
+## Instructions
+
+1. **Analyze branch changes**: Understand all commits since diverging from main
+2. **Push to remote**: Ensure all commits are pushed
+3. **Create draft PR**: Always open as draft for review before merging
+
+## PR Title Format
+
+Follow conventional commit format for the PR title:
+```
+<type>: <description>
+```
+
+### Types
+- `feat`: New feature or capability
+- `fix`: Bug fix
+- `refactor`: Code restructuring
+- `docs`: Documentation changes
+- `chore`: Maintenance tasks
+- `perf`: Performance improvements
+
+### Title Rules
+- Keep under 70 characters
+- Use lowercase, imperative mood
+- No period at the end
+- If `*_ee.rs` files were modified, prefix with `[ee]`: `[ee] <type>: <description>`
+
+## PR Body Format
+
+The body MUST be explicit about what changed. Structure:
+
+```markdown
+## Summary
+<Clear description of what this PR does and why>
+
+## Changes
+- <Specific change 1>
+- <Specific change 2>
+- <Specific change 3>
+
+## Test plan
+- [ ] <How to verify change 1>
+- [ ] <How to verify change 2>
+
+---
+Generated with [Claude Code](https://claude.com/claude-code)
+```
+
+## Execution Steps
+
+1. Run `git status` to check for uncommitted changes
+2. Run `git log main..HEAD --oneline` to see all commits in this branch
+3. Run `git diff main...HEAD` to see the full diff against main
+4. Check if remote branch exists and is up to date:
+   ```bash
+   git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null || echo "no upstream"
+   ```
+5. Push to remote if needed: `git push -u origin HEAD`
+6. Create draft PR using gh CLI:
+   ```bash
+   gh pr create --draft --title "<type>: <description>" --body "$(cat <<'EOF'
+   ## Summary
+   <description>
+
+   ## Changes
+   - <change 1>
+   - <change 2>
+
+   ## Test plan
+   - [ ] <test 1>
+   - [ ] <test 2>
+
+   ---
+   Generated with [Claude Code](https://claude.com/claude-code)
+   EOF
+   )"
+   ```
+7. Return the PR URL to the user
+
+## EE Companion PR (when `*_ee.rs` files were modified)
+
+The `*_ee.rs` files in the windmill repo are **symlinks** to `windmill-ee-private` — changes won't appear in `git diff` of the windmill repo. Instead, check the EE repo for uncommitted or unpushed changes.
+
+Follow the full EE PR workflow in `docs/enterprise.md`. The key PR-specific details:
+
+1. Find the EE repo/worktree: see "Finding the EE Repo" in `docs/enterprise.md`
+2. Check for changes: `git -C <ee-path> status --short`
+   - If there are no changes in the EE repo, skip this entire section
+3. Follow steps 1–5 from the "EE PR Workflow" in `docs/enterprise.md`
+4. Create the companion PR (title does NOT get the `[ee]` prefix):
+   ```bash
+   gh pr create --draft --repo windmill-labs/windmill-ee-private --title "<type>: <description>" --body "$(cat <<'EOF'
+   Companion PR for windmill-labs/windmill#<PR_NUMBER>
+
+   ---
+   Generated with [Claude Code](https://claude.com/claude-code)
+   EOF
+   )"
+   ```
+5. Commit `ee-repo-ref.txt` and push the updated windmill branch

.agents/skills/refine/SKILL.md

@@ -0,0 +1,38 @@
+---
+name: refine
+description: End-of-session reflection. Reviews friction encountered during the session and proposes updates to docs/ to capture lessons learned.
+---
+
+# Refine Skill
+
+Reflect on the current session and update documentation with lessons learned.
+
+## Instructions
+
+1. **Identify friction**: Review what happened in this session:
+   - Run `git diff main...HEAD --stat` to see what files were touched
+   - Think about: what was slow, what failed, what required multiple attempts, what information was missing or hard to find
+
+2. **Read current docs**: Read the docs that were relevant to this session:
+   - `docs/validation.md`
+   - `docs/enterprise.md`
+   - `docs/autonomous-mode.md`
+   - Any skills that were invoked
+
+3. **Propose updates**: For each piece of friction, decide if it warrants a doc update:
+   - **Missing knowledge**: Information you had to discover that should be documented
+   - **Wrong guidance**: Instructions that led you astray
+   - **Missing validation rule**: A check that should be in the validation matrix
+   - **New pattern**: A codebase pattern worth capturing for next time
+
+4. **Apply updates**: Edit the relevant `docs/` files. Keep changes minimal and specific — add only what would have saved time this session.
+
+5. **Report**: Summarize what was added/changed and why.
+
+## Rules
+
+- Only add knowledge confirmed by this session — no speculative additions
+- Keep docs concise — add a line or two, not a paragraph
+- If a whole new doc is needed, create it in `docs/` and add a pointer in `CLAUDE.md`
+- Don't update skills unless a coding pattern was genuinely wrong
+- Don't add things Claude already knows — only Windmill-specific knowledge

.agents/skills/rust-backend/SKILL.md

@@ -0,0 +1,107 @@
+---
+name: rust-backend
+description: Rust coding guidelines for the Windmill backend. MUST use when writing or modifying Rust code in the backend directory.
+---
+
+# Windmill Rust Patterns
+
+Apply these Windmill-specific patterns when writing Rust code in `backend/`.
+
+## Error Handling
+
+Use `Error` from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>`:
+
+```rust
+use windmill_common::error::{Error, Result};
+
+pub async fn get_job(db: &DB, id: Uuid) -> Result<Job> {
+    sqlx::query_as!(Job, "SELECT id, workspace_id FROM v2_job WHERE id = $1", id)
+        .fetch_optional(db)
+        .await?
+        .ok_or_else(|| Error::NotFound("job not found".to_string()))?;
+}
+```
+
+Never panic in library code. Reserve `.unwrap()` for compile-time guarantees.
+
+## SQLx Patterns
+
+**Never use `SELECT *`** — always list columns explicitly. Critical for backwards compatibility when workers lag behind API version:
+
+```rust
+// Correct
+sqlx::query_as!(Job, "SELECT id, workspace_id, path FROM v2_job WHERE id = $1", id)
+
+// Wrong — breaks when columns are added
+sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", id)
+```
+
+Use batch operations to avoid N+1:
+
+```rust
+// Preferred — single query with IN clause
+sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
+```
+
+Use transactions for multi-step operations. Parameterize all queries.
+
+## JSON Handling
+
+Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when storing/passing JSON without inspection:
+
+```rust
+pub struct Job {
+    pub args: Option<Box<serde_json::value::RawValue>>,
+}
+```
+
+Only use `serde_json::Value` when you need to inspect or modify the JSON.
+
+## Serde Optimizations
+
+```rust
+#[derive(Serialize, Deserialize)]
+pub struct Job {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub parent_job: Option<Uuid>,
+    #[serde(skip_serializing_if = "Vec::is_empty")]
+    pub tags: Vec<String>,
+    #[serde(default)]
+    pub priority: i32,
+}
+```
+
+## Async & Concurrency
+
+Never block the async runtime. Use `spawn_blocking` for CPU-intensive work:
+
+```rust
+let result = tokio::task::spawn_blocking(move || expensive_computation(&data)).await?;
+```
+
+**Mutex selection**: Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) for data protection. Only use `tokio::sync::Mutex` when holding locks across `.await` points.
+
+Use `tokio::sync::mpsc` (bounded) for channels. Avoid `std::thread::sleep` in async contexts.
+
+## Module Structure & Visibility
+
+- Use `pub(crate)` instead of `pub` when possible
+- Place new code in the appropriate crate based on functionality
+- API endpoints go in `windmill-api/src/` organized by domain
+- Shared functionality goes in `windmill-common/src/`
+
+## Code Navigation
+
+Always use rust-analyzer LSP for go-to-definition, find-references, and type info. Do not guess at module paths.
+
+## Axum Handlers
+
+Destructure extractors directly in function signatures:
+
+```rust
+async fn process_job(
+    Extension(db): Extension<DB>,
+    Path((workspace, job_id)): Path<(String, Uuid)>,
+    Query(pagination): Query<Pagination>,
+) -> Result<Json<Job>> { ... }
+```

.agents/skills/svelte-frontend/SKILL.md

@@ -0,0 +1,80 @@
+---
+name: svelte-frontend
+description: Svelte coding guidelines for the Windmill frontend. MUST use when writing or modifying code in the frontend directory.
+---
+
+# Windmill Svelte Patterns
+
+Apply these Windmill-specific patterns when writing Svelte code in `frontend/`. For general Svelte 5 syntax (runes, snippets, event handling), use the Svelte MCP server.
+
+## Windmill UI Components (MUST use)
+
+Always use Windmill's design-system components. Never use raw HTML elements.
+
+### Buttons — `<Button>`
+
+```svelte
+<script>
+  import { Button } from '$lib/components/common'
+  import { ChevronLeft } from 'lucide-svelte'
+</script>
+
+<Button variant="default" onclick={handleClick}>Label</Button>
+<Button startIcon={{ icon: ChevronLeft }} iconOnly onclick={prev} />
+```
+
+Props: `variant?: 'accent' | 'accent-secondary' | 'default' | 'subtle'`, `unifiedSize?: 'sm' | 'md' | 'lg'`, `startIcon?: { icon: SvelteComponent }`, `iconOnly?: boolean`, `disabled?: boolean`
+
+### Text inputs — `<TextInput>`
+
+```svelte
+<script>
+  import { TextInput } from '$lib/components/common'
+</script>
+
+<TextInput bind:value={val} placeholder="Enter value" />
+```
+
+Props: `value?: string | number` (bindable), `placeholder?: string`, `disabled?: boolean`, `error?: string | boolean`, `size?: 'sm' | 'md' | 'lg'`
+
+### Selects — `<Select>`
+
+```svelte
+<script>
+  import Select from '$lib/components/select/Select.svelte'
+</script>
+
+<Select items={[{ label: 'Jan', value: 1 }]} bind:value={selected} />
+```
+
+Props: `items?: Array<{ label?: string; value: any }>`, `value` (bindable), `placeholder?: string`, `clearable?: boolean`, `size?: 'sm' | 'md' | 'lg'`
+
+### Icons — `lucide-svelte`
+
+Never write inline SVGs. Import from `lucide-svelte`:
+
+```svelte
+<script>
+  import { ChevronLeft, X } from 'lucide-svelte'
+</script>
+<ChevronLeft size={16} />
+```
+
+## Form Components
+
+Form components (TextInput, Toggle, Select, etc.) should use the unified size system when placed together.
+
+## Styling
+
+- Use Tailwind CSS for all styling — no custom CSS
+- Use Windmill's theming classes for colors/surfaces (see `frontend/brand-guidelines.md`)
+- Read component props JSDoc before using them
+
+## Svelte MCP Server
+
+Use the Svelte MCP tools when working on Svelte code:
+
+1. **list-sections**: Call first to discover available docs
+2. **get-documentation**: Fetch relevant sections based on use_cases
+3. **svelte-autofixer**: MUST use on all Svelte code before finalizing — keep calling until no issues
+4. **playground-link**: Only after user confirms and code was NOT written to project files

.github/workflows/claude.yml

@@ -13,10 +13,10 @@ on:
 jobs:
   check-membership:
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai')) ||
-      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai'))
+      (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/ai') && !startsWith(github.event.comment.body, '/ai-fast')) ||
+      (github.event_name == 'pull_request_review_comment' && startsWith(github.event.comment.body, '/ai') && !startsWith(github.event.comment.body, '/ai-fast')) ||
+      (github.event_name == 'pull_request_review' && startsWith(github.event.review.body, '/ai') && !startsWith(github.event.review.body, '/ai-fast')) ||
+      (github.event_name == 'issues' && startsWith(github.event.issue.body, '/ai') && !startsWith(github.event.issue.body, '/ai-fast'))
     uses: ./.github/workflows/check-org-membership.yml
     secrets:
       access_token: ${{ secrets.ORG_ACCESS_TOKEN }}

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [1.662.0](https://github.com/windmill-labs/windmill/compare/v1.661.0...v1.662.0) (2026-03-20)
+
+
+### Features
+
+* mcp oauth gateway ([#8443](https://github.com/windmill-labs/windmill/issues/8443)) ([51957f7](https://github.com/windmill-labs/windmill/commit/51957f7d921b624fc132ca9ea03cdd30a5810e51))
+
+
+### Bug Fixes
+
+* replace email with permissioned_as for triggers/schedules ([#8439](https://github.com/windmill-labs/windmill/issues/8439)) ([efb4a27](https://github.com/windmill-labs/windmill/commit/efb4a27d5181bf9db3deb5e8100ec60adbe45e7f))
+* strip invalid enum values from MCP schemas ([#8462](https://github.com/windmill-labs/windmill/issues/8462)) ([88ad376](https://github.com/windmill-labs/windmill/commit/88ad3767916b86c4e0b272d040ee0b75a0580d76))
+
 ## [1.661.0](https://github.com/windmill-labs/windmill/compare/v1.660.1...v1.661.0) (2026-03-19)
 
 

backend/.sqlx/query-02748cae17e8966dbd57a33017ccb747c84fcc12fbfd93c6c749570b94d35696.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, email, server_id, error\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, permissioned_as, server_id, error\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -18,5 +18,5 @@
     },
     "nullable": []
   },
-  "hash": "1d4bb4f53574ef95ef1016b760f849ec2372ac6a21bb2556d17a96dc72ea4980"
+  "hash": "02748cae17e8966dbd57a33017ccb747c84fcc12fbfd93c6c749570b94d35696"
 }

backend/.sqlx/query-02e04f9ebc0e14f98f290bf2dc3eb00bc613ba7d29f8dd5ff31a4acd0ef3adfd.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO websocket_trigger (\n                path, url, script_path, is_flow, workspace_id,\n                edited_by, email, mode\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8::trigger_mode)\n            ",
+  "query": "\n            INSERT INTO websocket_trigger (\n                path, url, script_path, is_flow, workspace_id,\n                edited_by, permissioned_as, mode\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8::trigger_mode)\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -28,5 +28,5 @@
     },
     "nullable": []
   },
-  "hash": "7c1ae9cac13d1387cfa94149f039054dd8c30c16b4657e73cdb0d7c7f1cb3b6d"
+  "hash": "02e04f9ebc0e14f98f290bf2dc3eb00bc613ba7d29f8dd5ff31a4acd0ef3adfd"
 }

backend/.sqlx/query-066c9690d1606bf889879b7e3c686529c37db0d5f18c83706bfbc63c8c3e4315.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -18,5 +18,5 @@
     },
     "nullable": []
   },
-  "hash": "1cad2ebfbdc46f9c0d93329897a71701f17a33b708b334d909563c9a0dcc9c23"
+  "hash": "066c9690d1606bf889879b7e3c686529c37db0d5f18c83706bfbc63c8c3e4315"
 }

backend/.sqlx/query-07168aaf14cb6beff0ad4274b441f7f387f5055c47f493271d26731336257384.json

@@ -46,11 +46,11 @@
       ]
     },
     "nullable": [
-      true,
-      true,
-      true,
-      true,
-      true,
+      false,
+      false,
+      false,
+      false,
+      false,
       true,
       true
     ]

backend/.sqlx/query-0f26c74f604e1c3c613de8ba654cac1a41b20b1d3ea0f1a1c4ea2fcbbd314d7e.json

@@ -0,0 +1,35 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT email, permissioned_as, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "email",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 1,
+        "name": "permissioned_as",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 2,
+        "name": "edited_by",
+        "type_info": "Varchar"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "0f26c74f604e1c3c613de8ba654cac1a41b20b1d3ea0f1a1c4ea2fcbbd314d7e"
+}

backend/.sqlx/query-13d60d85694b5a5fcfc7687a07b78a54ff53245271466b1f3a9d9edf43cdaa1f.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO http_trigger (\n                path, route_path, route_path_key, script_path, is_flow,\n                workspace_id, edited_by, email, http_method,\n                authentication_method, is_static_website, workspaced_route,\n                wrap_body, raw_string\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                    $10::authentication_method, $11, $12, $13, $14)\n            ",
+  "query": "\n            INSERT INTO http_trigger (\n                path, route_path, route_path_key, script_path, is_flow,\n                workspace_id, edited_by, permissioned_as, http_method,\n                authentication_method, is_static_website, workspaced_route,\n                wrap_body, raw_string\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                    $10::authentication_method, $11, $12, $13, $14)\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -50,5 +50,5 @@
     },
     "nullable": []
   },
-  "hash": "6afa076744233fc5e92188ff978990fa3a704afe3eec523f4e203f7f6e247261"
+  "hash": "13d60d85694b5a5fcfc7687a07b78a54ff53245271466b1f3a9d9edf43cdaa1f"
 }

backend/.sqlx/query-1b7803a2060a19cb6e71f1e97619891ea8449b4a9433908cf717738846f7eec5.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                UPDATE email_trigger\n                SET\n                    script_path = $1,\n                    path = $2,\n                    is_flow = $3,\n                    local_part = $4,\n                    workspaced_local_part = $5,\n                    edited_by = $6,\n                    email = $7,\n                    edited_at = now(),\n                    error_handler_path = $8,\n                    error_handler_args = $9,\n                    retry = $10,\n                    mode = $11\n                WHERE\n                    workspace_id = $12 AND path = $13\n                ",
+  "query": "\n                UPDATE email_trigger\n                SET\n                    script_path = $1,\n                    path = $2,\n                    is_flow = $3,\n                    local_part = $4,\n                    workspaced_local_part = $5,\n                    edited_by = $6,\n                    permissioned_as = $7,\n                    edited_at = now(),\n                    error_handler_path = $8,\n                    error_handler_args = $9,\n                    retry = $10,\n                    mode = $11\n                WHERE\n                    workspace_id = $12 AND path = $13\n                ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -33,5 +33,5 @@
     },
     "nullable": []
   },
-  "hash": "388ff2abd495cf71e87cf0c4ddc73b6c84867fb966df91b320c54acdd5e61315"
+  "hash": "1b7803a2060a19cb6e71f1e97619891ea8449b4a9433908cf717738846f7eec5"
 }

backend/.sqlx/query-1cb21a66ffc89ebe53fd8f58690eec4cf11cb4b7816738202b474e8d3ffef427.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            route_path,\n            http_method AS \"http_method: _\",\n            request_type AS \"request_type: _\",\n            workspaced_route,\n            summary,\n            description,\n            authentication_method AS \"authentication_method: _\",\n            authentication_resource_path\n        FROM\n            http_trigger\n        WHERE\n           path ~ ANY($1) AND\n           route_path ~ ANY($2) AND\n           workspace_id = $3\n        ",
+  "query": "\n        SELECT\n            route_path,\n            http_method AS \"http_method: _\",\n            request_type AS \"request_type: _\",\n            workspaced_route,\n            summary,\n            description,\n            authentication_method AS \"authentication_method: _\",\n            authentication_resource_path,\n            script_path,\n            is_flow,\n            wrap_body\n        FROM\n            http_trigger\n        WHERE\n           path ~ ANY($1) AND\n           route_path ~ ANY($2) AND\n           workspace_id = $3\n        ",
   "describe": {
     "columns": [
       {
@@ -80,6 +80,21 @@
         "ordinal": 7,
         "name": "authentication_resource_path",
         "type_info": "Varchar"
+      },
+      {
+        "ordinal": 8,
+        "name": "script_path",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 9,
+        "name": "is_flow",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 10,
+        "name": "wrap_body",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -97,8 +112,11 @@
       true,
       true,
       false,
-      true
+      true,
+      false,
+      false,
+      false
     ]
   },
-  "hash": "9360d00990822f153ff09c7905ae3180f07d02f38ac12d07a5664d93f160e7ee"
+  "hash": "1cb21a66ffc89ebe53fd8f58690eec4cf11cb4b7816738202b474e8d3ffef427"
 }

backend/.sqlx/query-1d2514b3d75ffb6cc0eb09ceb8fde974a07881eb08164e885448d9a17c4ca6db.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE sqs_trigger\n            SET\n                queue_url = $1,\n                aws_resource_path = $2,\n                message_attributes = $3,\n                aws_auth_resource_type = $4,\n                script_path = $5,\n                path = $6,\n                is_flow = $7,\n                edited_by = $8,\n                email = $9,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $12,\n                error_handler_args = $13,\n                retry = $14\n            WHERE\n                workspace_id = $10 AND path = $11\n            ",
+  "query": "\n            UPDATE sqs_trigger\n            SET\n                queue_url = $1,\n                aws_resource_path = $2,\n                message_attributes = $3,\n                aws_auth_resource_type = $4,\n                script_path = $5,\n                path = $6,\n                is_flow = $7,\n                edited_by = $8,\n                permissioned_as = $9,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $12,\n                error_handler_args = $13,\n                retry = $14\n            WHERE\n                workspace_id = $10 AND path = $11\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -33,5 +33,5 @@
     },
     "nullable": []
   },
-  "hash": "c723c3a5066a487b93e2642993f3bf624a1f50d06c7de75157420d97cf144763"
+  "hash": "1d2514b3d75ffb6cc0eb09ceb8fde974a07881eb08164e885448d9a17c4ca6db"
 }

backend/.sqlx/query-1e28751bb98a1c477c0e582a2a39f81bf34e2d72f35ef1ea5d8c057ec9e694d8.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO email_trigger (\n            path, local_part, workspaced_local_part, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
+  "query": "\n        INSERT INTO email_trigger (\n            path, local_part, workspaced_local_part, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -17,5 +17,5 @@
     },
     "nullable": []
   },
-  "hash": "1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77"
+  "hash": "1e28751bb98a1c477c0e582a2a39f81bf34e2d72f35ef1ea5d8c057ec9e694d8"
 }

backend/.sqlx/query-1ef63255389bdc47d5392a84aad38adf1ccc3a4923f988d8abaafc9749307c0e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, email, auto_commit\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)\n        ",
+  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as, auto_commit\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -19,5 +19,5 @@
     },
     "nullable": []
   },
-  "hash": "45fc21026fa76e5d69f00a68a7be81abb3ec627578f2d14f0ce33896dc6ab4cf"
+  "hash": "1ef63255389bdc47d5392a84aad38adf1ccc3a4923f988d8abaafc9749307c0e"
 }

backend/.sqlx/query-1f693e2fba9885f7fc49bd2994240c4421fdae4aab496a3397c5c07d960582f2.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE\n                mqtt_trigger\n            SET\n                mqtt_resource_path = $1,\n                subscribe_topics = $2,\n                client_version = $3,\n                client_id = $4,\n                v3_config = $5,\n                v5_config = $6,\n                is_flow = $7,\n                edited_by = $8,\n                email = $9,\n                script_path = $10,\n                path = $11,\n                edited_at = now(),\n                error = NULL,\n                server_id = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND\n                path = $13\n            ",
+  "query": "\n            UPDATE\n                mqtt_trigger\n            SET\n                mqtt_resource_path = $1,\n                subscribe_topics = $2,\n                client_version = $3,\n                client_id = $4,\n                v3_config = $5,\n                v5_config = $6,\n                is_flow = $7,\n                edited_by = $8,\n                permissioned_as = $9,\n                script_path = $10,\n                path = $11,\n                edited_at = now(),\n                error = NULL,\n                server_id = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND\n                path = $13\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -35,5 +35,5 @@
     },
     "nullable": []
   },
-  "hash": "e486a64b76da5de97e404c81dd6e29d333ada2dcfbbddb028f37794b85778ca8"
+  "hash": "1f693e2fba9885f7fc49bd2994240c4421fdae4aab496a3397c5c07d960582f2"
 }

backend/.sqlx/query-21d7ce033b5f67499f579aeae98806599401fcfa9765a58b8cd45a20b411d0ca.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO postgres_trigger (\n                workspace_id,\n                path,\n                postgres_resource_path,\n                replication_slot_name,\n                publication_name,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, now(), $11, $12, $13\n            )\n            ",
+  "query": "\n            INSERT INTO postgres_trigger (\n                workspace_id,\n                path,\n                postgres_resource_path,\n                replication_slot_name,\n                publication_name,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, now(), $11, $12, $13\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -33,5 +33,5 @@
     },
     "nullable": []
   },
-  "hash": "fb942aa7894b4ae904f0233405f62f201e3f5deed593128017b886342ef6d210"
+  "hash": "21d7ce033b5f67499f579aeae98806599401fcfa9765a58b8cd45a20b411d0ca"
 }

backend/.sqlx/query-25ac66a1022c41267df199a95f532b0f778c25fbe0f7a7f9734c1f7e536ed6ce.json

@@ -0,0 +1,12 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "DELETE FROM raw_script_temp WHERE created_at < NOW() - INTERVAL '1 week'",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": []
+  },
+  "hash": "25ac66a1022c41267df199a95f532b0f778c25fbe0f7a7f9734c1f7e536ed6ce"
+}

backend/.sqlx/query-270cfaea4f888e73e21a957e0328ec1f990fce409160eb7b0e807bff56defff4.json

@@ -0,0 +1,34 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT created_by, permissioned_as, permissioned_as_email\n           FROM v2_job\n           WHERE workspace_id = 'test-workspace'\n             AND trigger_kind = 'schedule'\n             AND trigger = $1\n           ORDER BY created_at DESC\n           LIMIT 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "created_by",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 1,
+        "name": "permissioned_as",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 2,
+        "name": "permissioned_as_email",
+        "type_info": "Varchar"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "270cfaea4f888e73e21a957e0328ec1f990fce409160eb7b0e807bff56defff4"
+}

backend/.sqlx/query-2d523cd0d5b7107b15846b885fa40af492d4c8a8871cef972980150f319fe6ff.json

@@ -0,0 +1,16 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO raw_script_temp (workspace_id, hash, content, created_at)\n         VALUES ($1, $2, $3, NOW())\n         ON CONFLICT (workspace_id, hash) DO UPDATE SET created_at = NOW()",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Bpchar",
+        "Text"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "2d523cd0d5b7107b15846b885fa40af492d4c8a8871cef972980150f319fe6ff"
+}

backend/.sqlx/query-32ca7941db013dacd2479962fa9ed5c8c64daec45ba820a6c8f7d7ab76cc40c9.json

@@ -0,0 +1,28 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT parent_job, flow_step_id FROM v2_job WHERE id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "parent_job",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 1,
+        "name": "flow_step_id",
+        "type_info": "Varchar"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      true,
+      true
+    ]
+  },
+  "hash": "32ca7941db013dacd2479962fa9ed5c8c64daec45ba820a6c8f7d7ab76cc40c9"
+}

backend/.sqlx/query-372ec62fad93831b00d44f6c52a148b6bfa6008e49b2a80bec06c76d9432ec77.json

@@ -0,0 +1,29 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT\n                f.schema AS \"schema: serde_json::Value\",\n                fv.value->>'preprocessor_module' IS NOT NULL AS \"has_preprocessor: bool\"\n            FROM flow f\n            LEFT JOIN flow_version fv ON fv.id = f.versions[array_length(f.versions, 1)]\n                AND fv.workspace_id = f.workspace_id\n            WHERE f.path = $1 AND f.workspace_id = $2 AND NOT f.archived",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "schema: serde_json::Value",
+        "type_info": "Json"
+      },
+      {
+        "ordinal": 1,
+        "name": "has_preprocessor: bool",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      true,
+      null
+    ]
+  },
+  "hash": "372ec62fad93831b00d44f6c52a148b6bfa6008e49b2a80bec06c76d9432ec77"
+}

backend/.sqlx/query-39062cdb183b97906c25602000321a76d4e629ba027364190a2487cc9bd93235.json

@@ -1,11 +1,11 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT email, edited_by FROM websocket_trigger WHERE path = $1 AND workspace_id = $2",
+  "query": "SELECT permissioned_as, edited_by FROM websocket_trigger WHERE path = $1 AND workspace_id = $2",
   "describe": {
     "columns": [
       {
         "ordinal": 0,
-        "name": "email",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
@@ -25,5 +25,5 @@
       false
     ]
   },
-  "hash": "075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a"
+  "hash": "39062cdb183b97906c25602000321a76d4e629ba027364190a2487cc9bd93235"
 }

backend/.sqlx/query-3aa3d0362fa8ed97dd034454b05f14880c9bb43d0c3ce4ea9b4511aa2d092d0c.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO email_trigger (\n                workspace_id,\n                path,\n                script_path,\n                is_flow,\n                local_part,\n                workspaced_local_part,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry,\n                mode\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, now(), $9, $10, $11, $12\n            )\n            ",
+  "query": "\n            INSERT INTO email_trigger (\n                workspace_id,\n                path,\n                script_path,\n                is_flow,\n                local_part,\n                workspaced_local_part,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry,\n                mode\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, now(), $9, $10, $11, $12\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -32,5 +32,5 @@
     },
     "nullable": []
   },
-  "hash": "3d763dbb411e28ce026cc9ab525b20b409cfe17bf1cdef22aaffc719cf6c53e3"
+  "hash": "3aa3d0362fa8ed97dd034454b05f14880c9bb43d0c3ce4ea9b4511aa2d092d0c"
 }

backend/.sqlx/query-41ad9954bebe31b0545837147b1616da2e6743f3a45775cd556a7414bc8f9726.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO http_trigger (\n                workspace_id,\n                path,\n                route_path,\n                route_path_key,\n                workspaced_route,\n                authentication_resource_path,\n                wrap_body,\n                raw_string,\n                script_path,\n                summary,\n                description,\n                is_flow,\n                mode,\n                request_type,\n                authentication_method,\n                http_method,\n                static_asset_config,\n                edited_by,\n                email,\n                edited_at,\n                is_static_website,\n                error_handler_path,\n                error_handler_args,\n                retry\n            )\n            VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, now(), $20, $21, $22, $23\n            )\n            ",
+  "query": "\n            INSERT INTO http_trigger (\n                workspace_id,\n                path,\n                route_path,\n                route_path_key,\n                workspaced_route,\n                authentication_resource_path,\n                wrap_body,\n                raw_string,\n                script_path,\n                summary,\n                description,\n                is_flow,\n                mode,\n                request_type,\n                authentication_method,\n                http_method,\n                static_asset_config,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                is_static_website,\n                error_handler_path,\n                error_handler_args,\n                retry\n            )\n            VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, now(), $20, $21, $22, $23\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -81,5 +81,5 @@
     },
     "nullable": []
   },
-  "hash": "ee9ee0fbf5dd72d190e18c56622244b984fdb36fbf70197d9f8cb6306c9670db"
+  "hash": "41ad9954bebe31b0545837147b1616da2e6743f3a45775cd556a7414bc8f9726"
 }

backend/.sqlx/query-4461fe84370e7f07b4423ea5e71b913dd6ee9c655f9ec7087cc0fec9b9c3099a.json

@@ -0,0 +1,27 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n        WITH step_index AS (\n            SELECT idx::text AS idx\n            FROM v2_job_status,\n                 jsonb_array_elements(flow_status->'modules') WITH ORDINALITY arr(elem, idx)\n            WHERE id = $1\n              AND elem->>'id' = $5\n            LIMIT 1\n        ), completed AS (\n            INSERT INTO v2_job_completed\n                (workspace_id, id, started_at, duration_ms, result,\n                 flow_status, workflow_as_code_status, status, worker)\n            SELECT\n                q.workspace_id, q.id, q.started_at,\n                (EXTRACT('epoch' FROM now()) - EXTRACT('epoch' FROM COALESCE(q.started_at, now()))) * 1000,\n                $3::text::jsonb,\n                CASE WHEN si.idx IS NOT NULL\n                    THEN jsonb_set(\n                        s.flow_status,\n                        ARRAY['modules', (si.idx::int - 1)::text],\n                        $6::jsonb\n                    )\n                    ELSE s.flow_status\n                END,\n                s.workflow_as_code_status,\n                'skipped'::job_status,\n                q.worker\n            FROM v2_job_queue q\n            LEFT JOIN v2_job_status s ON s.id = q.id\n            LEFT JOIN step_index si ON true\n            WHERE q.id = $1\n            ON CONFLICT (id) DO UPDATE SET status = EXCLUDED.status, result = EXCLUDED.result\n            RETURNING 1 AS x\n        ), _deleted AS (\n            DELETE FROM v2_job_queue WHERE id = $1\n        ), _logged AS (\n            INSERT INTO job_logs (logs, job_id, workspace_id)\n            VALUES ($4, $1, $2)\n            ON CONFLICT (job_id) DO UPDATE SET logs = concat(job_logs.logs, EXCLUDED.logs)\n        )\n        SELECT x FROM completed\n        ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "x",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Varchar",
+        "Text",
+        "Text",
+        "Text",
+        "Jsonb"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "4461fe84370e7f07b4423ea5e71b913dd6ee9c655f9ec7087cc0fec9b9c3099a"
+}

backend/.sqlx/query-4538bea4159677d8e653159d7d01649cae08e6ffef668a7cbac49b312bf30766.json

@@ -0,0 +1,16 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO v2_job (id, kind, tag, created_by, permissioned_as, permissioned_as_email, workspace_id, parent_job)\n             VALUES ($1, 'noop', 'deno', 'test-user', 'u/test-user', 'test@windmill.dev', $2, $3)",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Varchar",
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "4538bea4159677d8e653159d7d01649cae08e6ffef668a7cbac49b312bf30766"
+}

backend/.sqlx/query-45de6be332f4ec89482782e3b1640649ed1a6f6d4f1e1b636c71bdd36c31b618.json

@@ -0,0 +1,35 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n            INSERT INTO debounce_key (job_id, key)\n            VALUES ($1, $2)\n            ON CONFLICT (key)\n            DO UPDATE SET\n                previous_job_id = debounce_key.job_id,\n                job_id = EXCLUDED.job_id,\n                debounced_times = debounce_key.debounced_times + 1\n            RETURNING\n                debounced_times,\n                first_started_at,\n                previous_job_id AS job_id_to_debounce\n            ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "debounced_times",
+        "type_info": "Int4"
+      },
+      {
+        "ordinal": 1,
+        "name": "first_started_at",
+        "type_info": "Timestamptz"
+      },
+      {
+        "ordinal": 2,
+        "name": "job_id_to_debounce",
+        "type_info": "Uuid"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Varchar"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      true
+    ]
+  },
+  "hash": "45de6be332f4ec89482782e3b1640649ed1a6f6d4f1e1b636c71bdd36c31b618"
+}

backend/.sqlx/query-4615b37cb848f9589622426d291c721e532b230c527deb701e24605c7027e38b.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \n                    path,\n                    summary,\n                    description\n                FROM\n                    flow\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
+  "query": "SELECT\n                    path,\n                    summary,\n                    description\n                FROM\n                    flow\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
   "describe": {
     "columns": [
       {
@@ -31,5 +31,5 @@
       false
     ]
   },
-  "hash": "33367c42e87e78ae987c0966dc4d445c5eff75b2e2843ffd7a46b03cbaea9ae8"
+  "hash": "4615b37cb848f9589622426d291c721e532b230c527deb701e24605c7027e38b"
 }

backend/.sqlx/query-4ba114f54ed88c27dd4aed05a273c91e98913397b310ff760c1dbb9077764e9b.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE nats_trigger\n            SET\n                nats_resource_path = $1,\n                subjects = $2,\n                stream_name = $3,\n                consumer_name = $4,\n                use_jetstream = $5,\n                script_path = $6,\n                path = $7,\n                is_flow = $8,\n                edited_by = $9,\n                email = $10,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $13,\n                error_handler_args = $14,\n                retry = $15\n            WHERE\n                workspace_id = $11 AND path = $12\n            ",
+  "query": "\n            UPDATE nats_trigger\n            SET\n                nats_resource_path = $1,\n                subjects = $2,\n                stream_name = $3,\n                consumer_name = $4,\n                use_jetstream = $5,\n                script_path = $6,\n                path = $7,\n                is_flow = $8,\n                edited_by = $9,\n                permissioned_as = $10,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $13,\n                error_handler_args = $14,\n                retry = $15\n            WHERE\n                workspace_id = $11 AND path = $12\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -24,5 +24,5 @@
     },
     "nullable": []
   },
-  "hash": "9f41ea5cbe4cffa74e4a283fe8f023c813e349956487f7b6599da452c068e9b9"
+  "hash": "4ba114f54ed88c27dd4aed05a273c91e98913397b310ff760c1dbb9077764e9b"
 }

backend/.sqlx/query-54b4c762add9b1ebfdb2a6d5abd6d20e86dc0e6544f0bb22fa4ec68aa54a4dc8.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        UPDATE schedule SET\n            schedule                = $1,\n            timezone                = $2,\n            args                    = $3,\n            on_failure              = $4,\n            on_failure_times        = $5,\n            on_failure_exact        = $6,\n            on_failure_extra_args   = $7,\n            on_recovery             = $8,\n            on_recovery_times       = $9,\n            on_recovery_extra_args  = $10,\n            on_success              = $11,\n            on_success_extra_args   = $12,\n            ws_error_handler_muted  = $13,\n            retry                   = $14,\n            summary                 = $15,\n            no_flow_overlap         = $16,\n            tag                     = $17,\n            paused_until            = $18,\n            path                    = $19,\n            workspace_id            = $20,\n            cron_version            = COALESCE($21, cron_version),\n            description             = $22,\n            dynamic_skip            = $23,\n            email                   = COALESCE($24, email),\n            edited_by               = $25\n        WHERE path = $19 AND workspace_id = $20\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
+  "query": "\n        UPDATE schedule SET\n            schedule                = $1,\n            timezone                = $2,\n            args                    = $3,\n            on_failure              = $4,\n            on_failure_times        = $5,\n            on_failure_exact        = $6,\n            on_failure_extra_args   = $7,\n            on_recovery             = $8,\n            on_recovery_times       = $9,\n            on_recovery_extra_args  = $10,\n            on_success              = $11,\n            on_success_extra_args   = $12,\n            ws_error_handler_muted  = $13,\n            retry                   = $14,\n            summary                 = $15,\n            no_flow_overlap         = $16,\n            tag                     = $17,\n            paused_until            = $18,\n            path                    = $19,\n            workspace_id            = $20,\n            cron_version            = COALESCE($21, cron_version),\n            description             = $22,\n            dynamic_skip            = $23,\n            email                   = $24,\n            edited_by               = $25,\n            permissioned_as         = $26\n        WHERE path = $19 AND workspace_id = $20\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            permissioned_as,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
   "describe": {
     "columns": [
       {
@@ -65,96 +65,101 @@
       },
       {
         "ordinal": 12,
+        "name": "permissioned_as",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 13,
         "name": "error",
         "type_info": "Text"
       },
       {
-        "ordinal": 13,
+        "ordinal": 14,
         "name": "on_failure",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 14,
+        "ordinal": 15,
         "name": "on_failure_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 15,
+        "ordinal": 16,
         "name": "on_failure_exact",
         "type_info": "Bool"
       },
       {
-        "ordinal": 16,
+        "ordinal": 17,
         "name": "on_failure_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 17,
+        "ordinal": 18,
         "name": "on_recovery",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 18,
+        "ordinal": 19,
         "name": "on_recovery_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 19,
+        "ordinal": 20,
         "name": "on_recovery_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 20,
+        "ordinal": 21,
         "name": "on_success",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 21,
+        "ordinal": 22,
         "name": "on_success_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 22,
+        "ordinal": 23,
         "name": "ws_error_handler_muted",
         "type_info": "Bool"
       },
       {
-        "ordinal": 23,
+        "ordinal": 24,
         "name": "retry",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 24,
+        "ordinal": 25,
         "name": "no_flow_overlap",
         "type_info": "Bool"
       },
       {
-        "ordinal": 25,
+        "ordinal": 26,
         "name": "summary",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 26,
+        "ordinal": 27,
         "name": "description",
         "type_info": "Text"
       },
       {
-        "ordinal": 27,
+        "ordinal": 28,
         "name": "tag",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 28,
+        "ordinal": 29,
         "name": "paused_until",
         "type_info": "Timestamptz"
       },
       {
-        "ordinal": 29,
+        "ordinal": 30,
         "name": "cron_version",
         "type_info": "Text"
       },
       {
-        "ordinal": 30,
+        "ordinal": 31,
         "name": "dynamic_skip",
         "type_info": "Varchar"
       }
@@ -185,6 +190,7 @@
         "Text",
         "Varchar",
         "Varchar",
+        "Varchar",
         "Varchar"
       ]
     },
@@ -201,6 +207,7 @@
       true,
       false,
       false,
+      false,
       true,
       true,
       true,
@@ -222,5 +229,5 @@
       true
     ]
   },
-  "hash": "987d79f7c6d7bc148cc8aab67e47161cfca045966e995e28c7a7ad090cffeda0"
+  "hash": "54b4c762add9b1ebfdb2a6d5abd6d20e86dc0e6544f0bb22fa4ec68aa54a4dc8"
 }

backend/.sqlx/query-5a219a2532517869578c4504ff3153c43903f929ae5d62fbba12610f89c36d55.json

@@ -15,7 +15,7 @@
       ]
     },
     "nullable": [
-      true
+      null
     ]
   },
   "hash": "5a219a2532517869578c4504ff3153c43903f929ae5d62fbba12610f89c36d55"

backend/.sqlx/query-5efbf92ac7347e73769c66ffdc4037c7e56a5939d9ffcbee13e0264cbb2a6dfe.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE\n                http_trigger\n            SET\n                route_path = $1,\n                route_path_key = $2,\n                workspaced_route = $3,\n                wrap_body = $4,\n                raw_string = $5,\n                authentication_resource_path = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                mode = $10,\n                http_method = $11,\n                static_asset_config = $12,\n                edited_by = $13,\n                email = $14,\n                request_type = $15,\n                authentication_method = $16,\n                summary = $17,\n                description = $18,\n                edited_at = now(),\n                is_static_website = $19,\n                error_handler_path = $20,\n                error_handler_args = $21,\n                retry = $22\n            WHERE\n                workspace_id = $23 AND\n                path = $24\n            ",
+  "query": "\n            UPDATE\n                http_trigger\n            SET\n                route_path = $1,\n                route_path_key = $2,\n                workspaced_route = $3,\n                wrap_body = $4,\n                raw_string = $5,\n                authentication_resource_path = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                mode = $10,\n                http_method = $11,\n                static_asset_config = $12,\n                edited_by = $13,\n                permissioned_as = $14,\n                request_type = $15,\n                authentication_method = $16,\n                summary = $17,\n                description = $18,\n                edited_at = now(),\n                is_static_website = $19,\n                error_handler_path = $20,\n                error_handler_args = $21,\n                retry = $22\n            WHERE\n                workspace_id = $23 AND\n                path = $24\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -82,5 +82,5 @@
     },
     "nullable": []
   },
-  "hash": "2fd0d3224382b000028d98b0af4c431d3cadd54cca65d83c1ab7f2d2972e2282"
+  "hash": "5efbf92ac7347e73769c66ffdc4037c7e56a5939d9ffcbee13e0264cbb2a6dfe"
 }

backend/.sqlx/query-6009cf60c43608bb1c7924dbd0a9cdc01986d787eb24f0fffe4550d939851e22.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT debounced_times FROM debounce_key WHERE key = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "debounced_times",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "6009cf60c43608bb1c7924dbd0a9cdc01986d787eb24f0fffe4550d939851e22"
+}

backend/.sqlx/query-69b44efb0144fececccafc8a77d040649bb17e239e5afbc27b915efc4c95d54e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \n                    path,\n                    summary,\n                    description\n                FROM\n                    script\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
+  "query": "SELECT\n                    path,\n                    summary,\n                    description\n                FROM\n                    script\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
   "describe": {
     "columns": [
       {
@@ -31,5 +31,5 @@
       false
     ]
   },
-  "hash": "dc36b46b9eb80cb7c92fa72519d117eda99a6f482a073ccd36a6431ef689a3fd"
+  "hash": "69b44efb0144fececccafc8a77d040649bb17e239e5afbc27b915efc4c95d54e"
 }

backend/.sqlx/query-6cfa6b5f16207863a03b77fffbb94ae91872a207ea2362e49e100ed1f0b35198.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            gcp_resource_path,\n            script_path,\n            is_flow,\n            mode as \"mode: _\",\n            workspace_id,\n            path,\n            edited_by,\n            email,\n            delivery_config AS \"delivery_config: _\",\n            retry as \"retry: _\",\n            error_handler_path,\n            error_handler_args as \"error_handler_args: _\"\n        FROM\n            gcp_trigger\n        WHERE\n            workspace_id = $1 AND\n            path = $2 AND\n            delivery_type = 'push'::DELIVERY_MODE\n        ",
+  "query": "\n        SELECT\n            gcp_resource_path,\n            script_path,\n            is_flow,\n            mode as \"mode: _\",\n            workspace_id,\n            path,\n            edited_by,\n            permissioned_as,\n            delivery_config AS \"delivery_config: _\",\n            retry as \"retry: _\",\n            error_handler_path,\n            error_handler_args as \"error_handler_args: _\"\n        FROM\n            gcp_trigger\n        WHERE\n            workspace_id = $1 AND\n            path = $2 AND\n            delivery_type = 'push'::DELIVERY_MODE\n        ",
   "describe": {
     "columns": [
       {
@@ -51,7 +51,7 @@
       },
       {
         "ordinal": 7,
-        "name": "email",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
@@ -96,5 +96,5 @@
       true
     ]
   },
-  "hash": "1cf2eb1426e8be89c3649272103bcd029e99b029b7f1b71eda4411d1e24e790d"
+  "hash": "6cfa6b5f16207863a03b77fffbb94ae91872a207ea2362e49e100ed1f0b35198"
 }

backend/.sqlx/query-72bc0b4acb3fb155436df74b0bb11600df8e55d50fa48d21ce2c5ae82eaf9f1c.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7)\n        ",
+  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -16,5 +16,5 @@
     },
     "nullable": []
   },
-  "hash": "57b7236cae0b6a1940f4c2d4b202692450ee231488d9a55ca59ff53a6f674626"
+  "hash": "72bc0b4acb3fb155436df74b0bb11600df8e55d50fa48d21ce2c5ae82eaf9f1c"
 }

backend/.sqlx/query-7402639802ba5f286db8436d21dcce24aa615fe1db7e8b4fc468963216aab69d.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                    SELECT\n                        path,\n                        script_path,\n                        is_flow,\n                        route_path,\n                        authentication_resource_path,\n                        workspace_id,\n                        request_type AS \"request_type: _\",\n                        authentication_method  AS \"authentication_method: _\",\n                        edited_by,\n                        email,\n                        static_asset_config AS \"static_asset_config: _\",\n                        wrap_body,\n                        raw_string,\n                        workspaced_route,\n                        is_static_website,\n                        error_handler_path,\n                        error_handler_args as \"error_handler_args: _\",\n                        retry as \"retry: _\",\n                        mode as \"mode: _\"\n                    FROM\n                        http_trigger\n                    WHERE\n                        http_method = $1 AND\n                        (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                    ",
+  "query": "\n                    SELECT\n                        path,\n                        script_path,\n                        is_flow,\n                        route_path,\n                        authentication_resource_path,\n                        workspace_id,\n                        request_type AS \"request_type: _\",\n                        authentication_method  AS \"authentication_method: _\",\n                        edited_by,\n                        permissioned_as,\n                        static_asset_config AS \"static_asset_config: _\",\n                        wrap_body,\n                        raw_string,\n                        workspaced_route,\n                        is_static_website,\n                        error_handler_path,\n                        error_handler_args as \"error_handler_args: _\",\n                        retry as \"retry: _\",\n                        mode as \"mode: _\"\n                    FROM\n                        http_trigger\n                    WHERE\n                        http_method = $1 AND\n                        (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                    ",
   "describe": {
     "columns": [
       {
@@ -75,7 +75,7 @@
       },
       {
         "ordinal": 9,
-        "name": "email",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
@@ -175,5 +175,5 @@
       false
     ]
   },
-  "hash": "3cd37daa80bc3697d331c19e01a49916fc03fdf9eceff73fa153020b4a48f4a2"
+  "hash": "7402639802ba5f286db8436d21dcce24aa615fe1db7e8b4fc468963216aab69d"
 }

backend/.sqlx/query-75b9a2153ba12ef443212d83743605e0f9d8c1f0fbe3271f0e65b1dc5cd47987.json

@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO nats_trigger (path, nats_resource_path, subjects, use_jetstream, script_path, is_flow, workspace_id, edited_by, permissioned_as) VALUES ($1, $2, $3, $4, $5, false, 'test-workspace', 'test-user', 'u/test-user')",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "VarcharArray",
+        "Bool",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "75b9a2153ba12ef443212d83743605e0f9d8c1f0fbe3271f0e65b1dc5cd47987"
+}

backend/.sqlx/query-79b82ae996fba2e2ab53fcf84c108cb1ca21fbdba3373af54fadf1f4af324073.json

@@ -0,0 +1,35 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n        WITH dk AS (\n            INSERT INTO debounce_key (job_id, key)\n            VALUES ($1, $2)\n            ON CONFLICT (key)\n            DO UPDATE SET\n                previous_job_id = debounce_key.job_id,\n                job_id = EXCLUDED.job_id,\n                debounced_times = debounce_key.debounced_times + 1\n            RETURNING\n                debounced_times,\n                first_started_at,\n                previous_job_id AS job_id_to_debounce\n        ), _batch AS (\n            INSERT INTO v2_job_debounce_batch (id, debounce_batch)\n            SELECT\n                $1,\n                COALESCE(\n                    (SELECT debounce_batch FROM v2_job_debounce_batch WHERE id = dk.job_id_to_debounce LIMIT 1),\n                    nextval('debounce_batch_seq')\n                )\n            FROM dk\n        )\n        SELECT debounced_times, first_started_at, job_id_to_debounce FROM dk\n        ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "debounced_times",
+        "type_info": "Int4"
+      },
+      {
+        "ordinal": 1,
+        "name": "first_started_at",
+        "type_info": "Timestamptz"
+      },
+      {
+        "ordinal": 2,
+        "name": "job_id_to_debounce",
+        "type_info": "Uuid"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Varchar"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      true
+    ]
+  },
+  "hash": "79b82ae996fba2e2ab53fcf84c108cb1ca21fbdba3373af54fadf1f4af324073"
+}

backend/.sqlx/query-8657c21ace89a9bafe4d184b30e3fc104a2c83f698f7dd657d6e6c95c4ff1f3b.json

@@ -0,0 +1,35 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n            WITH dk AS (\n                INSERT INTO debounce_key (job_id, key)\n                VALUES ($1, $2)\n                ON CONFLICT (key)\n                DO UPDATE SET\n                    previous_job_id = debounce_key.job_id,\n                    job_id = EXCLUDED.job_id,\n                    debounced_times = debounce_key.debounced_times + 1\n                RETURNING\n                    debounced_times,\n                    first_started_at,\n                    previous_job_id AS job_id_to_debounce\n            ), _batch AS (\n                INSERT INTO v2_job_debounce_batch (id, debounce_batch)\n                SELECT\n                    $1,\n                    COALESCE(\n                        (SELECT debounce_batch FROM v2_job_debounce_batch WHERE id = dk.job_id_to_debounce LIMIT 1),\n                        nextval('debounce_batch_seq')\n                    )\n                FROM dk\n            )\n            SELECT debounced_times, first_started_at, job_id_to_debounce FROM dk\n            ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "debounced_times",
+        "type_info": "Int4"
+      },
+      {
+        "ordinal": 1,
+        "name": "first_started_at",
+        "type_info": "Timestamptz"
+      },
+      {
+        "ordinal": 2,
+        "name": "job_id_to_debounce",
+        "type_info": "Uuid"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Varchar"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      true
+    ]
+  },
+  "hash": "8657c21ace89a9bafe4d184b30e3fc104a2c83f698f7dd657d6e6c95c4ff1f3b"
+}

backend/.sqlx/query-88ec0ddcc86fb67089b551ccbce7b932800e33cd462a651f7e6716929ee9b6f2.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT content FROM raw_script_temp WHERE hash = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "content",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Bpchar"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "88ec0ddcc86fb67089b551ccbce7b932800e33cd462a651f7e6716929ee9b6f2"
+}

backend/.sqlx/query-893ff34f2b22cf89a24a0b613ed390077fe6c75f56a3419f530e542bab0fb1a4.json

@@ -1,11 +1,11 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT email, edited_by FROM http_trigger WHERE path = $1 AND workspace_id = $2",
+  "query": "SELECT permissioned_as, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
   "describe": {
     "columns": [
       {
         "ordinal": 0,
-        "name": "email",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
@@ -25,5 +25,5 @@
       false
     ]
   },
-  "hash": "8311a553c44221751ffdbbe6a997d6feba8d43292daf6c5433b66bd8450e8854"
+  "hash": "893ff34f2b22cf89a24a0b613ed390077fe6c75f56a3419f530e542bab0fb1a4"
 }

backend/.sqlx/query-8d53b0f2df5fdb6c43b9f5e92c8a97669676249dbf512ff39db94ecacc51e04e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO http_trigger (\n                path, route_path, route_path_key, script_path, is_flow,\n                workspace_id, edited_by, email, http_method,\n                authentication_method, is_static_website, workspaced_route,\n                wrap_body, raw_string, mode\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                    $10::authentication_method, $11, $12, $13, $14, $15::trigger_mode)\n            ",
+  "query": "\n            INSERT INTO http_trigger (\n                path, route_path, route_path_key, script_path, is_flow,\n                workspace_id, edited_by, permissioned_as, http_method,\n                authentication_method, is_static_website, workspaced_route,\n                wrap_body, raw_string, mode\n            )\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                    $10::authentication_method, $11, $12, $13, $14, $15::trigger_mode)\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -62,5 +62,5 @@
     },
     "nullable": []
   },
-  "hash": "57eca702e951f5303a74643c7ba64472e2c2a781fbb6366d998a0f1ca22fcdf2"
+  "hash": "8d53b0f2df5fdb6c43b9f5e92c8a97669676249dbf512ff39db94ecacc51e04e"
 }

backend/.sqlx/query-906773b0de209734e9cf9c6421d4b3bf95ed2e00ac07942d8bba2b11b8462d3b.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, edited_by, schedule, enabled,\n            script_path, is_flow, email, timezone\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, edited_by, schedule, enabled,\n            script_path, is_flow, email, timezone, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -13,10 +13,11 @@
         "Varchar",
         "Bool",
         "Varchar",
+        "Varchar",
         "Varchar"
       ]
     },
     "nullable": []
   },
-  "hash": "75ce9753a8acc8eccb3f2e0baaa5a871f866a8d21961fac8a003bc40c406ee79"
+  "hash": "906773b0de209734e9cf9c6421d4b3bf95ed2e00ac07942d8bba2b11b8462d3b"
 }

backend/.sqlx/query-909a095d679ee7b8266fc93fe0c598e4b6583daa2b0d7c593fc72ff9b8d1d06b.json

@@ -0,0 +1,29 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT\n                schema AS \"schema: serde_json::Value\",\n                has_preprocessor\n            FROM script\n            WHERE path = $1 AND workspace_id = $2\n                AND NOT archived AND NOT deleted\n            ORDER BY created_at DESC\n            LIMIT 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "schema: serde_json::Value",
+        "type_info": "Json"
+      },
+      {
+        "ordinal": 1,
+        "name": "has_preprocessor",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      true,
+      true
+    ]
+  },
+  "hash": "909a095d679ee7b8266fc93fe0c598e4b6583daa2b0d7c593fc72ff9b8d1d06b"
+}

backend/.sqlx/query-942c0abb55c910862fd45d3fa56a4eb6729f1a658101bda2d0b0fca96b3cfee5.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO websocket_trigger (\n                workspace_id,\n                path,\n                url,\n                script_path,\n                is_flow,\n                mode,\n                filters,\n                initial_messages,\n                url_runnable_args,\n                edited_by,\n                can_return_message,\n                can_return_error_result,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, now(), $14, $15, $16\n            )\n            ",
+  "query": "\n            INSERT INTO websocket_trigger (\n                workspace_id,\n                path,\n                url,\n                script_path,\n                is_flow,\n                mode,\n                filters,\n                initial_messages,\n                url_runnable_args,\n                edited_by,\n                can_return_message,\n                can_return_error_result,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, now(), $14, $15, $16\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -36,5 +36,5 @@
     },
     "nullable": []
   },
-  "hash": "e99c958628d83e3fea054eaa182b1301e0b04c7eb9801d9de13b37bd908d902f"
+  "hash": "942c0abb55c910862fd45d3fa56a4eb6729f1a658101bda2d0b0fca96b3cfee5"
 }

backend/.sqlx/query-950f364c9fa3c680eea895558a559f29220c08e94e1822e3bcb5c6ed6aa7d2bb.json

@@ -0,0 +1,46 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n        WITH RECURSIVE chain AS (\n            SELECT\n                j.id,\n                j.parent_job,\n                j.flow_step_id,\n                1 AS depth\n            FROM v2_job j\n            WHERE j.id = $1\n          UNION ALL\n            SELECT\n                pj.id,\n                pj.parent_job,\n                pj.flow_step_id,\n                c.depth + 1\n            FROM chain c\n            JOIN v2_job pj ON pj.id = c.parent_job\n            WHERE c.parent_job IS NOT NULL\n        )\n        SELECT\n            c.id,\n            c.parent_job,\n            c.flow_step_id,\n            EXISTS(SELECT 1 FROM v2_job_queue q WHERE q.id = c.parent_job) AS \"parent_in_queue!\",\n            EXISTS(\n                SELECT 1 FROM v2_job sib\n                WHERE sib.parent_job = c.parent_job\n                  AND sib.id != c.id\n                  AND sib.id IN (SELECT sq.id FROM v2_job_queue sq)\n            ) AS \"has_other_active_siblings!\"\n        FROM chain c\n        WHERE c.depth >= 1\n        ORDER BY c.depth ASC\n        ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 1,
+        "name": "parent_job",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 2,
+        "name": "flow_step_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 3,
+        "name": "parent_in_queue!",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 4,
+        "name": "has_other_active_siblings!",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      null,
+      null,
+      null,
+      null,
+      null
+    ]
+  },
+  "hash": "950f364c9fa3c680eea895558a559f29220c08e94e1822e3bcb5c6ed6aa7d2bb"
+}

backend/.sqlx/query-96f6163a164b9ffb4ec52372d7fea158db101f54f0908551b5a4f5e6655e122b.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                SELECT content FROM script WHERE path = $1 AND workspace_id = $2\n                AND archived = false ORDER BY created_at DESC LIMIT 1\n                ",
+  "query": "\n                        SELECT content FROM script WHERE path = $1 AND workspace_id = $2\n                        AND archived = false ORDER BY created_at DESC LIMIT 1\n                        ",
   "describe": {
     "columns": [
       {
@@ -19,5 +19,5 @@
       false
     ]
   },
-  "hash": "c7cae4cf872fce0a989cf89aa35929218a9d459ee1c2b36a28b110e9741ab623"
+  "hash": "96f6163a164b9ffb4ec52372d7fea158db101f54f0908551b5a4f5e6655e122b"
 }

backend/.sqlx/query-9883cff4f988767aeea7bce8b66672029b2a4c90e06c05d4356b3ec6bd8d2748.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO nats_trigger (\n            path, nats_resource_path, subjects, script_path,\n            is_flow, workspace_id, edited_by, email, use_jetstream\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO nats_trigger (\n            path, nats_resource_path, subjects, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as, use_jetstream\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -18,5 +18,5 @@
     },
     "nullable": []
   },
-  "hash": "97c60a4193a75b611db41543e7fe6da81fc631cc6ac43576f8a18afedad4d4a4"
+  "hash": "9883cff4f988767aeea7bce8b66672029b2a4c90e06c05d4356b3ec6bd8d2748"
 }

backend/.sqlx/query-a0a545fda5f3ebea0113d5daaf13358c964d9fb0f41bf2a1c834305b4d2398f2.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO kafka_trigger (\n                workspace_id,\n                path,\n                kafka_resource_path,\n                group_id,\n                topics,\n                filters,\n                auto_offset_reset,\n                auto_commit,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, now(), $14, $15, $16\n            )\n            ",
+  "query": "\n            INSERT INTO kafka_trigger (\n                workspace_id,\n                path,\n                kafka_resource_path,\n                group_id,\n                topics,\n                filters,\n                auto_offset_reset,\n                auto_commit,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, now(), $14, $15, $16\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -36,5 +36,5 @@
     },
     "nullable": []
   },
-  "hash": "5dd6315ec270c268e905262e4b0a920837354d91a0ae16b1236c1267da71765f"
+  "hash": "a0a545fda5f3ebea0113d5daaf13358c964d9fb0f41bf2a1c834305b4d2398f2"
 }

backend/.sqlx/query-a37cfc632dd37cf37c06743239b5ebc784e5da5ee25d47af187a75220d8fded7.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE kafka_trigger\n            SET\n                kafka_resource_path = $1,\n                group_id = $2,\n                topics = $3,\n                filters = $4,\n                auto_offset_reset = $5,\n                auto_commit = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                edited_by = $10,\n                email = $11,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND path = $13\n            ",
+  "query": "\n            UPDATE kafka_trigger\n            SET\n                kafka_resource_path = $1,\n                group_id = $2,\n                topics = $3,\n                filters = $4,\n                auto_offset_reset = $5,\n                auto_commit = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                edited_by = $10,\n                permissioned_as = $11,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND path = $13\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -25,5 +25,5 @@
     },
     "nullable": []
   },
-  "hash": "072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04"
+  "hash": "a37cfc632dd37cf37c06743239b5ebc784e5da5ee25d47af187a75220d8fded7"
 }

backend/.sqlx/query-a5b6ca174b7a3be1b6507ef40b9cc67d85089199c900afc6668f2336b803562e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO gcp_trigger (\n            gcp_resource_path,\n            subscription_id,\n            topic_id,\n            delivery_type,\n            delivery_config,\n            workspace_id,\n            path,\n            script_path,\n            is_flow,\n            email,\n            mode,\n            edited_by,\n            error_handler_path,\n            error_handler_args,\n            retry,\n            auto_acknowledge_msg,\n            ack_deadline\n        )\n        VALUES (\n            $1,\n            $2,\n            $3,\n            $4,\n            $5,\n            $6,\n            $7,\n            $8,\n            $9,\n            $10,\n            $11,\n            $12,\n            $13,\n            $14,\n            $15,\n            $16,\n            $17\n        )",
+  "query": "\n        INSERT INTO gcp_trigger (\n            gcp_resource_path,\n            subscription_id,\n            topic_id,\n            delivery_type,\n            delivery_config,\n            workspace_id,\n            path,\n            script_path,\n            is_flow,\n            permissioned_as,\n            mode,\n            edited_by,\n            error_handler_path,\n            error_handler_args,\n            retry,\n            auto_acknowledge_msg,\n            ack_deadline\n        )\n        VALUES (\n            $1,\n            $2,\n            $3,\n            $4,\n            $5,\n            $6,\n            $7,\n            $8,\n            $9,\n            $10,\n            $11,\n            $12,\n            $13,\n            $14,\n            $15,\n            $16,\n            $17\n        )",
   "describe": {
     "columns": [],
     "parameters": {
@@ -47,5 +47,5 @@
     },
     "nullable": []
   },
-  "hash": "aa59a96bf2d7edfa7c550e66c4d52ddc8e84eacc633e361e49a5219d0bec94b9"
+  "hash": "a5b6ca174b7a3be1b6507ef40b9cc67d85089199c900afc6668f2336b803562e"
 }

backend/.sqlx/query-a8245a3b29927c26894be884c38e4d848674d5318e20bb5fc6c4261da25744ca.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO postgres_trigger (\n            path, script_path, is_flow, workspace_id, edited_by, email,\n            postgres_resource_path, replication_slot_name, publication_name\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO postgres_trigger (\n            path, script_path, is_flow, workspace_id, edited_by, permissioned_as,\n            postgres_resource_path, replication_slot_name, publication_name\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -18,5 +18,5 @@
     },
     "nullable": []
   },
-  "hash": "0300afc35a880eef163dfdfd9d5299fac14562ee8595c792f3c30d042fa2d3eb"
+  "hash": "a8245a3b29927c26894be884c38e4d848674d5318e20bb5fc6c4261da25744ca"
 }

backend/.sqlx/query-a9c2019c7bafb172dfb353870238c02673113b806bc3c7a71354c34255ecd31c.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT scheduled_for FROM v2_job_queue WHERE id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "scheduled_for",
+        "type_info": "Timestamptz"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "a9c2019c7bafb172dfb353870238c02673113b806bc3c7a71354c34255ecd31c"
+}

backend/.sqlx/query-aa7d3d159943250787a8ebc964cb46e5fbb157d1ec0684789a8d37eff1adf9a5.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                UPDATE email_trigger\n                SET\n                    script_path = $1,\n                    path = $2,\n                    is_flow = $3,\n                    edited_by = $4,\n                    email = $5,\n                    edited_at = now(),\n                    error_handler_path = $6,\n                    error_handler_args = $7,\n                    retry = $8,\n                    mode = $9\n                WHERE\n                    workspace_id = $10 AND path = $11\n                ",
+  "query": "\n                UPDATE email_trigger\n                SET\n                    script_path = $1,\n                    path = $2,\n                    is_flow = $3,\n                    edited_by = $4,\n                    permissioned_as = $5,\n                    edited_at = now(),\n                    error_handler_path = $6,\n                    error_handler_args = $7,\n                    retry = $8,\n                    mode = $9\n                WHERE\n                    workspace_id = $10 AND path = $11\n                ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -31,5 +31,5 @@
     },
     "nullable": []
   },
-  "hash": "b5cda8eb32384f315689001f45676d4bf44cb4397dd0a722e7c9d035b58a09c1"
+  "hash": "aa7d3d159943250787a8ebc964cb46e5fbb157d1ec0684789a8d37eff1adf9a5"
 }

backend/.sqlx/query-ad96768ff61fab1cfb9421683bb13b64f5f157fafe114d50fb910dc36ebe0f91.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        UPDATE schedule SET\n            enabled = $1,\n            email = $2\n        WHERE path = $3 AND workspace_id = $4\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
+  "query": "\n        UPDATE schedule SET\n            enabled = $1,\n            email = $2\n        WHERE path = $3 AND workspace_id = $4\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            permissioned_as,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
   "describe": {
     "columns": [
       {
@@ -65,96 +65,101 @@
       },
       {
         "ordinal": 12,
+        "name": "permissioned_as",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 13,
         "name": "error",
         "type_info": "Text"
       },
       {
-        "ordinal": 13,
+        "ordinal": 14,
         "name": "on_failure",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 14,
+        "ordinal": 15,
         "name": "on_failure_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 15,
+        "ordinal": 16,
         "name": "on_failure_exact",
         "type_info": "Bool"
       },
       {
-        "ordinal": 16,
+        "ordinal": 17,
         "name": "on_failure_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 17,
+        "ordinal": 18,
         "name": "on_recovery",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 18,
+        "ordinal": 19,
         "name": "on_recovery_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 19,
+        "ordinal": 20,
         "name": "on_recovery_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 20,
+        "ordinal": 21,
         "name": "on_success",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 21,
+        "ordinal": 22,
         "name": "on_success_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 22,
+        "ordinal": 23,
         "name": "ws_error_handler_muted",
         "type_info": "Bool"
       },
       {
-        "ordinal": 23,
+        "ordinal": 24,
         "name": "retry",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 24,
+        "ordinal": 25,
         "name": "no_flow_overlap",
         "type_info": "Bool"
       },
       {
-        "ordinal": 25,
+        "ordinal": 26,
         "name": "summary",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 26,
+        "ordinal": 27,
         "name": "description",
         "type_info": "Text"
       },
       {
-        "ordinal": 27,
+        "ordinal": 28,
         "name": "tag",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 28,
+        "ordinal": 29,
         "name": "paused_until",
         "type_info": "Timestamptz"
       },
       {
-        "ordinal": 29,
+        "ordinal": 30,
         "name": "cron_version",
         "type_info": "Text"
       },
       {
-        "ordinal": 30,
+        "ordinal": 31,
         "name": "dynamic_skip",
         "type_info": "Varchar"
       }
@@ -180,6 +185,7 @@
       true,
       false,
       false,
+      false,
       true,
       true,
       true,
@@ -201,5 +207,5 @@
       true
     ]
   },
-  "hash": "7927b80ce75d99b2a30f6b29196af000578a3c166509f032d14452cc637d884f"
+  "hash": "ad96768ff61fab1cfb9421683bb13b64f5f157fafe114d50fb910dc36ebe0f91"
 }

backend/.sqlx/query-ae8d7c07a4027bccf404951e75992bf3048c58bdf6fc67cb344eeb6cf72a9156.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO http_trigger (\n            path, route_path, route_path_key, script_path, is_flow,\n            workspace_id, edited_by, email, http_method,\n            authentication_method, is_static_website, workspaced_route,\n            wrap_body, raw_string\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                $10::authentication_method, $11, $12, $13, $14)\n        ",
+  "query": "\n        INSERT INTO http_trigger (\n            path, route_path, route_path_key, script_path, is_flow,\n            workspace_id, edited_by, permissioned_as, http_method,\n            authentication_method, is_static_website, workspaced_route,\n            wrap_body, raw_string\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::http_method,\n                $10::authentication_method, $11, $12, $13, $14)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -50,5 +50,5 @@
     },
     "nullable": []
   },
-  "hash": "74c11f5a0315424574fe3e7429f967f7b94f9d9db7be628f9cb411d789085711"
+  "hash": "ae8d7c07a4027bccf404951e75992bf3048c58bdf6fc67cb344eeb6cf72a9156"
 }

backend/.sqlx/query-b1979a8249557d29e9055fde06191688f3ed0efd3a43e81f4ea296255248092c.json

@@ -0,0 +1,16 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE v2_job_status SET flow_status = (\n                    SELECT jsonb_set(\n                        flow_status,\n                        ARRAY['modules', (idx - 1)::text],\n                        $2::jsonb\n                    )\n                    FROM jsonb_array_elements(flow_status->'modules')\n                        WITH ORDINALITY arr(elem, idx)\n                    WHERE elem->>'id' = $3\n                    LIMIT 1\n                ) WHERE id = $1 AND (\n                    SELECT COUNT(*) FROM jsonb_array_elements(flow_status->'modules')\n                        WITH ORDINALITY arr(elem, idx)\n                    WHERE elem->>'id' = $3\n                ) > 0",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Jsonb",
+        "Text"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "b1979a8249557d29e9055fde06191688f3ed0efd3a43e81f4ea296255248092c"
+}

backend/.sqlx/query-b418f7ae7c0dc6fbe55a9b479e7304475fadab8613b0f541fec33a819e15807b.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT workspace_id FROM token WHERE token_hash = $1 AND workspace_id IS NOT NULL AND (expiration > NOW() OR expiration IS NULL)",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "workspace_id",
+        "type_info": "Varchar"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      true
+    ]
+  },
+  "hash": "b418f7ae7c0dc6fbe55a9b479e7304475fadab8613b0f541fec33a819e15807b"
+}

backend/.sqlx/query-c301e668a5b88741e6c20700909be55518fabafcadaf6458fdcf1095643534c5.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO mqtt_trigger (\n                mqtt_resource_path,\n                subscribe_topics,\n                client_version,\n                client_id,\n                v3_config,\n                v5_config,\n                workspace_id,\n                path,\n                script_path,\n                is_flow,\n                email,\n                mode,\n                edited_by,\n                error_handler_path,\n                error_handler_args,\n                retry\n            )\n            VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16\n            )",
+  "query": "\n            INSERT INTO mqtt_trigger (\n                mqtt_resource_path,\n                subscribe_topics,\n                client_version,\n                client_id,\n                v3_config,\n                v5_config,\n                workspace_id,\n                path,\n                script_path,\n                is_flow,\n                permissioned_as,\n                mode,\n                edited_by,\n                error_handler_path,\n                error_handler_args,\n                retry\n            )\n            VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16\n            )",
   "describe": {
     "columns": [],
     "parameters": {
@@ -46,5 +46,5 @@
     },
     "nullable": []
   },
-  "hash": "e25aa749cfc9f0bb1649d162e36f2c0ce2187e47d745aa5ba96f9453c722750c"
+  "hash": "c301e668a5b88741e6c20700909be55518fabafcadaf6458fdcf1095643534c5"
 }

backend/.sqlx/query-c5b650748a4ac0d0a04e287d1b3c89a5cc2af0439fe3c3c5829fd0776ec0734e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE\n                http_trigger\n            SET\n                wrap_body = $1,\n                raw_string = $2,\n                authentication_resource_path = $3,\n                script_path = $4,\n                path = $5,\n                is_flow = $6,\n                mode = $7,\n                http_method = $8,\n                static_asset_config = $9,\n                edited_by = $10,\n                email = $11,\n                request_type = $12,\n                authentication_method = $13,\n                summary = $14,\n                description = $15,\n                edited_at = now(),\n                is_static_website = $16,\n                error_handler_path = $17,\n                error_handler_args = $18,\n                retry = $19\n            WHERE\n                workspace_id = $20 AND\n                path = $21\n            ",
+  "query": "\n            UPDATE\n                http_trigger\n            SET\n                wrap_body = $1,\n                raw_string = $2,\n                authentication_resource_path = $3,\n                script_path = $4,\n                path = $5,\n                is_flow = $6,\n                mode = $7,\n                http_method = $8,\n                static_asset_config = $9,\n                edited_by = $10,\n                permissioned_as = $11,\n                request_type = $12,\n                authentication_method = $13,\n                summary = $14,\n                description = $15,\n                edited_at = now(),\n                is_static_website = $16,\n                error_handler_path = $17,\n                error_handler_args = $18,\n                retry = $19\n            WHERE\n                workspace_id = $20 AND\n                path = $21\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -79,5 +79,5 @@
     },
     "nullable": []
   },
-  "hash": "888f7e82c25b677172a276d042ae7066113f2a522068f04c8cee0895a49b787f"
+  "hash": "c5b650748a4ac0d0a04e287d1b3c89a5cc2af0439fe3c3c5829fd0776ec0734e"
 }

backend/.sqlx/query-c79501b30fc28a3ae761579d05f2296e848554e62a00ff7c164109bf3d97f44f.json

@@ -0,0 +1,40 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n        WITH RECURSIVE chain AS (\n            SELECT\n                j.id,\n                j.parent_job,\n                j.flow_step_id,\n                1 AS depth\n            FROM v2_job j\n            WHERE j.id = $1\n          UNION ALL\n            SELECT\n                pj.id,\n                pj.parent_job,\n                pj.flow_step_id,\n                c.depth + 1\n            FROM chain c\n            JOIN v2_job pj ON pj.id = c.parent_job\n            WHERE c.parent_job IS NOT NULL\n        )\n        SELECT\n            c.id,\n            c.parent_job,\n            c.flow_step_id,\n            EXISTS(SELECT 1 FROM v2_job_queue q WHERE q.id = c.parent_job) AS \"parent_in_queue!\"\n        FROM chain c\n        WHERE c.depth >= 1\n        ORDER BY c.depth ASC\n        ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 1,
+        "name": "parent_job",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 2,
+        "name": "flow_step_id",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 3,
+        "name": "parent_in_queue!",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      null,
+      null,
+      null,
+      null
+    ]
+  },
+  "hash": "c79501b30fc28a3ae761579d05f2296e848554e62a00ff7c164109bf3d97f44f"
+}

backend/.sqlx/query-c7aed7fe3b6774477d403bc3e7fcbce7cdbdd1feb553718cbde60bb8ccff4733.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        UPDATE\n            websocket_trigger\n        SET\n            url = $1,\n            script_path = $2,\n            path = $3,\n            is_flow = $4,\n            filters = $5,\n            initial_messages = $6,\n            url_runnable_args = $7,\n            edited_by = $8,\n            email = $9,\n            can_return_message = $10,\n            can_return_error_result = $11,\n            edited_at = now(),\n            server_id = NULL,\n            error = NULL,\n            error_handler_path = $14,\n            error_handler_args = $15,\n            retry = $16\n        WHERE\n            workspace_id = $12 AND path = $13\n    ",
+  "query": "\n        UPDATE\n            websocket_trigger\n        SET\n            url = $1,\n            script_path = $2,\n            path = $3,\n            is_flow = $4,\n            filters = $5,\n            initial_messages = $6,\n            url_runnable_args = $7,\n            edited_by = $8,\n            permissioned_as = $9,\n            can_return_message = $10,\n            can_return_error_result = $11,\n            edited_at = now(),\n            server_id = NULL,\n            error = NULL,\n            error_handler_path = $14,\n            error_handler_args = $15,\n            retry = $16\n        WHERE\n            workspace_id = $12 AND path = $13\n    ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -25,5 +25,5 @@
     },
     "nullable": []
   },
-  "hash": "6c3c38ed5a0e6de0c97954fe4581daa788a7551b4a00dd33f78d36e246b98dd7"
+  "hash": "c7aed7fe3b6774477d403bc3e7fcbce7cdbdd1feb553718cbde60bb8ccff4733"
 }

backend/.sqlx/query-ccd76be88fa9c11b3dc2e6d7711437ab3e02d8c3c10c53decc664533b8d04bc0.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id,\n            script_path, is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id,\n            script_path, is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -18,5 +18,5 @@
     },
     "nullable": []
   },
-  "hash": "8c3cc09c1bbb6209467c75723dd02e97dddb99789422012e85e86c3151a9f2e9"
+  "hash": "ccd76be88fa9c11b3dc2e6d7711437ab3e02d8c3c10c53decc664533b8d04bc0"
 }

backend/.sqlx/query-cd410aa458ad23d47945084a0b9614babda8e6f9fe1ce71224773b2d5f307161.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                SELECT \n                    script_path, \n                    is_flow, \n                    workspace_id, \n                    mode as \"mode: _\",\n                    edited_by, \n                    email, \n                    path, \n                    error_handler_path as \"error_handler_path: _\", \n                    error_handler_args as \"error_handler_args: _\", \n                    retry as \"retry: _\" \n                FROM email_trigger \n                WHERE local_part = $1 \n                    AND workspaced_local_part = FALSE\n                    AND (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                ",
+  "query": "\n                SELECT \n                    script_path, \n                    is_flow, \n                    workspace_id, \n                    mode as \"mode: _\",\n                    permissioned_as,\n                    path,\n                    error_handler_path as \"error_handler_path: _\",\n                    error_handler_args as \"error_handler_args: _\",\n                    retry as \"retry: _\"\n                FROM email_trigger\n                WHERE local_part = $1\n                    AND workspaced_local_part = FALSE\n                    AND (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                ",
   "describe": {
     "columns": [
       {
@@ -36,31 +36,26 @@
       },
       {
         "ordinal": 4,
-        "name": "edited_by",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
         "ordinal": 5,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 6,
         "name": "path",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 7,
+        "ordinal": 6,
         "name": "error_handler_path: _",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 8,
+        "ordinal": 7,
         "name": "error_handler_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 9,
+        "ordinal": 8,
         "name": "retry: _",
         "type_info": "Jsonb"
       }
@@ -77,11 +72,10 @@
       false,
       false,
       false,
-      false,
       true,
       true,
       true
     ]
   },
-  "hash": "de656102e898ebc90e53af8d36c882cf47e798567bb733e8b528dcedc48ad4bf"
+  "hash": "cd410aa458ad23d47945084a0b9614babda8e6f9fe1ce71224773b2d5f307161"
 }

backend/.sqlx/query-d082ff0fcc2bb02257ab82376d87ff8535dfcb7c2b1143b7016fa17bc42a595d.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE postgres_trigger\n            SET\n                postgres_resource_path = $1,\n                replication_slot_name = $2,\n                publication_name = $3,\n                script_path = $4,\n                path = $5,\n                is_flow = $6,\n                edited_by = $7,\n                email = $8,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $11,\n                error_handler_args = $12,\n                retry = $13\n            WHERE\n                workspace_id = $9 AND path = $10\n            ",
+  "query": "\n            UPDATE postgres_trigger\n            SET\n                postgres_resource_path = $1,\n                replication_slot_name = $2,\n                publication_name = $3,\n                script_path = $4,\n                path = $5,\n                is_flow = $6,\n                edited_by = $7,\n                permissioned_as = $8,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $11,\n                error_handler_args = $12,\n                retry = $13\n            WHERE\n                workspace_id = $9 AND path = $10\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -22,5 +22,5 @@
     },
     "nullable": []
   },
-  "hash": "f4340e31adddc9a37bab64957b2b1b9b29f978c73f003dfbf81d5c487f666358"
+  "hash": "d082ff0fcc2bb02257ab82376d87ff8535dfcb7c2b1143b7016fa17bc42a595d"
 }

backend/.sqlx/query-d35300ab94202c181ee5d1e1c76ec9cf1044ff173375a82c529babe053acb24f.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            UPDATE\n                gcp_trigger\n            SET\n                gcp_resource_path = $1,\n                subscription_id = $2,\n                topic_id = $3,\n                delivery_type = $4,\n                delivery_config = $5,\n                is_flow = $6,\n                edited_by = $7,\n                email = $8,\n                script_path = $9,\n                path = $10,\n                mode = $11,\n                edited_at = now(),\n                error = NULL,\n                server_id = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16,\n                auto_acknowledge_msg = $17,\n                ack_deadline = $18\n            WHERE\n                workspace_id = $12 AND\n                path = $13\n            ",
+  "query": "\n            UPDATE\n                gcp_trigger\n            SET\n                gcp_resource_path = $1,\n                subscription_id = $2,\n                topic_id = $3,\n                delivery_type = $4,\n                delivery_config = $5,\n                is_flow = $6,\n                edited_by = $7,\n                permissioned_as = $8,\n                script_path = $9,\n                path = $10,\n                mode = $11,\n                edited_at = now(),\n                error = NULL,\n                server_id = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16,\n                auto_acknowledge_msg = $17,\n                ack_deadline = $18\n            WHERE\n                workspace_id = $12 AND\n                path = $13\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -48,5 +48,5 @@
     },
     "nullable": []
   },
-  "hash": "8642e4fc3efb011a8b7f98d2080a165ec4046c3a7172b5635b818c0fa133411f"
+  "hash": "d35300ab94202c181ee5d1e1c76ec9cf1044ff173375a82c529babe053acb24f"
 }

backend/.sqlx/query-d56a8a7291ce3141c06d79ef854ac2cf970c3e41a223e31d3991276742d2afe1.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO nats_trigger (\n                workspace_id,\n                path,\n                nats_resource_path,\n                subjects,\n                stream_name,\n                consumer_name,\n                use_jetstream,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, now(), $13, $14, $15\n            )\n            ",
+  "query": "\n            INSERT INTO nats_trigger (\n                workspace_id,\n                path,\n                nats_resource_path,\n                subjects,\n                stream_name,\n                consumer_name,\n                use_jetstream,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, now(), $13, $14, $15\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -35,5 +35,5 @@
     },
     "nullable": []
   },
-  "hash": "1bf8dc01326ebf6b8faa04e418b781e37bb9cedd1a89bf71a969b6db8cace48e"
+  "hash": "d56a8a7291ce3141c06d79ef854ac2cf970c3e41a223e31d3991276742d2afe1"
 }

backend/.sqlx/query-db9957ea9b5b326c27ff62f96a3981787a91ac587b1936c774de7a2a2094bf91.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO sqs_trigger (\n            path, queue_url, aws_resource_path, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
+  "query": "\n        INSERT INTO sqs_trigger (\n            path, queue_url, aws_resource_path, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -17,5 +17,5 @@
     },
     "nullable": []
   },
-  "hash": "c659cfe81441bb1b62a9f23f5d9b7f5b1f354b6bb0a78d007114fed084cfe292"
+  "hash": "db9957ea9b5b326c27ff62f96a3981787a91ac587b1936c774de7a2a2094bf91"
 }

backend/.sqlx/query-dbb16284b9dd98b9339816e43eebf0fef488102cd7b3fd38d8af3148545bf1a4.json

@@ -1,11 +1,11 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT email, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
+  "query": "SELECT permissioned_as, edited_by FROM http_trigger WHERE path = $1 AND workspace_id = $2",
   "describe": {
     "columns": [
       {
         "ordinal": 0,
-        "name": "email",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
@@ -25,5 +25,5 @@
       false
     ]
   },
-  "hash": "17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c"
+  "hash": "dbb16284b9dd98b9339816e43eebf0fef488102cd7b3fd38d8af3148545bf1a4"
 }

backend/.sqlx/query-dd20f94d560238096390371c98ded1f80825a11cd61c0bb431678ad9ab4a138e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, schedule, timezone, edited_by, script_path,\n            is_flow, args, enabled, email,\n            on_failure, on_failure_times, on_failure_exact, on_failure_extra_args,\n            on_recovery, on_recovery_times, on_recovery_extra_args,\n            on_success, on_success_extra_args,\n            ws_error_handler_muted, retry, summary, no_flow_overlap,\n            tag, paused_until, cron_version, description, dynamic_skip\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6,\n            $7, $8, $9, $10,\n            $11, $12, $13, $14,\n            $15, $16, $17,\n            $18, $19,\n            $20, $21, $22, $23,\n            $24, $25, $26, $27, $28\n        )\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args  AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
+  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, schedule, timezone, edited_by, script_path,\n            is_flow, args, enabled, email, permissioned_as,\n            on_failure, on_failure_times, on_failure_exact, on_failure_extra_args,\n            on_recovery, on_recovery_times, on_recovery_extra_args,\n            on_success, on_success_extra_args,\n            ws_error_handler_muted, retry, summary, no_flow_overlap,\n            tag, paused_until, cron_version, description, dynamic_skip\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6,\n            $7, $8, $9, $10, $11,\n            $12, $13, $14, $15,\n            $16, $17, $18,\n            $19, $20,\n            $21, $22, $23, $24,\n            $25, $26, $27, $28, $29\n        )\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            permissioned_as,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args  AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
   "describe": {
     "columns": [
       {
@@ -65,96 +65,101 @@
       },
       {
         "ordinal": 12,
+        "name": "permissioned_as",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 13,
         "name": "error",
         "type_info": "Text"
       },
       {
-        "ordinal": 13,
+        "ordinal": 14,
         "name": "on_failure",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 14,
+        "ordinal": 15,
         "name": "on_failure_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 15,
+        "ordinal": 16,
         "name": "on_failure_exact",
         "type_info": "Bool"
       },
       {
-        "ordinal": 16,
+        "ordinal": 17,
         "name": "on_failure_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 17,
+        "ordinal": 18,
         "name": "on_recovery",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 18,
+        "ordinal": 19,
         "name": "on_recovery_times",
         "type_info": "Int4"
       },
       {
-        "ordinal": 19,
+        "ordinal": 20,
         "name": "on_recovery_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 20,
+        "ordinal": 21,
         "name": "on_success",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 21,
+        "ordinal": 22,
         "name": "on_success_extra_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 22,
+        "ordinal": 23,
         "name": "ws_error_handler_muted",
         "type_info": "Bool"
       },
       {
-        "ordinal": 23,
+        "ordinal": 24,
         "name": "retry",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 24,
+        "ordinal": 25,
         "name": "no_flow_overlap",
         "type_info": "Bool"
       },
       {
-        "ordinal": 25,
+        "ordinal": 26,
         "name": "summary",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 26,
+        "ordinal": 27,
         "name": "description",
         "type_info": "Text"
       },
       {
-        "ordinal": 27,
+        "ordinal": 28,
         "name": "tag",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 28,
+        "ordinal": 29,
         "name": "paused_until",
         "type_info": "Timestamptz"
       },
       {
-        "ordinal": 29,
+        "ordinal": 30,
         "name": "cron_version",
         "type_info": "Text"
       },
       {
-        "ordinal": 30,
+        "ordinal": 31,
         "name": "dynamic_skip",
         "type_info": "Varchar"
       }
@@ -172,6 +177,7 @@
         "Bool",
         "Varchar",
         "Varchar",
+        "Varchar",
         "Int4",
         "Bool",
         "Jsonb",
@@ -204,6 +210,7 @@
       true,
       false,
       false,
+      false,
       true,
       true,
       true,
@@ -225,5 +232,5 @@
       true
     ]
   },
-  "hash": "23e4c6e3dc6a48f702c2b26a6b1f94668e086caaa0093a3b685f87483513b0d2"
+  "hash": "dd20f94d560238096390371c98ded1f80825a11cd61c0bb431678ad9ab4a138e"
 }

backend/.sqlx/query-de4879b8e3002ca48005406c4e107df2663aca35b60e3c528f564da3114f0af1.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO sqs_trigger (\n                workspace_id,\n                path,\n                queue_url,\n                aws_resource_path,\n                message_attributes,\n                aws_auth_resource_type,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, now(), $12, $13, $14\n            )\n            ",
+  "query": "\n            INSERT INTO sqs_trigger (\n                workspace_id,\n                path,\n                queue_url,\n                aws_resource_path,\n                message_attributes,\n                aws_auth_resource_type,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, now(), $12, $13, $14\n            )\n            ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -44,5 +44,5 @@
     },
     "nullable": []
   },
-  "hash": "cad914554762b6be72b289814f77072600f8f1bc1fa73ef6f63972775aedf044"
+  "hash": "de4879b8e3002ca48005406c4e107df2663aca35b60e3c528f564da3114f0af1"
 }

backend/.sqlx/query-e3f09fe777cbbc009ca1af31989b542ec2d585ef672f0e1496944f4dd0d082f4.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                SELECT \n                    script_path, \n                    is_flow, \n                    workspace_id, \n                    mode as \"mode: _\",\n                    edited_by, \n                    email, \n                    path, \n                    error_handler_path as \"error_handler_path: _\", \n                    error_handler_args as \"error_handler_args: _\", \n                    retry as \"retry: _\" \n                FROM email_trigger \n                WHERE workspace_id = $1 \n                    AND local_part = $2 \n                    AND (workspaced_local_part = TRUE OR $3 IS TRUE)\n                    AND (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                ",
+  "query": "\n                SELECT \n                    script_path, \n                    is_flow, \n                    workspace_id, \n                    mode as \"mode: _\",\n                    permissioned_as,\n                    path,\n                    error_handler_path as \"error_handler_path: _\",\n                    error_handler_args as \"error_handler_args: _\",\n                    retry as \"retry: _\"\n                FROM email_trigger\n                WHERE workspace_id = $1\n                    AND local_part = $2\n                    AND (workspaced_local_part = TRUE OR $3 IS TRUE)\n                    AND (mode = 'enabled'::TRIGGER_MODE OR mode = 'suspended'::TRIGGER_MODE)\n                ",
   "describe": {
     "columns": [
       {
@@ -36,31 +36,26 @@
       },
       {
         "ordinal": 4,
-        "name": "edited_by",
+        "name": "permissioned_as",
         "type_info": "Varchar"
       },
       {
         "ordinal": 5,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 6,
         "name": "path",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 7,
+        "ordinal": 6,
         "name": "error_handler_path: _",
         "type_info": "Varchar"
       },
       {
-        "ordinal": 8,
+        "ordinal": 7,
         "name": "error_handler_args: _",
         "type_info": "Jsonb"
       },
       {
-        "ordinal": 9,
+        "ordinal": 8,
         "name": "retry: _",
         "type_info": "Jsonb"
       }
@@ -79,11 +74,10 @@
       false,
       false,
       false,
-      false,
       true,
       true,
       true
     ]
   },
-  "hash": "3aad6340ea1f8dc8411742ef5de5a77d5de903845da9e686aef804bc09db1687"
+  "hash": "e3f09fe777cbbc009ca1af31989b542ec2d585ef672f0e1496944f4dd0d082f4"
 }

backend/.sqlx/query-e998bb8195b4fafe6de20fb0bf4315b3a10db9aca72447b8b8afd9474baa0614.json

@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO kafka_trigger (path, kafka_resource_path, group_id, topics, script_path, is_flow, workspace_id, edited_by, permissioned_as) VALUES ($1, $2, $3, $4, $5, false, 'test-workspace', 'test-user', 'u/test-user')",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "VarcharArray",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "e998bb8195b4fafe6de20fb0bf4315b3a10db9aca72447b8b8afd9474baa0614"
+}

backend/.sqlx/query-ecf67b08d327c351909b7ba80218903bec93ef79a71053c00227e17c6f0415a2.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT EXISTS(\n                SELECT 1 FROM v2_job\n                WHERE parent_job = $1 AND id != $2\n                AND id IN (SELECT id FROM v2_job_queue)\n            ) as has",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "has",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "ecf67b08d327c351909b7ba80218903bec93ef79a71053c00227e17c6f0415a2"
+}

backend/.sqlx/query-f57a891d1b507ec6767099a388be7deb97a89168fd7f74040e73033075140655.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, email, initial_messages\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
+  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, permissioned_as, initial_messages\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
   "describe": {
     "columns": [],
     "parameters": {
@@ -17,5 +17,5 @@
     },
     "nullable": []
   },
-  "hash": "e485c82978d10379c6d1b7cd850f3bf764e6c5bf775f3d710ba36a79f5e424eb"
+  "hash": "f57a891d1b507ec6767099a388be7deb97a89168fd7f74040e73033075140655"
 }

backend/.sqlx/query-f5f18e6c5b7376b2760915ee3c859fb2306f16c0c601668adaf30baf66f0fd0d.json

@@ -0,0 +1,17 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO sqs_trigger (path, queue_url, aws_resource_path, script_path, is_flow, workspace_id, edited_by, permissioned_as) VALUES ($1, $2, $3, $4, false, 'test-workspace', 'test-user', 'u/test-user')",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "f5f18e6c5b7376b2760915ee3c859fb2306f16c0c601668adaf30baf66f0fd0d"
+}

backend/.sqlx/query-f9eabfab66ae102c8a61ae5e6349b5b167ff7939828a747ad09bb06c9d6c6d8d.json

@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE v2_job_queue SET scheduled_for = $1 WHERE id = $2",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Timestamptz",
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "f9eabfab66ae102c8a61ae5e6349b5b167ff7939828a747ad09bb06c9d6c6d8d"
+}

backend/Cargo.lock

@@ -860,9 +860,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.1"
+version = "1.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
 dependencies = [
  "aws-lc-sys",
  "zeroize",
@@ -870,9 +870,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.38.0"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
 dependencies = [
  "cc",
  "cmake",
@@ -7525,9 +7525,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "jni"
@@ -13844,9 +13844,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tar"
-version = "0.4.44"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
  "filetime",
  "libc",
@@ -15742,7 +15742,7 @@ dependencies = [
 
 [[package]]
 name = "windmill"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -15787,6 +15787,7 @@ dependencies = [
  "uuid",
  "windmill-api",
  "windmill-api-agent-workers",
+ "windmill-api-auth",
  "windmill-api-client",
  "windmill-api-settings",
  "windmill-autoscaling",
@@ -15800,6 +15801,14 @@ dependencies = [
  "windmill-queue",
  "windmill-runtime-nativets",
  "windmill-test-utils",
+ "windmill-trigger",
+ "windmill-trigger-gcp",
+ "windmill-trigger-kafka",
+ "windmill-trigger-mqtt",
+ "windmill-trigger-nats",
+ "windmill-trigger-postgres",
+ "windmill-trigger-sqs",
+ "windmill-trigger-websocket",
  "windmill-types",
  "windmill-worker",
  "windmill-worker-volumes",
@@ -15809,7 +15818,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-alerting"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -15822,7 +15831,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "argon2",
@@ -15963,7 +15972,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-agent-workers"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -15986,7 +15995,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-assets"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -15999,7 +16008,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-auth"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16025,7 +16034,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-client"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "reqwest 0.12.28",
  "serde",
@@ -16035,7 +16044,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-configs"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16052,7 +16061,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-debug"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "base64 0.22.1",
@@ -16075,7 +16084,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-embeddings"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16098,7 +16107,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-flow-conversations"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16114,7 +16123,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-flows"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16134,7 +16143,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-groups"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16154,7 +16163,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-inputs"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16168,7 +16177,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-integration-tests"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -16196,7 +16205,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-jobs"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16221,7 +16230,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-npm-proxy"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "flate2",
@@ -16239,7 +16248,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-openapi"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16260,7 +16269,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-schedule"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16280,7 +16289,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-scripts"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16310,7 +16319,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-settings"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16337,7 +16346,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-sse"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "lazy_static",
  "serde",
@@ -16349,7 +16358,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-users"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "argon2",
  "axum 0.7.9",
@@ -16372,7 +16381,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-workers"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16386,7 +16395,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-api-workspaces"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "axum 0.7.9",
  "chrono",
@@ -16417,7 +16426,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-audit"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "chrono",
  "lazy_static",
@@ -16431,7 +16440,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-autoscaling"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -16450,7 +16459,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-common"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "aes-gcm",
  "anyhow",
@@ -16477,6 +16486,7 @@ dependencies = [
  "cron",
  "croner",
  "datafusion",
+ "equivalent",
  "futures",
  "futures-core",
  "gethostname",
@@ -16549,7 +16559,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-dep-map"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "chrono",
  "itertools 0.14.0",
@@ -16568,7 +16578,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-git-sync"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "regex",
  "serde",
@@ -16583,7 +16593,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-indexer"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "astral-tokio-tar",
@@ -16607,7 +16617,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-jseval"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "futures",
@@ -16624,7 +16634,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-macros"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "itertools 0.14.0",
  "lazy_static",
@@ -16640,7 +16650,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-mcp"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -16661,7 +16671,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-native-triggers"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -16692,7 +16702,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-oauth"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-oauth2",
@@ -16716,7 +16726,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-object-store"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-stream",
@@ -16750,7 +16760,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-operator"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "futures",
@@ -16768,7 +16778,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "convert_case 0.6.0",
  "serde",
@@ -16777,7 +16787,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-bash"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "lazy_static",
@@ -16789,7 +16799,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-csharp"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "serde_json",
@@ -16801,7 +16811,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-go"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "gosyn",
@@ -16813,7 +16823,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-graphql"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "lazy_static",
@@ -16825,7 +16835,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-java"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "serde_json",
@@ -16837,7 +16847,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-nu"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "nu-parser",
@@ -16848,7 +16858,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-php"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "itertools 0.14.0",
@@ -16859,7 +16869,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-py"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "itertools 0.14.0",
@@ -16871,7 +16881,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-py-asset"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "rustpython-ast",
@@ -16882,14 +16892,12 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-py-imports"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-recursion",
  "itertools 0.14.0",
  "lazy_static",
- "malachite",
- "malachite-bigint",
  "pep440_rs",
  "phf 0.11.3",
  "regex",
@@ -16906,7 +16914,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-ruby"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "lazy_static",
@@ -16920,7 +16928,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-rust"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "convert_case 0.6.0",
@@ -16937,7 +16945,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-sql"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "lazy_static",
@@ -16946,12 +16954,11 @@ dependencies = [
  "serde",
  "serde_json",
  "windmill-parser",
- "windmill-types",
 ]
 
 [[package]]
 name = "windmill-parser-sql-asset"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "serde",
@@ -16963,7 +16970,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-ts"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "lazy_static",
@@ -16981,7 +16988,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-ts-asset"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "serde-wasm-bindgen",
@@ -16997,7 +17004,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-wac"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "rustpython-ast",
@@ -17013,7 +17020,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-parser-yaml"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "serde",
@@ -17024,7 +17031,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-queue"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-recursion",
@@ -17061,7 +17068,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-runtime-nativets"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "const_format",
@@ -17099,7 +17106,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-sql-datatype-parser-wasm"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "getrandom 0.3.4",
  "wasm-bindgen",
@@ -17110,7 +17117,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-store"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-recursion",
@@ -17139,7 +17146,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-test-utils"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "axum 0.7.9",
@@ -17162,7 +17169,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17195,7 +17202,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-email"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17215,7 +17222,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-gcp"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17249,7 +17256,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-http"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17284,7 +17291,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-kafka"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17307,7 +17314,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-mqtt"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17331,7 +17338,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-nats"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -17355,7 +17362,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-postgres"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17390,7 +17397,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-sqs"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17418,7 +17425,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-trigger-websocket"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -17441,7 +17448,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-types"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "bitflags 2.9.4",
@@ -17455,11 +17462,12 @@ dependencies = [
  "strum 0.27.2",
  "tracing",
  "uuid",
+ "windmill-parser",
 ]
 
 [[package]]
 name = "windmill-worker"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "anyhow",
  "async-once-cell",
@@ -17566,7 +17574,7 @@ dependencies = [
 
 [[package]]
 name = "windmill-worker-volumes"
-version = "1.661.0"
+version = "1.662.0"
 dependencies = [
  "bytes",
  "futures",
@@ -18455,18 +18463,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.46"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c5030500cb2d66bdfbb4ebc9563be6ce7005a4b5d0f26be0c523870fe372ca6"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.46"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5f86989a046a79640b9d8867c823349a139367bda96549794fcc3313ce91f4e"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",

backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "windmill"
-version = "1.661.0"
+version = "1.662.0"
 authors.workspace = true
 edition.workspace = true
 
@@ -82,7 +82,7 @@ members = [
 exclude = ["./windmill-duckdb-ffi-internal"]
 
 [workspace.package]
-version = "1.661.0"
+version = "1.662.0"
 authors = ["Ruben Fiszel <ruben@windmill.dev>"]
 edition = "2021"
 
@@ -260,6 +260,15 @@ windmill-dep-map.workspace = true
 windmill-test-utils.workspace = true
 windmill-worker-volumes.workspace = true
 windmill-types.workspace = true
+windmill-trigger.workspace = true
+windmill-trigger-websocket.workspace = true
+windmill-trigger-postgres.workspace = true
+windmill-trigger-mqtt.workspace = true
+windmill-trigger-kafka.workspace = true
+windmill-trigger-nats.workspace = true
+windmill-trigger-sqs.workspace = true
+windmill-trigger-gcp.workspace = true
+windmill-api-auth.workspace = true
 axum.workspace = true
 serde.workspace = true
 windmill-api-client.workspace = true

backend/ee-repo-ref.txt

@@ -1 +1 @@
-b3b8005d45e3f2aa7228c61d2e4ae86a17d89a30
+c04f3851c03758662e4936ff4b6e71bc56dbae7e

backend/migrations/20260304000000_raw_script_temp.down.sql

@@ -0,0 +1,2 @@
+DROP INDEX IF EXISTS idx_raw_script_temp_created_at;
+DROP TABLE IF EXISTS raw_script_temp;

backend/migrations/20260304000000_raw_script_temp.up.sql

@@ -0,0 +1,11 @@
+-- Temporary storage for raw script content during CLI lock generation
+-- Content is stored with hash as key, cleaned up after 1 week
+CREATE TABLE raw_script_temp (
+    workspace_id VARCHAR(50) NOT NULL REFERENCES workspace(id),
+    hash CHAR(64) NOT NULL,
+    content TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (workspace_id, hash)
+);
+
+CREATE INDEX IF NOT EXISTS idx_raw_script_temp_created_at ON raw_script_temp (created_at);

backend/migrations/20260318000000_add_permissioned_as.down.sql

@@ -0,0 +1,30 @@
+-- Revert: re-add email columns to trigger tables, drop permissioned_as
+
+ALTER TABLE http_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE http_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE websocket_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE websocket_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE postgres_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE postgres_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE mqtt_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE mqtt_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE kafka_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE kafka_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE nats_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE nats_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE sqs_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE sqs_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE gcp_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE gcp_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE email_trigger ADD COLUMN email VARCHAR(255) NOT NULL DEFAULT '';
+ALTER TABLE email_trigger DROP COLUMN permissioned_as;
+
+ALTER TABLE schedule DROP COLUMN permissioned_as;

backend/migrations/20260318000000_add_permissioned_as.up.sql

@@ -0,0 +1,64 @@
+-- Add permissioned_as column to all trigger tables and schedule
+-- permissioned_as stores 'u/{username}', 'g/{group}', or raw email
+-- We add nullable first, populate, then set NOT NULL to avoid a DEFAULT '' that could mask bugs.
+
+-- Trigger tables: add permissioned_as, drop email
+ALTER TABLE http_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE http_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE http_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE http_trigger DROP COLUMN email;
+
+ALTER TABLE websocket_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE websocket_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE websocket_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE websocket_trigger DROP COLUMN email;
+
+ALTER TABLE postgres_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE postgres_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE postgres_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE postgres_trigger DROP COLUMN email;
+
+ALTER TABLE mqtt_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE mqtt_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE mqtt_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE mqtt_trigger DROP COLUMN email;
+
+ALTER TABLE kafka_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE kafka_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE kafka_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE kafka_trigger DROP COLUMN email;
+
+ALTER TABLE nats_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE nats_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE nats_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE nats_trigger DROP COLUMN email;
+
+ALTER TABLE sqs_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE sqs_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE sqs_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE sqs_trigger DROP COLUMN email;
+
+ALTER TABLE gcp_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE gcp_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE gcp_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE gcp_trigger DROP COLUMN email;
+
+ALTER TABLE email_trigger ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE email_trigger SET permissioned_as = CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END;
+ALTER TABLE email_trigger ALTER COLUMN permissioned_as SET NOT NULL;
+ALTER TABLE email_trigger DROP COLUMN email;
+
+-- Schedule table: add permissioned_as, keep email for backwards compat with old workers
+-- For superadmin-owned schedules, use the email to find the actual username (since edited_by
+-- may have been overwritten by a later edit). Otherwise use edited_by as the source.
+ALTER TABLE schedule ADD COLUMN permissioned_as VARCHAR(255);
+UPDATE schedule SET permissioned_as = CASE
+    WHEN EXISTS (
+        SELECT 1 FROM password p WHERE p.email = schedule.email AND p.super_admin = true
+    ) THEN COALESCE(
+        'u/' || (SELECT u.username FROM usr u WHERE u.email = schedule.email AND u.workspace_id = schedule.workspace_id LIMIT 1),
+        schedule.email
+    )
+    ELSE CASE WHEN edited_by LIKE '%@%' THEN edited_by ELSE 'u/' || edited_by END
+END;
+ALTER TABLE schedule ALTER COLUMN permissioned_as SET NOT NULL;

backend/parsers/windmill-parser-py-imports/Cargo.toml

@@ -13,21 +13,19 @@ regex-lite.workspace = true
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 regex.workspace = true
-
-[dependencies]
-windmill-parser.workspace = true
 windmill-common.workspace = true
-rustpython-parser.workspace = true
-malachite.workspace = true
-malachite-bigint.workspace = true
-phf.workspace = true
-itertools.workspace = true
-serde_json.workspace = true
-anyhow.workspace = true
-lazy_static.workspace = true
 sqlx.workspace = true
 async-recursion.workspace = true
 toml.workspace = true
 serde.workspace = true
 pep440_rs.workspace = true
 tracing.workspace = true
+
+[dependencies]
+windmill-parser.workspace = true
+rustpython-parser.workspace = true
+phf.workspace = true
+itertools.workspace = true
+serde_json.workspace = true
+anyhow.workspace = true
+lazy_static.workspace = true

backend/parsers/windmill-parser-py-imports/src/lib.rs

@@ -8,10 +8,14 @@
 
 mod mapping;
 
+#[cfg(not(target_arch = "wasm32"))]
 use async_recursion::async_recursion;
 use itertools::Itertools;
 use lazy_static::lazy_static;
-use std::{collections::HashMap, str::FromStr};
+#[cfg(not(target_arch = "wasm32"))]
+use std::str::FromStr;
+#[cfg(not(target_arch = "wasm32"))]
+use std::collections::HashMap;
 
 use mapping::{FULL_IMPORTS_MAP, SHORT_IMPORTS_MAP};
 #[cfg(not(target_arch = "wasm32"))]
@@ -24,7 +28,9 @@ use rustpython_parser::{
     text_size::TextRange,
     Parse,
 };
+#[cfg(not(target_arch = "wasm32"))]
 use sqlx::{Pool, Postgres};
+#[cfg(not(target_arch = "wasm32"))]
 use windmill_common::{
     error::{self, to_anyhow},
     worker::{
@@ -46,10 +52,14 @@ fn replace_full_import(x: &str) -> Option<String> {
     FULL_IMPORTS_MAP.get(x).map(|x| (*x).to_owned())
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 lazy_static! {
     static ref RE: Regex = Regex::new(r"^\#\s?(\S+)\s*$").unwrap();
-    static ref PIN_RE: Regex = Regex::new(r"(?:\s*#\s*(pin|repin):\s*)(\S*)").unwrap();
     static ref PKG_RE: Regex = Regex::new(r"^([^!=<>]+)(?:[!=<>]|$)").unwrap();
+}
+
+lazy_static! {
+    static ref PIN_RE: Regex = Regex::new(r"(?:\s*#\s*(pin|repin):\s*)(\S*)").unwrap();
     // Regex to properly match main function definition at line start,
     // capturing both sync and async variants
     static ref DEF_MAIN_RE: Regex = Regex::new(r"(?m)^(async\s+)?def\s+main\s*\(").unwrap();
@@ -82,7 +92,7 @@ fn process_import(module: Option<String>, path: &str, level: usize) -> Vec<NImpo
     }
 }
 
-pub fn parse_relative_imports(code: &str, path: &str) -> error::Result<Vec<String>> {
+pub fn parse_relative_imports(code: &str, path: &str) -> anyhow::Result<Vec<String>> {
     let nimports = parse_code_for_imports(code, path)?;
     return Ok(nimports
         .into_iter()
@@ -94,7 +104,7 @@ pub fn parse_relative_imports(code: &str, path: &str) -> error::Result<Vec<Strin
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
-enum NImport {
+pub enum NImport {
     // Order matters! First we want to resolve all repins
 
     // manually repinned requirement
@@ -134,6 +144,8 @@ enum NImport {
     // Relative imports
     Relative(String),
 }
+
+#[cfg(not(target_arch = "wasm32"))]
 #[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
 enum NImportResolved {
     Repin { pin: ImportPin, key: String },
@@ -142,12 +154,12 @@ enum NImportResolved {
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
-struct ImportPin {
-    pkg: String,
-    path: String,
+pub struct ImportPin {
+    pub pkg: String,
+    pub path: String,
 }
 
-fn parse_code_for_imports(code: &str, path: &str) -> error::Result<Vec<NImport>> {
+pub fn parse_code_for_imports(code: &str, path: &str) -> anyhow::Result<Vec<NImport>> {
     // Use regex to safely find the main function definition
     let mut code = DEF_MAIN_RE
         .split(code)
@@ -175,7 +187,7 @@ fn parse_code_for_imports(code: &str, path: &str) -> error::Result<Vec<NImport>>
     let code_with_fake_main = format!("{}\n\ndef main(): pass", code);
 
     let ast = Suite::parse(&code_with_fake_main, "main.py").map_err(|e| {
-        error::Error::ExecutionErr(format!("Error parsing code for imports: {}", e.to_string()))
+        anyhow::anyhow!("Error parsing code for imports: {}", e.to_string())
     })?;
     // Note: We're still using the original code for finding pins,
     // as the TextRange values from the parsed AST would be based on code_with_fake_main
@@ -256,6 +268,7 @@ fn parse_code_for_imports(code: &str, path: &str) -> error::Result<Vec<NImport>>
     return Ok(nimports);
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 pub async fn parse_python_imports(
     code: &str,
     w_id: &str,
@@ -264,6 +277,7 @@ pub async fn parse_python_imports(
     version_specifiers: &mut Vec<pep440_rs::VersionSpecifier>,
     locked_v: &mut Option<pep440_rs::Version>,
     raw_workspace_dependencies_o: &Option<RawWorkspaceDependencies>,
+    temp_script_refs: &Option<HashMap<String, String>>,
 ) -> error::Result<(Vec<String>, Option<String>)> {
     let mut compile_error_hint: Option<String> = None;
     let mut imports = parse_python_imports_inner(
@@ -276,6 +290,7 @@ pub async fn parse_python_imports(
         &mut None,
         locked_v,
         raw_workspace_dependencies_o,
+        temp_script_refs,
     )
     .await?
     .into_values()
@@ -313,6 +328,7 @@ pub async fn parse_python_imports(
     Ok((imports, compile_error_hint))
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 fn extract_pkg_name(requirement: &str) -> String {
     PKG_RE
         .captures(requirement)
@@ -320,6 +336,7 @@ fn extract_pkg_name(requirement: &str) -> String {
         .unwrap_or_default()
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 #[async_recursion]
 async fn parse_python_imports_inner(
     code: &str,
@@ -331,6 +348,7 @@ async fn parse_python_imports_inner(
     path_where_annotated_pyv: &mut Option<String>,
     locked_v: &mut Option<pep440_rs::Version>,
     raw_workspace_dependencies_o: &Option<RawWorkspaceDependencies>,
+    temp_script_refs: &Option<HashMap<String, String>>,
 ) -> error::Result<HashMap<String, NImportResolved>> {
     tracing::debug!("Parsing python imports for path: {}", path);
     let PythonAnnotations { py310, py311, py312, py313, .. } = PythonAnnotations::parse(&code);
@@ -494,17 +512,37 @@ async fn parse_python_imports_inner(
     for n in nimports.into_iter() {
         let mut nested = match n {
             NImport::Relative(rpath) => {
-                let code = sqlx::query_scalar!(
-                    r#"
-                SELECT content FROM script WHERE path = $1 AND workspace_id = $2
-                AND archived = false ORDER BY created_at DESC LIMIT 1
-                "#,
-                    &rpath,
-                    w_id
-                )
-                .fetch_optional(db)
-                .await?
-                .unwrap_or_else(|| "".to_string());
+                // First try to get content from temp_script_refs cache if available
+                let code_from_cache = if let Some(hash) = temp_script_refs.as_ref().and_then(|dt| dt.get(&rpath)) {
+                    tracing::debug!("Found relative import '{}' in temp_script_refs with hash '{}'", rpath, hash);
+                    match windmill_common::cache::raw_script_temp::load(hash.clone(), db).await {
+                        Ok(content) => Some(content),
+                        Err(e) => {
+                            tracing::warn!("temp_script_refs hash '{}' not found in cache: {}, falling back to deployed script", hash, e);
+                            None
+                        }
+                    }
+                } else {
+                    None
+                };
+
+                // Use cached content if available, otherwise fall back to deployed script
+                let code = match code_from_cache {
+                    Some(content) => content,
+                    None => {
+                        sqlx::query_scalar!(
+                            r#"
+                        SELECT content FROM script WHERE path = $1 AND workspace_id = $2
+                        AND archived = false ORDER BY created_at DESC LIMIT 1
+                        "#,
+                            &rpath,
+                            w_id
+                        )
+                        .fetch_optional(db)
+                        .await?
+                        .unwrap_or_else(|| "".to_string())
+                    }
+                };
 
                 if already_visited.contains(&rpath) {
                     vec![]
@@ -522,6 +560,7 @@ async fn parse_python_imports_inner(
                         path_where_annotated_pyv,
                         locked_v,
                         raw_workspace_dependencies_o,
+                        temp_script_refs,
                     )
                     .await?
                     .into_values()
@@ -646,6 +685,7 @@ async fn parse_python_imports_inner(
     Ok(final_imports)
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 fn extract_nimports_from_content(
     content: &str,
     hm: &mut HashMap<String, NImportResolved>,

backend/parsers/windmill-parser-py-imports/tests/tests.rs

@@ -26,6 +26,7 @@ def main():
             &mut vec![],
             &mut None,
             &None,
+            &None,
         )
         .await?;
         // println!("{}", serde_json::to_string(&r)?);
@@ -67,6 +68,7 @@ def main():
             &mut vec![],
             &mut None,
             &None,
+            &None,
         )
         .await?;
         println!("{}", serde_json::to_string(&r)?);
@@ -98,6 +100,7 @@ def main():
             &mut vec![],
             &mut None,
             &None,
+            &None,
         )
         .await?;
         println!("{}", serde_json::to_string(&r)?);

backend/parsers/windmill-parser-sql/Cargo.toml

@@ -16,7 +16,6 @@ regex.workspace = true
 
 [dependencies]
 windmill-parser.workspace = true
-windmill-types.workspace = true
 anyhow.workspace = true
 lazy_static.workspace = true
 serde_json.workspace = true

backend/parsers/windmill-parser-sql/src/lib.rs

@@ -15,7 +15,7 @@ use std::{
     iter::Peekable,
     str::CharIndices,
 };
-pub use windmill_parser::{Arg, MainArgSignature, ObjectType, Typ};
+pub use windmill_parser::{s3_mode_extension, Arg, MainArgSignature, ObjectType, S3ModeFormat, Typ};
 
 pub const SANITIZED_ENUM_STR: &str = "__sanitized_enum__";
 pub const SANITIZED_RAW_STRING_STR: &str = "__sanitized_raw_string__";
@@ -143,7 +143,6 @@ pub fn parse_db_resource(code: &str) -> Option<String> {
     cap.map(|x| x.get(1).map(|x| x.as_str().to_string()).unwrap())
 }
 
-pub use windmill_types::s3::{s3_mode_extension, S3ModeFormat};
 pub struct S3ModeArgs {
     pub prefix: Option<String>,
     pub storage: Option<String>,

backend/parsers/windmill-parser-ts/src/lib.rs

@@ -117,6 +117,12 @@ impl Visit for ImportsFinder {
     }
 }
 
+/// Parse TypeScript/JavaScript code and extract all import paths as raw strings.
+///
+/// Returns import paths exactly as written in the code (e.g., `"./module"`, `"../utils"`, `"lodash"`).
+/// Does not resolve relative paths to absolute Windmill paths.
+///
+/// See also: [`parse_relative_imports`] for resolved absolute paths.
 pub fn parse_expr_for_imports(code: &str, skip_type_only: bool) -> anyhow::Result<Vec<String>> {
     let cm: Lrc<SourceMap> = Default::default();
     let fm = cm.new_source_file(FileName::Custom("main.d.ts".into()).into(), code.into());
@@ -151,6 +157,82 @@ pub fn parse_expr_for_imports(code: &str, skip_type_only: bool) -> anyhow::Resul
     Ok(imports)
 }
 
+/// Parse TypeScript/JavaScript code and extract relative imports resolved to absolute Windmill paths.
+///
+/// Takes the script's Windmill path (e.g., `"f/folder/script"`) and resolves relative imports
+/// like `"./module"` or `"../utils"` to absolute paths like `"f/folder/module"` or `"f/utils"`.
+///
+/// Only returns relative imports (those starting with `./`, `../`, or `/`).
+/// External package imports (e.g., `"lodash"`) are filtered out.
+///
+/// See also: [`parse_expr_for_imports`] for raw import strings without resolution.
+///
+/// # Arguments
+/// * `code` - The TypeScript/JavaScript source code
+/// * `path` - The Windmill path of the script (e.g., `"f/folder/script"`)
+///
+/// # Returns
+/// A sorted, deduplicated list of resolved absolute Windmill paths.
+///
+/// # Examples
+/// ```ignore
+/// // Script at "f/folder/script" with: import { x } from "../utils"
+/// // Returns: ["f/utils"]
+/// ```
+pub fn parse_relative_imports(code: &str, path: &str) -> anyhow::Result<Vec<String>> {
+    let imports = parse_expr_for_imports(code, false)?;
+    let script_dir = path.rsplit_once('/').map(|(dir, _)| dir).unwrap_or("");
+
+    let mut resolved: Vec<String> = imports
+        .into_iter()
+        .filter(|imp| is_relative_import(imp))
+        .map(|imp| {
+            // Remove .ts extension if present
+            let imp = imp.strip_suffix(".ts").unwrap_or(&imp);
+
+            if imp.starts_with("/") {
+                // Absolute path (e.g., /f/folder/script) - remove leading slash
+                imp[1..].to_string()
+            } else {
+                // Relative path (e.g., ./script or ../folder/script)
+                let combined = format!("{}/{}", script_dir, imp);
+                normalize_path(&combined)
+            }
+        })
+        .collect();
+
+    resolved.sort();
+    resolved.dedup();
+    Ok(resolved)
+}
+
+/// Check if an import path is a relative import (starts with `./`, `../`, or `/`)
+fn is_relative_import(import_path: &str) -> bool {
+    import_path.starts_with("./")
+        || import_path.starts_with("../")
+        || import_path.starts_with("/")
+}
+
+/// Normalize a path by resolving `.` and `..` components
+fn normalize_path(input_path: &str) -> String {
+    let parts: Vec<&str> = input_path.split('/').filter(|p| !p.is_empty()).collect();
+    let mut result: Vec<&str> = Vec::new();
+
+    for part in parts {
+        if part == "." {
+            continue;
+        } else if part == ".." {
+            if !result.is_empty() {
+                result.pop();
+            }
+        } else {
+            result.push(part);
+        }
+    }
+
+    result.join("/")
+}
+
 struct OutputFinder {
     idents: HashSet<(String, String)>,
 }

backend/parsers/windmill-parser-ts/tests/tests.rs

@@ -2,7 +2,7 @@
 mod tests {
     use serde_json::json;
     use windmill_parser::{Arg, MainArgSignature, ObjectProperty, ObjectType, Typ};
-    use windmill_parser_ts::{parse_deno_signature, parse_expr_for_imports};
+    use windmill_parser_ts::{parse_deno_signature, parse_expr_for_imports, parse_relative_imports};
 
     #[test]
     fn test_imports_basic() {
@@ -798,7 +798,7 @@ mod tests {
         // Test case where there are exports but no preprocessor
         let code = r#"
         export { foo, bar } from "./utils";
-        
+
         export async function main(param: string) {
             return param;
         }
@@ -806,4 +806,84 @@ mod tests {
         let sig = parse_deno_signature(code, false, false, None).unwrap();
         assert_eq!(sig.has_preprocessor, Some(false));
     }
+
+    // ==========================================================================
+    // Tests for parse_relative_imports
+    // ==========================================================================
+
+    #[test]
+    fn test_relative_imports_dot() {
+        let code = r#"
+        import { helper } from "./helper";
+        export async function main() { return helper(); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/script").unwrap();
+        assert_eq!(result, vec!["f/folder/helper"]);
+    }
+
+    #[test]
+    fn test_relative_imports_double_dot() {
+        let code = r#"
+        import { utils } from "../utils/helper";
+        export async function main() { return utils(); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/subfolder/script").unwrap();
+        assert_eq!(result, vec!["f/folder/utils/helper"]);
+    }
+
+    #[test]
+    fn test_relative_imports_absolute_path() {
+        let code = r#"
+        import { shared } from "/f/shared/utils";
+        export async function main() { return shared(); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/script").unwrap();
+        assert_eq!(result, vec!["f/shared/utils"]);
+    }
+
+    #[test]
+    fn test_relative_imports_mixed() {
+        let code = r#"
+        import { helper } from "./helper";
+        import { utils } from "../utils";
+        import { shared } from "/f/shared/lib";
+        import lodash from "lodash";
+        export async function main() { return helper() + utils() + shared(); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/script").unwrap();
+        // Should only include relative imports, not external packages like lodash
+        assert_eq!(result, vec!["f/folder/helper", "f/shared/lib", "f/utils"]);
+    }
+
+    #[test]
+    fn test_relative_imports_with_ts_extension() {
+        let code = r#"
+        import { helper } from "./helper.ts";
+        export async function main() { return helper(); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/script").unwrap();
+        assert_eq!(result, vec!["f/folder/helper"]);
+    }
+
+    #[test]
+    fn test_relative_imports_external_only() {
+        let code = r#"
+        import lodash from "lodash";
+        import { something } from "@scope/package";
+        export async function main() { return lodash.map([]); }
+        "#;
+        let result = parse_relative_imports(code, "f/folder/script").unwrap();
+        assert!(result.is_empty());
+    }
+
+    #[test]
+    fn test_relative_imports_deeply_nested() {
+        let code = r#"
+        import { a } from "../../a";
+        import { b } from "../../../b";
+        export async function main() { return a() + b(); }
+        "#;
+        let result = parse_relative_imports(code, "f/one/two/three/script").unwrap();
+        assert_eq!(result, vec!["f/b", "f/one/a"]);
+    }
 }

backend/parsers/windmill-parser-wasm/Cargo.toml

@@ -40,6 +40,7 @@ java-parser = [ "dep:windmill-parser-java"]
 ruby-parser = [ "dep:windmill-parser-ruby"]
 wac-parser = [ "dep:windmill-parser-wac"]
 asset-parser = [ "dep:windmill-parser-ts-asset", "dep:windmill-parser-py-asset", "dep:windmill-parser-sql-asset"]
+py-imports-parser = [ "dep:windmill-parser-py-imports"]
 
 [dependencies]
 anyhow.workspace = true
@@ -61,6 +62,7 @@ windmill-parser-wac = { workspace = true, optional = true }
 windmill-parser-ts-asset = { workspace = true, optional = true }
 windmill-parser-py-asset = { workspace = true, optional = true }
 windmill-parser-sql-asset = { workspace = true, optional = true }
+windmill-parser-py-imports = { workspace = true, optional = true }
 wasm-bindgen.workspace = true
 
 serde_json.workspace = true

backend/parsers/windmill-parser-wasm/build.nu

@@ -67,6 +67,12 @@ const targets = [
     features: "asset-parser",
     env: "default",
   },
+  {
+    ident: "py-imports",
+    desc: "Python imports"
+    features: "py-imports-parser",
+    env: "default",
+  },
   # ^^^ Add new entry here ^^^
 ];
 # NOTE: This is legacy command for building all, but it is not more used