test(cli): add non-dotted path tests for generate-metadata and sync pull

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(cli): preserve non-dotted flow lock filenames
2026-03-15 04:30:21 +00:00 · 2026-03-14 22:41:59 -04:00
1428 changed files with 16122 additions and 96823 deletions
--- a/.agents/skills/commit/SKILL.md
+++ b/.agents/skills/commit/SKILL.md
@@ -1,59 +0,0 @@
---
-name: commit
-description: Create a git commit with conventional commit format. MUST use anytime you want to commit changes.
---
-
-# Git Commit Skill
-
-Create a focused, single-line commit following conventional commit conventions.
-
-## Instructions
-
-1. **Analyze changes**: Run `git status` and `git diff` to understand what was modified
-2. **Stage only modified files**: Add files individually by name. NEVER use `git add -A` or `git add .`
-3. **Write commit message**: Follow the conventional commit format as a single line
-
-## Conventional Commit Format
-
-```
-<type>: <description>
-```
-
-### Types
- `feat`: New feature or capability
- `fix`: Bug fix
- `refactor`: Code change that neither fixes a bug nor adds a feature
- `docs`: Documentation only changes
- `style`: Formatting, missing semicolons, etc (no code change)
- `test`: Adding or correcting tests
- `chore`: Maintenance tasks, dependency updates, etc
- `perf`: Performance improvement
-
-### Rules
- Message MUST be a single line (no multi-line messages)
- Description should be lowercase, imperative mood ("add" not "added")
- No period at the end
- Keep under 72 characters total
-
-### Examples
-```
-feat: add token usage tracking for AI providers
-fix: resolve null pointer in job executor
-refactor: extract common validation logic
-docs: update API endpoint documentation
-chore: upgrade sqlx to 0.7
-```
-
-## Execution Steps
-
-1. Run `git status` to see all changes
-2. Run `git diff` to understand the changes in detail
-3. Run `git log --oneline -5` to see recent commit style
-4. Stage ONLY the modified/relevant files: `git add <file1> <file2> ...`
-5. Create the commit with conventional format:
-   ```bash
-   git commit -m "<type>: <description>
-
-   Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>"
-   ```
-6. Run `git status` to verify the commit succeeded
--- a/.agents/skills/local-review/SKILL.md
+++ b/.agents/skills/local-review/SKILL.md
@@ -1,97 +0,0 @@
---
-name: local-review
-description: Code review a pull request for bugs and CLAUDE.md compliance. MUST use when asked to review code.
---
-
-# Local Code Review Skill
-
-Review a pull request for real bugs and CLAUDE.md compliance violations. This review targets HIGH SIGNAL issues only.
-
-## Review Philosophy
-
- **Only flag issues you are certain about.** If you are not sure an issue is real, do not flag it. False positives erode trust and waste reviewer time.
- Think like a senior engineer doing a final review — flag things that would cause incidents, not things that are merely imperfect.
-
-## What to Flag
-
- Code that won't compile or parse (syntax errors, type errors, missing imports)
- Code that will definitely produce wrong results regardless of inputs
- Clear, unambiguous CLAUDE.md violations (quote the exact rule being violated)
- Security issues in introduced code (injection, auth bypass, data exposure)
- Incorrect logic that will fail in production
-
-## What NOT to Flag
-
- Code style or quality concerns
- Potential issues that depend on specific inputs or runtime state
- Subjective suggestions or improvements
- Pre-existing issues not introduced by this PR
- Pedantic nitpicks a senior engineer wouldn't flag
- Issues a linter or type checker will catch
- General quality concerns unless explicitly prohibited in CLAUDE.md
- Issues silenced via lint ignore comments
-
-## Execution Steps
-
-1. **Determine the PR scope**:
-   - If an argument is provided, use it as the PR number or branch
-   - Otherwise, detect from the current branch vs main
-   - Run `gh pr view` if a PR exists, or use `git diff main...HEAD`
-
-2. **Find relevant CLAUDE.md files**:
-   - Read the root `CLAUDE.md`
-   - Check for CLAUDE.md files in directories containing changed files
-
-3. **Get the diff and metadata**:
-   - `gh pr diff` or `git diff main...HEAD` for the full diff
-   - `gh pr view` or `git log main..HEAD --oneline` for context
-
-4. **Read changed files** where the diff alone is insufficient to understand context
-
-5. **Review for**:
-   - CLAUDE.md compliance — check each rule against the changed code
-   - Bugs and logic errors — will this code work correctly?
-   - Security issues — injection, auth, data exposure in new code
-
-6. **Self-validate each finding**: Before reporting, ask yourself:
-   - "Is this definitely a real issue, not a false positive?"
-   - "Would a senior engineer flag this in review?"
-   - If the answer to either is no, discard the finding
-
-7. **Output findings** to the terminal (default) or post as PR comments (with `--comment` flag)
-
-## Output Format
-
-```
-## Code review
-
-Found N issues:
-
-1. <description> (<reason: CLAUDE.md adherence | bug | security>)
-   <file_path:line_number>
-
-2. <description> (<reason>)
-   <file_path:line_number>
-```
-
-If no issues are found:
-
-```
-## Code review
-
-No issues found. Checked for bugs and CLAUDE.md compliance.
-```
-
-## Posting Comments (--comment flag)
-
-If the user passes `--comment`, post findings as inline PR comments using:
-
-```bash
-gh pr review --comment --body "<summary>"
-```
-
-Or for inline comments on specific lines:
-
-```bash
-gh api repos/{owner}/{repo}/pulls/{pr}/reviews -f body="<summary>" -f event="COMMENT" -f comments="[...]"
-```
--- a/.agents/skills/native-trigger/SKILL.md
+++ b/.agents/skills/native-trigger/SKILL.md
@@ -1,782 +0,0 @@
---
-name: native-trigger
-description: Guidance for adding native trigger services to Windmill. Use when implementing or modifying native trigger integrations across the backend and frontend.
---
-
-# Skill: Adding Native Trigger Services
-
-This skill provides comprehensive guidance for adding new native trigger services to Windmill. Native triggers allow external services (like Nextcloud, Google Drive, etc.) to trigger Windmill scripts/flows via webhooks or push notifications.
-
-## Architecture Overview
-
-The native trigger system consists of:
-
-1. **Database Layer** - PostgreSQL tables and enum types
-2. **Backend Rust Implementation** - Core trait, handlers, and service modules in the `windmill-native-triggers` crate
-3. **Frontend Svelte Components** - Configuration forms and UI components
-
-### Key Files
-
-| Component | Path |
-|-----------|------|
-| Core module with `External` trait | `backend/windmill-native-triggers/src/lib.rs` |
-| Generic CRUD handlers | `backend/windmill-native-triggers/src/handler.rs` |
-| Background sync logic | `backend/windmill-native-triggers/src/sync.rs` |
-| OAuth/workspace integration | `backend/windmill-native-triggers/src/workspace_integrations.rs` |
-| Re-export shim (windmill-api) | `backend/windmill-api/src/native_triggers/mod.rs` |
-| TriggerKind enum | `backend/windmill-common/src/triggers.rs` |
-| JobTriggerKind enum | `backend/windmill-common/src/jobs.rs` |
-| Frontend service registry | `frontend/src/lib/components/triggers/native/utils.ts` |
-| Frontend trigger utilities | `frontend/src/lib/components/triggers/utils.ts` |
-| Trigger badges (icons + counts) | `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte` |
-| Workspace integrations UI | `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte` |
-| OAuth config form component | `frontend/src/lib/components/workspaceSettings/OAuthClientConfig.svelte` |
-| OpenAPI spec | `backend/windmill-api/openapi.yaml` |
-| Reference: Nextcloud module | `backend/windmill-native-triggers/src/nextcloud/` |
-| Reference: Google module | `backend/windmill-native-triggers/src/google/` |
-
-### Crate Structure
-
-The native trigger code lives in the `windmill-native-triggers` crate (`backend/windmill-native-triggers/`). The `windmill-api` crate re-exports everything via a shim:
-
-```rust
-// backend/windmill-api/src/native_triggers/mod.rs
-pub use windmill_native_triggers::*;
-```
-
-All new service modules go in `backend/windmill-native-triggers/src/`.
-
---
-
-## Core Concepts
-
-### The `External` Trait
-
-Every native trigger service implements the `External` trait defined in `lib.rs`:
-
-```rust
-#[async_trait]
-pub trait External: Send + Sync + 'static {
-    // Associated types:
-    type ServiceConfig: Debug + DeserializeOwned + Serialize + Send + Sync;
-    type TriggerData: Debug + Serialize + Send + Sync;
-    type OAuthData: DeserializeOwned + Serialize + Clone + Send + Sync;
-    type CreateResponse: DeserializeOwned + Send + Sync;
-
-    // Constants:
-    const SUPPORT_WEBHOOK: bool;
-    const SERVICE_NAME: ServiceName;
-    const DISPLAY_NAME: &'static str;
-    const TOKEN_ENDPOINT: &'static str;
-    const REFRESH_ENDPOINT: &'static str;
-    const AUTH_ENDPOINT: &'static str;
-
-    // Required methods:
-    async fn create(&self, w_id, oauth_data, webhook_token, data, db, tx) -> Result<Self::CreateResponse>;
-    async fn update(&self, w_id, oauth_data, external_id, webhook_token, data, db, tx) -> Result<serde_json::Value>;
-    async fn get(&self, w_id, oauth_data, external_id, db, tx) -> Result<Self::TriggerData>;
-    async fn delete(&self, w_id, oauth_data, external_id, db, tx) -> Result<()>;
-    async fn exists(&self, w_id, oauth_data, external_id, db, tx) -> Result<bool>;
-    async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors);
-    fn external_id_and_metadata_from_response(&self, resp) -> (String, Option<serde_json::Value>);
-
-    // Methods with defaults:
-    async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned>;
-    fn service_config_from_create_response(&self, data, resp) -> Option<serde_json::Value>;
-    fn additional_routes(&self) -> axum::Router;
-    async fn http_client_request<T, B>(&self, url, method, workspace_id, tx, db, headers, body) -> Result<T>;
-}
-```
-
-Key design points:
- **`update()` returns `serde_json::Value`** - the resolved service_config to store. Each service is responsible for building the final config.
- **`maintain_triggers()`** - periodic background maintenance. Each service implements its own strategy (Nextcloud: reconcile with external state; Google: renew expiring channels).
- **No `list_all()` in the trait** - services that need it (Nextcloud) implement it privately; services that don't (Google) use different maintenance strategies.
- **No `get_external_id_from_trigger_data()` or `extract_service_config_from_trigger_data()`** - removed in favor of the `maintain_triggers` pattern.
-
-### Create Lifecycle: Two Paths
-
-The `create_native_trigger` handler in `handler.rs` supports two creation flows, controlled by `service_config_from_create_response()`:
-
-**Path A: Short (Google pattern)** - `service_config_from_create_response()` returns `Some(config)`:
-1. `create()` registers on external service
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `service_config_from_create_response()` builds the config directly from input data + response metadata
-4. Stores trigger in DB -- done, no extra round-trip
-
-Use this when the external_id is known before the create call (e.g., Google generates the channel_id as a UUID upfront and includes it in the webhook URL).
-
-**Path B: Long (Nextcloud pattern)** - `service_config_from_create_response()` returns `None` (default):
-1. `create()` registers on external service (webhook URL has no external_id yet)
-2. `external_id_and_metadata_from_response()` extracts the ID
-3. `update()` is called to fix the webhook URL with the now-known external_id
-4. `update()` returns the resolved service_config
-5. Stores trigger in DB
-
-Use this when the external_id is assigned by the remote service and the webhook URL needs to be corrected after creation.
-
-### OAuth Token Storage (Three-Table Pattern)
-
-OAuth tokens are stored across three tables, NOT in `workspace_integrations.oauth_data` directly:
-
-| Table | What's Stored |
-|-------|---------------|
-| `workspace_integrations` | `oauth_data` JSON with `base_url`, `client_id`, `client_secret`, `instance_shared` flag; `resource_path` pointing to the variable |
-| `variable` | Encrypted `access_token` (at the path stored in `resource_path`), linked to `account` via `account` column |
-| `account` | `refresh_token`, keyed by `workspace_id` + `client` (service name) + `is_workspace_integration = true` |
-
-The `decrypt_oauth_data()` function in `lib.rs` assembles these into a unified struct:
-```rust
-pub struct OAuthConfig {
-    pub base_url: String,
-    pub access_token: String,      // decrypted from variable
-    pub refresh_token: Option<String>, // from account table
-    pub client_id: String,         // from oauth_data or instance settings
-    pub client_secret: String,     // from oauth_data or instance settings
-}
-```
-
-Instance-level sharing: when `oauth_data.instance_shared == true`, `client_id` and `client_secret` are read from global settings instead of workspace_integrations.
-
-### URL Resolution
-
-The `resolve_endpoint()` helper handles both absolute and relative OAuth URLs:
-
-```rust
-pub fn resolve_endpoint(base_url: &str, endpoint: &str) -> String {
-    if endpoint.starts_with("http://") || endpoint.starts_with("https://") {
-        endpoint.to_string()  // Google: absolute URLs
-    } else {
-        format!("{}{}", base_url, endpoint)  // Nextcloud: relative paths
-    }
-}
-```
-
-### ServiceName Methods
-
-`ServiceName` is the central registry enum. Each variant must implement these match arms:
-
-| Method | Purpose |
-|--------|---------|
-| `as_str()` | Lowercase identifier (e.g., `"google"`) |
-| `as_trigger_kind()` | Maps to `TriggerKind` enum |
-| `as_job_trigger_kind()` | Maps to `JobTriggerKind` enum |
-| `token_endpoint()` | OAuth token endpoint (relative or absolute) |
-| `auth_endpoint()` | OAuth authorization endpoint |
-| `oauth_scopes()` | Space-separated OAuth scopes |
-| `resource_type()` | Resource type for token storage (e.g., `"gworkspace"`) |
-| `extra_auth_params()` | Extra OAuth params (e.g., Google needs `access_type=offline`, `prompt=consent`) |
-| `integration_service()` | Maps to the workspace integration service (usually `*self`) |
-| `TryFrom<String>` | Parse from string |
-| `Display` | Delegates to `as_str()` |
-
---
-
-## Step-by-Step Implementation Guide
-
-### Step 1: Database Migration
-
-Create a new migration file: `backend/migrations/YYYYMMDDHHMMSS_newservice_trigger.up.sql`
-
-```sql
-- Add the service to the native_trigger_service enum
-ALTER TYPE native_trigger_service ADD VALUE IF NOT EXISTS 'newservice';
-
-- Add to TRIGGER_KIND enum (used for trigger tracking)
-ALTER TYPE TRIGGER_KIND ADD VALUE IF NOT EXISTS 'newservice';
-
-- Add to job_trigger_kind enum (used for job tracking)
-ALTER TYPE job_trigger_kind ADD VALUE IF NOT EXISTS 'newservice';
-```
-
-Also create the corresponding down migration.
-
-### Step 2: Update windmill-common Enums
-
-#### `backend/windmill-common/src/triggers.rs`
-
-Add variant to `TriggerKind` enum, and update `to_key()` and `fmt()` implementations.
-
-#### `backend/windmill-common/src/jobs.rs`
-
-Add variant to `JobTriggerKind` enum and update the `Display` implementation.
-
-### Step 3: Backend Service Module
-
-Create a new directory: `backend/windmill-native-triggers/src/newservice/`
-
-#### `mod.rs` - Type Definitions
-
-```rust
-use serde::{Deserialize, Serialize};
-
-pub mod external;
-// pub mod routes; // Only if you need additional service-specific routes
-
-/// OAuth data deserialized from the three-table pattern.
-/// The actual structure is built by decrypt_oauth_data() from variable + account + workspace_integrations.
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct NewServiceOAuthData {
-    pub base_url: String,              // from workspace_integrations.oauth_data
-    pub access_token: String,          // decrypted from variable table
-    pub refresh_token: Option<String>, // from account table
-    // Note: client_id and client_secret are in OAuthConfig, not here
-    // unless the service needs them at runtime for API calls
-}
-
-/// Configuration provided by user when creating/updating a trigger.
-/// Stored as JSON in native_trigger.service_config.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceConfig {
-    // Service-specific configuration fields
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-}
-
-/// Data retrieved from the external service about a trigger.
-/// Returned by the get() method and shown in the UI.
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NewServiceTriggerData {
-    pub folder_path: String,
-    pub file_filter: Option<String>,
-    // Fields that shouldn't affect service_config comparison should use #[serde(skip_serializing)]
-}
-
-/// Response from external service when creating a trigger/webhook.
-#[derive(Debug, Deserialize)]
-pub struct CreateTriggerResponse {
-    pub id: String,
-}
-
-/// Handler struct (stateless, used for routing)
-#[derive(Copy, Clone)]
-pub struct NewService;
-```
-
-#### `external.rs` - External Trait Implementation
-
-```rust
-use async_trait::async_trait;
-use reqwest::Method;
-use sqlx::PgConnection;
-use std::collections::HashMap;
-use windmill_common::{
-    error::{Error, Result},
-    BASE_URL, DB,
-};
-
-use crate::{
-    generate_webhook_service_url, External, NativeTrigger, NativeTriggerData, ServiceName,
-    sync::{SyncError, TriggerSyncInfo},
-};
-use super::{NewService, NewServiceConfig, NewServiceOAuthData, NewServiceTriggerData, CreateTriggerResponse};
-
-#[async_trait]
-impl External for NewService {
-    type ServiceConfig = NewServiceConfig;
-    type TriggerData = NewServiceTriggerData;
-    type OAuthData = NewServiceOAuthData;
-    type CreateResponse = CreateTriggerResponse;
-
-    const SERVICE_NAME: ServiceName = ServiceName::NewService;
-    const DISPLAY_NAME: &'static str = "New Service";
-    const SUPPORT_WEBHOOK: bool = true;
-    const TOKEN_ENDPOINT: &'static str = "/oauth/token";
-    const REFRESH_ENDPOINT: &'static str = "/oauth/token";
-    const AUTH_ENDPOINT: &'static str = "/oauth/authorize";
-
-    async fn create(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::CreateResponse> {
-        let base_url = &*BASE_URL.read().await;
-
-        // external_id is None during create (we get it from the response)
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            None, Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/create", oauth_data.base_url);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let response: CreateTriggerResponse = self
-            .http_client_request(&url, Method::POST, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        Ok(response)
-    }
-
-    /// Update returns the resolved service_config as JSON.
-    /// For services using the update+get pattern, call self.get() and serialize.
-    async fn update(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        webhook_token: &str,
-        data: &NativeTriggerData<Self::ServiceConfig>,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<serde_json::Value> {
-        let base_url = &*BASE_URL.read().await;
-
-        let webhook_url = generate_webhook_service_url(
-            base_url, w_id, &data.script_path, data.is_flow,
-            Some(external_id), Self::SERVICE_NAME, webhook_token,
-        );
-
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let payload = serde_json::json!({
-            "callback_url": webhook_url,
-            "folder_path": data.service_config.folder_path,
-        });
-
-        let _: serde_json::Value = self
-            .http_client_request(&url, Method::PUT, w_id, tx, db, None, Some(&payload))
-            .await?;
-
-        // Fetch back the updated state to get the resolved config
-        let trigger_data = self.get(w_id, oauth_data, external_id, db, tx).await?;
-        serde_json::to_value(&trigger_data)
-            .map_err(|e| Error::InternalErr(format!("Failed to serialize trigger data: {}", e)))
-    }
-
-    async fn get(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<Self::TriggerData> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        self.http_client_request::<_, ()>(&url, Method::GET, w_id, tx, db, None, None).await
-    }
-
-    async fn delete(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<()> {
-        let url = format!("{}/api/webhooks/{}", oauth_data.base_url, external_id);
-        let _: serde_json::Value = self
-            .http_client_request::<_, ()>(&url, Method::DELETE, w_id, tx, db, None, None)
-            .await
-            .or_else(|e| match &e {
-                Error::InternalErr(msg) if msg.contains("404") => Ok(serde_json::Value::Null),
-                _ => Err(e),
-            })?;
-        Ok(())
-    }
-
-    async fn exists(
-        &self,
-        w_id: &str,
-        oauth_data: &Self::OAuthData,
-        external_id: &str,
-        db: &DB,
-        tx: &mut PgConnection,
-    ) -> Result<bool> {
-        match self.get(w_id, oauth_data, external_id, db, tx).await {
-            Ok(_) => Ok(true),
-            Err(Error::NotFound(_)) => Ok(false),
-            Err(e) => Err(e),
-        }
-    }
-
-    /// Background maintenance. Choose the right pattern for your service:
-    /// - For services with queryable external state: use reconcile_with_external_state()
-    /// - For channel-based services with expiration: implement renewal logic
-    async fn maintain_triggers(
-        &self,
-        db: &DB,
-        workspace_id: &str,
-        triggers: &[NativeTrigger],
-        oauth_data: &Self::OAuthData,
-        synced: &mut Vec<TriggerSyncInfo>,
-        errors: &mut Vec<SyncError>,
-    ) {
-        // Option A: Reconcile with external state (Nextcloud pattern)
-        // Fetch all triggers from external service and compare with DB
-        let external_triggers = match self.list_all(workspace_id, oauth_data, db).await {
-            Ok(triggers) => triggers,
-            Err(e) => {
-                errors.push(SyncError {
-                    resource_path: format!("workspace:{}", workspace_id),
-                    error_message: format!("Failed to list triggers: {}", e),
-                    error_type: "api_error".to_string(),
-                });
-                return;
-            }
-        };
-
-        // Convert to (external_id, config_json) pairs
-        let external_pairs: Vec<(String, serde_json::Value)> = external_triggers
-            .into_iter()
-            .map(|t| (t.id.clone(), serde_json::to_value(&t).unwrap_or_default()))
-            .collect();
-
-        crate::sync::reconcile_with_external_state(
-            db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-        ).await;
-    }
-
-    fn external_id_and_metadata_from_response(
-        &self,
-        resp: &Self::CreateResponse,
-    ) -> (String, Option<serde_json::Value>) {
-        (resp.id.clone(), None)
-    }
-
-    // service_config_from_create_response: NOT overridden (returns None).
-    // This means the handler uses the update+get pattern after create.
-    // Override and return Some(...) to skip the update+get cycle (Google pattern).
-}
-
-impl NewService {
-    /// Private helper to list all triggers from the external service.
-    async fn list_all(
-        &self,
-        w_id: &str,
-        oauth_data: &<Self as External>::OAuthData,
-        db: &DB,
-    ) -> Result<Vec<<Self as External>::TriggerData>> {
-        // Implementation depends on the external service's API
-        todo!()
-    }
-}
-```
-
-### Step 4: Update lib.rs Registry
-
-In `backend/windmill-native-triggers/src/lib.rs`:
-
-```rust
-// Service modules - add new services here:
-#[cfg(feature = "native_trigger")]
-pub mod newservice;  // <-- Add this
-
-// ServiceName enum - add variant:
-pub enum ServiceName {
-    Nextcloud,
-    Google,
-    NewService,  // <-- Add this
-}
-
-// Then add match arms in ALL ServiceName methods:
-// as_str(), as_trigger_kind(), as_job_trigger_kind(), token_endpoint(),
-// auth_endpoint(), oauth_scopes(), resource_type(), extra_auth_params(),
-// integration_service(), TryFrom<String>, Display
-```
-
-### Step 5: Update handler.rs Routes
-
-In `backend/windmill-native-triggers/src/handler.rs`:
-
-```rust
-pub fn generate_native_trigger_routers() -> Router {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-        return router
-            .nest("/nextcloud", service_routes(NextCloud))
-            .nest("/google", service_routes(Google))
-            .nest("/newservice", service_routes(NewService));  // <-- Add this
-    }
-    // ...
-}
-```
-
-### Step 6: Update sync.rs
-
-In `backend/windmill-native-triggers/src/sync.rs`:
-
-```rust
-pub async fn sync_all_triggers(db: &DB) -> Result<BackgroundSyncResult> {
-    // ...
-    #[cfg(feature = "native_trigger")]
-    {
-        use crate::newservice::NewService;
-
-        // ... existing service syncs ...
-
-        // New service sync
-        let (service_name, result) = sync_service_triggers(db, NewService).await;
-        total_synced += result.synced_triggers.len();
-        total_errors += result.errors.len();
-        service_results.insert(service_name, result);
-    }
-    // ...
-}
-```
-
-### Step 7: Frontend Service Registry
-
-In `frontend/src/lib/components/triggers/native/utils.ts`:
-
-Add to `NATIVE_TRIGGER_SERVICES`, `getTriggerIconName()`, and `getServiceIcon()`.
-
-### Step 8: Frontend Trigger Form Component
-
-Create: `frontend/src/lib/components/triggers/native/services/newservice/NewServiceTriggerForm.svelte`
-
-### Step 9: Frontend Icon Component
-
-Create: `frontend/src/lib/components/icons/NewServiceIcon.svelte`
-
-### Step 10: Update NativeTriggerEditor
-
-Check `frontend/src/lib/components/triggers/native/NativeTriggerEditor.svelte` to ensure it dynamically loads form components based on service name.
-
-### Step 11: Workspace Integration UI
-
-Add your service to the `supportedServices` map in `frontend/src/lib/components/workspaceSettings/WorkspaceIntegrations.svelte`:
-
-```typescript
-const supportedServices: Record<string, ServiceConfig> = {
-    // ... existing services ...
-    newservice: {
-        name: 'newservice',
-        displayName: 'New Service',
-        description: 'Connect to New Service for triggers',
-        icon: NewServiceIcon,
-        docsUrl: 'https://www.windmill.dev/docs/integrations/newservice',
-        requiresBaseUrl: false,  // false for cloud services, true for self-hosted
-        setupInstructions: [
-            'Step 1: Create an OAuth app on the service',
-            'Step 2: Configure the redirect URI shown below',
-            'Step 3: Enter the client credentials below'
-        ]
-    }
-}
-```
-
-### Step 12: Update `frontend/src/lib/components/triggers/utils.ts`
-
-Update ALL of these maps/functions:
-1. `triggerIconMap` - import and add icon
-2. `triggerDisplayNamesMap` - add display name
-3. `triggerTypeOrder` in `sortTriggers()` - add type
-4. `getLightConfig()` - add case for your service
-5. `getTriggerLabel()` - add case for your service
-6. `jobTriggerKinds` - add to array
-7. `countPropertyMap` - add count property
-8. `triggerSaveFunctions` - add save function
-
-### Step 13: Update TriggersBadge Component
-
-In `frontend/src/lib/components/graph/renderers/triggers/TriggersBadge.svelte`:
-
-1. Import the icon
-2. Add to `baseConfig` with `countKey` (the dynamic `availableNativeServices` loop does NOT set `countKey`)
-3. Add to the `allTypes` array
-
-### Step 14: Update TriggersWrapper.svelte
-
-In `frontend/src/lib/components/triggers/TriggersWrapper.svelte`:
-
-Add a `{:else if selectedTrigger.type === 'yourservice'}` case that renders `<NativeTriggersPanel service="yourservice" ...>` with the same props pattern as the existing native trigger cases (e.g., `nextcloud`).
-
-### Step 15: Update AddTriggersButton.svelte
-
-In `frontend/src/lib/components/triggers/AddTriggersButton.svelte`:
-
-1. Add `yourserviceAvailable` state variable
-2. Add `setYourserviceState()` async function using `isServiceAvailable('yourservice', $workspaceStore!)`
-3. Call it at module level
-4. Add a dropdown entry to `addTriggerItems` with `hidden: !yourserviceAvailable`
-
-### Step 16: Update TriggersEditor.svelte Delete Handling
-
-In `frontend/src/lib/components/triggers/TriggersEditor.svelte`:
-
-Add your service to the `nativeTriggerServices` map in `deleteDeployedTrigger()`. Native triggers use `NativeTriggerService.deleteNativeTrigger({ workspace, serviceName, externalId })` instead of the standard `path`-based delete.
-
-### Step 17: Update OpenAPI Spec and Regenerate Types
-
-Add to `JobTriggerKind` enum in `backend/windmill-api/openapi.yaml`, then:
-
-```bash
-cd frontend && npm run generate-backend-client
-```
-
---
-
-## Special Patterns
-
-### Unified Service with `trigger_type` (Google Pattern)
-
-When a single service handles multiple trigger types (e.g., Google Drive + Calendar share OAuth and API patterns), use a single `ServiceName` variant with a discriminator field:
-
-```rust
-pub enum GoogleTriggerType { Drive, Calendar }
-
-pub struct GoogleServiceConfig {
-    pub trigger_type: GoogleTriggerType,
-    // Drive-specific fields (only used when trigger_type = Drive)
-    pub resource_id: Option<String>,
-    pub resource_name: Option<String>,
-    // Calendar-specific fields (only used when trigger_type = Calendar)
-    pub calendar_id: Option<String>,
-    pub calendar_name: Option<String>,
-    // Metadata set after creation
-    pub google_resource_id: Option<String>,
-    pub expiration: Option<String>,
-}
-```
-
-Branch in trait methods based on `trigger_type`. Frontend uses a `ToggleButtonGroup` to switch between types. This keeps the codebase simpler (one service, one OAuth flow, one set of routes).
-
-See `backend/windmill-native-triggers/src/google/` for the reference implementation.
-
-### Skipping update+get After Create (Google Pattern)
-
-Override `service_config_from_create_response()` to return `Some(config)` when the external_id is known before the create call:
-
-```rust
-fn service_config_from_create_response(
-    &self,
-    data: &NativeTriggerData<Self::ServiceConfig>,
-    resp: &Self::CreateResponse,
-) -> Option<serde_json::Value> {
-    // Clone input config, add metadata from response
-    let mut config = data.service_config.clone();
-    config.google_resource_id = Some(resp.resource_id.clone());
-    config.expiration = Some(resp.expiration.clone());
-    Some(serde_json::to_value(&config).unwrap())
-}
-```
-
-### Services with Absolute OAuth Endpoints (Google)
-
-Unlike self-hosted services where OAuth endpoints are relative paths appended to `base_url`, services like Google have absolute URLs:
-
-```rust
-// Nextcloud: relative paths
-ServiceName::Nextcloud => "/apps/oauth2/api/v1/token",
-// Google: absolute URLs
-ServiceName::Google => "https://oauth2.googleapis.com/token",
-```
-
-The `resolve_endpoint()` function handles both. For services with absolute endpoints:
- `base_url` can be empty
- `requiresBaseUrl: false` in the frontend workspace integration config
- Add `extra_auth_params()` if needed (Google requires `access_type=offline` and `prompt=consent`)
-
-### Channel-Based Push Notifications with Renewal (Google Pattern)
-
-For services using expiring watch channels instead of persistent webhooks:
-
-1. Store expiration in `service_config` (as part of `ServiceConfig`)
-2. In `maintain_triggers()`, implement renewal logic instead of using `reconcile_with_external_state()`:
-   ```rust
-   async fn maintain_triggers(&self, db, workspace_id, triggers, oauth_data, synced, errors) {
-       for trigger in triggers {
-           if should_renew_channel(trigger) {
-               self.renew_channel(db, trigger, oauth_data).await;
-           }
-       }
-   }
-   ```
-3. Renewal: best-effort stop old channel, create new one with same external_id, update service_config with new expiration
-4. Google example: Drive channels expire in 24h (renew when <1h left), Calendar channels expire in 7 days (renew when <1 day left)
-
-### reconcile_with_external_state (Nextcloud Pattern)
-
-The reusable function in `sync.rs` compares external triggers with DB state:
- Triggers missing externally: sets error "Trigger no longer exists on external service"
- Triggers present externally: clears errors, updates service_config if it differs
-
-Usage in `maintain_triggers()`:
-```rust
-let external_pairs: Vec<(String, serde_json::Value)> = /* fetch from external */;
-crate::sync::reconcile_with_external_state(
-    db, workspace_id, Self::SERVICE_NAME, triggers, &external_pairs, synced, errors,
-).await;
-```
-
-### Webhook Payload Processing
-
-Override `prepare_webhook()` to parse service-specific payloads into script/flow args:
-
-```rust
-async fn prepare_webhook(&self, db, w_id, headers, body, script_path, is_flow) -> Result<PushArgsOwned> {
-    let mut args = HashMap::new();
-    args.insert("event_type".to_string(), Box::new(headers.get("x-event-type").cloned()) as _);
-    args.insert("payload".to_string(), Box::new(serde_json::from_str::<serde_json::Value>(&body)?) as _);
-    Ok(PushArgsOwned { extra: None, args })
-}
-```
-
-Then register in `prepare_native_trigger_args()` in `lib.rs`:
-```rust
-pub async fn prepare_native_trigger_args(service_name, db, w_id, headers, body) -> Result<Option<PushArgsOwned>> {
-    match service_name {
-        ServiceName::Google => { /* ... */ Ok(Some(args)) }
-        ServiceName::NewService => { /* ... */ Ok(Some(args)) }
-        ServiceName::Nextcloud => Ok(None), // Uses default body parsing
-    }
-}
-```
-
-### Instance-Level OAuth Credentials
-
-When `workspace_integrations.oauth_data.instance_shared == true`, `decrypt_oauth_data()` reads `client_id` and `client_secret` from instance-level global settings instead of workspace-level. This allows admins to share OAuth app credentials across workspaces.
-
-The frontend handles this via the `generate_instance_connect_url` endpoint in `workspace_integrations.rs`.
-
---
-
-## Testing Checklist
-
- [ ] Database migration runs successfully
- [ ] `cargo check -p windmill-native-triggers --features native_trigger` passes
- [ ] `npx svelte-check --threshold error` passes (in frontend/)
- [ ] Service appears in workspace integrations list
- [ ] OAuth flow completes successfully
- [ ] Can create a new trigger
- [ ] Can view trigger details
- [ ] Can update trigger configuration
- [ ] Can delete trigger
- [ ] Webhook receives and processes payloads
- [ ] Background sync works correctly (reconciliation or channel renewal)
- [ ] Error handling works (expired tokens, service unavailable)
-
---
-
-## Reference Implementations
-
-### Nextcloud (Self-Hosted, Update+Get Pattern)
-
-| File | Purpose |
-|------|---------|
-| `nextcloud/mod.rs` | Types: NextCloudOAuthData, NextcloudServiceConfig, NextCloudTriggerData |
-| `nextcloud/external.rs` | External trait: uses update+get pattern, reconcile_with_external_state for sync |
-| `nextcloud/routes.rs` | Additional route: `GET /events` |
-
-Key patterns: relative OAuth endpoints, base_url required, list_all + reconcile for sync, update returns JSON from get().
-
-### Google (Cloud, Unified Service, Short Create)
-
-| File | Purpose |
-|------|---------|
-| `google/mod.rs` | Types: GoogleServiceConfig with trigger_type discriminator, GoogleTriggerType enum |
-| `google/external.rs` | External trait: overrides service_config_from_create_response, channel renewal for sync |
-| `google/routes.rs` | Additional routes: `GET /calendars`, `GET /drive/files`, `GET /drive/shared_drives` |
-
-Key patterns: absolute OAuth endpoints, empty base_url, trigger_type for Drive/Calendar, expiring watch channels with renewal, service_config_from_create_response skips update+get, get() reconstructs data from stored service_config (no external "get channel" API).
--- a/.agents/skills/pr/SKILL.md
+++ b/.agents/skills/pr/SKILL.md
@@ -1,109 +0,0 @@
---
-name: pr
-description: Open a draft pull request on GitHub. MUST use when you want to create/open a PR.
---
-
-# Pull Request Skill
-
-Create a draft pull request with a clear title and explicit description of changes.
-
-## Instructions
-
-1. **Analyze branch changes**: Understand all commits since diverging from main
-2. **Push to remote**: Ensure all commits are pushed
-3. **Create draft PR**: Always open as draft for review before merging
-
-## PR Title Format
-
-Follow conventional commit format for the PR title:
-```
-<type>: <description>
-```
-
-### Types
- `feat`: New feature or capability
- `fix`: Bug fix
- `refactor`: Code restructuring
- `docs`: Documentation changes
- `chore`: Maintenance tasks
- `perf`: Performance improvements
-
-### Title Rules
- Keep under 70 characters
- Use lowercase, imperative mood
- No period at the end
- If `*_ee.rs` files were modified, prefix with `[ee]`: `[ee] <type>: <description>`
-
-## PR Body Format
-
-The body MUST be explicit about what changed. Structure:
-
-```markdown
-## Summary
-<Clear description of what this PR does and why>
-
-## Changes
- <Specific change 1>
- <Specific change 2>
- <Specific change 3>
-
-## Test plan
- [ ] <How to verify change 1>
- [ ] <How to verify change 2>
-
---
-Generated with [Claude Code](https://claude.com/claude-code)
-```
-
-## Execution Steps
-
-1. Run `git status` to check for uncommitted changes
-2. Run `git log main..HEAD --oneline` to see all commits in this branch
-3. Run `git diff main...HEAD` to see the full diff against main
-4. Check if remote branch exists and is up to date:
-   ```bash
-   git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null || echo "no upstream"
-   ```
-5. Push to remote if needed: `git push -u origin HEAD`
-6. Create draft PR using gh CLI:
-   ```bash
-   gh pr create --draft --title "<type>: <description>" --body "$(cat <<'EOF'
-   ## Summary
-   <description>
-
-   ## Changes
-   - <change 1>
-   - <change 2>
-
-   ## Test plan
-   - [ ] <test 1>
-   - [ ] <test 2>
-
-   ---
-   Generated with [Claude Code](https://claude.com/claude-code)
-   EOF
-   )"
-   ```
-7. Return the PR URL to the user
-
-## EE Companion PR (when `*_ee.rs` files were modified)
-
-The `*_ee.rs` files in the windmill repo are **symlinks** to `windmill-ee-private` — changes won't appear in `git diff` of the windmill repo. Instead, check the EE repo for uncommitted or unpushed changes.
-
-Follow the full EE PR workflow in `docs/enterprise.md`. The key PR-specific details:
-
-1. Find the EE repo/worktree: see "Finding the EE Repo" in `docs/enterprise.md`
-2. Check for changes: `git -C <ee-path> status --short`
-   - If there are no changes in the EE repo, skip this entire section
-3. Follow steps 1–5 from the "EE PR Workflow" in `docs/enterprise.md`
-4. Create the companion PR (title does NOT get the `[ee]` prefix):
-   ```bash
-   gh pr create --draft --repo windmill-labs/windmill-ee-private --title "<type>: <description>" --body "$(cat <<'EOF'
-   Companion PR for windmill-labs/windmill#<PR_NUMBER>
-
-   ---
-   Generated with [Claude Code](https://claude.com/claude-code)
-   EOF
-   )"
-   ```
-5. Commit `ee-repo-ref.txt` and push the updated windmill branch
--- a/.agents/skills/refine/SKILL.md
+++ b/.agents/skills/refine/SKILL.md
@@ -1,38 +0,0 @@
---
-name: refine
-description: End-of-session reflection. Reviews friction encountered during the session and proposes updates to docs/ to capture lessons learned.
---
-
-# Refine Skill
-
-Reflect on the current session and update documentation with lessons learned.
-
-## Instructions
-
-1. **Identify friction**: Review what happened in this session:
-   - Run `git diff main...HEAD --stat` to see what files were touched
-   - Think about: what was slow, what failed, what required multiple attempts, what information was missing or hard to find
-
-2. **Read current docs**: Read the docs that were relevant to this session:
-   - `docs/validation.md`
-   - `docs/enterprise.md`
-   - `docs/autonomous-mode.md`
-   - Any skills that were invoked
-
-3. **Propose updates**: For each piece of friction, decide if it warrants a doc update:
-   - **Missing knowledge**: Information you had to discover that should be documented
-   - **Wrong guidance**: Instructions that led you astray
-   - **Missing validation rule**: A check that should be in the validation matrix
-   - **New pattern**: A codebase pattern worth capturing for next time
-
-4. **Apply updates**: Edit the relevant `docs/` files. Keep changes minimal and specific — add only what would have saved time this session.
-
-5. **Report**: Summarize what was added/changed and why.
-
-## Rules
-
- Only add knowledge confirmed by this session — no speculative additions
- Keep docs concise — add a line or two, not a paragraph
- If a whole new doc is needed, create it in `docs/` and add a pointer in `CLAUDE.md`
- Don't update skills unless a coding pattern was genuinely wrong
- Don't add things Claude already knows — only Windmill-specific knowledge
--- a/.agents/skills/rust-backend/SKILL.md
+++ b/.agents/skills/rust-backend/SKILL.md
@@ -1,107 +0,0 @@
---
-name: rust-backend
-description: Rust coding guidelines for the Windmill backend. MUST use when writing or modifying Rust code in the backend directory.
---
-
-# Windmill Rust Patterns
-
-Apply these Windmill-specific patterns when writing Rust code in `backend/`.
-
-## Error Handling
-
-Use `Error` from `windmill_common::error`. Return `Result<T, Error>` or `JsonResult<T>`:
-
-```rust
-use windmill_common::error::{Error, Result};
-
-pub async fn get_job(db: &DB, id: Uuid) -> Result<Job> {
-    sqlx::query_as!(Job, "SELECT id, workspace_id FROM v2_job WHERE id = $1", id)
-        .fetch_optional(db)
-        .await?
-        .ok_or_else(|| Error::NotFound("job not found".to_string()))?;
-}
-```
-
-Never panic in library code. Reserve `.unwrap()` for compile-time guarantees.
-
-## SQLx Patterns
-
-**Never use `SELECT *`** — always list columns explicitly. Critical for backwards compatibility when workers lag behind API version:
-
-```rust
-// Correct
-sqlx::query_as!(Job, "SELECT id, workspace_id, path FROM v2_job WHERE id = $1", id)
-
-// Wrong — breaks when columns are added
-sqlx::query_as!(Job, "SELECT * FROM v2_job WHERE id = $1", id)
-```
-
-Use batch operations to avoid N+1:
-
-```rust
-// Preferred — single query with IN clause
-sqlx::query!("SELECT ... WHERE id = ANY($1)", &ids[..]).fetch_all(db).await?
-```
-
-Use transactions for multi-step operations. Parameterize all queries.
-
-## JSON Handling
-
-Prefer `Box<serde_json::value::RawValue>` over `serde_json::Value` when storing/passing JSON without inspection:
-
-```rust
-pub struct Job {
-    pub args: Option<Box<serde_json::value::RawValue>>,
-}
-```
-
-Only use `serde_json::Value` when you need to inspect or modify the JSON.
-
-## Serde Optimizations
-
-```rust
-#[derive(Serialize, Deserialize)]
-pub struct Job {
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub parent_job: Option<Uuid>,
-    #[serde(skip_serializing_if = "Vec::is_empty")]
-    pub tags: Vec<String>,
-    #[serde(default)]
-    pub priority: i32,
-}
-```
-
-## Async & Concurrency
-
-Never block the async runtime. Use `spawn_blocking` for CPU-intensive work:
-
-```rust
-let result = tokio::task::spawn_blocking(move || expensive_computation(&data)).await?;
-```
-
-**Mutex selection**: Prefer `std::sync::Mutex` (or `parking_lot::Mutex`) for data protection. Only use `tokio::sync::Mutex` when holding locks across `.await` points.
-
-Use `tokio::sync::mpsc` (bounded) for channels. Avoid `std::thread::sleep` in async contexts.
-
-## Module Structure & Visibility
-
- Use `pub(crate)` instead of `pub` when possible
- Place new code in the appropriate crate based on functionality
- API endpoints go in `windmill-api/src/` organized by domain
- Shared functionality goes in `windmill-common/src/`
-
-## Code Navigation
-
-Always use rust-analyzer LSP for go-to-definition, find-references, and type info. Do not guess at module paths.
-
-## Axum Handlers
-
-Destructure extractors directly in function signatures:
-
-```rust
-async fn process_job(
-    Extension(db): Extension<DB>,
-    Path((workspace, job_id)): Path<(String, Uuid)>,
-    Query(pagination): Query<Pagination>,
-) -> Result<Json<Job>> { ... }
-```
--- a/.agents/skills/svelte-frontend/SKILL.md
+++ b/.agents/skills/svelte-frontend/SKILL.md
@@ -1,80 +0,0 @@
---
-name: svelte-frontend
-description: Svelte coding guidelines for the Windmill frontend. MUST use when writing or modifying code in the frontend directory.
---
-
-# Windmill Svelte Patterns
-
-Apply these Windmill-specific patterns when writing Svelte code in `frontend/`. For general Svelte 5 syntax (runes, snippets, event handling), use the Svelte MCP server.
-
-## Windmill UI Components (MUST use)
-
-Always use Windmill's design-system components. Never use raw HTML elements.
-
-### Buttons — `<Button>`
-
-```svelte
-<script>
-  import { Button } from '$lib/components/common'
-  import { ChevronLeft } from 'lucide-svelte'
-</script>
-
-<Button variant="default" onclick={handleClick}>Label</Button>
-<Button startIcon={{ icon: ChevronLeft }} iconOnly onclick={prev} />
-```
-
-Props: `variant?: 'accent' | 'accent-secondary' | 'default' | 'subtle'`, `unifiedSize?: 'sm' | 'md' | 'lg'`, `startIcon?: { icon: SvelteComponent }`, `iconOnly?: boolean`, `disabled?: boolean`
-
-### Text inputs — `<TextInput>`
-
-```svelte
-<script>
-  import { TextInput } from '$lib/components/common'
-</script>
-
-<TextInput bind:value={val} placeholder="Enter value" />
-```
-
-Props: `value?: string | number` (bindable), `placeholder?: string`, `disabled?: boolean`, `error?: string | boolean`, `size?: 'sm' | 'md' | 'lg'`
-
-### Selects — `<Select>`
-
-```svelte
-<script>
-  import Select from '$lib/components/select/Select.svelte'
-</script>
-
-<Select items={[{ label: 'Jan', value: 1 }]} bind:value={selected} />
-```
-
-Props: `items?: Array<{ label?: string; value: any }>`, `value` (bindable), `placeholder?: string`, `clearable?: boolean`, `size?: 'sm' | 'md' | 'lg'`
-
-### Icons — `lucide-svelte`
-
-Never write inline SVGs. Import from `lucide-svelte`:
-
-```svelte
-<script>
-  import { ChevronLeft, X } from 'lucide-svelte'
-</script>
-<ChevronLeft size={16} />
-```
-
-## Form Components
-
-Form components (TextInput, Toggle, Select, etc.) should use the unified size system when placed together.
-
-## Styling
-
- Use Tailwind CSS for all styling — no custom CSS
- Use Windmill's theming classes for colors/surfaces (see `frontend/brand-guidelines.md`)
- Read component props JSDoc before using them
-
-## Svelte MCP Server
-
-Use the Svelte MCP tools when working on Svelte code:
-
-1. **list-sections**: Call first to discover available docs
-2. **get-documentation**: Fetch relevant sections based on use_cases
-3. **svelte-autofixer**: MUST use on all Svelte code before finalizing — keep calling until no issues
-4. **playground-link**: Only after user confirms and code was NOT written to project files
--- a/.claude/review-prompt.md
+++ b/.claude/review-prompt.md
@@ -1,25 +0,0 @@
-# Code Review Instructions
-
-Review this pull request and provide comprehensive feedback.
-
-## Focus Areas
-
- **Code quality and best practices** — does the code follow established patterns?
- **Potential bugs or issues** — will this code work correctly in all cases?
- **Performance considerations** — are there unnecessary allocations, N+1 queries, or bottlenecks?
- **Security implications** — injection, auth bypass, data exposure?
-
-## CLAUDE.md Compliance
-
-Read all relevant CLAUDE.md files (root and in directories containing changed files). Check each rule against the changed code. Quote the exact rule when flagging a violation.
-
-## Review Guidelines
-
- Provide detailed feedback using inline comments for specific issues
- Use top-level comments for general observations or praise
- Only flag issues introduced by this PR, not pre-existing problems
- Self-validate each finding: "Is this definitely a real issue?" If uncertain, discard it
-
-## Testing Instructions
-
-At the end of your review, add complete instructions to reproduce the added changes through the app interface. These instructions will be given to a tester so they can verify the changes. It should be a short descriptive text (not a step-by-step or a list) on how to navigate the app (what page, what action, what input, etc.) to see the changes.
--- a/.claude/skills/local-review/SKILL.md
+++ b/.claude/skills/local-review/SKILL.md
@@ -6,24 +6,53 @@ description: Code review a pull request for bugs and CLAUDE.md compliance. MUST

 # Local Code Review Skill

-Run the same review locally that the GitHub Claude Auto Review action runs on PRs. The shared review instructions live in `.claude/review-prompt.md` — read that file first and follow its instructions.
+Review a pull request for real bugs and CLAUDE.md compliance violations. This review targets HIGH SIGNAL issues only.
+
+## Review Philosophy
+
+- **Only flag issues you are certain about.** If you are not sure an issue is real, do not flag it. False positives erode trust and waste reviewer time.
+- Think like a senior engineer doing a final review — flag things that would cause incidents, not things that are merely imperfect.
+
+## What to Flag
+
+- Code that won't compile or parse (syntax errors, type errors, missing imports)
+- Code that will definitely produce wrong results regardless of inputs
+- Clear, unambiguous CLAUDE.md violations (quote the exact rule being violated)
+- Security issues in introduced code (injection, auth bypass, data exposure)
+- Incorrect logic that will fail in production
+
+## What NOT to Flag
+
+- Code style or quality concerns
+- Potential issues that depend on specific inputs or runtime state
+- Subjective suggestions or improvements
+- Pre-existing issues not introduced by this PR
+- Pedantic nitpicks a senior engineer wouldn't flag
+- Issues a linter or type checker will catch
+- General quality concerns unless explicitly prohibited in CLAUDE.md
+- Issues silenced via lint ignore comments

 ## Execution Steps

-1. **Read `.claude/review-prompt.md`** for the review criteria and focus areas
-
-2. **Determine the PR scope**:
+1. **Determine the PR scope**:
   - If an argument is provided, use it as the PR number or branch
   - Otherwise, detect from the current branch vs main
   - Run `gh pr view` if a PR exists, or use `git diff main...HEAD`

+2. **Find relevant CLAUDE.md files**:
+   - Read the root `CLAUDE.md`
+   - Check for CLAUDE.md files in directories containing changed files
+
 3. **Get the diff and metadata**:
   - `gh pr diff` or `git diff main...HEAD` for the full diff
   - `gh pr view` or `git log main..HEAD --oneline` for context

 4. **Read changed files** where the diff alone is insufficient to understand context

-5. **Apply the review instructions from `.claude/review-prompt.md`**
+5. **Review for**:
+   - CLAUDE.md compliance — check each rule against the changed code
+   - Bugs and logic errors — will this code work correctly?
+   - Security issues — injection, auth, data exposure in new code

 6. **Self-validate each finding**: Before reporting, ask yourself:
   - "Is this definitely a real issue, not a false positive?"
--- a/.claude/skills/native-trigger/SKILL.md
+++ b/.claude/skills/native-trigger/SKILL.md
@@ -1,8 +1,3 @@
---
-name: native-trigger
-description: Guidance for adding native trigger services to Windmill. Use when implementing or modifying native trigger integrations across the backend and frontend.
---
-
 # Skill: Adding Native Trigger Services

 This skill provides comprehensive guidance for adding new native trigger services to Windmill. Native triggers allow external services (like Nextcloud, Google Drive, etc.) to trigger Windmill scripts/flows via webhooks or push notifications.
--- a/.claude/skills/pr/SKILL.md
+++ b/.claude/skills/pr/SKILL.md
@@ -61,13 +61,12 @@ Generated with [Claude Code](https://claude.com/claude-code)
 1. Run `git status` to check for uncommitted changes
 2. Run `git log main..HEAD --oneline` to see all commits in this branch
 3. Run `git diff main...HEAD` to see the full diff against main
-4. **Run `/local-review`** before creating the PR. If issues are found, fix them and commit before proceeding. Do not skip this step.
-5. Check if remote branch exists and is up to date:
+4. Check if remote branch exists and is up to date:
   ```bash
   git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null || echo "no upstream"
   ```
-6. Push to remote if needed: `git push -u origin HEAD`
-7. Create draft PR using gh CLI:
+5. Push to remote if needed: `git push -u origin HEAD`
+6. Create draft PR using gh CLI:
   ```bash
   gh pr create --draft --title "<type>: <description>" --body "$(cat <<'EOF'
   ## Summary
@@ -86,7 +85,7 @@ Generated with [Claude Code](https://claude.com/claude-code)
   EOF
   )"
   ```
-8. Return the PR URL to the user
+7. Return the PR URL to the user

 ## EE Companion PR (when `*_ee.rs` files were modified)

--- a/.envrc
+++ b/.envrc
@@ -1,7 +1 @@
 use flake
-
-# Per-worktree overrides (ports, DATABASE_URL, etc.) written by webmux/workmux
-# post-create hooks. Must come after `use flake` so they take precedence over
-# the flake's defaults.
-# shellcheck source=/dev/null
-[ -f .env.local ] && source .env.local
--- a/.github/codex/pr-review.prompt.md
+++ b/.github/codex/pr-review.prompt.md
@@ -1,23 +0,0 @@
-You are reviewing a GitHub pull request for this repository.
-
-Review policy:
- Read `CLAUDE.md` before reviewing code.
- Only report issues you are confident are real and introduced by this pull request.
- Focus on bugs, security problems, and clear `CLAUDE.md` violations.
- Do not report style nits, speculative concerns, pre-existing issues, or problems that a normal linter/typechecker would obviously catch.
- Keep the review high signal. If there is no clear issue, return no findings.
-
-Repository context:
- Read `./.github/codex/pr-review-context.md` for the PR metadata and the exact diff commands to use.
- Review only the changes introduced by this PR.
- Read additional files only when the diff is not enough to validate a finding.
- Do not modify any files.
-
-Output requirements:
- Return a GitHub PR comment in markdown, not JSON.
- Start with `## Codex Review`.
- Give a short overall summary first.
- If you found high-signal issues, list them in a short numbered list with file paths and line numbers when you know them confidently.
- If you found no high-signal issues, say that explicitly.
- End with a `### Reproduction instructions` section containing a short descriptive paragraph for a tester explaining how to navigate the app to observe the change. Do not make it a numbered list. If the diff is not enough to infer this safely, say that plainly.
- Prefer at most 10 findings.
--- a/.github/workflows/backend-test-windows.yml
+++ b/.github/workflows/backend-test-windows.yml
@@ -5,8 +5,6 @@ on:
  push:
    branches:
      - "ci-windows-tests"
-    tags:
-      - "v*"

 env:
  CARGO_INCREMENTAL: 0
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -290,49 +290,6 @@ jobs:
          path: |
            *.json

-  benchmark_wac:
-    runs-on: ubicloud-standard-8
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_DB: windmill
-          POSTGRES_PASSWORD: changeme
-          POSTGRES_INITDB_ARGS: "-c shared_buffers=2GB -c work_mem=32MB -c effective_cache_size=4GB"
-        options: >-
-          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
-          --health-retries 5
-          --shm-size=2g
-      windmill:
-        image: ghcr.io/windmill-labs/windmill-ee:main
-        env:
-          DATABASE_URL: postgres://postgres:changeme@postgres:5432/windmill
-          LICENSE_KEY: ${{ secrets.WM_LICENSE_KEY_CI }}
-          WORKER_GROUP: main
-          WORKER_TAGS: deno,bun,go,python3,bash,dependency,flow,nativets
-        options: >-
-          --pull always --health-interval 10s --health-timeout 5s
-          --health-retries 5 --health-cmd "curl
-          http://localhost:8000/api/version"
-        ports:
-          - 8000:8000
-    steps:
-      - uses: denoland/setup-deno@v2
-        with:
-          deno-version: v2.x
-      - name: benchmark
-        timeout-minutes: 30
-        run: deno run  -A -r
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
-          -c
-          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_wac.json
-      - name: Save benchmark results
-        uses: actions/upload-artifact@v4
-        with:
-          name: benchmark_wac
-          path: |
-            *.json
-
  benchmark_graphs:
    runs-on: ubicloud
    needs:
@@ -340,7 +297,6 @@ jobs:
      - benchmark_dedicated
      - benchmark_4workers
      - benchmark_8workers
-      - benchmark_wac
    steps:
      - uses: denoland/setup-deno@v2
        with:
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -13,10 +13,10 @@ on:
 jobs:
  check-membership:
    if: |
-      (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/ai') && !startsWith(github.event.comment.body, '/ai-fast')) ||
-      (github.event_name == 'pull_request_review_comment' && startsWith(github.event.comment.body, '/ai') && !startsWith(github.event.comment.body, '/ai-fast')) ||
-      (github.event_name == 'pull_request_review' && startsWith(github.event.review.body, '/ai') && !startsWith(github.event.review.body, '/ai-fast')) ||
-      (github.event_name == 'issues' && startsWith(github.event.issue.body, '/ai') && !startsWith(github.event.issue.body, '/ai-fast'))
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/ai')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/ai')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/ai')) ||
+      (github.event_name == 'issues' && contains(github.event.issue.body, '/ai'))
    uses: ./.github/workflows/check-org-membership.yml
    secrets:
      access_token: ${{ secrets.ORG_ACCESS_TOKEN }}
--- a/.github/workflows/cli-tests.yml
+++ b/.github/workflows/cli-tests.yml
@@ -1,18 +1,15 @@
 name: CLI Tests

 on:
-  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - "cli/**"
-      - "backend/migrations/**"
      - ".github/workflows/cli-tests.yml"
  pull_request:
    branches: [main]
    paths:
      - "cli/**"
-      - "backend/migrations/**"
      - ".github/workflows/cli-tests.yml"

 env:
--- a/.github/workflows/codex-pr-review.yml
+++ b/.github/workflows/codex-pr-review.yml
@@ -1,145 +0,0 @@
-name: Codex Auto Review
-
-on:
-  pull_request:
-    types: [ready_for_review, opened]
-
-concurrency:
-  group: codex-review-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  codex-review:
-    runs-on: ubicloud-standard-2
-    timeout-minutes: 30
-    if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false
-    permissions:
-      contents: read
-      issues: write
-    steps:
-      - name: Check Codex configuration
-        id: codex_config
-        env:
-          CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}
-        run: |
-          if [ -n "$CODEX_AUTH_JSON" ]; then
-            echo "enabled=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "enabled=false" >> "$GITHUB_OUTPUT"
-            echo "CODEX_AUTH_JSON is not configured; skipping Codex review."
-          fi
-
-      - name: Checkout repository
-        if: steps.codex_config.outputs.enabled == 'true'
-        uses: actions/checkout@v5
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-          fetch-depth: 1
-
-      - name: Set up Node.js
-        if: steps.codex_config.outputs.enabled == 'true'
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Install Codex CLI
-        if: steps.codex_config.outputs.enabled == 'true'
-        run: npm install --global @openai/codex@0.117.0
-
-      - name: Configure file-backed Codex auth
-        if: steps.codex_config.outputs.enabled == 'true'
-        env:
-          CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}
-        run: |
-          CODEX_HOME="$HOME/.codex"
-          echo "CODEX_HOME=$CODEX_HOME" >> "$GITHUB_ENV"
-          mkdir -p "$CODEX_HOME"
-          chmod 700 "$CODEX_HOME"
-          cat > "$CODEX_HOME/config.toml" <<'EOF'
-          cli_auth_credentials_store = "file"
-          EOF
-          printf '%s' "$CODEX_AUTH_JSON" > "$CODEX_HOME/auth.json"
-          chmod 600 "$CODEX_HOME/auth.json"
-          node -e 'JSON.parse(require("fs").readFileSync(process.argv[1], "utf8"))' "$CODEX_HOME/auth.json"
-
-      - name: Pre-fetch base and head refs for the PR
-        if: steps.codex_config.outputs.enabled == 'true'
-        env:
-          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          git fetch --no-tags origin \
-            "$PR_BASE_REF" \
-            "+refs/pull/$PR_NUMBER/head"
-
-      - name: Write Codex review context
-        if: steps.codex_config.outputs.enabled == 'true'
-        env:
-          PR_REPOSITORY: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          PR_BODY: ${{ github.event.pull_request.body || '' }}
-        run: |
-          mkdir -p .github/codex
-          node <<'NODE'
-          const fs = require('fs');
-          const lines = [
-            `Repository: ${process.env.PR_REPOSITORY}`,
-            `PR number: ${process.env.PR_NUMBER}`,
-            `Base SHA: ${process.env.PR_BASE_SHA}`,
-            `Head SHA: ${process.env.PR_HEAD_SHA}`,
-            '',
-            'PR title:',
-            process.env.PR_TITLE || '(empty)',
-            '',
-            'PR body:',
-            process.env.PR_BODY || '(empty)',
-            '',
-            'Changed commits command:',
-            `git log --oneline ${process.env.PR_BASE_SHA}...${process.env.PR_HEAD_SHA}`,
-            '',
-            'Changed files command:',
-            `git diff --stat ${process.env.PR_BASE_SHA}...${process.env.PR_HEAD_SHA}`,
-            '',
-            'Full review diff command:',
-            `git diff --unified=0 ${process.env.PR_BASE_SHA}...${process.env.PR_HEAD_SHA}`
-          ];
-          fs.writeFileSync('.github/codex/pr-review-context.md', `${lines.join('\n')}\n`);
-          NODE
-
-      - name: Run Codex review
-        if: steps.codex_config.outputs.enabled == 'true'
-        run: |
-          codex exec \
-            -C "$GITHUB_WORKSPACE" \
-            -m gpt-5.4 \
-            -c 'model_reasoning_effort="xhigh"' \
-            -s read-only \
-            -o codex-final-message.md \
-            - < .github/codex/pr-review.prompt.md
-
-      - name: Post Codex review comment
-        if: steps.codex_config.outputs.enabled == 'true'
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ github.token }}
-          script: |
-            const fs = require('fs');
-            const path = `${process.env.GITHUB_WORKSPACE}/codex-final-message.md`;
-            if (!fs.existsSync(path)) {
-              core.info('Codex did not produce a final message; skipping PR comment.');
-              return;
-            }
-            const body = fs.readFileSync(path, 'utf8').trim();
-            if (!body) {
-              core.info('Codex final message was empty; skipping PR comment.');
-              return;
-            }
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              body,
-            });
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -212,59 +212,6 @@ jobs:
            ${{ steps.extract-ee.outputs.destination }}/*
            ${{ steps.extract-duckdb-ffi-internal.outputs.destination }}/*

-  attach_ee_debug_to_release:
-    needs: [build_ee]
-    runs-on: ubicloud
-    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    strategy:
-      matrix:
-        platform: [linux/amd64, linux/arm64]
-        include:
-          - platform: linux/amd64
-            arch: amd64
-          - platform: linux/arm64
-            arch: arm64
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-
-      - name: Read EE repo commit hash
-        run: |
-          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v4
-        with:
-          repository: windmill-labs/windmill-ee-private
-          path: ./windmill-ee-private
-          ref: ${{ env.ee_repo_ref }}
-          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
-
-      - name: Substitute EE code
-        run: |
-          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
-
-      - uses: depot/setup-action@v1
-
-      - name: Extract EE debug info from builder stage (depot cache hit)
-        uses: depot/build-push-action@v1
-        with:
-          context: .
-          platforms: ${{ matrix.platform }}
-          target: debuginfo
-          build-args: |
-            features=ee
-          outputs: type=local,dest=./debuginfo
-
-      - name: Rename debug file with corresponding architecture
-        run: |
-          mv ./debuginfo/windmill.debug ./debuginfo/windmill-ee-${{ matrix.arch }}.debug
-
-      - name: Attach debug file to release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: ./debuginfo/windmill-ee-${{ matrix.arch }}.debug
-
  # attach_arm64_binary_to_release:
  #   needs: [build, build_ee]
  #   runs-on: ubicoud
--- a/.github/workflows/git-commands.yaml
+++ b/.github/workflows/git-commands.yaml
@@ -106,19 +106,6 @@ jobs:
          git config --local user.name "windmill-internal-app[bot]"
          git config pull.rebase true
          git pull origin $BRANCH_NAME
-
-          # Checkout the correct windmill-ee-private commit from ee-repo-ref.txt
-          if [ -f backend/ee-repo-ref.txt ]; then
-            EE_REF=$(cat backend/ee-repo-ref.txt | tr -d '[:space:]')
-            echo "Checking out windmill-ee-private at commit: $EE_REF"
-            cd windmill-ee-private
-            git fetch origin $EE_REF
-            git checkout $EE_REF
-            cd ..
-          else
-            echo "Warning: ee-repo-ref.txt not found, using default branch"
-          fi
-
          mkdir -p frontend/build
          cd backend
          cargo install sqlx-cli --version 0.8.5
--- a/.github/workflows/pr-ready-review.yml
+++ b/.github/workflows/pr-ready-review.yml
@@ -22,15 +22,6 @@ jobs:
        with:
          fetch-depth: 1

-      - name: Read review prompt
-        id: review-prompt
-        run: |
-          {
-            echo 'REVIEW_PROMPT<<EOF'
-            cat .claude/review-prompt.md
-            echo 'EOF'
-          } >> "$GITHUB_ENV"
-
      - name: Automatic PR Review
        uses: anthropics/claude-code-action@v1
        with:
@@ -40,7 +31,18 @@ jobs:
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}

-            ${{ env.REVIEW_PROMPT }}
+            Please review this pull request and provide comprehensive feedback.
+
+            Focus on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security implications
+
+            Provide detailed feedback using inline comments for specific issues.
+            Use top-level comments for general observations or praise.
+
+            At the end of your review, add complete instructions to reproduce the added changes through the app interface. These instructions will be given to a tester so he can verify the changes. It should be a short descriptive text (not a step by step or a list) on how to navigate the app (what page, what action, what input, etc) to see the changes.
          claude_args: |
            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
            --model opus
--- a/.github/workflows/rust-client-check.yml
+++ b/.github/workflows/rust-client-check.yml
@@ -18,7 +18,10 @@ jobs:
    runs-on: ubicloud-standard-8
    steps:
      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v31
+      - uses: cachix/install-nix-action@v20
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
      - name: Check rust client builds
        run: cd rust-client && nix develop ../ --command ./dev.nu --check
        timeout-minutes: 16
--- a/.github/workflows/rust_on_release.yml
+++ b/.github/workflows/rust_on_release.yml
@@ -10,7 +10,10 @@ jobs:
    runs-on: ubicloud-standard-8
    steps:
      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v31
+      - uses: cachix/install-nix-action@v20
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
      - run: cd rust-client && nix develop ../ --command ./dev.nu --check --publish 
        env:
          CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -16,7 +16,6 @@ rust-client/Cargo.toml

 # Worktree-generated port isolation
 .env.local
-.webmux.local.yaml

 # Worktree-specific Claude Code settings (generated by scripts/worktree-env)
 .claude/settings.local.json
@@ -29,4 +28,3 @@ frontend/.svelte-kit
 backend/chrome_profiler.json
 .fast-check/
 __pycache__/
-.playwright-mcp/
--- a/.webmux.yaml
+++ b/.webmux.yaml
@@ -43,8 +43,8 @@ profiles:
      - Pane 0: this pane (claude agent)
      - Pane 1: backend (cargo watch -x run)
      - Pane 2: frontend (npm run dev)
-      To check logs, use: \`tmux capture-pane -t $(tmux display-message -t "$TMUX_PANE" -p '#{session_name}:#{window_name}').1 -p -S -50\` (backend) or \`tmux capture-pane -t $(tmux display-message -t "$TMUX_PANE" -p '#{session_name}:#{window_name}').2 -p -S -50\` (frontend).
-      For this window specifically, backend is running on: ${BACKEND_PORT} and frontend is running on: ${FRONTEND_PORT}.
+      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).
+      When restarting backend or frontend, make sure to use ${BACKEND_PORT} and ${FRONTEND_PORT}.
      To connect to the database, use this connection string: ${DATABASE_URL}
      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check.
      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
@@ -55,13 +55,11 @@ profiles:
      - id: backend
        kind: command
        split: right
-        workingDir: backend
-        command: PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"
+        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"
      - id: frontend
        kind: command
        split: bottom
-        workingDir: frontend
-        command: npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0
+        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/frontend" && npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0
        
  frontendOnly:
    runtime: host
@@ -72,8 +70,8 @@ profiles:
      Pane layout (current window):
      - Pane 0: this pane (claude agent)
      - Pane 1: frontend (npm run dev)
-      To check logs, use: \`tmux capture-pane -t $(tmux display-message -t "$TMUX_PANE" -p '#{session_name}:#{window_name}').1 -p -S -50\` (frontend).
-      On this window specifically, frontend is running on: ${FRONTEND_PORT}.
+      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (frontend).
+      When restarting frontend, make sure to use ${FRONTEND_PORT}.
      To connect to the database, use this connection string: ${DATABASE_URL}
      Because we are running frontend with npm run dev, to verify your changes, just check the logs in the frontend pane. No need for npm run build.
      IMPORTANT: Read docs/autonomous-mode.md before starting any work.
@@ -84,8 +82,7 @@ profiles:
      - id: frontend
        kind: command
        split: right
-        workingDir: frontend
-        command: npm run generate-backend-client && npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0
+        command: ROOT="$(git rev-parse --show-toplevel)"; cd "$ROOT/frontend" && npm run generate-backend-client && npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0

  agentOnly:
    runtime: host
--- a/.workmux.yaml
+++ b/.workmux.yaml
@@ -0,0 +1,74 @@
+main_branch: main
+
+merge_strategy: rebase
+# worktree_dir: .worktrees
+
+worktree_naming: basename
+
+worktree_prefix: ""
+
+# Default: "wm-"
+window_prefix: "wm-"
+
+auto_name:
+  model: "gemini-2.5-flash-lite"
+  system_prompt: |
+    Generate a concise git branch name based on the task description.
+
+    Rules:
+    - Use kebab-case (lowercase with hyphens)
+    - Keep it short: 1-3 words, max 4 if necessary
+    - Focus on the core task/feature, not implementation details
+    - No prefixes like feat/, fix/, chore/
+
+    Examples of good branch names:
+    - "Add dark mode toggle" → dark-mode
+    - "Fix the search results not showing" → fix-search
+    - "Refactor the authentication module" → auth-refactor
+    - "Add CSV export to reports" → export-csv
+    - "Shell completion is broken" → shell-completion
+
+    Output ONLY the branch name, nothing else.
+  background: true
+
+
+# Commands to run in new worktree before tmux window opens.
+# These block window creation - use for short tasks only.
+# Use "<global>" to inherit from global config.
+# Set to empty list to disable: `post_create: []`
+# post_create:
+#   - "<global>"
+#   - mise use
+post_create:
+  - ./scripts/worktree-env
+
+pre_remove:
+  - ./scripts/worktree-cleanup
+
+panes:
+  - command: >-
+      claude --dangerously-skip-permissions  --append-system-prompt
+      "You are running inside a tmux session with other panes running services.\n
+      Pane layout (current window):\n
+      - Pane 0: this pane (claude agent)\n
+      - Pane 1: backend (cargo watch -x run)\n
+      - Pane 2: frontend (npm run dev)\n\n
+      To check logs, use: \`tmux capture-pane -t .1 -p -S -50\` (backend) or \`tmux capture-pane -t .2 -p -S -50\` (frontend).\n
+      When restarting backend or frontend, make sure to use the ports listed in .env.local.\n
+      Because we are running backend with cargo watch, to verify your changes, just check the logs in the backend pane. No need for cargo check.\n\n
+      IMPORTANT: Read docs/autonomous-mode.md before starting any work."
+    focus: true
+  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/backend" && PORT=${BACKEND_PORT:-8000} cargo watch -x "run ${CARGO_FEATURES:+--features $CARGO_FEATURES}"'
+    split: horizontal
+  - command: 'ROOT="$(git rev-parse --show-toplevel)"; [ -f "$ROOT/.env.local" ] && source "$ROOT/.env.local"; cd "$ROOT/frontend" && npm run generate-backend-client && REMOTE=${REMOTE:-http://localhost:${BACKEND_PORT:-8000}} npm run dev -- --port ${FRONTEND_PORT:-3000} --host 0.0.0.0'
+    split: vertical
+
+files:
+  copy:
+    - backend/.env
+    - scripts/
+    - wm-ts-nav/target/release/wm-ts-nav
+
+sandbox:
+  enabled: false
+  toolchain: off
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,519 +1,5 @@
 # Changelog

-## [1.679.0](https://github.com/windmill-labs/windmill/compare/v1.678.0...v1.679.0) (2026-04-07)
-
-
-### Features
-
-* Fork datatables ([#8339](https://github.com/windmill-labs/windmill/issues/8339)) ([3d4f4c6](https://github.com/windmill-labs/windmill/commit/3d4f4c6c38155396e9b2236a6a7a7ad4e02da877))
-
-## [1.678.0](https://github.com/windmill-labs/windmill/compare/v1.677.0...v1.678.0) (2026-04-07)
-
-
-### Features
-
-* accept any content type on webhooks/http triggers with fallback ([#8743](https://github.com/windmill-labs/windmill/issues/8743)) ([208a597](https://github.com/windmill-labs/windmill/commit/208a597d599b4d203f7ab817a5d8ce2c06f79d0a))
-* add download all logs button for flow jobs ([#8748](https://github.com/windmill-labs/windmill/issues/8748)) ([d938625](https://github.com/windmill-labs/windmill/commit/d938625785ba301fbd2c5f3d001c320eab1c504c))
-
-
-### Bug Fixes
-
-* delete raw_script_temp rows before workspace deletion to avoid FK violation ([#8752](https://github.com/windmill-labs/windmill/issues/8752)) ([8b9523e](https://github.com/windmill-labs/windmill/commit/8b9523e03c82c5a095b7cb2d5f70a87b7bbc8608))
-* Fix FlowTimeline duplicate key ([#8754](https://github.com/windmill-labs/windmill/issues/8754)) ([2413dbe](https://github.com/windmill-labs/windmill/commit/2413dbefe3cc3b65c28bea437cd4471cf7e9ecba))
-* remove span.enter() in dedicated worker to prevent tracing panic ([#8749](https://github.com/windmill-labs/windmill/issues/8749)) ([db55e8e](https://github.com/windmill-labs/windmill/commit/db55e8efb0c9ae198ca5ac7013439a94dfe9f550))
-* restore ai agent tool deletion ([#8744](https://github.com/windmill-labs/windmill/issues/8744)) ([2f7ba9e](https://github.com/windmill-labs/windmill/commit/2f7ba9edac1a57dfc0eb3417574c72292855fc56))
-
-## [1.677.0](https://github.com/windmill-labs/windmill/compare/v1.676.0...v1.677.0) (2026-04-06)
-
-
-### Features
-
-* add AWS Secrets Manager as secret storage backend (Beta) ([#8734](https://github.com/windmill-labs/windmill/issues/8734)) ([09bbc18](https://github.com/windmill-labs/windmill/commit/09bbc18bb773d9ffaa5aaa4bd9d7ce296f3ac468))
-
-
-### Bug Fixes
-
-* remove stale KMS openapi/description, restore stripped doc comments ([c09a431](https://github.com/windmill-labs/windmill/commit/c09a4311fd73c58acc8f3997428f002598dacce6))
-* use runnable key for file naming in generate-metadata to prevent duplicate scripts in raw apps ([#8740](https://github.com/windmill-labs/windmill/issues/8740)) ([edfe074](https://github.com/windmill-labs/windmill/commit/edfe074e98cb3955be0768de7ed19e6ed8525916))
-
-## [1.676.0](https://github.com/windmill-labs/windmill/compare/v1.675.1...v1.676.0) (2026-04-06)
-
-
-### Features
-
-* add path name autocomplete with ghost text and folder cycling ([#8731](https://github.com/windmill-labs/windmill/issues/8731)) ([e326621](https://github.com/windmill-labs/windmill/commit/e32662169a9762605de2dbe058514ddefbe07982))
-
-
-### Bug Fixes
-
-* fix custom urls not found ([d2abc0d](https://github.com/windmill-labs/windmill/commit/d2abc0d4300bb53f4035102f214d3c05bf0976a1))
-
-
-### Performance Improvements
-
-* add partial index for expired cache resource cleanup ([#8728](https://github.com/windmill-labs/windmill/issues/8728)) ([c721fac](https://github.com/windmill-labs/windmill/commit/c721fac466524747de04e3623c8cd62de8bd4dae))
-
-## [1.675.1](https://github.com/windmill-labs/windmill/compare/v1.675.0...v1.675.1) (2026-04-05)
-
-
-### Bug Fixes
-
-* log cleanup scans S3 orphans and works cross-server ([#8729](https://github.com/windmill-labs/windmill/issues/8729)) ([f703fba](https://github.com/windmill-labs/windmill/commit/f703fba1ef56c89a97b2b4da7b4c188158f4c982))
-
-
-### Performance Improvements
-
-* add indexes for cleanup deletes on concurrency_key and autoscaling_event ([#8726](https://github.com/windmill-labs/windmill/issues/8726)) ([eae46a2](https://github.com/windmill-labs/windmill/commit/eae46a21a93fe7ab191228658dd5825f472bd851))
-
-## [1.675.0](https://github.com/windmill-labs/windmill/compare/v1.674.2...v1.675.0) (2026-04-05)
-
-
-### Features
-
-* add object storage usage view and manual log cleanup ([#8724](https://github.com/windmill-labs/windmill/issues/8724)) ([02d0ee9](https://github.com/windmill-labs/windmill/commit/02d0ee919880823a33b112bcaf626a8933e1f715))
-
-
-### Bug Fixes
-
-* add admin check to count_completed_jobs_detail and document query builder SQL safety ([#8722](https://github.com/windmill-labs/windmill/issues/8722)) ([dd39c11](https://github.com/windmill-labs/windmill/commit/dd39c110a8468bf31d42428fc978cd302426fa86))
-* allow private AI base URLs in ai_proxy integration test ([#8715](https://github.com/windmill-labs/windmill/issues/8715)) ([2b865c0](https://github.com/windmill-labs/windmill/commit/2b865c0694d79ce6477e5f14a077b73837007500))
-* enrich OTEL spans with job_kind, trigger_kind, trigger, created_by, and script_hash ([#8718](https://github.com/windmill-labs/windmill/issues/8718)) ([7bf6ac2](https://github.com/windmill-labs/windmill/commit/7bf6ac2b694fc829327248ff2480c20c97e03e48))
-* split DB health endpoint and add slow query controls ([#8725](https://github.com/windmill-labs/windmill/issues/8725)) ([01e39d9](https://github.com/windmill-labs/windmill/commit/01e39d9cd1b841d085bcc28a578654a5486cf76e))
-
-## [1.674.2](https://github.com/windmill-labs/windmill/compare/v1.674.1...v1.674.2) (2026-04-04)
-
-
-### Bug Fixes
-
-* enforce RLS on $var: resolution in AI proxy (GHSA-jwg4-v3cj-rvfm) ([#8713](https://github.com/windmill-labs/windmill/issues/8713)) ([ff8e39c](https://github.com/windmill-labs/windmill/commit/ff8e39c69b1438defcaabd9d4906e7adafa7010c))
-* SSRF via X-Resource-Path header in AI proxy endpoint ([#8712](https://github.com/windmill-labs/windmill/issues/8712)) ([f394e67](https://github.com/windmill-labs/windmill/commit/f394e674f22af13bb77915f33aa1e8de402b6fe1))
-
-## [1.674.1](https://github.com/windmill-labs/windmill/compare/v1.674.0...v1.674.1) (2026-04-04)
-
-
-### Bug Fixes
-
-* create pg connection for cloud-hosted jobs instead of panicking ([#8710](https://github.com/windmill-labs/windmill/issues/8710)) ([aff95c3](https://github.com/windmill-labs/windmill/commit/aff95c33b2fd4c248dfaf595b8d18a6dbc50f0e6))
-
-## [1.674.0](https://github.com/windmill-labs/windmill/compare/v1.673.0...v1.674.0) (2026-04-03)
-
-
-### Features
-
-* add application-level heartbeat support for websocket triggers ([#8686](https://github.com/windmill-labs/windmill/issues/8686)) ([5b7fa63](https://github.com/windmill-labs/windmill/commit/5b7fa63bf1800313e9b82465b8a4399a48634371))
-* add Azure Key Vault as secret storage backend ([#8704](https://github.com/windmill-labs/windmill/issues/8704)) ([dcd615f](https://github.com/windmill-labs/windmill/commit/dcd615fdc3c66ec2a8e39c01f8142a7e7c82f534))
-* add http/protobuf support for OTEL exporters ([#8702](https://github.com/windmill-labs/windmill/issues/8702)) ([0aea49f](https://github.com/windmill-labs/windmill/commit/0aea49f9607d5cbb5bcfa3068a179c9b7bf9afd6))
-* add optional labels to scripts, flows, apps, schedules, triggers ([#8609](https://github.com/windmill-labs/windmill/issues/8609)) ([c4c9ef5](https://github.com/windmill-labs/windmill/commit/c4c9ef5fd7b41052b08ee941725434e8ca4ac970))
-* add powershell common parameters support ([#8683](https://github.com/windmill-labs/windmill/issues/8683)) ([0317d58](https://github.com/windmill-labs/windmill/commit/0317d5891cfcfbde7b04795c034c088e933ee3d0))
-* sql.raw in Typescript client ([#8706](https://github.com/windmill-labs/windmill/issues/8706)) ([ce290f6](https://github.com/windmill-labs/windmill/commit/ce290f68db866c07b30c97c2c0b3e39fee0a26d8))
-* Support .ducklake() and .datatable() in agent workers ([#8697](https://github.com/windmill-labs/windmill/issues/8697)) ([fda68a7](https://github.com/windmill-labs/windmill/commit/fda68a72e5dfcded2350d1ff33ca4c695ab337b7))
-
-
-### Bug Fixes
-
-* add secretKeyRef support for jwt_secret and rsa_keys ([#8698](https://github.com/windmill-labs/windmill/issues/8698)) ([ba21470](https://github.com/windmill-labs/windmill/commit/ba214709b94f9467738e66b016331e97ac7d5d10))
-* align script push metadata warning with generated locks ([#8690](https://github.com/windmill-labs/windmill/issues/8690)) ([6656b46](https://github.com/windmill-labs/windmill/commit/6656b46f10408e1c15961a72cde4c13b5c5b3923))
-* debounce S3 proxy logs ([#8694](https://github.com/windmill-labs/windmill/issues/8694)) ([a3073ad](https://github.com/windmill-labs/windmill/commit/a3073ad8244efd9043e27f6731f7b53dbda662c1))
-* dedicated worker dispatch, cross-workspace deps, UI improvements ([#8689](https://github.com/windmill-labs/windmill/issues/8689)) ([bffa61e](https://github.com/windmill-labs/windmill/commit/bffa61e33f2305bbeb79a2c91989a47baa7dff31))
-* gate relock_skip tests on private feature and update ee-repo-ref ([#8703](https://github.com/windmill-labs/windmill/issues/8703)) ([adc9fe7](https://github.com/windmill-labs/windmill/commit/adc9fe722d8511a5914d81faac40af757e7f5e3f))
-* hide deprecated cli metadata commands ([#8699](https://github.com/windmill-labs/windmill/issues/8699)) ([b960598](https://github.com/windmill-labs/windmill/commit/b96059843168c072f24072f93fecd80431e5d4cf))
-* optimize S3 proxy performance ([#8685](https://github.com/windmill-labs/windmill/issues/8685)) ([0cfa462](https://github.com/windmill-labs/windmill/commit/0cfa462c379e887fdb5ad5e3bbff7798648d4e91))
-* pipeline DISCARD ALL with first query on cached pg connections ([#8707](https://github.com/windmill-labs/windmill/issues/8707)) ([6d58d1a](https://github.com/windmill-labs/windmill/commit/6d58d1a74d1e69b163210a795502a7b3931001b5))
-* resolve schedule update deadlock ([#8701](https://github.com/windmill-labs/windmill/issues/8701)) ([27ca417](https://github.com/windmill-labs/windmill/commit/27ca417201c99cf6fe0ae5b52a63c0395033e196))
-* support raw app deployment history ([#8657](https://github.com/windmill-labs/windmill/issues/8657)) ([f234df9](https://github.com/windmill-labs/windmill/commit/f234df97ec3cdc480ee9d403370a3512496b024b))
-* use pre-aggregated stats for telemetry job usage queries ([#8688](https://github.com/windmill-labs/windmill/issues/8688)) ([cdf3c29](https://github.com/windmill-labs/windmill/commit/cdf3c29664e4142c0f4487c07e585d1af3f97f91))
-
-## [1.673.0](https://github.com/windmill-labs/windmill/compare/v1.672.0...v1.673.0) (2026-04-02)
-
-
-### Features
-
-* add endpoint to restart workers in a worker group ([#8659](https://github.com/windmill-labs/windmill/issues/8659)) ([f0437eb](https://github.com/windmill-labs/windmill/commit/f0437eba1925a9aa4c430008027d637a0c89ee39))
-* add Entra ID (Azure Workload Identity) database auth ([#8526](https://github.com/windmill-labs/windmill/issues/8526)) ([6a5cfbc](https://github.com/windmill-labs/windmill/commit/6a5cfbc159a0ad7925fd7ce5eefc8eaa21bbb70b))
-* add LIMIT_WINDOWS_TO_1CU env var for Windows worker memory limits ([#8681](https://github.com/windmill-labs/windmill/issues/8681)) ([d2d6810](https://github.com/windmill-labs/windmill/commit/d2d6810db954114f3333853bd3476cb8fc735f92))
-* restore bun for dedicated workers, fix dispatch & serialization, cross-workspace deps ([#8645](https://github.com/windmill-labs/windmill/issues/8645)) ([619ebb6](https://github.com/windmill-labs/windmill/commit/619ebb65ce8dce8264add31c3147919802a8286a))
-
-
-### Bug Fixes
-
-* add HMAC signature verification to Slack interactive callback endpoint ([#8611](https://github.com/windmill-labs/windmill/issues/8611)) ([55e8a5c](https://github.com/windmill-labs/windmill/commit/55e8a5cff1f185b1dbd332d37b877972efa1ed7d))
-* correct raw app flow inputs ([#8667](https://github.com/windmill-labs/windmill/issues/8667)) ([28c0730](https://github.com/windmill-labs/windmill/commit/28c073056c65d4ed1600e39679497e5af964347f))
-* pass selected language to AI agent when generating flow scripts ([#8680](https://github.com/windmill-labs/windmill/issues/8680)) ([381011a](https://github.com/windmill-labs/windmill/commit/381011a4a8e48454e9c146c64db502293e646b99))
-* poll for preview results to avoid undici headers timeout ([#8682](https://github.com/windmill-labs/windmill/issues/8682)) ([ff5fa9f](https://github.com/windmill-labs/windmill/commit/ff5fa9f64fe4aaf33e06b20f02373894b5df0f95))
-* pre-fix trigger edited_by for superadmins not in workspace ([#8669](https://github.com/windmill-labs/windmill/issues/8669)) ([350ffdc](https://github.com/windmill-labs/windmill/commit/350ffdce297ba5b84f9dd247eede6da0c6b0956c))
-* resolve race condition where flow sync push reverts to stale version ([#8673](https://github.com/windmill-labs/windmill/issues/8673)) ([d569e9e](https://github.com/windmill-labs/windmill/commit/d569e9e29c588243a90b1cd25f866efb0d178640))
-* respect disabled fields in JSON input mode ([#8663](https://github.com/windmill-labs/windmill/issues/8663)) ([7fd0bf9](https://github.com/windmill-labs/windmill/commit/7fd0bf974d2ba2644bb01dd5e9ddc84749e166f5))
-* Run typed pg queries in a single protocol conversation ([#8679](https://github.com/windmill-labs/windmill/issues/8679)) ([8581a33](https://github.com/windmill-labs/windmill/commit/8581a3300d056040b7e3ab77d629c74f034c9c97))
-* sanitize MCP tool schemas for JSON Schema draft 2020-12 compliance ([#8666](https://github.com/windmill-labs/windmill/issues/8666)) ([8c3c97f](https://github.com/windmill-labs/windmill/commit/8c3c97f7a670d47019cc666219f8187f48499672))
-* skip generate-metadata confirmation prompt in non-interactive CI ([#8678](https://github.com/windmill-labs/windmill/issues/8678)) ([39af1b7](https://github.com/windmill-labs/windmill/commit/39af1b75afc8458f85dec4fe51dfaed3d0cb000d))
-* strip f/ prefix from folder paths when deploying from workspace forks ([#8662](https://github.com/windmill-labs/windmill/issues/8662)) ([7ab0ea5](https://github.com/windmill-labs/windmill/commit/7ab0ea581d349fbfdb56d22cf9903a90efa045bb))
-* support branch-specific folder.meta.yaml in missing-meta check ([#8661](https://github.com/windmill-labs/windmill/issues/8661)) ([c87a6a0](https://github.com/windmill-labs/windmill/commit/c87a6a0f2c1346bf5e21f128d32d89bdca039243))
-* validate rd redirect on login with same rules as logout ([#8655](https://github.com/windmill-labs/windmill/issues/8655)) ([bcce627](https://github.com/windmill-labs/windmill/commit/bcce62738791a4e9b9f4dbc64731eef163230172))
-
-## [1.672.0](https://github.com/windmill-labs/windmill/compare/v1.671.0...v1.672.0) (2026-04-01)
-
-
-### Features
-
-* add R language support ([#8263](https://github.com/windmill-labs/windmill/issues/8263)) ([a46aa64](https://github.com/windmill-labs/windmill/commit/a46aa641f9d72809c52a0eb11a877a0f2d587c32))
-
-
-### Bug Fixes
-
-* approval page freeze, stale state, and missing approval link ([#8653](https://github.com/windmill-labs/windmill/issues/8653)) ([7069202](https://github.com/windmill-labs/windmill/commit/70692021909443b86ed61fa621fe49f28742fb54))
-
-## [1.671.0](https://github.com/windmill-labs/windmill/compare/v1.670.0...v1.671.0) (2026-03-31)
-
-
-### Features
-
-* add configurable preview job tag override in default tags settings ([#8649](https://github.com/windmill-labs/windmill/issues/8649)) ([da8886b](https://github.com/windmill-labs/windmill/commit/da8886be8575dd925b6d24c55ab379bc6984c5f8))
-* improve CLI flow log streaming and job inspection ([#8644](https://github.com/windmill-labs/windmill/issues/8644)) ([6c3c971](https://github.com/windmill-labs/windmill/commit/6c3c971af5aa1362632ee0deeddf91b8bc47c853))
-* support hub flows in raw app runnables ([#8627](https://github.com/windmill-labs/windmill/issues/8627)) ([040a199](https://github.com/windmill-labs/windmill/commit/040a199685cea5c99c944bacb5584a381d6ec829))
-
-
-### Bug Fixes
-
-* return default_args/enums in approval info and fix subflow resume buttons ([#8648](https://github.com/windmill-labs/windmill/issues/8648)) ([852c59e](https://github.com/windmill-labs/windmill/commit/852c59efbb04510e5e6f99919707effcf6769a2f))
-
-## [1.670.0](https://github.com/windmill-labs/windmill/compare/v1.669.1...v1.670.0) (2026-03-31)
-
-
-### Features
-
-* add OR logic support to kafka/websocket trigger filters ([#8580](https://github.com/windmill-labs/windmill/issues/8580)) ([3876902](https://github.com/windmill-labs/windmill/commit/3876902a7be798fd5ef208bc5756b28fb55e569e))
-* expose getJob and getJobLogs as MCP tools ([#8632](https://github.com/windmill-labs/windmill/issues/8632)) ([cd8edcd](https://github.com/windmill-labs/windmill/commit/cd8edcd94f2bf44c3e771000cb0bbad08accc0e7))
-* support multiline secrets in resource password fields ([#8637](https://github.com/windmill-labs/windmill/issues/8637)) ([26050f9](https://github.com/windmill-labs/windmill/commit/26050f96c34f14826298760174a45f3559d3266c))
-* support sensitive/secret fields for non-string types ([#8635](https://github.com/windmill-labs/windmill/issues/8635)) ([375fb66](https://github.com/windmill-labs/windmill/commit/375fb66abe2d1861b53dc2b36d2cf0e2eb82c3a8))
-
-
-### Bug Fixes
-
-* cap input history per_page to 100 on cloud ([#8624](https://github.com/windmill-labs/windmill/issues/8624)) ([8e973c8](https://github.com/windmill-labs/windmill/commit/8e973c892d768be2da2e6b4b7af9e40b62333052))
-* compute highest workspace role across all instance groups ([#8633](https://github.com/windmill-labs/windmill/issues/8633)) ([92b9ac7](https://github.com/windmill-labs/windmill/commit/92b9ac72c5fc9a5085fcb2e9d835ccbb53bcd4b0))
-* Ducklake UI Nits ([#8628](https://github.com/windmill-labs/windmill/issues/8628)) ([ef1757f](https://github.com/windmill-labs/windmill/commit/ef1757f5d747e513d201eb6fa48918dba8248abe))
-* preserve flow notes/groups and field ordering in generate-metadata ([#8641](https://github.com/windmill-labs/windmill/issues/8641)) ([#8642](https://github.com/windmill-labs/windmill/issues/8642)) ([52a04d2](https://github.com/windmill-labs/windmill/commit/52a04d210f476f4598007f67770bc6520b045950))
-* remove timeout on python client httpx to prevent ducklake query timeouts ([#8636](https://github.com/windmill-labs/windmill/issues/8636)) ([c5fccd2](https://github.com/windmill-labs/windmill/commit/c5fccd2f69ad8a6e46c514cf89b9aa21b380e6fe))
-* resolve missing form schema for nested suspend steps in FlowNode sub-flows ([#8643](https://github.com/windmill-labs/windmill/issues/8643)) ([12ea7e7](https://github.com/windmill-labs/windmill/commit/12ea7e74237560a9dfc99b6bc1338e3343b57640))
-* smarter secret masking based on secret length ([#8629](https://github.com/windmill-labs/windmill/issues/8629)) ([bfc2aef](https://github.com/windmill-labs/windmill/commit/bfc2aefdb8ab92b7284de7f9e485a5504502d944))
-
-## [1.669.1](https://github.com/windmill-labs/windmill/compare/v1.669.0...v1.669.1) (2026-03-30)
-
-
-### Bug Fixes
-
-* avoid doubled /oauth2 path in Okta custom authorization server URLs ([#8620](https://github.com/windmill-labs/windmill/issues/8620)) ([4817913](https://github.com/windmill-labs/windmill/commit/4817913f0cab49980bfeb442089631d7953955ff))
-* improve db health UI text and prevent label wrapping ([d532c1d](https://github.com/windmill-labs/windmill/commit/d532c1d470fcb0ef02ebc5342ad1cf22e58b1f4d))
-
-## [1.669.0](https://github.com/windmill-labs/windmill/compare/v1.668.5...v1.669.0) (2026-03-30)
-
-
-### Features
-
-* WAC workflow diagram visualization via WASM ([#8604](https://github.com/windmill-labs/windmill/issues/8604)) ([abc6b12](https://github.com/windmill-labs/windmill/commit/abc6b12d6815edc4dda3ddf5f0572ecedcb670dd))
-
-
-### Bug Fixes
-
-* add path traversal check in service_logs get_log_file endpoint ([#8605](https://github.com/windmill-labs/windmill/issues/8605)) ([5f2d3e6](https://github.com/windmill-labs/windmill/commit/5f2d3e6812f01fe6194bcfd976970a6e3c4186cc))
-* cast DuckDB IS_NULLABLE to string in metadata query ([#8607](https://github.com/windmill-labs/windmill/issues/8607)) ([f3012ee](https://github.com/windmill-labs/windmill/commit/f3012ee7ccc7a8947b5f6bd7c7df77984437f91e))
-* enable S3 bundle cache for PHP previews without lock file ([#8608](https://github.com/windmill-labs/windmill/issues/8608)) ([ee62315](https://github.com/windmill-labs/windmill/commit/ee6231590ed91063f104e6d054b52e88b569986f))
-* enforce workspace isolation on flow resume endpoint ([#8612](https://github.com/windmill-labs/windmill/issues/8612)) ([33032ed](https://github.com/windmill-labs/windmill/commit/33032ed297cf9ea867388d4ea2ece607c9d36dc7))
-* handle DuckDB boolean types in ColumnDef deserializers ([#8610](https://github.com/windmill-labs/windmill/issues/8610)) ([22da5bd](https://github.com/windmill-labs/windmill/commit/22da5bd9ea1ca000cfab3eecf1e3fb0fc01200cb))
-* use route_service instead of fallback_service for MCP router ([#8614](https://github.com/windmill-labs/windmill/issues/8614)) ([98934d5](https://github.com/windmill-labs/windmill/commit/98934d59c552325fcf88c016e31ae977970e8c9a))
-
-## [1.668.5](https://github.com/windmill-labs/windmill/compare/v1.668.4...v1.668.5) (2026-03-29)
-
-
-### Bug Fixes
-
-* add per-IP and per-account brute force protection on login endpoint ([#8601](https://github.com/windmill-labs/windmill/issues/8601)) ([06bbe7b](https://github.com/windmill-labs/windmill/commit/06bbe7b94bfb846bd73aaf6abdc83e4c14e70adc))
-* add timestamp validation to webhook signature verification ([#8596](https://github.com/windmill-labs/windmill/issues/8596)) ([74fba2a](https://github.com/windmill-labs/windmill/commit/74fba2abf3dc68b682777c01da360258786fded8))
-* disable workspace webhook events when CLOUD_HOSTED ([#8598](https://github.com/windmill-labs/windmill/issues/8598)) ([be7fbeb](https://github.com/windmill-labs/windmill/commit/be7fbeb8b1f31d15e33b0783b2a504d6a01e532e))
-* harden login rate limiting with CLOUD_HOSTED gating and memory eviction ([#8602](https://github.com/windmill-labs/windmill/issues/8602)) ([754b88a](https://github.com/windmill-labs/windmill/commit/754b88a52c4e76421cb21c1eed87ad9d8385e9aa))
-* prevent SSRF and local file read via git repository resource URLs ([#8600](https://github.com/windmill-labs/windmill/issues/8600)) ([845db72](https://github.com/windmill-labs/windmill/commit/845db72b7344fb87ac9c5e24697750549665c7bf))
-* rename snippet param to avoid svelte compiler shadowing bug in asset usages drawer ([#8595](https://github.com/windmill-labs/windmill/issues/8595)) ([8c770a2](https://github.com/windmill-labs/windmill/commit/8c770a206a3b0704642c0bda2ab2aeb199d8af3f))
-* require mcp: scope for MCP endpoints instead of blanket bypass ([#8597](https://github.com/windmill-labs/windmill/issues/8597)) ([f5fc9f8](https://github.com/windmill-labs/windmill/commit/f5fc9f8485d2ec3e20f8b451305195446b90e5a3))
-* use constant-time comparison for API key and basic auth validation ([#8593](https://github.com/windmill-labs/windmill/issues/8593)) ([b4d1f2a](https://github.com/windmill-labs/windmill/commit/b4d1f2aac789306c2e35e123ac93e12c47c26f99))
-* validate JSON before sql_builder bind to prevent injection via JSONB queries ([#8599](https://github.com/windmill-labs/windmill/issues/8599)) ([970e859](https://github.com/windmill-labs/windmill/commit/970e859a410b0144847a1a30d7059955effdd402))
-
-## [1.668.4](https://github.com/windmill-labs/windmill/compare/v1.668.3...v1.668.4) (2026-03-29)
-
-
-### Bug Fixes
-
-* update git sync version to latest cli ([0549f68](https://github.com/windmill-labs/windmill/commit/0549f682fe14f4d4b2f67941362ed2cc29d974a1))
-
-## [1.668.3](https://github.com/windmill-labs/windmill/compare/v1.668.2...v1.668.3) (2026-03-28)
-
-
-### Bug Fixes
-
-* **cli:** phantom diffs, flow safety, trigger DX, lint watch, error clarity ([#8588](https://github.com/windmill-labs/windmill/issues/8588)) ([c6ce319](https://github.com/windmill-labs/windmill/commit/c6ce3197a72ceeffd702cf2263b1074ecbf1ca33))
-
-## [1.668.2](https://github.com/windmill-labs/windmill/compare/v1.668.1...v1.668.2) (2026-03-28)
-
-
-### Bug Fixes
-
-* **cli:** app push crash, lint path, push --message, run validation, history timestamps ([#8585](https://github.com/windmill-labs/windmill/issues/8585)) ([f40cdaf](https://github.com/windmill-labs/windmill/commit/f40cdaf43453d2643800ed730d6abe6873bbe8e7))
-
-## [1.668.1](https://github.com/windmill-labs/windmill/compare/v1.668.0...v1.668.1) (2026-03-28)
-
-
-### Bug Fixes
-
-* **cli:** fix 13 CLI bugs — exit codes, sync tar fallback, variable encryption, JSON output ([#8582](https://github.com/windmill-labs/windmill/issues/8582)) ([38acaa3](https://github.com/windmill-labs/windmill/commit/38acaa3653728bf9e0ae6f746edf433703b4ab63))
-
-## [1.668.0](https://github.com/windmill-labs/windmill/compare/v1.667.0...v1.668.0) (2026-03-28)
-
-
-### Features
-
-* add DB health diagnostic dashboard for superadmins ([#8574](https://github.com/windmill-labs/windmill/issues/8574)) ([9ceab73](https://github.com/windmill-labs/windmill/commit/9ceab730d7def09c2b46527f8a586789d14f2ce0))
-* **cli:** add job, group, audit, token commands and schedule enable/disable ([#8581](https://github.com/windmill-labs/windmill/issues/8581)) ([d29cb23](https://github.com/windmill-labs/windmill/commit/d29cb234dbff07473b911e5e75e362def8a47650))
-* IAM RDS auth for PostgreSQL worker resources ([#8573](https://github.com/windmill-labs/windmill/issues/8573)) ([56253c0](https://github.com/windmill-labs/windmill/commit/56253c04cb679c58d00750da699a6cb62ed52aca))
-
-
-### Bug Fixes
-
-* add Authority Key Identifier to MITM proxy leaf certs ([#8576](https://github.com/windmill-labs/windmill/issues/8576)) ([ce2e6c8](https://github.com/windmill-labs/windmill/commit/ce2e6c8c015110d0385e6afecdc8313aabca1364))
-* Improve CLI developer experience: error handling, sync workflow, JSON output, workspace forks ([#8578](https://github.com/windmill-labs/windmill/issues/8578)) ([501a4ff](https://github.com/windmill-labs/windmill/commit/501a4ff2a94510145952686d24ccc639781beefe))
-* trigger capture filter and focus issues ([#8579](https://github.com/windmill-labs/windmill/issues/8579)) ([820f28f](https://github.com/windmill-labs/windmill/commit/820f28f8799f8dad5cfab94b51ac9921d664f04a))
-
-## [1.667.0](https://github.com/windmill-labs/windmill/compare/v1.666.0...v1.667.0) (2026-03-27)
-
-
-### Features
-
-* add schedule support to CLI branch-specific items ([#8570](https://github.com/windmill-labs/windmill/issues/8570)) ([b592996](https://github.com/windmill-labs/windmill/commit/b592996eee98ddb664f1b007b95a2096d5d4e3a6))
-* add workspace-level service accounts ([#8560](https://github.com/windmill-labs/windmill/issues/8560)) ([3959fe8](https://github.com/windmill-labs/windmill/commit/3959fe82974f5f0383e94fd83a5d78fe4212d56a))
-* **cli:** generate commented wmill.yaml and add config reference command ([#8546](https://github.com/windmill-labs/windmill/issues/8546)) ([d06b426](https://github.com/windmill-labs/windmill/commit/d06b42613f73c4a7b31c990be22b0c97efab2666))
-* DB-coordinated graceful restart staggering for settings changes ([#8555](https://github.com/windmill-labs/windmill/issues/8555)) ([2f32675](https://github.com/windmill-labs/windmill/commit/2f326758013dd1f1e6ae732e5784a32f1fb6e4bd))
-* improve-replay-ui ([#8250](https://github.com/windmill-labs/windmill/issues/8250)) ([c0aafee](https://github.com/windmill-labs/windmill/commit/c0aafee9a9923d5dc2fa3b99da4378e923933a06))
-* support multiple folder selection in MCP scope selector ([#8557](https://github.com/windmill-labs/windmill/issues/8557)) ([ad19ac9](https://github.com/windmill-labs/windmill/commit/ad19ac9b37b04591c921f93f180bdda961af6cef))
-
-
-### Bug Fixes
-
-* **cli:** preserve inline script files during flow generate-locks ([#8561](https://github.com/windmill-labs/windmill/issues/8561)) ([a8b651d](https://github.com/windmill-labs/windmill/commit/a8b651da9ff86766119e14c0b61652be8a7b453a))
-* emit 0 for OTEL queue metrics when tag queue is empty ([#8559](https://github.com/windmill-labs/windmill/issues/8559)) ([79cc4a9](https://github.com/windmill-labs/windmill/commit/79cc4a92d88486c999799826bd0c9663767103f5))
-* handle inline script deletion in sync push + flow new nonDottedPaths ([#8553](https://github.com/windmill-labs/windmill/issues/8553)) ([943fe9c](https://github.com/windmill-labs/windmill/commit/943fe9c6cc9b046e24007e45b5c37afc4804256a))
-* include importer_kind in dependency debounce key to prevent cross-kind collisions ([#8567](https://github.com/windmill-labs/windmill/issues/8567)) ([bc7007b](https://github.com/windmill-labs/windmill/commit/bc7007bb4265e1f1375c1f0678b74325882a4e92))
-* multi-script dedicated workers race on shared job_dir ([#8551](https://github.com/windmill-labs/windmill/issues/8551)) ([#8569](https://github.com/windmill-labs/windmill/issues/8569)) ([63a3573](https://github.com/windmill-labs/windmill/commit/63a3573951d1f724cc63728ed973d039a5468072))
-* preserve notes on nodes inside collapsed groups ([#8552](https://github.com/windmill-labs/windmill/issues/8552)) ([0fb1153](https://github.com/windmill-labs/windmill/commit/0fb115304afc49812420e9ce24e5048502621059))
-* sanitize flow step summaries for filesystem-safe names ([#8554](https://github.com/windmill-labs/windmill/issues/8554)) ([e15bfbf](https://github.com/windmill-labs/windmill/commit/e15bfbf91ee1517432a6861ebb48e129485006aa))
-* use admin db pool in get_copilot_settings_state ([#8564](https://github.com/windmill-labs/windmill/issues/8564)) ([70f3ee5](https://github.com/windmill-labs/windmill/commit/70f3ee5ed4470e9993be822874f2b38e83a96611))
-
-
-### Performance Improvements
-
-* enable bun bundle caching for WAC v2 scripts ([#8556](https://github.com/windmill-labs/windmill/issues/8556)) ([ab868e9](https://github.com/windmill-labs/windmill/commit/ab868e9ebceadaa55e54770d9d59dc5524da13ff))
-
-## [1.666.0](https://github.com/windmill-labs/windmill/compare/v1.665.0...v1.666.0) (2026-03-26)
-
-
-### Features
-
-* add PDF input support to AI agent ([#8525](https://github.com/windmill-labs/windmill/issues/8525)) ([e44504c](https://github.com/windmill-labs/windmill/commit/e44504c6e93e7a4ee94ced03ab626b79a4fd0754))
-
-
-### Bug Fixes
-
-* add relative imports to the dependency list in deploymentUI ([#8548](https://github.com/windmill-labs/windmill/issues/8548)) ([d760ea5](https://github.com/windmill-labs/windmill/commit/d760ea5eaf4dc33007f1fd3e5e07b86925a0aa11))
-* filter null entries in FileUpload initialValue to prevent s3 access error ([#8544](https://github.com/windmill-labs/windmill/issues/8544)) ([1a73012](https://github.com/windmill-labs/windmill/commit/1a73012e0737a6ebea8307013dc0f79982269d91))
-* pass pre-bound TcpListener to run_server to fix Windows CI test race ([#8542](https://github.com/windmill-labs/windmill/issues/8542)) ([d7f4b95](https://github.com/windmill-labs/windmill/commit/d7f4b950ce6e966ed1b410e03d48fe96bc036e73))
-* resolve parent_hash race condition in sync push with auto_parent ([#8545](https://github.com/windmill-labs/windmill/issues/8545)) ([71549c3](https://github.com/windmill-labs/windmill/commit/71549c3db053bcc209c7065ac8cd42f1e8047cc3))
-* upload_s3_file not working in VS Code extension ([#8547](https://github.com/windmill-labs/windmill/issues/8547)) ([1fa4d91](https://github.com/windmill-labs/windmill/commit/1fa4d919b30ac9eff2d1789fba2695450ba115e7))
-
-## [1.665.0](https://github.com/windmill-labs/windmill/compare/v1.664.0...v1.665.0) (2026-03-26)
-
-
-### Features
-
-* add instance setting to enforce workspace prefix for HTTP routes ([#8528](https://github.com/windmill-labs/windmill/issues/8528)) ([9b3e558](https://github.com/windmill-labs/windmill/commit/9b3e558d84f15052e9c32695a467f8ef7e4ad1f5))
-* add trashbin system for soft-deleting items ([#8519](https://github.com/windmill-labs/windmill/issues/8519)) ([69ce946](https://github.com/windmill-labs/windmill/commit/69ce946241d98ea90bc7135d44ca0c87f928be88))
-* mask sensitive values in job logs ([#8520](https://github.com/windmill-labs/windmill/issues/8520)) ([0885d8c](https://github.com/windmill-labs/windmill/commit/0885d8c986f13ac210e4db3ad38febe9be391ba4))
-* move basic git sync from EE to CE with runtime user count gating ([#8493](https://github.com/windmill-labs/windmill/issues/8493)) ([79d2bd5](https://github.com/windmill-labs/windmill/commit/79d2bd51a00654162754046308d7670242120df6))
-* runner groups for shared-process multi-script dedicated workers ([#8434](https://github.com/windmill-labs/windmill/issues/8434)) ([c28314f](https://github.com/windmill-labs/windmill/commit/c28314f424ea0e04b86565ce88e6c91e0df1a0cf))
-* SCIM user deprovisioning (active:false) + instance-level user disable ([#8484](https://github.com/windmill-labs/windmill/issues/8484)) ([0bd7568](https://github.com/windmill-labs/windmill/commit/0bd756839c0261f255111d62088bdaaecb838085))
-* show groups and notes in flow status viewer ([#8535](https://github.com/windmill-labs/windmill/issues/8535)) ([167084a](https://github.com/windmill-labs/windmill/commit/167084a0ebe73384fa0d31f0b24017a47686a072))
-
-
-### Bug Fixes
-
-* auto-generate datatable SDK reference for app mode system prompt ([#8522](https://github.com/windmill-labs/windmill/issues/8522)) ([8a32322](https://github.com/windmill-labs/windmill/commit/8a32322c187ccc60ec7eafb61a9678f267a82282))
-* consider wmill.yaml environments alias in git sync ([#8532](https://github.com/windmill-labs/windmill/issues/8532)) ([b7475c7](https://github.com/windmill-labs/windmill/commit/b7475c73094a28f520f798f6cb1a0c6b4807ccb7))
-* GitHub Enterprise Server support for self-managed GitHub Apps ([#8507](https://github.com/windmill-labs/windmill/issues/8507)) ([935fb44](https://github.com/windmill-labs/windmill/commit/935fb44c848b8bf9430b5600dd3c3bedb2f89efd))
-* raw apps bundle not found during deployment error ([#8515](https://github.com/windmill-labs/windmill/issues/8515)) ([34e3115](https://github.com/windmill-labs/windmill/commit/34e3115bcbd19a8e0b6f483435586a2ab43d0a8e))
-* require admin for workspace encryption key export ([#8523](https://github.com/windmill-labs/windmill/issues/8523)) ([0317668](https://github.com/windmill-labs/windmill/commit/031766808945aefc926f0836d011c0b2a5d2243d))
-* restrict logout redirect to whitelisted domains ([#8524](https://github.com/windmill-labs/windmill/issues/8524)) ([4c8edd5](https://github.com/windmill-labs/windmill/commit/4c8edd5e944d77ed2d41c2b87171c1115c0fdcdc))
-* serve index disk storage sizes from /srch/ endpoint ([#8511](https://github.com/windmill-labs/windmill/issues/8511)) ([e3620e0](https://github.com/windmill-labs/windmill/commit/e3620e074e1bdb46b2b8d732f35a91d300589663))
-* use /apps_raw/get/ redirect URL for raw apps set as workspace default ([#8508](https://github.com/windmill-labs/windmill/issues/8508)) ([85c52e2](https://github.com/windmill-labs/windmill/commit/85c52e2cded10606cc895d0d3b717e13c69bc9b3))
-* use resource-level scope overrides during OAuth2 token refresh ([#8540](https://github.com/windmill-labs/windmill/issues/8540)) ([55ad0ff](https://github.com/windmill-labs/windmill/commit/55ad0ff5c499c33b766f47c6f32ba5d3eeb14763))
-
-## [1.664.0](https://github.com/windmill-labs/windmill/compare/v1.663.0...v1.664.0) (2026-03-24)
-
-
-### Features
-
-* add instance-level AI settings ([#8453](https://github.com/windmill-labs/windmill/issues/8453)) ([db5e036](https://github.com/windmill-labs/windmill/commit/db5e03610da325288d53afdbca94b9cbfc7ceace))
-* add selfApproval option to WAC + inline approval buttons ([#8440](https://github.com/windmill-labs/windmill/issues/8440)) ([d578e40](https://github.com/windmill-labs/windmill/commit/d578e40101a838d3dffda14157cf72ee4d5a93c0))
-* flow group nodes with collapsible groups ([#8075](https://github.com/windmill-labs/windmill/issues/8075)) ([81eb446](https://github.com/windmill-labs/windmill/commit/81eb446eee359f44374b81320690e5345fd08c15))
-
-
-### Bug Fixes
-
-* add GIT_SSL_CAINFO to tracing proxy env vars ([#8502](https://github.com/windmill-labs/windmill/issues/8502)) ([bdfd5d5](https://github.com/windmill-labs/windmill/commit/bdfd5d57261a4bb760fc57ad41ee56aff9b9c0af))
-* create parent dirs and accept 'python' alias in script bootstrap ([#8497](https://github.com/windmill-labs/windmill/issues/8497)) ([7f27d99](https://github.com/windmill-labs/windmill/commit/7f27d996accb3c3b471d1c50df397867d89c738a))
-
-## [1.663.0](https://github.com/windmill-labs/windmill/compare/v1.662.0...v1.663.0) (2026-03-24)
-
-
-### Features
-
-* add summary field for native triggers ([#8476](https://github.com/windmill-labs/windmill/issues/8476)) ([5089a45](https://github.com/windmill-labs/windmill/commit/5089a458819abbc6f241bc354bebb91520bd1a52))
-* add typed request body to OpenAPI spec generation ([#8481](https://github.com/windmill-labs/windmill/issues/8481)) ([37ebaf4](https://github.com/windmill-labs/windmill/commit/37ebaf4d0ac342703498733f97778a552f979f6a))
-* **cli:** better stale scripts detection [#3](https://github.com/windmill-labs/windmill/issues/3) ([#8480](https://github.com/windmill-labs/windmill/issues/8480)) ([9643006](https://github.com/windmill-labs/windmill/commit/9643006f1e90b991b334bb58caf62301bc26d09d))
-* Debounce node ([#8324](https://github.com/windmill-labs/windmill/issues/8324)) ([5d1c54d](https://github.com/windmill-labs/windmill/commit/5d1c54d9b33d6ff6f2c98481a2740d1e7629cdfa))
-* surface permissioned_as selector in trigger editor UI ([#8475](https://github.com/windmill-labs/windmill/issues/8475)) ([f035b53](https://github.com/windmill-labs/windmill/commit/f035b538bbd786445526339f88be8f33a3628105))
-
-
-### Bug Fixes
-
-* clean up stale dependency map entries for renamed scripts ([#8492](https://github.com/windmill-labs/windmill/issues/8492)) ([47c0c36](https://github.com/windmill-labs/windmill/commit/47c0c363f4fc1d9af7efd07ea172e32989ce50d2))
-* **cli:** add Svelte 5 event delegation guidance and safe push to raw-app skill ([#8466](https://github.com/windmill-labs/windmill/issues/8466)) ([911df95](https://github.com/windmill-labs/windmill/commit/911df958e78d2dab9823dfa7d7e5c9824fc2d565))
-* Fix worker panic when job_isolation changed to unshare at runtime ([#8490](https://github.com/windmill-labs/windmill/issues/8490)) ([cbe47c0](https://github.com/windmill-labs/windmill/commit/cbe47c0b6c22f79452d020777e481ee26970f25b))
-* improve SQS retries ([3c8d351](https://github.com/windmill-labs/windmill/commit/3c8d351c9722a089133871019d27cf3bc3cdc159))
-* Move database manager SQL queries to backend ([#8306](https://github.com/windmill-labs/windmill/issues/8306)) ([aa30fd2](https://github.com/windmill-labs/windmill/commit/aa30fd252dcf40233d191c43a6293fb9feabf010))
-* prevent SQL injection in job query parameters ([#8494](https://github.com/windmill-labs/windmill/issues/8494)) ([54f5a19](https://github.com/windmill-labs/windmill/commit/54f5a19377e9df712e18f85f896e21b1776981ed))
-* respect NO_COLOR env variable for stdout log output ([#8483](https://github.com/windmill-labs/windmill/issues/8483)) ([f329ee7](https://github.com/windmill-labs/windmill/commit/f329ee7aaefbae0ad344743c40825440a936bd30))
-* show effective isolation level on workers page ([#8491](https://github.com/windmill-labs/windmill/issues/8491)) ([37886ed](https://github.com/windmill-labs/windmill/commit/37886edda1443293806a9b1b810196b72e076b12))
-* skip debounce arg accumulation when batch table is empty (CE) ([#8485](https://github.com/windmill-labs/windmill/issues/8485)) ([010753c](https://github.com/windmill-labs/windmill/commit/010753c73ac85237af50acadf9c08567b1bc993c))
-* stop_after_if with empty error_message prevents flow from stopping ([#8464](https://github.com/windmill-labs/windmill/issues/8464)) ([1503bf9](https://github.com/windmill-labs/windmill/commit/1503bf948e3340b8a6933d71885f8f2cb8dc1867))
-
-## [1.662.0](https://github.com/windmill-labs/windmill/compare/v1.661.0...v1.662.0) (2026-03-20)
-
-
-### Features
-
-* mcp oauth gateway ([#8443](https://github.com/windmill-labs/windmill/issues/8443)) ([51957f7](https://github.com/windmill-labs/windmill/commit/51957f7d921b624fc132ca9ea03cdd30a5810e51))
-
-
-### Bug Fixes
-
-* replace email with permissioned_as for triggers/schedules ([#8439](https://github.com/windmill-labs/windmill/issues/8439)) ([efb4a27](https://github.com/windmill-labs/windmill/commit/efb4a27d5181bf9db3deb5e8100ec60adbe45e7f))
-* strip invalid enum values from MCP schemas ([#8462](https://github.com/windmill-labs/windmill/issues/8462)) ([88ad376](https://github.com/windmill-labs/windmill/commit/88ad3767916b86c4e0b272d040ee0b75a0580d76))
-
-## [1.661.0](https://github.com/windmill-labs/windmill/compare/v1.660.1...v1.661.0) (2026-03-19)
-
-
-### Features
-
-* add OTel metrics support ([#8442](https://github.com/windmill-labs/windmill/issues/8442)) ([7de98c0](https://github.com/windmill-labs/windmill/commit/7de98c0df464d8a7c9cf5d04228753294183f759))
-
-
-### Bug Fixes
-
-* fix datatable setup on RDS ([#8450](https://github.com/windmill-labs/windmill/issues/8450)) ([446afb5](https://github.com/windmill-labs/windmill/commit/446afb5b36211e5cbe8a279ce68f2f790a5953b9))
-* full code apps deployable on merge UI and deploy UI ([#8451](https://github.com/windmill-labs/windmill/issues/8451)) ([0e022b1](https://github.com/windmill-labs/windmill/commit/0e022b14fd36e897106219010917bd7ceabf4078))
-* improve DND drag feedback in EditableSchemaForm ([#8449](https://github.com/windmill-labs/windmill/issues/8449)) ([fd7f0d3](https://github.com/windmill-labs/windmill/commit/fd7f0d3da9153d91c15df5847aaae51e67479cde))
-* prevent raw app iframe reload on userStore refresh ([#8455](https://github.com/windmill-labs/windmill/issues/8455)) ([4e59a1a](https://github.com/windmill-labs/windmill/commit/4e59a1a166847045897a6b576812bb53546e683b))
-* resolve blank inline script panel for components with underscores in ID ([#8457](https://github.com/windmill-labs/windmill/issues/8457)) ([b2c1e3d](https://github.com/windmill-labs/windmill/commit/b2c1e3de0a263f606127f0decedb11a2ce0b822b))
-
-## [1.660.1](https://github.com/windmill-labs/windmill/compare/v1.660.0...v1.660.1) (2026-03-19)
-
-
-### Bug Fixes
-
-* prevent S3 file browser crash when selecting storage ([#8444](https://github.com/windmill-labs/windmill/issues/8444)) ([a8fa0cc](https://github.com/windmill-labs/windmill/commit/a8fa0cccef870f841c68be77832d9be12109badb))
-* schema inference not updating on reset and language switch ([#8446](https://github.com/windmill-labs/windmill/issues/8446)) ([c0edbe4](https://github.com/windmill-labs/windmill/commit/c0edbe431773f878201e96a79ce291d4b37a10bb))
-
-## [1.660.0](https://github.com/windmill-labs/windmill/compare/v1.659.1...v1.660.0) (2026-03-18)
-
-
-### Features
-
-* **cli:** use local scripts when previewing flows ([#8365](https://github.com/windmill-labs/windmill/issues/8365)) ([435de95](https://github.com/windmill-labs/windmill/commit/435de95e7d5c9433dafac5369cfc533fd738fc22))
-* MCP server readiness for Anthropic connectors directory ([#8438](https://github.com/windmill-labs/windmill/issues/8438)) ([1cfb40b](https://github.com/windmill-labs/windmill/commit/1cfb40bdaa877f1616fc1c1cf5fb6b6aa1832b86))
-
-
-### Bug Fixes
-
-* exclude wm_deployers group from CE group limit check ([#8429](https://github.com/windmill-labs/windmill/issues/8429)) ([9a6ce44](https://github.com/windmill-labs/windmill/commit/9a6ce44c8414810292ebc8a1ae64950ee2c76307))
-* prevent AI agent tool jobs from becoming zombies on cancellation ([#8437](https://github.com/windmill-labs/windmill/issues/8437)) ([f4489cb](https://github.com/windmill-labs/windmill/commit/f4489cbe645489a892994c70d17df2284b494568))
-* show cancelled WAC jobs as done in workflow timeline ([#8436](https://github.com/windmill-labs/windmill/issues/8436)) ([bee9282](https://github.com/windmill-labs/windmill/commit/bee928276e098ce7b17e20af74e34458e5c5353e))
-
-
-### Performance Improvements
-
-* cache composer vendor dir to skip reinstall on repeated php executions ([#8330](https://github.com/windmill-labs/windmill/issues/8330)) ([66a8e84](https://github.com/windmill-labs/windmill/commit/66a8e844a64d91d57dcabb7ad31d9308dec99032))
-
-## [1.659.1](https://github.com/windmill-labs/windmill/compare/v1.659.0...v1.659.1) (2026-03-18)
-
-
-### Bug Fixes
-
-* add checkpoint.json mount to python nsjail config for WAC v2 ([#8421](https://github.com/windmill-labs/windmill/issues/8421)) ([4829f44](https://github.com/windmill-labs/windmill/commit/4829f447ed3df8489995c5e54955fbfe6b31e37d))
-* cleanup job debounce batch ([#8420](https://github.com/windmill-labs/windmill/issues/8420)) ([ad03a5d](https://github.com/windmill-labs/windmill/commit/ad03a5dbd7f93748115037791143249ba0ab6161))
-* **frontend:** fix output of resultnode + svelte5 nits ([#8424](https://github.com/windmill-labs/windmill/issues/8424)) ([f481ea4](https://github.com/windmill-labs/windmill/commit/f481ea4059b4e5cb01273cffeb53ff340e8bd5bd))
-* per-tab test panel in script editor for WAC v2 modules ([#8422](https://github.com/windmill-labs/windmill/issues/8422)) ([0f26169](https://github.com/windmill-labs/windmill/commit/0f261695a3cb2c3a95d16390e54aa7a6ac3e11e7))
-
-## [1.659.0](https://github.com/windmill-labs/windmill/compare/v1.658.0...v1.659.0) (2026-03-17)
-
-
-### Features
-
-* add end_user_email claim to OIDC ID tokens ([#8401](https://github.com/windmill-labs/windmill/issues/8401)) ([de5b13b](https://github.com/windmill-labs/windmill/commit/de5b13b840f90e23df1871f80317fdcc2b98174d))
-* add ws_base_url instance setting for WebSocket URL override ([#8405](https://github.com/windmill-labs/windmill/issues/8405)) ([372023e](https://github.com/windmill-labs/windmill/commit/372023e99560885a76e8da3487ae705fd2f861d4))
-* **cli:** add --env alias for --branch and environments config alias ([#8415](https://github.com/windmill-labs/windmill/issues/8415)) ([fe051aa](https://github.com/windmill-labs/windmill/commit/fe051aa22b59cc1c450b14af9c5f203448bb3dd5))
-* DB-backed instance events webhook with superadmin UI ([#8402](https://github.com/windmill-labs/windmill/issues/8402)) ([7d9fb57](https://github.com/windmill-labs/windmill/commit/7d9fb57368ad3b2c719523ef649c9bd5fddf17a5))
-* instance groups instance-level role support ([#8404](https://github.com/windmill-labs/windmill/issues/8404)) ([18b3528](https://github.com/windmill-labs/windmill/commit/18b3528ba4188721d918fd47f0f86a6b41209453))
-* script module mode with CLI sync, preview, and WAC UI improvements ([#8380](https://github.com/windmill-labs/windmill/issues/8380)) ([31d6660](https://github.com/windmill-labs/windmill/commit/31d6660d56cd23d9269133d430b0607d58314229))
-* store hashed tokens instead of plaintext ([#8217](https://github.com/windmill-labs/windmill/issues/8217)) ([f2be625](https://github.com/windmill-labs/windmill/commit/f2be625348ef308e9768d487e110abbd44d27855))
-* workspace-specific registry overrides ([#8406](https://github.com/windmill-labs/windmill/issues/8406)) ([73fe45b](https://github.com/windmill-labs/windmill/commit/73fe45b6cb97ce50d029240c6bd63917b301abe1))
-
-
-### Bug Fixes
-
-* devops getting logged out on workers page ([#8416](https://github.com/windmill-labs/windmill/issues/8416)) ([920a7f9](https://github.com/windmill-labs/windmill/commit/920a7f9fa4719015885947b9de0c35e5e618fcc8))
-* Folders as presets in FilterSearchbar ([#8409](https://github.com/windmill-labs/windmill/issues/8409)) ([ebf9347](https://github.com/windmill-labs/windmill/commit/ebf9347d3fd876689dba58bc24399e9036ef5b67))
-* improve OOM killer observability for debugging pod-level kills ([#8398](https://github.com/windmill-labs/windmill/issues/8398)) ([fd41cd1](https://github.com/windmill-labs/windmill/commit/fd41cd12b444fb2439214fcd25536280e5baacb2))
-
-## [1.658.0](https://github.com/windmill-labs/windmill/compare/v1.657.2...v1.658.0) (2026-03-16)
-
-
-### Features
-
-* add GET /api/saml/metadata endpoint ([#8394](https://github.com/windmill-labs/windmill/issues/8394)) ([50b24cf](https://github.com/windmill-labs/windmill/commit/50b24cfdc8bf54656adbdc3315037aa773632076))
-* support custom headers in customai resource type ([#8364](https://github.com/windmill-labs/windmill/issues/8364)) ([5acb367](https://github.com/windmill-labs/windmill/commit/5acb367cf9b4b96ac7129c91df229d1a25258f5b))
-* support multiple secret variables during resource creation ([#8386](https://github.com/windmill-labs/windmill/issues/8386)) ([54841b7](https://github.com/windmill-labs/windmill/commit/54841b7549d5c9719d4dc3cb43e282ba057cd0f3))
-
-
-### Bug Fixes
-
-* /updatesqlx now uses ee-repo-ref.txt commit hash ([#8387](https://github.com/windmill-labs/windmill/issues/8387)) ([a519d41](https://github.com/windmill-labs/windmill/commit/a519d4113086430ace1d7ac8795bd2c2a8cf99e9))
-* **native-triggers:** preserve API error response body in HttpRequestError ([#8392](https://github.com/windmill-labs/windmill/issues/8392)) ([1eee89d](https://github.com/windmill-labs/windmill/commit/1eee89d99fbf31751d6257a4015e0b22e3871372))
-* OutputPicker shows stale result after 'Test up to here' ([#8390](https://github.com/windmill-labs/windmill/issues/8390)) ([2907084](https://github.com/windmill-labs/windmill/commit/2907084ca653fc5540bb04a409d2789ddaeec05b))
-* propagate enterprise feature to windmill-api-schedule ([#8391](https://github.com/windmill-labs/windmill/issues/8391)) ([50ef9e7](https://github.com/windmill-labs/windmill/commit/50ef9e79fcef8ee2cccd789b5eb1aacf5647365f))
-* set nsjail time_limit from job timeout so configured defaults are respected ([#8389](https://github.com/windmill-labs/windmill/issues/8389)) ([65a92d9](https://github.com/windmill-labs/windmill/commit/65a92d98994dbe4ae90a5e554e55b3ab44463f86))
-* soft error on AI agent max iterations + rename retries tab to error handling ([#8366](https://github.com/windmill-labs/windmill/issues/8366)) ([1a1e8a1](https://github.com/windmill-labs/windmill/commit/1a1e8a164cccbfcc663b963cb062af9208ff51be))
-* use bookworm-based php image to fix glibc 2.38 incompatibility ([#8381](https://github.com/windmill-labs/windmill/issues/8381)) ([68fd900](https://github.com/windmill-labs/windmill/commit/68fd900076ecf8b20f6622cd5794f1b52c0f5cab))
-
-## [1.657.2](https://github.com/windmill-labs/windmill/compare/v1.657.1...v1.657.2) (2026-03-15)
-
-
-### Bug Fixes
-
-* **cli:** Fix nonDottedPaths handling in cli flow lock generation ([#8375](https://github.com/windmill-labs/windmill/issues/8375)) ([eb03ebb](https://github.com/windmill-labs/windmill/commit/eb03ebbb0486b33c290fba3c34ea959e6e82fd13))
-
-## [1.657.1](https://github.com/windmill-labs/windmill/compare/v1.657.0...v1.657.1) (2026-03-14)
-
-
-### Bug Fixes
-
-* powershell WindmillClient module loading on Windows workers ([#8370](https://github.com/windmill-labs/windmill/issues/8370)) ([3a268a9](https://github.com/windmill-labs/windmill/commit/3a268a9cf16add2ea2530e6eab247120a4d4754e))
-
 ## [1.657.0](https://github.com/windmill-labs/windmill/compare/v1.656.0...v1.657.0) (2026-03-14)


--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -26,7 +26,6 @@ Open-source platform for internal tools, workflows, API integrations, background
 - **DB**: `psql postgres://postgres:changeme@localhost:5432/windmill`
 - **Login**: `admin@windmill.dev` / `changeme`
 - **Instance settings**: navigate to `/#superadmin-settings`
- **Migrations**: use `cargo sqlx migrate add -r <name>` from `backend/` to create new migrations (never generate timestamps manually)

 ## Banned Patterns

@@ -59,8 +58,6 @@ let { my_prop = $bindable(default_value) }: { my_prop?: string } = $props()
 - `refs "X" --caller` instead of reading files to find which function contains each reference
 - `callers "X"` / `callees "X"` for call-graph questions

-EE files (`*_ee.rs`, `*_ee.ts`, `*_ee.svelte`) are indexed — you can `outline`, `def`, `body`, `refs` etc. on them just like regular files.
-
 ```bash
 NAV="sh wm-ts-nav/nav"
 # Use --root backend for Rust, --root frontend/src for TS/Svelte
--- a/14
+++ b/14
@@ -11,8 +11,18 @@
 {$BASE_URL} {
        bind {$ADDRESS}

-        # Extra services: LSP, Multiplayer, Debugger (windmill_extra gateway)
-        reverse_proxy /ws/* /ws_mp/* /ws_debug/* http://windmill_extra:3000
+        # LSP - Language Server Protocol for code intelligence (windmill_extra:3001)
+        reverse_proxy /ws/* http://windmill_extra:3001
+
+        # Multiplayer - Real-time collaboration, Enterprise Edition (windmill_extra:3002)
+        # Uncomment and set ENABLE_MULTIPLAYER=true in docker-compose.yml
+        # reverse_proxy /ws_mp/* http://windmill_extra:3002
+
+        # Debugger - Interactive debugging via DAP WebSocket (windmill_extra:3003)
+        # Set ENABLE_DEBUGGER=true in docker-compose.yml to enable
+        handle_path /ws_debug/* {
+                reverse_proxy http://windmill_extra:3003
+        }

        # Search indexer, Enterprise Edition (windmill_indexer:8002)
        # reverse_proxy /api/srch/* http://windmill_indexer:8002
--- a/24
+++ b/24
@@ -118,18 +118,6 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
    CARGO_NET_GIT_FETCH_WITH_CLI=true cargo build --release --features "$features"

-# Split debug info into a separate file, then strip the binary.
-# The .debug file can be extracted as a CI artifact for production debugging.
-# The debuglink allows gdb to auto-discover the debug file when placed next to the binary.
-RUN objcopy --only-keep-debug /windmill/target/release/windmill /windmill/target/release/windmill.debug \
-    && strip /windmill/target/release/windmill \
-    && objcopy --add-gnu-debuglink=/windmill/target/release/windmill.debug /windmill/target/release/windmill
-
-# Standalone stage for extracting the .debug file without including it in the final image.
-# Build with: docker build --target debuginfo --output type=local,dest=./out .
-FROM scratch AS debuginfo
-COPY --from=builder /windmill/target/release/windmill.debug /windmill.debug
-
 FROM ${DEBIAN_IMAGE}

 ARG TARGETPLATFORM
@@ -162,19 +150,11 @@ ENV PATH /usr/local/bin:/root/.local/bin:/tmp/.local/bin:$PATH


 RUN apt-get update \
-    && apt-get install -y --no-install-recommends netbase tzdata ca-certificates wget curl jq unzip build-essential unixodbc xmlsec1 software-properties-common tini gnupg lsb-release \
+    && apt-get install -y --no-install-recommends netbase tzdata ca-certificates wget curl jq unzip build-essential unixodbc xmlsec1 software-properties-common tini \
    && if echo "$features" | grep -q "ee"; then apt-get install -y --no-install-recommends libsasl2-modules-gssapi-mit krb5-user; fi \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-# Install latest PostgreSQL client (pg_dump) from official PostgreSQL apt repository
-RUN curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg \
-    && echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends postgresql-client \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
 RUN if [ "$WITH_GIT" = "true" ]; then \
    apt-get update  -y \
    && apt-get install -y git \
@@ -288,7 +268,7 @@ RUN bun install -g windmill-cli \
 RUN curl -fsSL https://claude.ai/install.sh | bash \
    && cp /root/.local/share/claude/versions/* /usr/bin/claude

-COPY --from=php:8.3.30-cli-bookworm /usr/local/bin/php /usr/bin/php
+COPY --from=php:8.3.30-cli /usr/local/bin/php /usr/bin/php
 COPY --from=composer:2.9.5 /usr/bin/composer /usr/bin/composer

 # add the docker client to call docker from a worker if enabled
--- a/backend/.sqlx/query-007fa93171b244490b94464938b9f95aca4e91bccde6da93cb151799b3398049.json
+++ b/backend/.sqlx/query-007fa93171b244490b94464938b9f95aca4e91bccde6da93cb151799b3398049.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_status\n                         SET flow_status = JSONB_SET(flow_status, ARRAY['cleanup_module', 'flow_jobs_to_clean'], COALESCE(flow_status->'cleanup_module'->'flow_jobs_to_clean', '[]'::jsonb) || $1)\n                         WHERE id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb",
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "007fa93171b244490b94464938b9f95aca4e91bccde6da93cb151799b3398049"
-}
--- a/backend/.sqlx/query-00bdac005e3fb2167c90c26b96ab267c19d4b6578736c852114df96ed5575952.json
+++ b/backend/.sqlx/query-00bdac005e3fb2167c90c26b96ab267c19d4b6578736c852114df96ed5575952.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE background_task_state\n         SET value = $1, updated_at = NOW()\n         WHERE name = $2 AND owner = $3 AND running = true",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "00bdac005e3fb2167c90c26b96ab267c19d4b6578736c852114df96ed5575952"
-}
--- a/backend/.sqlx/query-0186c1058f147e012b8120c342caf8688a6d1643747be3ec4f784c3029a59e52.json
+++ b/backend/.sqlx/query-0186c1058f147e012b8120c342caf8688a6d1643747be3ec4f784c3029a59e52.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT j.id\n             FROM v2_job_queue q JOIN v2_job j USING (id) LEFT JOIN v2_job_runtime r USING (id) LEFT JOIN v2_job_status s USING (id)\n             WHERE r.ping < now() - ($1 || ' seconds')::interval\n             AND q.running = true AND j.kind NOT IN ('flow', 'flowpreview', 'flownode', 'singlestepflow') AND j.same_worker = false AND q.suspend_until IS NULL",
+  "query": "SELECT j.id\n             FROM v2_job_queue q JOIN v2_job j USING (id) LEFT JOIN v2_job_runtime r USING (id) LEFT JOIN v2_job_status s USING (id)\n             WHERE r.ping < now() - ($1 || ' seconds')::interval\n             AND q.running = true AND j.kind NOT IN ('flow', 'flowpreview', 'flownode', 'singlestepflow') AND j.same_worker = false",
  "describe": {
    "columns": [
      {
@@ -18,5 +18,5 @@
      false
    ]
  },
-  "hash": "36b556a1c8630547cb7f5f88a1a0f02effb9e62409cd61fa4de60d11d50ee206"
+  "hash": "0186c1058f147e012b8120c342caf8688a6d1643747be3ec4f784c3029a59e52"
 }
--- a/backend/.sqlx/query-023cdbc77ea9e2c17a1aa92a5b9001f29e58e81b3f782887db6e0a627dd8ad75.json
+++ b/backend/.sqlx/query-023cdbc77ea9e2c17a1aa92a5b9001f29e58e81b3f782887db6e0a627dd8ad75.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO native_trigger (\n            external_id,\n            workspace_id,\n            service_name,\n            script_path,\n            is_flow,\n            webhook_token_hash,\n            service_config,\n            summary\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6, $7, $8\n        )\n        ON CONFLICT (external_id, workspace_id, service_name)\n        DO UPDATE SET script_path = $4, is_flow = $5, webhook_token_hash = $6, service_config = $7, summary = $8, error = NULL, updated_at = NOW()\n        ",
+  "query": "\n        INSERT INTO native_trigger (\n            external_id,\n            workspace_id,\n            service_name,\n            script_path,\n            is_flow,\n            webhook_token_prefix,\n            service_config\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6, $7\n        )\n        ON CONFLICT (external_id, workspace_id, service_name)\n        DO UPDATE SET script_path = $4, is_flow = $5, webhook_token_prefix = $6, service_config = $7, error = NULL, updated_at = NOW()\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -21,11 +21,10 @@
        "Varchar",
        "Bool",
        "Varchar",
-        "Jsonb",
-        "Varchar"
+        "Jsonb"
      ]
    },
    "nullable": []
  },
-  "hash": "1048d1c95270ce1f36c02bce31a2bc8a88935c613bd213b7156299811377db8e"
+  "hash": "023cdbc77ea9e2c17a1aa92a5b9001f29e58e81b3f782887db6e0a627dd8ad75"
 }
--- a/backend/.sqlx/query-0300afc35a880eef163dfdfd9d5299fac14562ee8595c792f3c30d042fa2d3eb.json
+++ b/backend/.sqlx/query-0300afc35a880eef163dfdfd9d5299fac14562ee8595c792f3c30d042fa2d3eb.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO postgres_trigger (\n            path, script_path, is_flow, workspace_id, edited_by, permissioned_as,\n            postgres_resource_path, replication_slot_name, publication_name\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO postgres_trigger (\n            path, script_path, is_flow, workspace_id, edited_by, email,\n            postgres_resource_path, replication_slot_name, publication_name\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -18,5 +18,5 @@
    },
    "nullable": []
  },
-  "hash": "a8245a3b29927c26894be884c38e4d848674d5318e20bb5fc6c4261da25744ca"
+  "hash": "0300afc35a880eef163dfdfd9d5299fac14562ee8595c792f3c30d042fa2d3eb"
 }
--- a/backend/.sqlx/query-035e29e775bfc5b236100135e1d94a4baf2b617b86f0c3c74ba9a00b859993f6.json
+++ b/backend/.sqlx/query-035e29e775bfc5b236100135e1d94a4baf2b617b86f0c3c74ba9a00b859993f6.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO job_delete_schedule (job_id, workspace_id, delete_at) VALUES ($1, $2, now() + make_interval(secs => $3::double precision)) ON CONFLICT (job_id) DO NOTHING",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid",
-        "Varchar",
-        "Float8"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "035e29e775bfc5b236100135e1d94a4baf2b617b86f0c3c74ba9a00b859993f6"
-}
--- a/backend/.sqlx/query-07168aaf14cb6beff0ad4274b441f7f387f5055c47f493271d26731336257384.json
+++ b/backend/.sqlx/query-07168aaf14cb6beff0ad4274b441f7f387f5055c47f493271d26731336257384.json
@@ -46,11 +46,11 @@
      ]
    },
    "nullable": [
-      false,
-      false,
-      false,
-      false,
-      false,
+      true,
+      true,
+      true,
+      true,
+      true,
      true,
      true
    ]
--- a/backend/.sqlx/query-072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04.json
+++ b/backend/.sqlx/query-072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04.json
@@ -0,0 +1,29 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n            UPDATE kafka_trigger\n            SET\n                kafka_resource_path = $1,\n                group_id = $2,\n                topics = $3,\n                filters = $4,\n                auto_offset_reset = $5,\n                auto_commit = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                edited_by = $10,\n                email = $11,\n                edited_at = now(),\n                server_id = NULL,\n                error = NULL,\n                error_handler_path = $14,\n                error_handler_args = $15,\n                retry = $16\n            WHERE\n                workspace_id = $12 AND path = $13\n            ",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "VarcharArray",
+        "JsonbArray",
+        "Varchar",
+        "Bool",
+        "Varchar",
+        "Varchar",
+        "Bool",
+        "Varchar",
+        "Varchar",
+        "Text",
+        "Text",
+        "Varchar",
+        "Jsonb",
+        "Jsonb"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "072e5ab78f929c6b7264f98c1588cb24cc635836276ee6faa2438f494bfbce04"
+}
--- a/backend/.sqlx/query-075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a.json
+++ b/backend/.sqlx/query-075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a.json
@@ -1,11 +1,11 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT permissioned_as, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
+  "query": "SELECT email, edited_by FROM websocket_trigger WHERE path = $1 AND workspace_id = $2",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "permissioned_as",
+        "name": "email",
        "type_info": "Varchar"
      },
      {
@@ -25,5 +25,5 @@
      false
    ]
  },
-  "hash": "893ff34f2b22cf89a24a0b613ed390077fe6c75f56a3419f530e542bab0fb1a4"
+  "hash": "075d4749299af2cb81162bf396bec6aa89de43ec201c911196763e03e644ca7a"
 }
--- a/backend/.sqlx/query-077467cd813d5af161cb1cc232724f26984822d4c28ba36c0a9331273b10edc0.json
+++ b/backend/.sqlx/query-077467cd813d5af161cb1cc232724f26984822d4c28ba36c0a9331273b10edc0.json
@@ -1,12 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO email_to_igroup (email, igroup) VALUES ('alice@example.com', 'admins') ON CONFLICT DO NOTHING",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": []
-  },
-  "hash": "077467cd813d5af161cb1cc232724f26984822d4c28ba36c0a9331273b10edc0"
-}
--- a/backend/.sqlx/query-07770a002a49428c4f956cfc7262d6b6792ae5b97ed90b0ee07d17480b2dffe2.json
+++ b/backend/.sqlx/query-07770a002a49428c4f956cfc7262d6b6792ae5b97ed90b0ee07d17480b2dffe2.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT setting::bigint as \"max!\" FROM pg_settings WHERE name = 'max_connections'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "max!",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "07770a002a49428c4f956cfc7262d6b6792ae5b97ed90b0ee07d17480b2dffe2"
-}
--- a/backend/.sqlx/query-08522e494e34f4ecae21460262bf0ed3c5a197dd744c87cb760aaf47001febbd.json
+++ b/backend/.sqlx/query-08522e494e34f4ecae21460262bf0ed3c5a197dd744c87cb760aaf47001febbd.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM trashbin WHERE id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Int8"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "08522e494e34f4ecae21460262bf0ed3c5a197dd744c87cb760aaf47001febbd"
-}
--- a/backend/.sqlx/query-0924c79aca648e5ec3fcc5e91ca71d524fe9d4b46c2e8ed36ae99b5810a896ab.json
+++ b/backend/.sqlx/query-0924c79aca648e5ec3fcc5e91ca71d524fe9d4b46c2e8ed36ae99b5810a896ab.json
@@ -1,14 +1,8 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO app_version (app_id, value, created_by, created_at, raw_app)\n                 VALUES ($1, $2, $3, $4, $5) RETURNING id",
+  "query": "INSERT INTO app_version (app_id, value, created_by, created_at, raw_app)\n                 VALUES ($1, $2, $3, $4, $5)",
  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "id",
-        "type_info": "Int8"
-      }
-    ],
+    "columns": [],
    "parameters": {
      "Left": [
        "Int8",
@@ -18,9 +12,7 @@
        "Bool"
      ]
    },
-    "nullable": [
-      false
-    ]
+    "nullable": []
  },
-  "hash": "da87e3c6678e4ada367dfe6bdaef2c99ea980fb89fdb1bd954c22ac3cf79624c"
+  "hash": "0924c79aca648e5ec3fcc5e91ca71d524fe9d4b46c2e8ed36ae99b5810a896ab"
 }
--- a/backend/.sqlx/query-0ca770234f3e38be3fb1c280d82e9c06440168806fe605e38808bdcb400d4034.json
+++ b/backend/.sqlx/query-0ca770234f3e38be3fb1c280d82e9c06440168806fe605e38808bdcb400d4034.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n    INSERT INTO script\n    (workspace_id, hash, path, parent_hashes, summary, description, content, created_by, schema, is_template, extra_perms, lock, language, kind, tag, draft_only, envs, concurrent_limit, concurrency_time_window_s, cache_ttl, cache_ignore_s3_path, dedicated_worker, ws_error_handler_muted, priority, restart_unless_cancelled, delete_after_use, delete_after_secs, timeout, concurrency_key, visible_to_runner_only, auto_kind, codebase, has_preprocessor, on_behalf_of_email, schema_validation, assets, debounce_key, debounce_delay_s, runnable_settings_handle, modules, labels)\n\n    SELECT  workspace_id, $1, path, array_prepend($2::bigint, COALESCE(parent_hashes, '{}'::bigint[])), summary, description, content, created_by, schema, is_template, extra_perms, NULL, language, kind, tag, draft_only, envs, concurrent_limit, concurrency_time_window_s, cache_ttl, cache_ignore_s3_path, dedicated_worker, ws_error_handler_muted, priority, restart_unless_cancelled, delete_after_use, delete_after_secs, timeout, concurrency_key, visible_to_runner_only, auto_kind, codebase, has_preprocessor, on_behalf_of_email, schema_validation, assets, debounce_key, debounce_delay_s, runnable_settings_handle, modules, labels\n\n    FROM script WHERE hash = $2 AND workspace_id = $3;\n            ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Int8",
-        "Int8",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "0ca770234f3e38be3fb1c280d82e9c06440168806fe605e38808bdcb400d4034"
-}
--- a/backend/.sqlx/query-0f26c74f604e1c3c613de8ba654cac1a41b20b1d3ea0f1a1c4ea2fcbbd314d7e.json
+++ b/backend/.sqlx/query-0f26c74f604e1c3c613de8ba654cac1a41b20b1d3ea0f1a1c4ea2fcbbd314d7e.json
@@ -1,35 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email, permissioned_as, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "permissioned_as",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 2,
-        "name": "edited_by",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false,
-      false
-    ]
-  },
-  "hash": "0f26c74f604e1c3c613de8ba654cac1a41b20b1d3ea0f1a1c4ea2fcbbd314d7e"
-}
--- a/backend/.sqlx/query-0f58d4e7e6f3e962e8a86a2d9feb921c308b6a047530eccd8966513ffdc722d0.json
+++ b/backend/.sqlx/query-0f58d4e7e6f3e962e8a86a2d9feb921c308b6a047530eccd8966513ffdc722d0.json
@@ -34,8 +34,7 @@
                "nu",
                "java",
                "duckdb",
-                "ruby",
-                "rlang"
+                "ruby"
              ]
            }
          }
--- a/backend/.sqlx/query-0f5a31f328e59befb7dd3c3cb44439a0405d479e02ac79c2f4ec9a97636bd80d.json
+++ b/backend/.sqlx/query-0f5a31f328e59befb7dd3c3cb44439a0405d479e02ac79c2f4ec9a97636bd80d.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT token_hash FROM token WHERE token_hash = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "token_hash",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0f5a31f328e59befb7dd3c3cb44439a0405d479e02ac79c2f4ec9a97636bd80d"
-}
--- a/backend/.sqlx/query-1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77.json
+++ b/backend/.sqlx/query-1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO email_trigger (\n            path, local_part, workspaced_local_part, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
+  "query": "\n        INSERT INTO email_trigger (\n            path, local_part, workspaced_local_part, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8)\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -17,5 +17,5 @@
    },
    "nullable": []
  },
-  "hash": "1e28751bb98a1c477c0e582a2a39f81bf34e2d72f35ef1ea5d8c057ec9e694d8"
+  "hash": "1074c6c98e6a0c83ac04172a39abea21c793f58947051d39931d4da0868a1d77"
 }
--- a/backend/.sqlx/query-10f6d3ffd7406146572b1becdce5c8da5242b58f6ce46ab10296cff9d6a3a6c4.json
+++ b/backend/.sqlx/query-10f6d3ffd7406146572b1becdce5c8da5242b58f6ce46ab10296cff9d6a3a6c4.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT name, summary, array_remove(array_agg(email_to_igroup.email), null) as emails, instance_role FROM email_to_igroup RIGHT JOIN instance_group ON instance_group.name = email_to_igroup.igroup GROUP BY name, instance_role",
+  "query": "SELECT name, summary, array_remove(array_agg(email_to_igroup.email), null) as emails FROM email_to_igroup RIGHT JOIN instance_group ON instance_group.name = email_to_igroup.igroup GROUP BY name, summary",
  "describe": {
    "columns": [
      {
@@ -17,11 +17,6 @@
        "ordinal": 2,
        "name": "emails",
        "type_info": "VarcharArray"
-      },
-      {
-        "ordinal": 3,
-        "name": "instance_role",
-        "type_info": "Varchar"
      }
    ],
    "parameters": {
@@ -30,9 +25,8 @@
    "nullable": [
      false,
      true,
-      null,
-      true
+      null
    ]
  },
-  "hash": "0b0f601716c6713f8b521a65dba01303a7756f654d1a2c04bd47c0f2d1122155"
+  "hash": "10f6d3ffd7406146572b1becdce5c8da5242b58f6ce46ab10296cff9d6a3a6c4"
 }
--- a/backend/.sqlx/query-11d89b437b9fe5d493e1806438dd56ef8c427aa1bbcfe2a11ba34cc8eab9fb4e.json
+++ b/backend/.sqlx/query-11d89b437b9fe5d493e1806438dd56ef8c427aa1bbcfe2a11ba34cc8eab9fb4e.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE password SET super_admin = $1, role_source = 'manual' WHERE email = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Bool",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "11d89b437b9fe5d493e1806438dd56ef8c427aa1bbcfe2a11ba34cc8eab9fb4e"
-}
--- a/backend/.sqlx/query-12d37d75a429c0ddf2b2c190ab28bea5aefd27d0ed8a1bb2c8b3c1b0ece4efb7.json
+++ b/backend/.sqlx/query-12d37d75a429c0ddf2b2c190ab28bea5aefd27d0ed8a1bb2c8b3c1b0ece4efb7.json
@@ -0,0 +1,41 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "WITH to_update AS (\n                SELECT q.id, q.workspace_id, r.ping, COALESCE(zjc.counter, 0) as counter\n                FROM v2_job_queue q\n                JOIN v2_job j ON j.id = q.id\n                JOIN v2_job_runtime r ON r.id = j.id\n                LEFT JOIN zombie_job_counter zjc ON zjc.job_id = q.id\n                WHERE ping < now() - ($1 || ' seconds')::interval\n                    AND running = true\n                    AND kind NOT IN ('flow', 'flowpreview', 'flownode', 'singlestepflow')\n                    AND same_worker = false\n                    AND (zjc.counter IS NULL OR zjc.counter <= $2)\n                FOR UPDATE of q SKIP LOCKED\n            ),\n            zombie_jobs AS (\n                UPDATE v2_job_queue q\n                SET running = false, started_at = null\n                FROM to_update tu\n                WHERE q.id = tu.id AND (tu.counter IS NULL OR tu.counter < $2)\n                RETURNING q.id, q.workspace_id, ping, tu.counter\n            ),\n            update_ping AS (\n                UPDATE v2_job_runtime r\n                SET ping = null\n                FROM zombie_jobs zj\n                WHERE r.id = zj.id\n            ),\n            increment_counter AS (\n                INSERT INTO zombie_job_counter (job_id, counter)\n                SELECT id, 1 FROM to_update WHERE counter < $2\n                ON CONFLICT (job_id) DO UPDATE\n                SET counter = zombie_job_counter.counter + 1\n            ),\n            update_concurrency AS (\n                UPDATE concurrency_counter cc\n                SET job_uuids = job_uuids - zj.id::text\n                FROM zombie_jobs zj\n                INNER JOIN concurrency_key ck ON ck.job_id = zj.id\n                WHERE cc.concurrency_id = ck.key\n            )\n            SELECT id AS \"id!\", workspace_id AS \"workspace_id!\", ping, counter + 1 AS counter FROM to_update",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id!",
+        "type_info": "Uuid"
+      },
+      {
+        "ordinal": 1,
+        "name": "workspace_id!",
+        "type_info": "Varchar"
+      },
+      {
+        "ordinal": 2,
+        "name": "ping",
+        "type_info": "Timestamptz"
+      },
+      {
+        "ordinal": 3,
+        "name": "counter",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Int4"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      true,
+      null
+    ]
+  },
+  "hash": "12d37d75a429c0ddf2b2c190ab28bea5aefd27d0ed8a1bb2c8b3c1b0ece4efb7"
+}
--- a/backend/.sqlx/query-1325d08f0d34a5e706543585186dac4ee099aefcd3ed51f10f3298a2c006da80.json
+++ b/backend/.sqlx/query-1325d08f0d34a5e706543585186dac4ee099aefcd3ed51f10f3298a2c006da80.json
@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM raw_script_temp WHERE workspace_id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1325d08f0d34a5e706543585186dac4ee099aefcd3ed51f10f3298a2c006da80"
-}
--- a/backend/.sqlx/query-14276a040cb4db88d71fccdc3579e8c0bb132b70668301b535872d1632753e30.json
+++ b/backend/.sqlx/query-14276a040cb4db88d71fccdc3579e8c0bb132b70668301b535872d1632753e30.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "WITH inserted_job AS (\n            INSERT INTO v2_job (\n                id, -- 1\n                workspace_id, -- 2\n                raw_code, -- 3\n                raw_lock, -- 4\n                raw_flow, -- 5\n                tag, -- 6\n                parent_job, -- 7\n                created_by, -- 8\n                permissioned_as, -- 9\n                runnable_id, -- 10\n                runnable_path, -- 11\n                args, -- 12\n                kind, -- 13\n                trigger, -- 14\n                script_lang, -- 15\n                same_worker, -- 16\n                pre_run_error, -- 17 \n                permissioned_as_email, -- 18\n                visible_to_owner, -- 19\n                flow_innermost_root_job, -- 20\n                root_job, -- 38\n                concurrent_limit, -- 21\n                concurrency_time_window_s, -- 22\n                timeout, -- 23\n                flow_step_id, -- 24\n                cache_ttl, -- 25\n                priority, -- 26\n                trigger_kind, -- 39\n                script_entrypoint_override, -- 12\n                preprocessed, -- 27,\n                labels -- 44\n            ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18,\n            $19, $20, $38, $21, $22, $23, $24, $25, $26, $39::job_trigger_kind,\n            ($12::JSONB)->>'_ENTRYPOINT_OVERRIDE', $27, $44)\n        ),\n        inserted_runtime AS (\n            INSERT INTO v2_job_runtime (id, ping) VALUES ($1, null)\n        ),\n        inserted_job_perms AS (\n            INSERT INTO job_perms (job_id, email, username, is_admin, is_operator, folders, groups, workspace_id, end_user_email) \n            values ($1, $32, $33, $34, $35, $36, $37, $2, $41) \n            ON CONFLICT (job_id) DO UPDATE SET email = EXCLUDED.email, username = EXCLUDED.username, is_admin = EXCLUDED.is_admin, is_operator = EXCLUDED.is_operator, folders = EXCLUDED.folders, groups = EXCLUDED.groups, workspace_id = EXCLUDED.workspace_id, end_user_email = EXCLUDED.end_user_email\n        )\n        INSERT INTO v2_job_queue\n            (workspace_id, id, running, scheduled_for, started_at, tag, priority, cache_ignore_s3_path, runnable_settings_handle)\n            VALUES ($2, $1, $28, COALESCE($29, now()), CASE WHEN $27 OR $40 THEN now() END, $30, $31, $42, $43)",
+  "query": "WITH inserted_job AS (\n            INSERT INTO v2_job (\n                id, -- 1\n                workspace_id, -- 2\n                raw_code, -- 3\n                raw_lock, -- 4\n                raw_flow, -- 5\n                tag, -- 6\n                parent_job, -- 7\n                created_by, -- 8\n                permissioned_as, -- 9\n                runnable_id, -- 10\n                runnable_path, -- 11\n                args, -- 12\n                kind, -- 13\n                trigger, -- 14\n                script_lang, -- 15\n                same_worker, -- 16\n                pre_run_error, -- 17 \n                permissioned_as_email, -- 18\n                visible_to_owner, -- 19\n                flow_innermost_root_job, -- 20\n                root_job, -- 38\n                concurrent_limit, -- 21\n                concurrency_time_window_s, -- 22\n                timeout, -- 23\n                flow_step_id, -- 24\n                cache_ttl, -- 25\n                priority, -- 26\n                trigger_kind, -- 39\n                script_entrypoint_override, -- 12\n                preprocessed -- 27,\n            ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18,\n            $19, $20, $38, $21, $22, $23, $24, $25, $26, $39::job_trigger_kind,\n            ($12::JSONB)->>'_ENTRYPOINT_OVERRIDE', $27)\n        ),\n        inserted_runtime AS (\n            INSERT INTO v2_job_runtime (id, ping) VALUES ($1, null)\n        ),\n        inserted_job_perms AS (\n            INSERT INTO job_perms (job_id, email, username, is_admin, is_operator, folders, groups, workspace_id, end_user_email) \n            values ($1, $32, $33, $34, $35, $36, $37, $2, $41) \n            ON CONFLICT (job_id) DO UPDATE SET email = EXCLUDED.email, username = EXCLUDED.username, is_admin = EXCLUDED.is_admin, is_operator = EXCLUDED.is_operator, folders = EXCLUDED.folders, groups = EXCLUDED.groups, workspace_id = EXCLUDED.workspace_id, end_user_email = EXCLUDED.end_user_email\n        )\n        INSERT INTO v2_job_queue\n            (workspace_id, id, running, scheduled_for, started_at, tag, priority, cache_ignore_s3_path, runnable_settings_handle)\n            VALUES ($2, $1, $28, COALESCE($29, now()), CASE WHEN $27 OR $40 THEN now() END, $30, $31, $42, $43)",
  "describe": {
    "columns": [],
    "parameters": {
@@ -76,8 +76,7 @@
                "nu",
                "java",
                "duckdb",
-                "ruby",
-                "rlang"
+                "ruby"
              ]
            }
          }
@@ -132,11 +131,10 @@
        "Bool",
        "Varchar",
        "Bool",
-        "Int8",
-        "TextArray"
+        "Int8"
      ]
    },
    "nullable": []
  },
-  "hash": "5425e2c5e29fc5145dde5ea53d5307ca90d8dd76da2ca560b310b12820be2576"
+  "hash": "14276a040cb4db88d71fccdc3579e8c0bb132b70668301b535872d1632753e30"
 }
--- a/backend/.sqlx/query-143acebe5d815c5d828013ebe46274f891f953c75f821499552ab7794f75063d.json
+++ b/backend/.sqlx/query-143acebe5d815c5d828013ebe46274f891f953c75f821499552ab7794f75063d.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT EXISTS(SELECT 1 FROM pg_extension WHERE extname = 'pg_stat_statements') as \"exists!\"",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "exists!",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "143acebe5d815c5d828013ebe46274f891f953c75f821499552ab7794f75063d"
-}
--- a/backend/.sqlx/query-15ef5759a2ccd7b7f9fd3f2ce0d54d01fe0a2c7e9692ac4ce29a86eb509e1a1d.json
+++ b/backend/.sqlx/query-15ef5759a2ccd7b7f9fd3f2ce0d54d01fe0a2c7e9692ac4ce29a86eb509e1a1d.json
@@ -0,0 +1,17 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO token\n                    (token, label, super_admin, email)\n                    VALUES ($1, $2, $3, $4)",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Bool",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "15ef5759a2ccd7b7f9fd3f2ce0d54d01fe0a2c7e9692ac4ce29a86eb509e1a1d"
+}
--- a/backend/.sqlx/query-1721f8b52ea265c0537fd7c742deddf0afbe5cf0d81b15e487c411ae169d3a89.json
+++ b/backend/.sqlx/query-1721f8b52ea265c0537fd7c742deddf0afbe5cf0d81b15e487c411ae169d3a89.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT igroup FROM email_to_igroup WHERE email = 'alice@example.com'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "igroup",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "1721f8b52ea265c0537fd7c742deddf0afbe5cf0d81b15e487c411ae169d3a89"
-}
--- a/backend/.sqlx/query-17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c.json
+++ b/backend/.sqlx/query-17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c.json
@@ -1,11 +1,11 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT permissioned_as, edited_by FROM http_trigger WHERE path = $1 AND workspace_id = $2",
+  "query": "SELECT email, edited_by FROM schedule WHERE path = $1 AND workspace_id = $2",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "permissioned_as",
+        "name": "email",
        "type_info": "Varchar"
      },
      {
@@ -25,5 +25,5 @@
      false
    ]
  },
-  "hash": "dbb16284b9dd98b9339816e43eebf0fef488102cd7b3fd38d8af3148545bf1a4"
+  "hash": "17aafb72843659df9594d6d2466d2afaf26e666ffe52e0ea85792ea31b63410c"
 }
--- a/backend/.sqlx/query-19478c2a3c05b2ed17b110f8ff58d48ce3ede5fdd7f8d64840f8c62cf89f99e7.json
+++ b/backend/.sqlx/query-19478c2a3c05b2ed17b110f8ff58d48ce3ede5fdd7f8d64840f8c62cf89f99e7.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n                SELECT\n                    NULLIF(script_lang, 'other')::script_lang as \"language: _\",\n                    SUM(job_count)::BIGINT as \"count!\",\n                    SUM(total_duration_ms)::BIGINT as \"total_duration!\"\n                FROM worker_group_job_stats\n                WHERE hour >= $1\n                GROUP BY script_lang\n            ",
+  "query": "\n                SELECT\n                    script_lang as \"language: _\",\n                    COUNT(*) as \"count!\",\n                    SUM(duration_ms)::BIGINT as \"total_duration!\"\n                FROM\n                    v2_job_completed\n                JOIN\n                    v2_job\n                ON\n                    v2_job.id = v2_job_completed.id\n                WHERE\n                    created_at >= CURRENT_DATE - INTERVAL '1 day'\n                    AND created_at < CURRENT_DATE\n                GROUP BY\n                    script_lang\n            ",
  "describe": {
    "columns": [
      {
@@ -33,8 +33,7 @@
                "nu",
                "java",
                "duckdb",
-                "ruby",
-                "rlang"
+                "ruby"
              ]
            }
          }
@@ -52,15 +51,13 @@
      }
    ],
    "parameters": {
-      "Left": [
-        "Int8"
-      ]
+      "Left": []
    },
    "nullable": [
-      null,
+      true,
      null,
      null
    ]
  },
-  "hash": "5c0d0c7111b70b119b3182c9195361388ead36dc6ab03c6a7c17fb97d2b60a67"
+  "hash": "19478c2a3c05b2ed17b110f8ff58d48ce3ede5fdd7f8d64840f8c62cf89f99e7"
 }
--- a/backend/.sqlx/query-1a2470da1015634d15952819f482749ef04e1a8c944c0fb7696e387d10370217.json
+++ b/backend/.sqlx/query-1a2470da1015634d15952819f482749ef04e1a8c944c0fb7696e387d10370217.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO token (token_hash, token_prefix, token, email, label, super_admin)\n         VALUES ($1, $2, $3, 'test@windmill.dev', 'webhook-test', false)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1a2470da1015634d15952819f482749ef04e1a8c944c0fb7696e387d10370217"
-}
--- a/backend/.sqlx/query-1bc77ad29b9c68b1d339b85158bc3592deb61d1111d1430ddd2879b72e6424ef.json
+++ b/backend/.sqlx/query-1bc77ad29b9c68b1d339b85158bc3592deb61d1111d1430ddd2879b72e6424ef.json
@@ -1,28 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT ws.default_app AS default_app_path, av.raw_app AS \"default_app_raw: Option<bool>\"\n         FROM workspace_settings ws\n         LEFT JOIN app ON app.path = ws.default_app AND app.workspace_id = ws.workspace_id\n         LEFT JOIN app_version av ON av.id = app.versions[array_upper(app.versions, 1)]\n         WHERE ws.workspace_id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "default_app_path",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "default_app_raw: Option<bool>",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      true,
-      false
-    ]
-  },
-  "hash": "1bc77ad29b9c68b1d339b85158bc3592deb61d1111d1430ddd2879b72e6424ef"
-}
--- a/backend/.sqlx/query-1bdf186d3b99bbd913cbf95150105470cd5f1d4ddbb147cb8ce46f9d1da5dfaf.json
+++ b/backend/.sqlx/query-1bdf186d3b99bbd913cbf95150105470cd5f1d4ddbb147cb8ce46f9d1da5dfaf.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "WITH email_lookup AS (\n                SELECT email FROM token WHERE token_hash = $1\n            )\n            DELETE FROM token\n            WHERE email = (SELECT email FROM email_lookup) AND label = 'session'\n            RETURNING email",
+  "query": "WITH email_lookup AS (\n                SELECT email FROM token WHERE token = $1\n            )\n            DELETE FROM token\n            WHERE email = (SELECT email FROM email_lookup) AND label = 'session'\n            RETURNING email",
  "describe": {
    "columns": [
      {
@@ -18,5 +18,5 @@
      true
    ]
  },
-  "hash": "215163b5a2791c51f9b28681c1ca1a47475dcf1a388c613a9e0154aef6582a23"
+  "hash": "1bdf186d3b99bbd913cbf95150105470cd5f1d4ddbb147cb8ce46f9d1da5dfaf"
 }
--- a/backend/.sqlx/query-1bf189625a4f14e12e0d0510eb534600b68125fb55f77ad3abf3333ebab22416.json
+++ b/backend/.sqlx/query-1bf189625a4f14e12e0d0510eb534600b68125fb55f77ad3abf3333ebab22416.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT git_sync FROM workspace_settings WHERE git_sync IS NOT NULL",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "git_sync",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      true
-    ]
-  },
-  "hash": "1bf189625a4f14e12e0d0510eb534600b68125fb55f77ad3abf3333ebab22416"
-}
--- a/backend/.sqlx/query-1bf8dc01326ebf6b8faa04e418b781e37bb9cedd1a89bf71a969b6db8cace48e.json
+++ b/backend/.sqlx/query-1bf8dc01326ebf6b8faa04e418b781e37bb9cedd1a89bf71a969b6db8cace48e.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n            INSERT INTO nats_trigger (\n                workspace_id,\n                path,\n                nats_resource_path,\n                subjects,\n                stream_name,\n                consumer_name,\n                use_jetstream,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                permissioned_as,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, now(), $13, $14, $15\n            )\n            ",
+  "query": "\n            INSERT INTO nats_trigger (\n                workspace_id,\n                path,\n                nats_resource_path,\n                subjects,\n                stream_name,\n                consumer_name,\n                use_jetstream,\n                script_path,\n                is_flow,\n                mode,\n                edited_by,\n                email,\n                edited_at,\n                error_handler_path,\n                error_handler_args,\n                retry\n            ) VALUES (\n                $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, now(), $13, $14, $15\n            )\n            ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -35,5 +35,5 @@
    },
    "nullable": []
  },
-  "hash": "d56a8a7291ce3141c06d79ef854ac2cf970c3e41a223e31d3991276742d2afe1"
+  "hash": "1bf8dc01326ebf6b8faa04e418b781e37bb9cedd1a89bf71a969b6db8cace48e"
 }
--- a/backend/.sqlx/query-1cad2ebfbdc46f9c0d93329897a71701f17a33b708b334d909563c9a0dcc9c23.json
+++ b/backend/.sqlx/query-1cad2ebfbdc46f9c0d93329897a71701f17a33b708b334d909563c9a0dcc9c23.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, permissioned_as\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO kafka_trigger (\n            path, kafka_resource_path, topics, group_id, script_path,\n            is_flow, workspace_id, edited_by, email\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -18,5 +18,5 @@
    },
    "nullable": []
  },
-  "hash": "066c9690d1606bf889879b7e3c686529c37db0d5f18c83706bfbc63c8c3e4315"
+  "hash": "1cad2ebfbdc46f9c0d93329897a71701f17a33b708b334d909563c9a0dcc9c23"
 }
--- a/backend/.sqlx/query-1cf2eb1426e8be89c3649272103bcd029e99b029b7f1b71eda4411d1e24e790d.json
+++ b/backend/.sqlx/query-1cf2eb1426e8be89c3649272103bcd029e99b029b7f1b71eda4411d1e24e790d.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        SELECT\n            gcp_resource_path,\n            script_path,\n            is_flow,\n            mode as \"mode: _\",\n            workspace_id,\n            path,\n            edited_by,\n            permissioned_as,\n            delivery_config AS \"delivery_config: _\",\n            retry as \"retry: _\",\n            error_handler_path,\n            error_handler_args as \"error_handler_args: _\"\n        FROM\n            gcp_trigger\n        WHERE\n            workspace_id = $1 AND\n            path = $2 AND\n            delivery_type = 'push'::DELIVERY_MODE\n        ",
+  "query": "\n        SELECT\n            gcp_resource_path,\n            script_path,\n            is_flow,\n            mode as \"mode: _\",\n            workspace_id,\n            path,\n            edited_by,\n            email,\n            delivery_config AS \"delivery_config: _\",\n            retry as \"retry: _\",\n            error_handler_path,\n            error_handler_args as \"error_handler_args: _\"\n        FROM\n            gcp_trigger\n        WHERE\n            workspace_id = $1 AND\n            path = $2 AND\n            delivery_type = 'push'::DELIVERY_MODE\n        ",
  "describe": {
    "columns": [
      {
@@ -51,7 +51,7 @@
      },
      {
        "ordinal": 7,
-        "name": "permissioned_as",
+        "name": "email",
        "type_info": "Varchar"
      },
      {
@@ -96,5 +96,5 @@
      true
    ]
  },
-  "hash": "6cfa6b5f16207863a03b77fffbb94ae91872a207ea2362e49e100ed1f0b35198"
+  "hash": "1cf2eb1426e8be89c3649272103bcd029e99b029b7f1b71eda4411d1e24e790d"
 }
--- a/backend/.sqlx/query-1d4bb4f53574ef95ef1016b760f849ec2372ac6a21bb2556d17a96dc72ea4980.json
+++ b/backend/.sqlx/query-1d4bb4f53574ef95ef1016b760f849ec2372ac6a21bb2556d17a96dc72ea4980.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, permissioned_as, server_id, error\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
+  "query": "\n        INSERT INTO websocket_trigger (\n            path, url, script_path, is_flow, workspace_id,\n            edited_by, email, server_id, error\n        )\n        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -18,5 +18,5 @@
    },
    "nullable": []
  },
-  "hash": "02748cae17e8966dbd57a33017ccb747c84fcc12fbfd93c6c749570b94d35696"
+  "hash": "1d4bb4f53574ef95ef1016b760f849ec2372ac6a21bb2556d17a96dc72ea4980"
 }
--- a/backend/.sqlx/query-1d995dd5a094631ae96c16d68026fdeb22714af38162e87c02b052a5b8ec2645.json
+++ b/backend/.sqlx/query-1d995dd5a094631ae96c16d68026fdeb22714af38162e87c02b052a5b8ec2645.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM trashbin WHERE workspace_id = $1 AND id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Int8"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1d995dd5a094631ae96c16d68026fdeb22714af38162e87c02b052a5b8ec2645"
-}
--- a/backend/.sqlx/query-1dd73eff0e89b84c0316af2760a136afdd19dc34f9f31c4f9de6b0f74bc386a6.json
+++ b/backend/.sqlx/query-1dd73eff0e89b84c0316af2760a136afdd19dc34f9f31c4f9de6b0f74bc386a6.json
@@ -1,32 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT\n            schemaname || '.' || relname as \"table_name!\",\n            pg_total_relation_size(relid) as \"total_size_bytes!\",\n            pg_size_pretty(pg_total_relation_size(relid)) as \"total_size_pretty!\"\n        FROM pg_catalog.pg_statio_user_tables\n        ORDER BY pg_total_relation_size(relid) DESC\n        LIMIT 15",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "table_name!",
-        "type_info": "Text"
-      },
-      {
-        "ordinal": 1,
-        "name": "total_size_bytes!",
-        "type_info": "Int8"
-      },
-      {
-        "ordinal": 2,
-        "name": "total_size_pretty!",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null,
-      null,
-      null
-    ]
-  },
-  "hash": "1dd73eff0e89b84c0316af2760a136afdd19dc34f9f31c4f9de6b0f74bc386a6"
-}
--- a/backend/.sqlx/query-1f1e477b27f38f410b7e6f436ced0751f77f9cb41055481bc06af6827d647041.json
+++ b/backend/.sqlx/query-1f1e477b27f38f410b7e6f436ced0751f77f9cb41055481bc06af6827d647041.json
@@ -43,8 +43,7 @@
                "nu",
                "java",
                "duckdb",
-                "ruby",
-                "rlang"
+                "ruby"
              ]
            }
          }
--- a/backend/.sqlx/query-209dc4c1b91eeab1c12ffcd9f9e16f315c689ca772c736b333dcdf07c8086087.json
+++ b/backend/.sqlx/query-209dc4c1b91eeab1c12ffcd9f9e16f315c689ca772c736b333dcdf07c8086087.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n                                SELECT\n                                    flow_version.id AS version,\n                                    flow_version.value->>'early_return' as early_return,\n                                    flow_version.value->>'preprocessor_module' IS NOT NULL as has_preprocessor,\n                                    (flow_version.value->>'chat_input_enabled')::boolean as chat_input_enabled,\n                                    flow.tag,\n                                    flow.dedicated_worker,\n                                    flow.on_behalf_of_email,\n                                    flow.edited_by,\n                                    flow.labels\n                                FROM\n                                    flow_version\n                                INNER JOIN flow\n                                    ON flow.path = flow_version.path AND\n                                       flow.workspace_id = flow_version.workspace_id\n                                WHERE\n                                    flow_version.workspace_id = $1 AND\n                                    flow_version.path = $2 AND\n                                    flow_version.id = $3\n                            ",
+  "query": "\n                                SELECT\n                                    flow_version.id AS version,\n                                    flow_version.value->>'early_return' as early_return,\n                                    flow_version.value->>'preprocessor_module' IS NOT NULL as has_preprocessor,\n                                    (flow_version.value->>'chat_input_enabled')::boolean as chat_input_enabled,\n                                    flow.tag,\n                                    flow.dedicated_worker,\n                                    flow.on_behalf_of_email,\n                                    flow.edited_by\n                                FROM\n                                    flow_version\n                                INNER JOIN flow\n                                    ON flow.path = flow_version.path AND\n                                       flow.workspace_id = flow_version.workspace_id\n                                WHERE\n                                    flow_version.workspace_id = $1 AND\n                                    flow_version.path = $2 AND\n                                    flow_version.id = $3\n                            ",
  "describe": {
    "columns": [
      {
@@ -42,11 +42,6 @@
        "ordinal": 7,
        "name": "edited_by",
        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 8,
-        "name": "labels",
-        "type_info": "TextArray"
      }
    ],
    "parameters": {
@@ -64,9 +59,8 @@
      true,
      true,
      true,
-      false,
-      true
+      false
    ]
  },
-  "hash": "6d992a933bb878733b7afd7a4295b9ad6f5276b60ce20e0378d6148976e02777"
+  "hash": "209dc4c1b91eeab1c12ffcd9f9e16f315c689ca772c736b333dcdf07c8086087"
 }
--- a/backend/.sqlx/query-21331baf02c3c798bcc215443dad16eb66acac5f40c20529b595154f4e6fd754.json
+++ b/backend/.sqlx/query-21331baf02c3c798bcc215443dad16eb66acac5f40c20529b595154f4e6fd754.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_status\n                         SET flow_status = JSONB_SET(flow_status, ARRAY['cleanup_module', 'flow_jobs_to_schedule_clean'], COALESCE(flow_status->'cleanup_module'->'flow_jobs_to_schedule_clean', '[]'::jsonb) || $1)\n                         WHERE id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Jsonb",
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "21331baf02c3c798bcc215443dad16eb66acac5f40c20529b595154f4e6fd754"
-}
--- a/backend/.sqlx/query-21f4840f60e8310d7b7efcba7483e69e4ef8821c6cbf3b4f296b3853d95692af.json
+++ b/backend/.sqlx/query-21f4840f60e8310d7b7efcba7483e69e4ef8821c6cbf3b4f296b3853d95692af.json
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT COUNT(*) FROM usr WHERE workspace_id = $1 AND disabled = false",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "count",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "21f4840f60e8310d7b7efcba7483e69e4ef8821c6cbf3b4f296b3853d95692af"
-}
--- a/backend/.sqlx/query-223fbd972728d5b3ec5b1708e3f2e1f4901b0382fca50704c9544cdec5f9352c.json
+++ b/backend/.sqlx/query-223fbd972728d5b3ec5b1708e3f2e1f4901b0382fca50704c9544cdec5f9352c.json
@@ -1,21 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO token (token_hash, token_prefix, token, email, label, expiration, scopes, workspace_id)\n         SELECT $1::varchar, $2::varchar, $3::varchar, $4::varchar, $5::varchar, now() + ($6 || ' seconds')::interval, $7::text[], $8::varchar\n         WHERE NOT EXISTS(SELECT 1 FROM workspace WHERE id = $8 AND deleted = true)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Text",
-        "TextArray",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "223fbd972728d5b3ec5b1708e3f2e1f4901b0382fca50704c9544cdec5f9352c"
-}
--- a/backend/.sqlx/query-234a278f20cb73f8ce10d2bfb67af58e5dd888581467c976e76f140b2c00f6d7.json
+++ b/backend/.sqlx/query-234a278f20cb73f8ce10d2bfb67af58e5dd888581467c976e76f140b2c00f6d7.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO instance_group (name, summary, id, scim_display_name, external_id, instance_role) VALUES ($1, $2, $3, $4, $5, $6)",
+  "query": "INSERT INTO instance_group (name, summary, id, scim_display_name, external_id) VALUES ($1, $2, $3, $4, $5)",
  "describe": {
    "columns": [],
    "parameters": {
@@ -9,11 +9,10 @@
        "Varchar",
        "Varchar",
        "Varchar",
-        "Varchar",
        "Varchar"
      ]
    },
    "nullable": []
  },
-  "hash": "88b5d7e6806b1a6f4e6ef5af5fc3fa81e8134f25b1dfcedb765a701f0dae8564"
+  "hash": "234a278f20cb73f8ce10d2bfb67af58e5dd888581467c976e76f140b2c00f6d7"
 }
--- a/backend/.sqlx/query-23b9c862d050b00aaa332527b62ef901cd3c417b9f3af03f35009213143bd443.json
+++ b/backend/.sqlx/query-23b9c862d050b00aaa332527b62ef901cd3c417b9f3af03f35009213143bd443.json
@@ -1,28 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT email, disabled FROM password WHERE email = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "email",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "disabled",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "23b9c862d050b00aaa332527b62ef901cd3c417b9f3af03f35009213143bd443"
-}
--- a/backend/.sqlx/query-23e4c6e3dc6a48f702c2b26a6b1f94668e086caaa0093a3b685f87483513b0d2.json
+++ b/backend/.sqlx/query-23e4c6e3dc6a48f702c2b26a6b1f94668e086caaa0093a3b685f87483513b0d2.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, schedule, timezone, edited_by, script_path,\n            is_flow, args, enabled, email, permissioned_as,\n            on_failure, on_failure_times, on_failure_exact, on_failure_extra_args,\n            on_recovery, on_recovery_times, on_recovery_extra_args,\n            on_success, on_success_extra_args,\n            ws_error_handler_muted, retry, summary, no_flow_overlap,\n            tag, paused_until, cron_version, description, dynamic_skip, labels\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6,\n            $7, $8, $9, $10, $11,\n            $12, $13, $14, $15,\n            $16, $17, $18,\n            $19, $20,\n            $21, $22, $23, $24,\n            $25, $26, $27, $28, $29, $30\n        )\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            permissioned_as,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args  AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip,\n            labels\n        ",
+  "query": "\n        INSERT INTO schedule (\n            workspace_id, path, schedule, timezone, edited_by, script_path,\n            is_flow, args, enabled, email,\n            on_failure, on_failure_times, on_failure_exact, on_failure_extra_args,\n            on_recovery, on_recovery_times, on_recovery_extra_args,\n            on_success, on_success_extra_args,\n            ws_error_handler_muted, retry, summary, no_flow_overlap,\n            tag, paused_until, cron_version, description, dynamic_skip\n        ) VALUES (\n            $1, $2, $3, $4, $5, $6,\n            $7, $8, $9, $10,\n            $11, $12, $13, $14,\n            $15, $16, $17,\n            $18, $19,\n            $20, $21, $22, $23,\n            $24, $25, $26, $27, $28\n        )\n        RETURNING\n            workspace_id,\n            path,\n            edited_by,\n            edited_at,\n            schedule,\n            timezone,\n            enabled,\n            script_path,\n            is_flow,\n            args AS \"args: _\",\n            extra_perms,\n            email,\n            error,\n            on_failure,\n            on_failure_times,\n            on_failure_exact,\n            on_failure_extra_args AS \"on_failure_extra_args: _\",\n            on_recovery,\n            on_recovery_times,\n            on_recovery_extra_args AS \"on_recovery_extra_args: _\",\n            on_success,\n            on_success_extra_args  AS \"on_success_extra_args: _\",\n            ws_error_handler_muted,\n            retry,\n            no_flow_overlap,\n            summary,\n            description,\n            tag,\n            paused_until,\n            cron_version,\n            dynamic_skip\n        ",
  "describe": {
    "columns": [
      {
@@ -65,108 +65,98 @@
      },
      {
        "ordinal": 12,
-        "name": "permissioned_as",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 13,
        "name": "error",
        "type_info": "Text"
      },
      {
-        "ordinal": 14,
+        "ordinal": 13,
        "name": "on_failure",
        "type_info": "Varchar"
      },
      {
-        "ordinal": 15,
+        "ordinal": 14,
        "name": "on_failure_times",
        "type_info": "Int4"
      },
      {
-        "ordinal": 16,
+        "ordinal": 15,
        "name": "on_failure_exact",
        "type_info": "Bool"
      },
      {
-        "ordinal": 17,
+        "ordinal": 16,
        "name": "on_failure_extra_args: _",
        "type_info": "Jsonb"
      },
      {
-        "ordinal": 18,
+        "ordinal": 17,
        "name": "on_recovery",
        "type_info": "Varchar"
      },
      {
-        "ordinal": 19,
+        "ordinal": 18,
        "name": "on_recovery_times",
        "type_info": "Int4"
      },
      {
-        "ordinal": 20,
+        "ordinal": 19,
        "name": "on_recovery_extra_args: _",
        "type_info": "Jsonb"
      },
      {
-        "ordinal": 21,
+        "ordinal": 20,
        "name": "on_success",
        "type_info": "Varchar"
      },
      {
-        "ordinal": 22,
+        "ordinal": 21,
        "name": "on_success_extra_args: _",
        "type_info": "Jsonb"
      },
      {
-        "ordinal": 23,
+        "ordinal": 22,
        "name": "ws_error_handler_muted",
        "type_info": "Bool"
      },
      {
-        "ordinal": 24,
+        "ordinal": 23,
        "name": "retry",
        "type_info": "Jsonb"
      },
      {
-        "ordinal": 25,
+        "ordinal": 24,
        "name": "no_flow_overlap",
        "type_info": "Bool"
      },
      {
-        "ordinal": 26,
+        "ordinal": 25,
        "name": "summary",
        "type_info": "Varchar"
      },
      {
-        "ordinal": 27,
+        "ordinal": 26,
        "name": "description",
        "type_info": "Text"
      },
      {
-        "ordinal": 28,
+        "ordinal": 27,
        "name": "tag",
        "type_info": "Varchar"
      },
      {
-        "ordinal": 29,
+        "ordinal": 28,
        "name": "paused_until",
        "type_info": "Timestamptz"
      },
      {
-        "ordinal": 30,
+        "ordinal": 29,
        "name": "cron_version",
        "type_info": "Text"
      },
      {
-        "ordinal": 31,
+        "ordinal": 30,
        "name": "dynamic_skip",
        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 32,
-        "name": "labels",
-        "type_info": "TextArray"
      }
    ],
    "parameters": {
@@ -182,7 +172,6 @@
        "Bool",
        "Varchar",
        "Varchar",
-        "Varchar",
        "Int4",
        "Bool",
        "Jsonb",
@@ -199,8 +188,7 @@
        "Timestamptz",
        "Text",
        "Text",
-        "Varchar",
-        "TextArray"
+        "Varchar"
      ]
    },
    "nullable": [
@@ -216,7 +204,6 @@
      true,
      false,
      false,
-      false,
      true,
      true,
      true,
@@ -235,9 +222,8 @@
      true,
      true,
      true,
-      true,
      true
    ]
  },
-  "hash": "2effe885aafaa0c5fc1f969b8c6ffbd38c53fb586251ba780b75a007e5a47ed6"
+  "hash": "23e4c6e3dc6a48f702c2b26a6b1f94668e086caaa0093a3b685f87483513b0d2"
 }
--- a/backend/.sqlx/query-243588f12c62aa7913bc3a4ae11ecee8a1e03863735036b1192fca143f27641c.json
+++ b/backend/.sqlx/query-243588f12c62aa7913bc3a4ae11ecee8a1e03863735036b1192fca143f27641c.json
@@ -1,26 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT workspace_id, path FROM variable WHERE is_secret = true AND value LIKE '$aws_sm:%'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "workspace_id",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "path",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "243588f12c62aa7913bc3a4ae11ecee8a1e03863735036b1192fca143f27641c"
-}
--- a/backend/.sqlx/query-250a4e3f1a1f95296f7075bf8780e9c7407e89c8f7636484895e99f5a5e71297.json
+++ b/backend/.sqlx/query-250a4e3f1a1f95296f7075bf8780e9c7407e89c8f7636484895e99f5a5e71297.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO usr (workspace_id, username, email, is_admin, operator, added_via)\n             VALUES ($1, 'alice', 'alice@example.com', false, true, $2)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "250a4e3f1a1f95296f7075bf8780e9c7407e89c8f7636484895e99f5a5e71297"
-}
--- a/backend/.sqlx/query-25ac66a1022c41267df199a95f532b0f778c25fbe0f7a7f9734c1f7e536ed6ce.json
+++ b/backend/.sqlx/query-25ac66a1022c41267df199a95f532b0f778c25fbe0f7a7f9734c1f7e536ed6ce.json
@@ -1,12 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM raw_script_temp WHERE created_at < NOW() - INTERVAL '1 week'",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": []
-  },
-  "hash": "25ac66a1022c41267df199a95f532b0f778c25fbe0f7a7f9734c1f7e536ed6ce"
-}
--- a/backend/.sqlx/query-26e62b4509e44a7548957ad4ef217fd46bc03d5dca19344cd3bf7b131fa40ed2.json
+++ b/backend/.sqlx/query-26e62b4509e44a7548957ad4ef217fd46bc03d5dca19344cd3bf7b131fa40ed2.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT value FROM global_settings WHERE name = 'retention_period_secs'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "value",
-        "type_info": "Jsonb"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "26e62b4509e44a7548957ad4ef217fd46bc03d5dca19344cd3bf7b131fa40ed2"
-}
--- a/backend/.sqlx/query-270cfaea4f888e73e21a957e0328ec1f990fce409160eb7b0e807bff56defff4.json
+++ b/backend/.sqlx/query-270cfaea4f888e73e21a957e0328ec1f990fce409160eb7b0e807bff56defff4.json
@@ -1,34 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT created_by, permissioned_as, permissioned_as_email\n           FROM v2_job\n           WHERE workspace_id = 'test-workspace'\n             AND trigger_kind = 'schedule'\n             AND trigger = $1\n           ORDER BY created_at DESC\n           LIMIT 1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "created_by",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "permissioned_as",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 2,
-        "name": "permissioned_as_email",
-        "type_info": "Varchar"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false,
-      false
-    ]
-  },
-  "hash": "270cfaea4f888e73e21a957e0328ec1f990fce409160eb7b0e807bff56defff4"
-}
--- a/backend/.sqlx/query-27ada97cb533c8595f1d73987c7823d8e54c96889e06895c57cafae9ca27bf8b.json
+++ b/backend/.sqlx/query-27ada97cb533c8595f1d73987c7823d8e54c96889e06895c57cafae9ca27bf8b.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        UPDATE native_trigger\n        SET script_path = $1, is_flow = $2, webhook_token_hash = $3, service_config = $4, summary = $8, error = NULL, updated_at = NOW()\n        WHERE\n            workspace_id = $5\n            AND service_name = $6\n            AND external_id = $7\n        ",
+  "query": "\n        UPDATE native_trigger\n        SET script_path = $1, is_flow = $2, webhook_token_prefix = $3, service_config = $4, error = NULL, updated_at = NOW()\n        WHERE\n            workspace_id = $5\n            AND service_name = $6\n            AND external_id = $7\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -21,11 +21,10 @@
            }
          }
        },
-        "Text",
-        "Varchar"
+        "Text"
      ]
    },
    "nullable": []
  },
-  "hash": "bf224f6441c36187f1402f9f01bfe15bb9edfa1dc9052f8a829e486b7334d708"
+  "hash": "27ada97cb533c8595f1d73987c7823d8e54c96889e06895c57cafae9ca27bf8b"
 }
--- a/backend/.sqlx/query-27cafd840e5f2c85d1c1e02d84a1b372e9d40dee29a10fb8fec89492fc501556.json
+++ b/backend/.sqlx/query-27cafd840e5f2c85d1c1e02d84a1b372e9d40dee29a10fb8fec89492fc501556.json
@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT encode(sha256('SECRET_TOKEN'::bytea), 'hex') AS hash",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "hash",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "27cafd840e5f2c85d1c1e02d84a1b372e9d40dee29a10fb8fec89492fc501556"
-}
--- a/backend/.sqlx/query-29673d489fbf45fc249da04c1a2fd60e2364ba87263f962ed7d4329c916620a1.json
+++ b/backend/.sqlx/query-29673d489fbf45fc249da04c1a2fd60e2364ba87263f962ed7d4329c916620a1.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        SELECT label,\n               token_prefix,\n               expiration,\n               created_at,\n               last_used_at,\n               scopes,\n               email\n        FROM token\n        WHERE workspace_id = $1\n          AND (\n               scopes @> ARRAY['jobs:run:flows:' || $2]::text[]\n               OR scopes @> ARRAY['run:flow/' || $2]::text[]\n              )\n        ",
+  "query": "\n        SELECT label,\n               concat(substring(token for 10)) AS token_prefix,\n               expiration,\n               created_at,\n               last_used_at,\n               scopes,\n               email\n        FROM token\n        WHERE workspace_id = $1\n          AND (\n               scopes @> ARRAY['jobs:run:scripts:' || $2]::text[]\n               OR scopes @> ARRAY['run:script/' || $2]::text[]\n              )\n        ",
  "describe": {
    "columns": [
      {
@@ -11,7 +11,7 @@
      {
        "ordinal": 1,
        "name": "token_prefix",
-        "type_info": "Varchar"
+        "type_info": "Text"
      },
      {
        "ordinal": 2,
@@ -47,7 +47,7 @@
    },
    "nullable": [
      true,
-      false,
+      null,
      true,
      false,
      false,
@@ -55,5 +55,5 @@
      true
    ]
  },
-  "hash": "4c7231f24fd0bcc99004c5bd4065697cd321b397422a7c689b85216bbb1fd525"
+  "hash": "29673d489fbf45fc249da04c1a2fd60e2364ba87263f962ed7d4329c916620a1"
 }
--- a/backend/.sqlx/query-29935e89475f637d765c516f1aa2be2f0f31fb50d519b42a056d0d73417599a3.json
+++ b/backend/.sqlx/query-29935e89475f637d765c516f1aa2be2f0f31fb50d519b42a056d0d73417599a3.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE v2_job_completed SET\n                            workflow_as_code_status = jsonb_set(\n                                jsonb_set(\n                                    workflow_as_code_status,\n                                    array[$1],\n                                    COALESCE(workflow_as_code_status->$1, '{}'::jsonb)\n                                ),\n                                array[$1, 'duration_ms'],\n                                to_jsonb($2::bigint)\n                            )\n                        WHERE id = $3 AND workflow_as_code_status IS NOT NULL",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Int8",
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "29935e89475f637d765c516f1aa2be2f0f31fb50d519b42a056d0d73417599a3"
-}
--- a/backend/.sqlx/query-2ba03e555d2e09dbd0e2ae5ddfd9a268a675bdb23615c78904cebe7f1e31f400.json
+++ b/backend/.sqlx/query-2ba03e555d2e09dbd0e2ae5ddfd9a268a675bdb23615c78904cebe7f1e31f400.json
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO usr (workspace_id, username, email, is_admin, operator, added_via)\n             VALUES ($1, 'alice', 'alice@example.com', true, false, $2)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "2ba03e555d2e09dbd0e2ae5ddfd9a268a675bdb23615c78904cebe7f1e31f400"
-}
--- a/backend/.sqlx/query-2be66f23536223549db9b50025932b6b1bad90b8fa47d97acb7d75aa3c37ef86.json
+++ b/backend/.sqlx/query-2be66f23536223549db9b50025932b6b1bad90b8fa47d97acb7d75aa3c37ef86.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO variable\n            (workspace_id, path, value, is_secret, description, account, is_oauth, expires_at, labels)\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+  "query": "INSERT INTO variable\n            (workspace_id, path, value, is_secret, description, account, is_oauth, expires_at)\n            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
  "describe": {
    "columns": [],
    "parameters": {
@@ -12,11 +12,10 @@
        "Varchar",
        "Int4",
        "Bool",
-        "Timestamptz",
-        "TextArray"
+        "Timestamptz"
      ]
    },
    "nullable": []
  },
-  "hash": "48efd8f89df9c1dd8f8a4eb2b2640fcb380f2470c8488371b207a42cb7d4cd26"
+  "hash": "2be66f23536223549db9b50025932b6b1bad90b8fa47d97acb7d75aa3c37ef86"
 }
--- a/backend/.sqlx/query-2c231a2cd267d8d6d28a22d166a50cc6b4df813a15c613eb1960eff202c517f8.json
+++ b/backend/.sqlx/query-2c231a2cd267d8d6d28a22d166a50cc6b4df813a15c613eb1960eff202c517f8.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "INSERT INTO mcp_oauth_refresh_token\n         (refresh_token, access_token_hash, client_id, user_email, workspace_id, scopes, token_family, expires_at)\n         VALUES ($1, $2, $3, $4, $5, $6, $7, now() + ($8 || ' seconds')::interval)",
+  "query": "INSERT INTO mcp_oauth_refresh_token\n         (refresh_token, access_token, client_id, user_email, workspace_id, scopes, token_family, expires_at)\n         VALUES ($1, $2, $3, $4, $5, $6, $7, now() + ($8 || ' seconds')::interval)",
  "describe": {
    "columns": [],
    "parameters": {
@@ -17,5 +17,5 @@
    },
    "nullable": []
  },
-  "hash": "dd8c63ac04e33e2863ff3712fc6a5209e1ff2c235df1e39ddc3dd21f60f66ef4"
+  "hash": "2c231a2cd267d8d6d28a22d166a50cc6b4df813a15c613eb1960eff202c517f8"
 }
--- a/backend/.sqlx/query-2d4ccf3ee19a70cbb5bd034c74703bbb30f217cd3673821e11bae3bf9f925720.json
+++ b/backend/.sqlx/query-2d4ccf3ee19a70cbb5bd034c74703bbb30f217cd3673821e11bae3bf9f925720.json
@@ -1,32 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT\n            ws.workspace_id as \"workspace_id!\",\n            dt.key as \"name!\",\n            dt.value->>'table_name' as \"table_name\"\n        FROM workspace_settings ws,\n             jsonb_each(ws.datatable) dt\n        WHERE dt.value->>'resource_type' = 'instance'\n          AND dt.value->>'table_name' IS NOT NULL",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "workspace_id!",
-        "type_info": "Varchar"
-      },
-      {
-        "ordinal": 1,
-        "name": "name!",
-        "type_info": "Text"
-      },
-      {
-        "ordinal": 2,
-        "name": "table_name",
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false,
-      null,
-      null
-    ]
-  },
-  "hash": "2d4ccf3ee19a70cbb5bd034c74703bbb30f217cd3673821e11bae3bf9f925720"
-}
--- a/backend/.sqlx/query-2d523cd0d5b7107b15846b885fa40af492d4c8a8871cef972980150f319fe6ff.json
+++ b/backend/.sqlx/query-2d523cd0d5b7107b15846b885fa40af492d4c8a8871cef972980150f319fe6ff.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO raw_script_temp (workspace_id, hash, content, created_at)\n         VALUES ($1, $2, $3, NOW())\n         ON CONFLICT (workspace_id, hash) DO UPDATE SET created_at = NOW()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Bpchar",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "2d523cd0d5b7107b15846b885fa40af492d4c8a8871cef972980150f319fe6ff"
-}
--- a/backend/.sqlx/query-2d6607b3c38fe72b5663c32de58dacbabed4c5ae28101e3ae2694f96fd055a91.json
+++ b/backend/.sqlx/query-2d6607b3c38fe72b5663c32de58dacbabed4c5ae28101e3ae2694f96fd055a91.json
@@ -1,11 +1,11 @@
 {
  "db_name": "PostgreSQL",
-  "query": "DELETE FROM token WHERE workspace_id = $1 AND label IS DISTINCT FROM 'session' RETURNING token_prefix",
+  "query": "DELETE FROM token WHERE workspace_id = $1 AND label IS DISTINCT FROM 'session' RETURNING token",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "token_prefix",
+        "name": "token",
        "type_info": "Varchar"
      }
    ],
@@ -18,5 +18,5 @@
      false
    ]
  },
-  "hash": "52379713a1f7312127bcd13c9a8027a85270c25c5a0f0d4d7670bd602bd3cebf"
+  "hash": "2d6607b3c38fe72b5663c32de58dacbabed4c5ae28101e3ae2694f96fd055a91"
 }
--- a/backend/.sqlx/query-2d95191e899d60385b32f36f2e38137e4173a34c54344ee522745640d48b8813.json
+++ b/backend/.sqlx/query-2d95191e899d60385b32f36f2e38137e4173a34c54344ee522745640d48b8813.json
@@ -1,32 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT\n            COUNT(*) as \"total!\",\n            COUNT(*) FILTER (WHERE state = 'active') as \"active!\",\n            COUNT(*) FILTER (WHERE state = 'idle') as \"idle!\"\n        FROM pg_stat_activity\n        WHERE backend_type = 'client backend'",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "total!",
-        "type_info": "Int8"
-      },
-      {
-        "ordinal": 1,
-        "name": "active!",
-        "type_info": "Int8"
-      },
-      {
-        "ordinal": 2,
-        "name": "idle!",
-        "type_info": "Int8"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null,
-      null,
-      null
-    ]
-  },
-  "hash": "2d95191e899d60385b32f36f2e38137e4173a34c54344ee522745640d48b8813"
-}
--- a/backend/.sqlx/query-2fcddda99dd0aacf5007ed459cb27caa754424e062427edf5ddcb95f9d96888e.json
+++ b/backend/.sqlx/query-2fcddda99dd0aacf5007ed459cb27caa754424e062427edf5ddcb95f9d96888e.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT path, value FROM variable\n           WHERE path LIKE ('u/' || $1 || '/%')\n           AND workspace_id = $2\n           AND is_secret = true\n           AND (value LIKE '$vault:%' OR value LIKE '$azure_kv:%')",
+  "query": "SELECT path, value FROM variable\n           WHERE path LIKE ('u/' || $1 || '/%')\n           AND workspace_id = $2\n           AND is_secret = true\n           AND value LIKE '$vault:%'",
  "describe": {
    "columns": [
      {
@@ -25,5 +25,5 @@
      false
    ]
  },
-  "hash": "bda9fc0c6e41d8afebee538e6997c6bad7843f93d0a5780632b02fa215aa404b"
+  "hash": "2fcddda99dd0aacf5007ed459cb27caa754424e062427edf5ddcb95f9d96888e"
 }
--- a/backend/.sqlx/query-2fd0d3224382b000028d98b0af4c431d3cadd54cca65d83c1ab7f2d2972e2282.json
+++ b/backend/.sqlx/query-2fd0d3224382b000028d98b0af4c431d3cadd54cca65d83c1ab7f2d2972e2282.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n            UPDATE\n                http_trigger\n            SET\n                route_path = $1,\n                route_path_key = $2,\n                workspaced_route = $3,\n                wrap_body = $4,\n                raw_string = $5,\n                authentication_resource_path = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                mode = $10,\n                http_method = $11,\n                static_asset_config = $12,\n                edited_by = $13,\n                permissioned_as = $14,\n                request_type = $15,\n                authentication_method = $16,\n                summary = $17,\n                description = $18,\n                edited_at = now(),\n                is_static_website = $19,\n                error_handler_path = $20,\n                error_handler_args = $21,\n                retry = $22\n            WHERE\n                workspace_id = $23 AND\n                path = $24\n            ",
+  "query": "\n            UPDATE\n                http_trigger\n            SET\n                route_path = $1,\n                route_path_key = $2,\n                workspaced_route = $3,\n                wrap_body = $4,\n                raw_string = $5,\n                authentication_resource_path = $6,\n                script_path = $7,\n                path = $8,\n                is_flow = $9,\n                mode = $10,\n                http_method = $11,\n                static_asset_config = $12,\n                edited_by = $13,\n                email = $14,\n                request_type = $15,\n                authentication_method = $16,\n                summary = $17,\n                description = $18,\n                edited_at = now(),\n                is_static_website = $19,\n                error_handler_path = $20,\n                error_handler_args = $21,\n                retry = $22\n            WHERE\n                workspace_id = $23 AND\n                path = $24\n            ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -82,5 +82,5 @@
    },
    "nullable": []
  },
-  "hash": "5efbf92ac7347e73769c66ffdc4037c7e56a5939d9ffcbee13e0264cbb2a6dfe"
+  "hash": "2fd0d3224382b000028d98b0af4c431d3cadd54cca65d83c1ab7f2d2972e2282"
 }
--- a/backend/.sqlx/query-2fd22c4ffa2d222bb116260994a748e0639c2f73cbc1d8be66420c70b14c96e1.json
+++ b/backend/.sqlx/query-2fd22c4ffa2d222bb116260994a748e0639c2f73cbc1d8be66420c70b14c96e1.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "\n        UPDATE native_trigger\n        SET service_config = $1,\n            webhook_token_hash = COALESCE($5, webhook_token_hash),\n            updated_at = NOW()\n        WHERE\n            workspace_id = $2\n            AND service_name = $3\n            AND external_id = $4\n        ",
+  "query": "\n        UPDATE native_trigger\n        SET service_config = $1, updated_at = NOW()\n        WHERE\n            workspace_id = $2\n            AND service_name = $3\n            AND external_id = $4\n        ",
  "describe": {
    "columns": [],
    "parameters": {
@@ -18,11 +18,10 @@
            }
          }
        },
-        "Text",
-        "Varchar"
+        "Text"
      ]
    },
    "nullable": []
  },
-  "hash": "95e77019bca83ce43b629e7aac429b09a60d732099a2de9e001d2b40a8e919a9"
+  "hash": "2fd22c4ffa2d222bb116260994a748e0639c2f73cbc1d8be66420c70b14c96e1"
 }
--- a/backend/.sqlx/query-32f26d69b15a74fc96dd585f9eb3c998447ca8b97894bb1a2b238f984c1dc588.json
+++ b/backend/.sqlx/query-32f26d69b15a74fc96dd585f9eb3c998447ca8b97894bb1a2b238f984c1dc588.json
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE flow SET versions = array_append(versions, $1) WHERE path = $2 AND workspace_id = $3 AND (versions[array_upper(versions, 1)] IS DISTINCT FROM $1)",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Int8",
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "32f26d69b15a74fc96dd585f9eb3c998447ca8b97894bb1a2b238f984c1dc588"
-}
--- a/backend/.sqlx/query-3317484a9c09c07c2c9db9debaecc4a4d518093ab48e79365dbb808068e0b8ff.json
+++ b/backend/.sqlx/query-3317484a9c09c07c2c9db9debaecc4a4d518093ab48e79365dbb808068e0b8ff.json
@@ -1,16 +1,17 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT igroup FROM email_to_igroup WHERE email = $1",
+  "query": "DELETE FROM variable WHERE path = $1 AND workspace_id = $2 RETURNING path",
  "describe": {
    "columns": [
      {
        "ordinal": 0,
-        "name": "igroup",
+        "name": "path",
        "type_info": "Varchar"
      }
    ],
    "parameters": {
      "Left": [
+        "Text",
        "Text"
      ]
    },
@@ -18,5 +19,5 @@
      false
    ]
  },
-  "hash": "5d160ba4958583f1ad42de846c544d8d8e81e1b54925a0c5f2cedc1817d99a1b"
+  "hash": "3317484a9c09c07c2c9db9debaecc4a4d518093ab48e79365dbb808068e0b8ff"
 }
--- a/backend/.sqlx/query-33367c42e87e78ae987c0966dc4d445c5eff75b2e2843ffd7a46b03cbaea9ae8.json
+++ b/backend/.sqlx/query-33367c42e87e78ae987c0966dc4d445c5eff75b2e2843ffd7a46b03cbaea9ae8.json
@@ -1,6 +1,6 @@
 {
  "db_name": "PostgreSQL",
-  "query": "SELECT\n                    path,\n                    summary,\n                    description\n                FROM\n                    flow\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
+  "query": "SELECT \n                    path,\n                    summary,\n                    description\n                FROM\n                    flow\n                WHERE\n                    path ~ ANY($1) AND\n                    workspace_id = $2 AND\n                    archived is FALSE\n            ",
  "describe": {
    "columns": [
      {
@@ -31,5 +31,5 @@
      false
    ]
  },
-  "hash": "4615b37cb848f9589622426d291c721e532b230c527deb701e24605c7027e38b"
+  "hash": "33367c42e87e78ae987c0966dc4d445c5eff75b2e2843ffd7a46b03cbaea9ae8"
 }
--- a/backend/.sqlx/query-3453c0b7dd3c4d2c9bc639f379901741955502c9345e82a9b7fbbf3d3c7ab517.json
+++ b/backend/.sqlx/query-3453c0b7dd3c4d2c9bc639f379901741955502c9345e82a9b7fbbf3d3c7ab517.json
@@ -1,12 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM trashbin WHERE expires_at <= now()",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": []
-  },
-  "hash": "3453c0b7dd3c4d2c9bc639f379901741955502c9345e82a9b7fbbf3d3c7ab517"
-}
--- a/backend/.sqlx/query-359cd29f531d263a8cf7205e0869229a610767087f01e0154be8da0620fa114b.json
+++ b/backend/.sqlx/query-359cd29f531d263a8cf7205e0869229a610767087f01e0154be8da0620fa114b.json
@@ -1,38 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "WITH all_audit AS (SELECT username, operation, timestamp FROM audit_partitioned UNION ALL SELECT username, operation, timestamp FROM audit),\n        active_users as (SELECT distinct username as email FROM all_audit WHERE timestamp > NOW() - INTERVAL '1 month' AND (operation = 'users.login' OR operation = 'oauth.login' OR operation = 'users.token.refresh')),\n        active_authors as (SELECT distinct email FROM usr WHERE usr.operator IS false AND email IN (SELECT email FROM active_users)),\n        active_authors_agg as (SELECT array_agg(email) as authors FROM active_authors),\n        active_ops_agg as (SELECT array_agg(email) as operators from active_users WHERE email NOT IN (SELECT email FROM active_authors))\n        SELECT active_authors_agg.authors, active_ops_agg.operators, array_length(active_authors_agg.authors, 1) as author_count, array_length(active_ops_agg.operators, 1) as operator_count FROM active_authors_agg, active_ops_agg",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "authors",
-        "type_info": "VarcharArray"
-      },
-      {
-        "ordinal": 1,
-        "name": "operators",
-        "type_info": "VarcharArray"
-      },
-      {
-        "ordinal": 2,
-        "name": "author_count",
-        "type_info": "Int4"
-      },
-      {
-        "ordinal": 3,
-        "name": "operator_count",
-        "type_info": "Int4"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      null,
-      null,
-      null,
-      null
-    ]
-  },
-  "hash": "359cd29f531d263a8cf7205e0869229a610767087f01e0154be8da0620fa114b"
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ruben Fiszel	1aac43977e	test(cli): add non-dotted path tests for generate-metadata and sync pull Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-15 04:30:21 +00:00
Travis	05d4d6dd48	fix(cli): preserve non-dotted flow lock filenames	2026-03-14 22:41:59 -04:00