windmill-cli 1.681.0 → 1.683.0

package/esm/main.js

@@ -11812,7 +11812,7 @@ var init_OpenAPI = __esm(() => {
     PASSWORD: undefined,
     TOKEN: getEnv2("WM_TOKEN"),
     USERNAME: undefined,
-    VERSION: "1.681.0",
+    VERSION: "1.683.0",
     WITH_CREDENTIALS: true,
     interceptors: {
       request: new Interceptors,
@@ -12350,6 +12350,7 @@ __export(exports_services_gen, {
   listExtJwtTokens: () => listExtJwtTokens,
   listEmailTriggers: () => listEmailTriggers,
   listDucklakes: () => listDucklakes,
+  listDeploymentRequestEligibleDeployers: () => listDeploymentRequestEligibleDeployers,
   listDedicatedWithDeps: () => listDedicatedWithDeps,
   listDataTables: () => listDataTables,
   listDataTableSchemas: () => listDataTableSchemas,
@@ -12434,6 +12435,7 @@ __export(exports_services_gen, {
   getScheduledFor: () => getScheduledFor,
   getSchedule: () => getSchedule,
   getRunnable: () => getRunnable,
+  getRuffConfig: () => getRuffConfig,
   getRootJobId: () => getRootJobId,
   getResumeUrls: () => getResumeUrls,
   getResourceValueInterpolated: () => getResourceValueInterpolated,
@@ -12453,6 +12455,7 @@ __export(exports_services_gen, {
   getPostgresVersion: () => getPostgresVersion,
   getPostgresTrigger: () => getPostgresTrigger,
   getPostgresPublication: () => getPostgresPublication,
+  getOpenDeploymentRequest: () => getOpenDeploymentRequest,
   getOpenApiYaml: () => getOpenApiYaml,
   getOidcToken: () => getOidcToken,
   getObjectStorageUsage: () => getObjectStorageUsage,
@@ -12716,6 +12719,8 @@ __export(exports_services_gen, {
   createFlow: () => createFlow,
   createEmailTrigger: () => createEmailTrigger,
   createDraft: () => createDraft,
+  createDeploymentRequestComment: () => createDeploymentRequestComment,
+  createDeploymentRequest: () => createDeploymentRequest,
   createCustomerPortalSession: () => createCustomerPortalSession,
   createAppRaw: () => createAppRaw,
   createApp: () => createApp,
@@ -12733,6 +12738,7 @@ __export(exports_services_gen, {
   computeObjectStorageUsage: () => computeObjectStorageUsage,
   compareWorkspaces: () => compareWorkspaces,
   commitKafkaOffsets: () => commitKafkaOffsets,
+  closeDeploymentRequestMerged: () => closeDeploymentRequestMerged,
   clearIndex: () => clearIndex,
   checkS3FolderExists: () => checkS3FolderExists,
   checkInstanceSharingAvailable: () => checkInstanceSharingAvailable,
@@ -12746,6 +12752,7 @@ __export(exports_services_gen, {
   cancelSelection: () => cancelSelection,
   cancelQueuedJob: () => cancelQueuedJob,
   cancelPersistentQueuedJobs: () => cancelPersistentQueuedJobs,
+  cancelDeploymentRequest: () => cancelDeploymentRequest,
   blacklistAgentToken: () => blacklistAgentToken,
   batchReRunJobs: () => batchReRunJobs,
   backendVersion: () => backendVersion,
@@ -13191,6 +13198,11 @@ var backendVersion = () => {
     body: data2.requestBody,
     mediaType: "application/json"
   });
+}, getRuffConfig = () => {
+  return request(OpenAPI, {
+    method: "GET",
+    url: "/settings_u/ruff_config"
+  });
 }, getLocal = () => {
   return request(OpenAPI, {
     method: "GET",
@@ -14544,6 +14556,68 @@ var backendVersion = () => {
       404: "protection rule not found"
     }
   });
+}, listDeploymentRequestEligibleDeployers = (data2) => {
+  return request(OpenAPI, {
+    method: "GET",
+    url: "/w/{workspace}/deployment_request/eligible_deployers",
+    path: {
+      workspace: data2.workspace
+    }
+  });
+}, getOpenDeploymentRequest = (data2) => {
+  return request(OpenAPI, {
+    method: "GET",
+    url: "/w/{workspace}/deployment_request/open",
+    path: {
+      workspace: data2.workspace
+    }
+  });
+}, createDeploymentRequest = (data2) => {
+  return request(OpenAPI, {
+    method: "POST",
+    url: "/w/{workspace}/deployment_request",
+    path: {
+      workspace: data2.workspace
+    },
+    body: data2.requestBody,
+    mediaType: "application/json",
+    errors: {
+      400: "invalid assignees",
+      409: "a deployment request is already open for this fork"
+    }
+  });
+}, cancelDeploymentRequest = (data2) => {
+  return request(OpenAPI, {
+    method: "POST",
+    url: "/w/{workspace}/deployment_request/{id}/cancel",
+    path: {
+      workspace: data2.workspace,
+      id: data2.id
+    }
+  });
+}, closeDeploymentRequestMerged = (data2) => {
+  return request(OpenAPI, {
+    method: "POST",
+    url: "/w/{workspace}/deployment_request/{id}/close_merged",
+    path: {
+      workspace: data2.workspace,
+      id: data2.id
+    }
+  });
+}, createDeploymentRequestComment = (data2) => {
+  return request(OpenAPI, {
+    method: "POST",
+    url: "/w/{workspace}/deployment_request/{id}/comment",
+    path: {
+      workspace: data2.workspace,
+      id: data2.id
+    },
+    body: data2.requestBody,
+    mediaType: "application/json",
+    errors: {
+      400: "invalid input or request closed"
+    }
+  });
 }, logAiChat = (data2) => {
   return request(OpenAPI, {
     method: "POST",
@@ -26322,6 +26396,7 @@ __export(exports_conf, {
   showDiffs: () => showDiffs,
   setShowDiffs: () => setShowDiffs,
   readConfigFile: () => readConfigFile,
+  parseSyncBehavior: () => parseSyncBehavior,
   mergeConfigWithConfigFile: () => mergeConfigWithConfigFile,
   getWorkspaceNames: () => getWorkspaceNames,
   getWmillYamlPath: () => getWmillYamlPath,
@@ -26330,6 +26405,7 @@ __export(exports_conf, {
   getEffectiveGitBranch: () => getEffectiveGitBranch,
   findWorkspaceByGitBranch: () => findWorkspaceByGitBranch,
   convertGitBranchesToWorkspaces: () => convertGitBranchesToWorkspaces,
+  SUPPORTED_SYNC_BEHAVIOR_VERSION: () => SUPPORTED_SYNC_BEHAVIOR_VERSION,
   GLOBAL_CONFIG_OPT: () => GLOBAL_CONFIG_OPT,
   DEFAULT_SYNC_OPTIONS: () => DEFAULT_SYNC_OPTIONS
 });
@@ -26340,6 +26416,13 @@ import { execSync as execSync2 } from "node:child_process";
 function setShowDiffs(value) {
   showDiffs = value;
 }
+function parseSyncBehavior(value) {
+  if (!value && value !== 0)
+    return 0;
+  const s = String(value);
+  const match = s.match(/^v(\d+)$/);
+  return match ? parseInt(match[1], 10) : 0;
+}
 function getGitRepoRoot() {
   try {
     const result = execSync2("git rev-parse --show-toplevel", {
@@ -26441,6 +26524,11 @@ async function readConfigFile(opts) {
       warn("No defaultTs defined in your wmill.yaml. Using 'bun' as default.");
     }
     setNonDottedPaths(conf?.nonDottedPaths ?? false);
+    const syncBehaviorVersion = parseSyncBehavior(conf?.syncBehavior);
+    if (syncBehaviorVersion > SUPPORTED_SYNC_BEHAVIOR_VERSION) {
+      error(`Your wmill.yaml specifies syncBehavior: ${conf.syncBehavior}, but this CLI only supports up to v${SUPPORTED_SYNC_BEHAVIOR_VERSION}. Run 'wmill upgrade' to update.`);
+      process.exit(1);
+    }
     return typeof conf == "object" ? conf : {};
   } catch (e) {
     if (e instanceof Error && (e.message.includes("overrides") || e.message.includes("Obsolete configuration format"))) {
@@ -26637,7 +26725,7 @@ function convertGitBranchesToWorkspaces(gitBranches) {
   }
   return workspaces;
 }
-var import_yaml4, showDiffs = false, GLOBAL_CONFIG_OPT, legacyConfigWarned = false, DEFAULT_SYNC_OPTIONS, RESERVED_WORKSPACE_KEYS;
+var import_yaml4, showDiffs = false, SUPPORTED_SYNC_BEHAVIOR_VERSION = 1, GLOBAL_CONFIG_OPT, legacyConfigWarned = false, DEFAULT_SYNC_OPTIONS, RESERVED_WORKSPACE_KEYS;
 var init_conf = __esm(async () => {
   init_log();
   init_yaml();
@@ -26666,7 +26754,8 @@ var init_conf = __esm(async () => {
     includeSettings: false,
     includeKey: false,
     skipWorkspaceDependencies: false,
-    nonDottedPaths: false
+    nonDottedPaths: false,
+    syncBehavior: "v1"
   };
   RESERVED_WORKSPACE_KEYS = new Set(["commonSpecificItems"]);
 });
@@ -33910,6 +33999,22 @@ var escape2 = (s, { windowsPathsNoEscape = false, magicalBraces = false } = {})
 };
 
 // node_modules/minimatch/dist/esm/index.js
+var exports_esm = {};
+__export(exports_esm, {
+  unescape: () => unescape2,
+  sep: () => sep2,
+  minimatch: () => minimatch,
+  match: () => match,
+  makeRe: () => makeRe,
+  filter: () => filter,
+  escape: () => escape2,
+  defaults: () => defaults,
+  braceExpand: () => braceExpand,
+  Minimatch: () => Minimatch,
+  GLOBSTAR: () => GLOBSTAR,
+  AST: () => AST
+});
+
 class Minimatch {
   options;
   set;
@@ -60930,17 +61035,17 @@ async function findResourceFile(path7) {
   }
   return validCandidates[0];
 }
-async function handleScriptMetadata(path7, workspace, alreadySynced, message, rawWorkspaceDependencies, codebases, opts) {
+async function handleScriptMetadata(path7, workspace, alreadySynced, message, rawWorkspaceDependencies, codebases, opts, permissionedAsContext) {
   const isFlatMeta = path7.endsWith(".script.json") || path7.endsWith(".script.yaml") || path7.endsWith(".script.lock");
   const isFolderMeta = !isFlatMeta && isScriptModulePath(path7) && (path7.endsWith("/script.yaml") || path7.endsWith("/script.json") || path7.endsWith("/script.lock"));
   if (isFlatMeta || isFolderMeta) {
     const contentPath = await findContentFile(path7);
-    return handleFile(contentPath, workspace, alreadySynced, message, opts, rawWorkspaceDependencies, codebases);
+    return handleFile(contentPath, workspace, alreadySynced, message, opts, rawWorkspaceDependencies, codebases, permissionedAsContext);
   } else {
     return false;
   }
 }
-async function handleFile(path7, workspace, alreadySynced, message, opts, rawWorkspaceDependencies, codebases) {
+async function handleFile(path7, workspace, alreadySynced, message, opts, rawWorkspaceDependencies, codebases, permissionedAsContext) {
   const moduleEntryPoint = isModuleEntryPoint(path7);
   if (!isAppInlineScriptPath2(path7) && !isFlowInlineScriptPath2(path7) && !isRawAppBackendPath2(path7) && (!isScriptModulePath(path7) || moduleEntryPoint) && exts.some((exts) => path7.endsWith(exts))) {
     if (alreadySynced.includes(path7)) {
@@ -61085,10 +61190,19 @@ async function handleFile(path7, workspace, alreadySynced, message, opts, rawWor
       modules,
       labels: typed?.labels
     };
+    const hasOnBehalfOf = typed?.has_on_behalf_of ?? !!typed?.on_behalf_of_email;
+    delete typed?.has_on_behalf_of;
+    if (permissionedAsContext?.userIsAdminOrDeployer && hasOnBehalfOf) {
+      if (remote && remote.on_behalf_of_email) {
+        requestBodyCommon.on_behalf_of_email = remote.on_behalf_of_email;
+        requestBodyCommon.preserve_on_behalf_of = true;
+        info(`Preserving ${remote.on_behalf_of_email} as on_behalf_of for script ${remotePath}`);
+      }
+    }
     if (remote) {
       if (content === remote.content) {
         if (typed == undefined || typed.description === remote.description && typed.summary === remote.summary && typed.kind == remote.kind && !remote.archived && (Array.isArray(remote?.lock) ? remote?.lock?.join(`
-`) : remote?.lock ?? "").trim() == (typed?.lock ?? "").trim() && deepEqual(typed.schema, remote.schema) && typed.tag == remote.tag && (typed.ws_error_handler_muted ?? false) == remote.ws_error_handler_muted && typed.dedicated_worker == remote.dedicated_worker && typed.cache_ttl == remote.cache_ttl && typed.concurrency_time_window_s == remote.concurrency_time_window_s && typed.concurrent_limit == remote.concurrent_limit && Boolean(typed.restart_unless_cancelled) == Boolean(remote.restart_unless_cancelled) && Boolean(typed.visible_to_runner_only) == Boolean(remote.visible_to_runner_only) && Boolean(typed.has_preprocessor) == Boolean(remote.has_preprocessor) && typed.priority == Boolean(remote.priority) && typed.timeout == remote.timeout && typed.concurrency_key == remote["concurrency_key"] && typed.debounce_key == remote["debounce_key"] && typed.debounce_delay_s == remote["debounce_delay_s"] && typed.codebase == remote.codebase && typed.on_behalf_of_email == remote.on_behalf_of_email && deepEqual(typed.envs, remote.envs) && deepEqual(modules ?? null, remote.modules ?? null)) {
+`) : remote?.lock ?? "").trim() == (typed?.lock ?? "").trim() && deepEqual(typed.schema, remote.schema) && typed.tag == remote.tag && (typed.ws_error_handler_muted ?? false) == remote.ws_error_handler_muted && typed.dedicated_worker == remote.dedicated_worker && typed.cache_ttl == remote.cache_ttl && typed.concurrency_time_window_s == remote.concurrency_time_window_s && typed.concurrent_limit == remote.concurrent_limit && Boolean(typed.restart_unless_cancelled) == Boolean(remote.restart_unless_cancelled) && Boolean(typed.visible_to_runner_only) == Boolean(remote.visible_to_runner_only) && Boolean(typed.has_preprocessor) == Boolean(remote.has_preprocessor) && typed.priority == Boolean(remote.priority) && typed.timeout == remote.timeout && typed.concurrency_key == remote["concurrency_key"] && typed.debounce_key == remote["debounce_key"] && typed.debounce_delay_s == remote["debounce_delay_s"] && typed.codebase == remote.codebase && (hasOnBehalfOf ? true : typed.on_behalf_of_email == remote.on_behalf_of_email) && deepEqual(typed.envs, remote.envs) && deepEqual(modules ?? null, remote.modules ?? null)) {
           info(colors.green(`Script ${remotePath} is up to date`));
           return true;
         }
@@ -61805,6 +61919,28 @@ async function history(opts, scriptPath) {
     ])).render();
   }
 }
+async function setPermissionedAs(opts, scriptPath, email) {
+  const workspace = await resolveWorkspace(opts);
+  await requireLogin(opts);
+  const remote = await getScriptByPath({
+    workspace: workspace.workspaceId,
+    path: scriptPath
+  });
+  if (!remote)
+    throw new Error(`Script ${scriptPath} not found`);
+  await createScript({
+    workspace: workspace.workspaceId,
+    requestBody: {
+      ...remote,
+      lock: Array.isArray(remote.lock) ? remote.lock.join(`
+`) : remote.lock ?? undefined,
+      parent_hash: remote.hash,
+      on_behalf_of_email: email,
+      preserve_on_behalf_of: true
+    }
+  });
+  info(colors.green(`Updated permissioned_as for script ${scriptPath} to ${email}`));
+}
 var import_yaml6, exts, POLL_INTERVAL_MS = 2000, languageAliases, command4, script_default;
 var init_script = __esm(async () => {
   init_colors2();
@@ -61862,7 +61998,7 @@ var init_script = __esm(async () => {
   languageAliases = {
     python: "python3"
   };
-  command4 = new Command().description("script related commands").option("--show-archived", "Show archived scripts instead of active ones").option("--json", "Output as JSON (for piping to jq)").action(list4).command("list", "list all scripts").option("--show-archived", "Show archived scripts instead of active ones").option("--json", "Output as JSON (for piping to jq)").action(list4).command("push", "push a local script spec. This overrides any remote versions. Use the script file (.ts, .js, .py, .sh)").arguments("<path:file>").option("--message <message:string>", "Deployment message").action(push2).command("get", "get a script's details").arguments("<path:file>").option("--json", "Output as JSON (for piping to jq)").action(get2).command("show", "show a script's content (alias for get)").arguments("<path:file>").action(show).command("run", "run a script by path").arguments("<path:file>").option("-d --data <data:file>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other then the final output. Useful for scripting.").action(run2).command("preview", "preview a local script without deploying it. Supports both regular and codebase scripts.").arguments("<path:file>").option("-d --data <data:file>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other than the final output. Useful for scripting.").action(preview).command("new", "create a new script").arguments("<path:file> <language:string>").option("--summary <summary:string>", "script summary").option("--description <description:string>", "script description").action(bootstrap).command("bootstrap", "create a new script (alias for new)").arguments("<path:file> <language:string>").option("--summary <summary:string>", "script summary").option("--description <description:string>", "script description").action(bootstrap).command("generate-metadata", 'DEPRECATED: re-generate script metadata. Use top-level "wmill generate-metadata" instead.').arguments("[script:file]").option("--yes", "Skip confirmation prompt").option("--dry-run", "Perform a dry run without making changes").option("--lock-only", "re-generate only the lock").option("--schema-only", "re-generate only script schema").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").action(generateMetadata).command("history", "show version history for a script").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(history);
+  command4 = new Command().description("script related commands").option("--show-archived", "Show archived scripts instead of active ones").option("--json", "Output as JSON (for piping to jq)").action(list4).command("list", "list all scripts").option("--show-archived", "Show archived scripts instead of active ones").option("--json", "Output as JSON (for piping to jq)").action(list4).command("push", "push a local script spec. This overrides any remote versions. Use the script file (.ts, .js, .py, .sh)").arguments("<path:file>").option("--message <message:string>", "Deployment message").action(push2).command("get", "get a script's details").arguments("<path:file>").option("--json", "Output as JSON (for piping to jq)").action(get2).command("show", "show a script's content (alias for get)").arguments("<path:file>").action(show).command("run", "run a script by path").arguments("<path:file>").option("-d --data <data:file>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other then the final output. Useful for scripting.").action(run2).command("preview", "preview a local script without deploying it. Supports both regular and codebase scripts.").arguments("<path:file>").option("-d --data <data:file>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other than the final output. Useful for scripting.").action(preview).command("new", "create a new script").arguments("<path:file> <language:string>").option("--summary <summary:string>", "script summary").option("--description <description:string>", "script description").action(bootstrap).command("bootstrap", "create a new script (alias for new)").arguments("<path:file> <language:string>").option("--summary <summary:string>", "script summary").option("--description <description:string>", "script description").action(bootstrap).command("generate-metadata", 'DEPRECATED: re-generate script metadata. Use top-level "wmill generate-metadata" instead.').arguments("[script:file]").option("--yes", "Skip confirmation prompt").option("--dry-run", "Perform a dry run without making changes").option("--lock-only", "re-generate only the lock").option("--schema-only", "re-generate only script schema").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").action(generateMetadata).command("set-permissioned-as", "Set the on_behalf_of_email for a script (requires admin or wm_deployers group)").arguments("<path:string> <email:string>").action(setPermissionedAs).command("history", "show version history for a script").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(history);
   script_default = command4;
 });
 
@@ -62420,6 +62556,154 @@ var init_lint = __esm(async () => {
   lint_default = command5;
 });
 
+// src/core/permissioned_as.ts
+var exports_permissioned_as = {};
+__export(exports_permissioned_as, {
+  preCheckPermissionedAs: () => preCheckPermissionedAs,
+  lookupUsernameByEmail: () => lookupUsernameByEmail
+});
+async function ensureUserCache(workspace, cache3) {
+  if (cache3.size > 0)
+    return;
+  const users = await listUsers({ workspace });
+  for (const user of users) {
+    cache3.set(user.username, { username: user.username, email: user.email });
+    cache3.set(user.email, { username: user.username, email: user.email });
+  }
+}
+async function lookupUsernameByEmail(workspace, email, cache3) {
+  await ensureUserCache(workspace, cache3);
+  const entry = cache3.get(email);
+  if (!entry) {
+    throw new Error(`Could not find username for email '${email}' in workspace. ` + `Make sure the user exists in the workspace.`);
+  }
+  return entry.username;
+}
+function contentHasOnBehalfOf(content, typeStr) {
+  if (typeStr === "script") {
+    return !!content.match(/has_on_behalf_of:\s*(true)/) || !!content.match(/on_behalf_of_email:\s*["']?([^\s"']+)["']?/);
+  }
+  if (typeStr === "flow") {
+    return !!content.match(/has_on_behalf_of:\s*(true)/);
+  }
+  return false;
+}
+async function preCheckPermissionedAs(changes, userEmail, userIsAdminOrDeployer, acceptOverride, isInteractive) {
+  if (userIsAdminOrDeployer)
+    return;
+  const wouldChangeItems = [];
+  for (const change of changes) {
+    let typeStr;
+    try {
+      typeStr = getTypeStrFromPath(change.path);
+    } catch {
+      continue;
+    }
+    if (change.name === "added") {
+      const content = change.content;
+      if (!content)
+        continue;
+      const isScriptMeta = typeStr === "script" && (change.path.endsWith(".script.yaml") || change.path.endsWith(".script.json"));
+      const isFlowMeta = typeStr === "flow" && (change.path.endsWith("flow.yaml") || change.path.endsWith("flow.json"));
+      if ((isScriptMeta || isFlowMeta) && contentHasOnBehalfOf(content, typeStr)) {
+        const label = typeStr === "script" ? "(script owner)" : "(flow owner)";
+        wouldChangeItems.push({ path: change.path, currentOwner: label });
+      } else if (typeStr === "app") {
+        wouldChangeItems.push({
+          path: change.path,
+          currentOwner: "(app policy owner)"
+        });
+      }
+      continue;
+    }
+    if (change.name !== "edited")
+      continue;
+    const beforeContent = change.before;
+    if (!beforeContent)
+      continue;
+    let currentOwner;
+    if (typeStr === "script") {
+      if (change.path.endsWith(".script.yaml") || change.path.endsWith(".script.json")) {
+        const hasOboMatch = beforeContent.match(/has_on_behalf_of:\s*(true)/);
+        if (hasOboMatch) {
+          currentOwner = "(script owner)";
+        } else {
+          const emailMatch = beforeContent.match(/on_behalf_of_email:\s*["']?([^\s"']+)["']?/);
+          if (emailMatch) {
+            currentOwner = emailMatch[1];
+          }
+        }
+      }
+    } else if (typeStr === "flow") {
+      if (change.path.endsWith("flow.yaml") || change.path.endsWith("flow.json")) {
+        const hasOboMatch = beforeContent.match(/has_on_behalf_of:\s*(true)/);
+        if (hasOboMatch) {
+          wouldChangeItems.push({
+            path: change.path,
+            currentOwner: "(flow owner)"
+          });
+        }
+      }
+      continue;
+    } else if (typeStr === "app") {
+      wouldChangeItems.push({
+        path: change.path,
+        currentOwner: "(app policy owner)"
+      });
+      continue;
+    } else if (typeStr === "schedule") {
+      const match2 = beforeContent.match(/email:\s*["']?([^\s"']+)["']?/);
+      if (match2) {
+        currentOwner = match2[1];
+      }
+    } else if (typeStr.endsWith("_trigger")) {
+      wouldChangeItems.push({
+        path: change.path,
+        currentOwner: "(trigger owner)"
+      });
+      continue;
+    }
+    if (currentOwner && currentOwner !== userEmail) {
+      wouldChangeItems.push({ path: change.path, currentOwner });
+    }
+  }
+  if (wouldChangeItems.length === 0)
+    return;
+  const itemList = wouldChangeItems.map((item) => `  - ${item.path} (current owner: ${item.currentOwner})`).join(`
+`);
+  const message = `You are not an admin or member of 'wm_deployers'. The following ${wouldChangeItems.length} item(s) ` + `will have their permissioned_as/email changed to your user (${userEmail}):
+${itemList}`;
+  if (acceptOverride) {
+    warn(colors.yellow(`Warning: ${message}`));
+    return;
+  }
+  if (isInteractive) {
+    warn(colors.yellow(message));
+    const proceed = await Confirm.prompt({
+      message: "Do you want to proceed? (use --accept-overriding-permissioned-as-with-self to skip this prompt)",
+      default: false
+    });
+    if (!proceed) {
+      info("Push cancelled.");
+      process.exit(0);
+    }
+  } else {
+    error(colors.red(`${message}
+
+Use --accept-overriding-permissioned-as-with-self to proceed anyway.`));
+    process.exit(1);
+  }
+}
+var init_permissioned_as = __esm(async () => {
+  init_services_gen();
+  init_log();
+  init_colors2();
+  await __promiseAll([
+    init_confirm(),
+    init_types()
+  ]);
+});
+
 // src/commands/resource/resource.ts
 import { mkdir as mkdir4, stat as stat6, writeFile as writeFile6, readdir as readdir3, readFile as readFile6 } from "node:fs/promises";
 import nodePath from "node:path";
@@ -63652,7 +63936,7 @@ async function findFilesetResourceFile(changePath) {
   }
   throw new Error(`No resource metadata file found for fileset resource: ${changePath}`);
 }
-function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, resourceTypeToIsFileset, ignoreCodebaseChanges) {
+function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, resourceTypeToIsFileset, ignoreCodebaseChanges, stripOnBehalfOf) {
   let _moduleScriptPaths = null;
   async function getModuleScriptPaths() {
     if (_moduleScriptPaths === null) {
@@ -63739,6 +64023,10 @@ function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, re
                 }
               };
             }
+            if (stripOnBehalfOf) {
+              flow.has_on_behalf_of = !!flow.on_behalf_of_email;
+              delete flow.on_behalf_of_email;
+            }
             yield {
               isDirectory: false,
               path: path9.join(finalPath, "flow.yaml"),
@@ -63942,6 +64230,10 @@ function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, re
             if (ignoreCodebaseChanges && parsed["codebase"]) {
               parsed["codebase"] = undefined;
             }
+            if (stripOnBehalfOf) {
+              parsed["has_on_behalf_of"] = !!parsed["on_behalf_of_email"];
+              delete parsed["on_behalf_of_email"];
+            }
             delete parsed["modules"];
             return useYaml ? import_yaml11.stringify(parsed, yamlOptions) : JSON.stringify(parsed, null, 2);
           }
@@ -63964,14 +64256,30 @@ function ZipFSElement(zip, useYaml, defaultTs, resourceTypeToFormatExtension, re
             }
             return useYaml ? import_yaml11.stringify(parsed, yamlOptions) : JSON.stringify(parsed, null, 2);
           }
-          return useYaml && isJson && kind != "dependencies" ? (() => {
+          if (isJson && kind != "dependencies") {
             try {
-              return import_yaml11.stringify(JSON.parse(content), yamlOptions);
+              const parsed = JSON.parse(content);
+              if (stripOnBehalfOf) {
+                const isSchedule = p.endsWith(".schedule.json");
+                const isTrigger = p.endsWith("_trigger.json");
+                if (isSchedule) {
+                  parsed["has_permissioned_as"] = !!parsed["permissioned_as"];
+                  delete parsed["permissioned_as"];
+                  delete parsed["email"];
+                  delete parsed["edited_by"];
+                } else if (isTrigger) {
+                  parsed["has_permissioned_as"] = !!parsed["permissioned_as"];
+                  delete parsed["permissioned_as"];
+                  delete parsed["edited_by"];
+                }
+              }
+              return useYaml ? import_yaml11.stringify(parsed, yamlOptions) : JSON.stringify(parsed, null, 2);
             } catch (error2) {
               error(`Failed to parse JSON content at path: ${p}`);
               throw error2;
             }
-          })() : content;
+          }
+          return content;
         }
       }
     ];
@@ -64692,7 +65000,7 @@ async function pull(opts) {
     resourceTypeToIsFileset = parsed.filesetMap;
   } catch {}
   const zipFile = await downloadZip(workspace, opts.plainSecrets, opts.skipVariables, opts.skipResources, opts.skipResourceTypes, opts.skipSecrets, opts.includeSchedules, opts.includeTriggers, opts.includeUsers, opts.includeGroups, opts.includeSettings, opts.includeKey, opts.skipWorkspaceDependencies, opts.defaultTs);
-  const remote = ZipFSElement(zipFile, !opts.json, opts.defaultTs ?? "bun", resourceTypeToFormatExtension, resourceTypeToIsFileset, true);
+  const remote = ZipFSElement(zipFile, !opts.json, opts.defaultTs ?? "bun", resourceTypeToFormatExtension, resourceTypeToIsFileset, true, parseSyncBehavior(opts.syncBehavior) >= 1);
   const local = !opts.stateful ? await FSFSElement(process.cwd(), codebases, true) : await FSFSElement(path9.join(process.cwd(), ".wmill"), [], true);
   const changes = await compareDynFSElement(remote, local, await ignoreF(opts), opts.json ?? false, opts, false, codebases, true, specificItems, wsNameForFiles, true);
   info(`remote (${workspace.name}) -> local: ${changes.length} changes to apply`);
@@ -64859,7 +65167,7 @@ Done! All ${changes.length} changes applied locally and wmill-lock.yaml updated.
     console.log(JSON.stringify({ success: true, message: "No changes to apply", total: 0 }, null, 2));
   }
 }
-function prettyChanges(changes, specificItems, branchOverride) {
+function prettyChanges(changes, specificItems, branchOverride, folderDefaultAnnotations) {
   for (const change of changes) {
     let displayPath = change.path;
     let wsNote = "";
@@ -64870,8 +65178,10 @@ function prettyChanges(changes, specificItems, branchOverride) {
         wsNote = " (workspace-specific)";
       }
     }
+    const folderNote = folderDefaultAnnotations?.get(change.path);
+    const extraNote = folderNote ? colors.cyan(` (will be permissioned as ${folderNote} via folder default)`) : "";
     if (change.name === "added") {
-      info(colors.green(`+ ${getTypeStrFromPath(change.path)} ` + displayPath + colors.gray(wsNote)));
+      info(colors.green(`+ ${getTypeStrFromPath(change.path)} ` + displayPath + colors.gray(wsNote)) + extraNote);
     } else if (change.name === "deleted") {
       info(colors.red(`- ${getTypeStrFromPath(change.path)} ` + displayPath + colors.gray(wsNote)));
     } else if (change.name === "edited") {
@@ -64979,7 +65289,7 @@ Push aborted: ${lockIssues.length} script(s) missing locks.`));
     resourceTypeToFormatExtension = parsed.formatExtMap;
     resourceTypeToIsFileset = parsed.filesetMap;
   } catch {}
-  const remote = ZipFSElement(await downloadZip(workspace, opts.plainSecrets, opts.skipVariables, opts.skipResources, opts.skipResourceTypes, opts.skipSecrets, opts.includeSchedules, opts.includeTriggers, opts.includeUsers, opts.includeGroups, opts.includeSettings, opts.includeKey, opts.skipWorkspaceDependencies, opts.defaultTs), !opts.json, opts.defaultTs ?? "bun", resourceTypeToFormatExtension, resourceTypeToIsFileset, false);
+  const remote = ZipFSElement(await downloadZip(workspace, opts.plainSecrets, opts.skipVariables, opts.skipResources, opts.skipResourceTypes, opts.skipSecrets, opts.includeSchedules, opts.includeTriggers, opts.includeUsers, opts.includeGroups, opts.includeSettings, opts.includeKey, opts.skipWorkspaceDependencies, opts.defaultTs), !opts.json, opts.defaultTs ?? "bun", resourceTypeToFormatExtension, resourceTypeToIsFileset, false, parseSyncBehavior(opts.syncBehavior) >= 1);
   const local = await FSFSElement(path9.join(process.cwd(), ""), codebases, false);
   const changes = await compareDynFSElement(local, remote, await ignoreF(opts), opts.json ?? false, opts, true, codebases, false, specificItems, wsNameForFiles, false);
   const rawWorkspaceDependencies = await getRawWorkspaceDependencies(true);
@@ -65152,13 +65462,59 @@ ${folderList}
     return;
   }
   if (changes.length > 0) {
+    let folderDefaultAnnotations;
+    if (parseSyncBehavior(opts.syncBehavior) >= 1) {
+      folderDefaultAnnotations = new Map;
+      const folderRulesCache = new Map;
+      for (const change of changes) {
+        if (change.name !== "added")
+          continue;
+        const match2 = change.path.match(/^f\/([^/]+)\//);
+        if (!match2)
+          continue;
+        const folderName2 = match2[1];
+        if (!folderRulesCache.has(folderName2)) {
+          try {
+            const folder = await getFolder({ workspace: workspace.workspaceId, name: folderName2 });
+            folderRulesCache.set(folderName2, folder.default_permissioned_as ?? []);
+          } catch {
+            folderRulesCache.set(folderName2, []);
+          }
+        }
+        const rules = folderRulesCache.get(folderName2);
+        const remotePath = change.path.replace(/\.(script|schedule|http_trigger|websocket_trigger|kafka_trigger|nats_trigger|postgres_trigger|mqtt_trigger|sqs_trigger|gcp_trigger|email_trigger)\.(yaml|json)$/, "").replace(/(\.flow|__flow)\/flow\.(yaml|json)$/, "").replace(/\.(app|raw_app)(\/app\.(yaml|json))?$/, "");
+        const relative6 = remotePath.slice(`f/${folderName2}/`.length);
+        if (!relative6)
+          continue;
+        for (const rule of rules) {
+          if (minimatch(relative6, rule.path_glob)) {
+            folderDefaultAnnotations.set(change.path, rule.permissioned_as);
+            break;
+          }
+        }
+      }
+    }
     if (!opts.jsonOutput) {
-      prettyChanges(changes, specificItems, wsNameForFiles);
+      prettyChanges(changes, specificItems, wsNameForFiles, folderDefaultAnnotations);
     }
     if (opts.dryRun) {
       info(colors.gray(`Dry run complete.`));
       return;
     }
+    let permissionedAsContext = undefined;
+    if (parseSyncBehavior(opts.syncBehavior) >= 1) {
+      const user = await whoami({ workspace: workspace.workspaceId });
+      const userIsAdminOrDeployer = user.is_admin || (user.groups ?? []).includes("wm_deployers");
+      debug(`permissioned_as: user=${user.email}, is_admin=${user.is_admin}, groups=${JSON.stringify(user.groups)}, isAdminOrDeployer=${userIsAdminOrDeployer}`);
+      permissionedAsContext = {
+        userCache: new Map,
+        userIsAdminOrDeployer,
+        userEmail: user.email
+      };
+      await preCheckPermissionedAs(changes, user.email, userIsAdminOrDeployer, opts.acceptOverridingPermissionedAsWithSelf ?? false, !!process.stdin.isTTY);
+    } else if (folderDefaultAnnotations && folderDefaultAnnotations.size > 0) {
+      warn(colors.yellow(`This workspace has folder default_permissioned_as rules that affect ${folderDefaultAnnotations.size} item(s) being pushed, ` + `but syncBehavior is not set in wmill.yaml. Add 'syncBehavior: v1' to enable ownership preservation on update and on_behalf_of stripping on pull.`));
+    }
     if (!opts.yes && !await Confirm.prompt({
       message: `Do you want to apply these ${changes.length} changes to the remote?`,
       default: true
@@ -65187,17 +65543,24 @@ ${folderList}
     if (parallelizationFactor <= 0) {
       parallelizationFactor = 1;
     }
-    const groupedChangesArray = Array.from(groupedChanges.entries());
-    info(`found changes for ${groupedChangesArray.length} items with a total of ${groupedChangesArray.reduce((acc, [_, changes2]) => acc + changes2.length, 0)} files to process`);
+    const allGrouped = Array.from(groupedChanges.entries());
+    const isFolderMetaGroup = ([basePath]) => basePath.endsWith(`${SEP8}folder`) || basePath === "folder";
+    const folderMetaGroups = allGrouped.filter(isFolderMetaGroup);
+    const groupedChangesArray = allGrouped.filter((g) => !isFolderMetaGroup(g));
+    info(`found changes for ${allGrouped.length} items with a total of ${allGrouped.reduce((acc, [_, changes2]) => acc + changes2.length, 0)} files to process`);
     if (parallelizationFactor > 1) {
       info(`Parallelizing ${parallelizationFactor} changes at a time`);
     }
     const pool = new Set;
-    const queue = [...groupedChangesArray];
+    const queue = [...folderMetaGroups, ...groupedChangesArray];
+    let folderPhaseRemaining = folderMetaGroups.length;
+    const effectiveParallelism = () => folderPhaseRemaining > 0 ? 1 : parallelizationFactor;
     const cachedWsNameForPush = wsNameForFiles || (isGitRepository() ? getCurrentGitBranch() : null);
     while (queue.length > 0 || pool.size > 0) {
-      while (pool.size < parallelizationFactor && queue.length > 0) {
-        let [_basePath, changes2] = queue.shift();
+      while (pool.size < effectiveParallelism() && queue.length > 0) {
+        const [groupBasePath, initialChanges] = queue.shift();
+        let changes2 = initialChanges;
+        const isFolderGroup = groupBasePath.endsWith(`${SEP8}folder`) || groupBasePath === "folder";
         const promise = (async () => {
           const alreadySynced = [];
           const deletedVarsResPaths = [];
@@ -65221,12 +65584,12 @@ ${folderList}
               }
             }
             if (change.name === "edited") {
-              if (await handleScriptMetadata(change.path, workspace, alreadySynced, opts.message, rawWorkspaceDependencies, codebases, opts)) {
+              if (await handleScriptMetadata(change.path, workspace, alreadySynced, opts.message, rawWorkspaceDependencies, codebases, opts, permissionedAsContext)) {
                 if (stateTarget) {
                   await writeFile7(stateTarget, change.after, "utf-8");
                 }
                 continue;
-              } else if (await handleFile(change.path, workspace, alreadySynced, opts.message, opts, rawWorkspaceDependencies, codebases)) {
+              } else if (await handleFile(change.path, workspace, alreadySynced, opts.message, opts, rawWorkspaceDependencies, codebases, permissionedAsContext)) {
                 if (stateTarget) {
                   await writeFile7(stateTarget, change.after, "utf-8");
                 }
@@ -65282,14 +65645,14 @@ ${folderList}
               if (specificItems && isSpecificItem(change.path, specificItems)) {
                 originalWorkspaceSpecificPath = getWorkspaceSpecificPath(change.path, specificItems, wsNameForFiles);
               }
-              await pushObj(workspace.workspaceId, change.path, oldObj, newObj, opts.plainSecrets ?? false, alreadySynced, opts.message, originalWorkspaceSpecificPath);
+              await pushObj(workspace.workspaceId, change.path, oldObj, newObj, opts.plainSecrets ?? false, alreadySynced, opts.message, originalWorkspaceSpecificPath, permissionedAsContext);
               if (stateTarget) {
                 await writeFile7(stateTarget, change.after, "utf-8");
               }
             } else if (change.name === "added") {
               if (change.path.endsWith(".script.json") || change.path.endsWith(".script.yaml") || change.path.endsWith(".lock") || isFileResource(change.path) || isFilesetResource(change.path)) {
                 continue;
-              } else if (await handleFile(change.path, workspace, alreadySynced, opts.message, opts, rawWorkspaceDependencies, codebases)) {
+              } else if (await handleFile(change.path, workspace, alreadySynced, opts.message, opts, rawWorkspaceDependencies, codebases, permissionedAsContext)) {
                 continue;
               } else if (isScriptModulePath(change.path)) {
                 await pushParentScriptForModule(change.path, workspace, alreadySynced, opts.message, opts, rawWorkspaceDependencies, codebases);
@@ -65307,7 +65670,7 @@ ${folderList}
                   localFilePath = workspaceSpecificPath;
                 }
               }
-              await pushObj(workspace.workspaceId, change.path, undefined, obj, opts.plainSecrets ?? false, [], opts.message, localFilePath);
+              await pushObj(workspace.workspaceId, change.path, undefined, obj, opts.plainSecrets ?? false, [], opts.message, localFilePath, permissionedAsContext);
               if (stateTarget) {
                 await writeFile7(stateTarget, change.content, "utf-8");
               }
@@ -65583,7 +65946,11 @@ ${folderList}
           }
         })();
         pool.add(promise);
-        promise.then(() => pool.delete(promise));
+        promise.then(() => {
+          pool.delete(promise);
+          if (isFolderGroup)
+            folderPhaseRemaining--;
+        });
       }
       if (pool.size > 0) {
         await Promise.race(pool);
@@ -65659,6 +66026,7 @@ var init_sync = __esm(async () => {
     init_script(),
     init_utils(),
     init_conf(),
+    init_permissioned_as(),
     init_specific_items(),
     init_types(),
     init_codebase(),
@@ -65676,7 +66044,7 @@ var init_sync = __esm(async () => {
     aliasDuplicateObjects: false,
     singleQuote: true
   };
-  command7 = new Command().description("sync local with a remote workspaces or the opposite (push or pull)").action(() => info("2 actions available, pull and push. Use -h to display help.")).command("pull").description("Pull any remote changes and apply them locally.").option("--yes", "Pull without needing confirmation").option("--dry-run", "Show changes that would be pulled without actually pushing").option("--plain-secrets", "Pull secrets as plain text").option("--json", "Use JSON instead of YAML").option("--skip-variables", "Skip syncing variables (including secrets)").option("--skip-secrets", "Skip syncing only secrets variables").option("--include-secrets", "Include secrets in sync (overrides skipSecrets in wmill.yaml)").option("--skip-resources", "Skip syncing  resources").option("--skip-resource-types", "Skip syncing  resource types").option("--skip-scripts", "Skip syncing scripts").option("--skip-flows", "Skip syncing flows").option("--skip-apps", "Skip syncing apps").option("--skip-folders", "Skip syncing folders").option("--skip-workspace-dependencies", "Skip syncing workspace dependencies").option("--include-schedules", "Include syncing  schedules").option("--include-triggers", "Include syncing triggers").option("--include-users", "Include syncing users").option("--include-groups", "Include syncing groups").option("--include-settings", "Include syncing workspace settings").option("--include-key", "Include workspace encryption key").option("--skip-branch-validation", "Skip git branch validation and prompts").option("--json-output", "Output results in JSON format").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Overrides wmill.yaml includes").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account. Overrides wmill.yaml excludes").option("--extra-includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy").option("--repository <repo:string>", "Specify repository path (e.g., u/user/repo) when multiple repositories exist").option("--promotion <branch:string>", "Use promotionOverrides from the specified branch instead of regular overrides").option("--branch, --env <branch:string>", "[Deprecated: use --workspace] Override the current git branch/environment").action(pull).command("push").description("Push any local changes and apply them remotely.").option("--yes", "Push without needing confirmation").option("--dry-run", "Show changes that would be pushed without actually pushing").option("--plain-secrets", "Push secrets as plain text").option("--json", "Use JSON instead of YAML").option("--skip-variables", "Skip syncing variables (including secrets)").option("--skip-secrets", "Skip syncing only secrets variables").option("--include-secrets", "Include secrets in sync (overrides skipSecrets in wmill.yaml)").option("--skip-resources", "Skip syncing  resources").option("--skip-resource-types", "Skip syncing  resource types").option("--skip-scripts", "Skip syncing scripts").option("--skip-flows", "Skip syncing flows").option("--skip-apps", "Skip syncing apps").option("--skip-folders", "Skip syncing folders").option("--skip-workspace-dependencies", "Skip syncing workspace dependencies").option("--include-schedules", "Include syncing schedules").option("--include-triggers", "Include syncing triggers").option("--include-users", "Include syncing users").option("--include-groups", "Include syncing groups").option("--include-settings", "Include syncing workspace settings").option("--include-key", "Include workspace encryption key").option("--skip-branch-validation", "Skip git branch validation and prompts").option("--json-output", "Output results in JSON format").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").option("--extra-includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy").option("--message <message:string>", "Include a message that will be added to all scripts/flows/apps updated during this push").option("--parallel <number>", "Number of changes to process in parallel").option("--repository <repo:string>", "Specify repository path (e.g., u/user/repo) when multiple repositories exist").option("--branch, --env <branch:string>", "[Deprecated: use --workspace] Override the current git branch/environment").option("--lint", "Run lint validation before pushing").option("--locks-required", "Fail if scripts or flow inline scripts that need locks have no locks").option("--auto-metadata", "Automatically regenerate stale metadata (locks and schemas) before pushing").action(push4);
+  command7 = new Command().description("sync local with a remote workspaces or the opposite (push or pull)").action(() => info("2 actions available, pull and push. Use -h to display help.")).command("pull").description("Pull any remote changes and apply them locally.").option("--yes", "Pull without needing confirmation").option("--dry-run", "Show changes that would be pulled without actually pushing").option("--plain-secrets", "Pull secrets as plain text").option("--json", "Use JSON instead of YAML").option("--skip-variables", "Skip syncing variables (including secrets)").option("--skip-secrets", "Skip syncing only secrets variables").option("--include-secrets", "Include secrets in sync (overrides skipSecrets in wmill.yaml)").option("--skip-resources", "Skip syncing  resources").option("--skip-resource-types", "Skip syncing  resource types").option("--skip-scripts", "Skip syncing scripts").option("--skip-flows", "Skip syncing flows").option("--skip-apps", "Skip syncing apps").option("--skip-folders", "Skip syncing folders").option("--skip-workspace-dependencies", "Skip syncing workspace dependencies").option("--include-schedules", "Include syncing  schedules").option("--include-triggers", "Include syncing triggers").option("--include-users", "Include syncing users").option("--include-groups", "Include syncing groups").option("--include-settings", "Include syncing workspace settings").option("--include-key", "Include workspace encryption key").option("--skip-branch-validation", "Skip git branch validation and prompts").option("--json-output", "Output results in JSON format").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Overrides wmill.yaml includes").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account. Overrides wmill.yaml excludes").option("--extra-includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy").option("--repository <repo:string>", "Specify repository path (e.g., u/user/repo) when multiple repositories exist").option("--promotion <branch:string>", "Use promotionOverrides from the specified branch instead of regular overrides").option("--branch, --env <branch:string>", "[Deprecated: use --workspace] Override the current git branch/environment").action(pull).command("push").description("Push any local changes and apply them remotely.").option("--yes", "Push without needing confirmation").option("--dry-run", "Show changes that would be pushed without actually pushing").option("--plain-secrets", "Push secrets as plain text").option("--json", "Use JSON instead of YAML").option("--skip-variables", "Skip syncing variables (including secrets)").option("--skip-secrets", "Skip syncing only secrets variables").option("--include-secrets", "Include secrets in sync (overrides skipSecrets in wmill.yaml)").option("--skip-resources", "Skip syncing  resources").option("--skip-resource-types", "Skip syncing  resource types").option("--skip-scripts", "Skip syncing scripts").option("--skip-flows", "Skip syncing flows").option("--skip-apps", "Skip syncing apps").option("--skip-folders", "Skip syncing folders").option("--skip-workspace-dependencies", "Skip syncing workspace dependencies").option("--include-schedules", "Include syncing schedules").option("--include-triggers", "Include syncing triggers").option("--include-users", "Include syncing users").option("--include-groups", "Include syncing groups").option("--include-settings", "Include syncing workspace settings").option("--include-key", "Include workspace encryption key").option("--skip-branch-validation", "Skip git branch validation and prompts").option("--json-output", "Output results in JSON format").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").option("--extra-includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy").option("--message <message:string>", "Include a message that will be added to all scripts/flows/apps updated during this push").option("--parallel <number>", "Number of changes to process in parallel").option("--repository <repo:string>", "Specify repository path (e.g., u/user/repo) when multiple repositories exist").option("--branch, --env <branch:string>", "[Deprecated: use --workspace] Override the current git branch/environment").option("--lint", "Run lint validation before pushing").option("--locks-required", "Fail if scripts or flow inline scripts that need locks have no locks").option("--auto-metadata", "Automatically regenerate stale metadata (locks and schemas) before pushing").option("--accept-overriding-permissioned-as-with-self", "Accept that items with a different permissioned_as will be updated with your own user").action(push4);
   sync_default = command7;
 });
 
@@ -69487,7 +69855,7 @@ function replaceInlineScripts2(rec, localPath, addType) {
 function isExecutionModeAnonymous(app) {
   return app?.["policy"]?.["execution_mode"] == "anonymous";
 }
-async function pushApp(workspace, remotePath, localPath, message) {
+async function pushApp(workspace, remotePath, localPath, message, permissionedAsContext) {
   if (alreadySynced2.includes(localPath)) {
     return;
   }
@@ -69500,6 +69868,12 @@ async function pushApp(workspace, remotePath, localPath, message) {
       path: remotePath
     });
   } catch {}
+  let remoteOnBehalfOf;
+  let remoteOnBehalfOfEmail;
+  if (app?.policy) {
+    remoteOnBehalfOf = app.policy.on_behalf_of;
+    remoteOnBehalfOfEmail = app.policy.on_behalf_of_email;
+  }
   if (isExecutionModeAnonymous(app)) {
     app.public = true;
   }
@@ -69513,6 +69887,17 @@ async function pushApp(workspace, remotePath, localPath, message) {
   const localApp = await yamlParseFile(path17);
   replaceInlineScripts2(localApp.value, localPath, true);
   await generatingPolicy2(localApp, remotePath, localApp?.["public"] ?? localApp?.["policy"]?.["execution_mode"] == "anonymous");
+  const preserveFields = {};
+  if (permissionedAsContext?.userIsAdminOrDeployer) {
+    if (app) {
+      if (localApp.policy && remoteOnBehalfOf) {
+        localApp.policy.on_behalf_of = remoteOnBehalfOf;
+        localApp.policy.on_behalf_of_email = remoteOnBehalfOfEmail;
+        preserveFields.preserve_on_behalf_of = true;
+        info(`Preserving ${remoteOnBehalfOfEmail ?? remoteOnBehalfOf} as permissioned_as for app ${remotePath}`);
+      }
+    }
+  }
   if (app) {
     if (isSuperset(localApp, app)) {
       info(colors.green(`App ${remotePath} is up to date`));
@@ -69524,7 +69909,8 @@ async function pushApp(workspace, remotePath, localPath, message) {
       path: remotePath,
       requestBody: {
         deployment_message: message,
-        ...localApp
+        ...localApp,
+        ...preserveFields
       }
     });
   } else {
@@ -69534,7 +69920,8 @@ async function pushApp(workspace, remotePath, localPath, message) {
       requestBody: {
         path: remotePath,
         deployment_message: message,
-        ...localApp
+        ...localApp,
+        ...preserveFields
       }
     });
   }
@@ -69639,6 +70026,31 @@ var init_app = __esm(async () => {
     warn(colors.yellow('This command is deprecated. Use "wmill generate-metadata" instead.'));
     const { generateLocksCommand: generateLocksCommand2 } = await init_app_metadata().then(() => exports_app_metadata);
     await generateLocksCommand2(opts, appFolder);
+  }).command("set-permissioned-as", "Set the on_behalf_of_email for an app (requires admin or wm_deployers group)").arguments("<path:string> <email:string>").action(async (opts, appPath, email) => {
+    const workspace = await resolveWorkspace(opts);
+    await requireLogin(opts);
+    const { lookupUsernameByEmail: lookupUsernameByEmail2 } = await init_permissioned_as().then(() => exports_permissioned_as);
+    const cache3 = new Map;
+    const username = await lookupUsernameByEmail2(workspace.workspaceId, email, cache3);
+    const remote = await getAppByPath({
+      workspace: workspace.workspaceId,
+      path: appPath
+    });
+    if (!remote)
+      throw new Error(`App ${appPath} not found`);
+    await updateApp({
+      workspace: workspace.workspaceId,
+      path: appPath,
+      requestBody: {
+        policy: {
+          ...remote.policy,
+          on_behalf_of: `u/${username}`,
+          on_behalf_of_email: email
+        },
+        preserve_on_behalf_of: true
+      }
+    });
+    info(colors.green(`Updated permissioned_as for app ${appPath} to ${email}`));
   });
   app_default = command12;
 });
@@ -69818,7 +70230,54 @@ var init_folder = __esm(async () => {
     init_types()
   ]);
   import_yaml24 = __toESM(require_dist(), 1);
-  command13 = new Command().description("folder related commands").option("--json", "Output as JSON (for piping to jq)").action(list7).command("list", "list all folders").option("--json", "Output as JSON (for piping to jq)").action(list7).command("get", "get a folder's details").arguments("<name:string>").option("--json", "Output as JSON (for piping to jq)").action(get5).command("new", "create a new folder locally").arguments("<name:string>").option("--summary <summary:string>", "folder summary").action(newFolder).command("push", "push a local folder to the remote by name. This overrides any remote versions.").arguments("<name:string>").action(push6).command("add-missing", "create default folder.meta.yaml for all subdirectories of f/ that are missing one").option("-y, --yes", "skip confirmation prompt").action(addMissing);
+  command13 = new Command().description("folder related commands").option("--json", "Output as JSON (for piping to jq)").action(list7).command("list", "list all folders").option("--json", "Output as JSON (for piping to jq)").action(list7).command("get", "get a folder's details").arguments("<name:string>").option("--json", "Output as JSON (for piping to jq)").action(get5).command("new", "create a new folder locally").arguments("<name:string>").option("--summary <summary:string>", "folder summary").action(newFolder).command("push", "push a local folder to the remote by name. This overrides any remote versions.").arguments("<name:string>").action(push6).command("add-missing", "create default folder.meta.yaml for all subdirectories of f/ that are missing one").option("-y, --yes", "skip confirmation prompt").action(addMissing).command("show-rules", "Show default_permissioned_as rules for a folder. Use --test-path to see which rule matches a given item path.").arguments("<name:string>").option("--test-path <path:string>", "Test which rule matches this item path (e.g. f/prod/jobs/my_script)").option("--json", "Output as JSON").action(async (opts, folderName2) => {
+    const workspace = await resolveWorkspace(opts);
+    await requireLogin(opts);
+    const folder = await getFolder({
+      workspace: workspace.workspaceId,
+      name: folderName2
+    });
+    const rules = folder.default_permissioned_as ?? [];
+    if (opts.json && !opts.testPath) {
+      console.log(JSON.stringify(rules, null, 2));
+      return;
+    }
+    if (rules.length === 0) {
+      info(`Folder '${folderName2}' has no default_permissioned_as rules.`);
+      return;
+    }
+    if (!opts.testPath) {
+      info(colors.bold(`Rules for folder '${folderName2}' (first match wins):
+`));
+      new Table2().header(["#", "path_glob", "permissioned_as"]).padding(2).border(true).body(rules.map((r, i) => [String(i + 1), r.path_glob, r.permissioned_as])).render();
+      return;
+    }
+    const testPath = opts.testPath;
+    const prefix = `f/${folderName2}/`;
+    if (!testPath.startsWith(prefix)) {
+      error(`Path '${testPath}' is not under folder '${folderName2}' (expected prefix '${prefix}')`);
+      return;
+    }
+    const relative7 = testPath.slice(prefix.length);
+    const { minimatch: minimatch2 } = await Promise.resolve().then(() => (init_esm2(), exports_esm));
+    for (let i = 0;i < rules.length; i++) {
+      const rule = rules[i];
+      if (minimatch2(relative7, rule.path_glob)) {
+        if (opts.json) {
+          console.log(JSON.stringify({ matched: true, rule_index: i, rule, relative_path: relative7 }));
+        } else {
+          info(colors.green(`✓ Rule #${i + 1} matches: path_glob='${rule.path_glob}' → permissioned_as='${rule.permissioned_as}'`));
+          info(colors.gray(`  (relative path tested: '${relative7}')`));
+        }
+        return;
+      }
+    }
+    if (opts.json) {
+      console.log(JSON.stringify({ matched: false, relative_path: relative7 }));
+    } else {
+      info(colors.yellow(`No rule matches path '${testPath}' (relative: '${relative7}')`));
+    }
+  });
   folder_default = command13;
 });
 
@@ -70053,7 +70512,7 @@ async function get7(opts, path17) {
     console.log(colors.bold("Enabled:") + " " + (s.enabled ? "true" : "false"));
   }
 }
-async function pushSchedule(workspace, path17, schedule, localSchedule) {
+async function pushSchedule(workspace, path17, schedule, localSchedule, permissionedAsContext) {
   path17 = removeType(path17, "schedule").replaceAll(SEP16, "/");
   debug(`Processing local schedule ${path17}`);
   try {
@@ -70062,6 +70521,17 @@ async function pushSchedule(workspace, path17, schedule, localSchedule) {
   } catch {
     debug(`Schedule ${path17} does not exist on remote`);
   }
+  delete localSchedule.has_permissioned_as;
+  const preserveFields = {};
+  if (permissionedAsContext?.userIsAdminOrDeployer) {
+    if (schedule) {
+      preserveFields.preserve_permissioned_as = true;
+      if (schedule.permissioned_as) {
+        preserveFields.permissioned_as = schedule.permissioned_as;
+        info(`Preserving ${schedule.permissioned_as} as permissioned_as for schedule ${path17}`);
+      }
+    }
+  }
   if (schedule) {
     if (isSuperset(localSchedule, schedule)) {
       debug(`Schedule ${path17} is up to date`);
@@ -70074,7 +70544,8 @@ async function pushSchedule(workspace, path17, schedule, localSchedule) {
         workspace,
         path: path17,
         requestBody: {
-          ...localSchedule
+          ...localSchedule,
+          ...preserveFields
         }
       });
       if (localSchedule.enabled != schedule.enabled) {
@@ -70098,7 +70569,8 @@ async function pushSchedule(workspace, path17, schedule, localSchedule) {
         workspace,
         requestBody: {
           path: path17,
-          ...localSchedule
+          ...localSchedule,
+          ...preserveFields
         }
       });
     } catch (e) {
@@ -70154,10 +70626,32 @@ var init_schedule = __esm(async () => {
     init_auth(),
     init_context(),
     init_conf(),
+    init_permissioned_as(),
     init_types()
   ]);
   import_yaml26 = __toESM(require_dist(), 1);
-  command15 = new Command().description("schedule related commands").option("--json", "Output as JSON (for piping to jq)").action(list9).command("list", "list all schedules").option("--json", "Output as JSON (for piping to jq)").action(list9).command("get", "get a schedule's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(get7).command("new", "create a new schedule locally").arguments("<path:string>").action(newSchedule).command("push", "push a local schedule spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").action(push8).command("enable", "Enable a schedule").arguments("<path:string>").action(enable).command("disable", "Disable a schedule").arguments("<path:string>").action(disable);
+  command15 = new Command().description("schedule related commands").option("--json", "Output as JSON (for piping to jq)").action(list9).command("list", "list all schedules").option("--json", "Output as JSON (for piping to jq)").action(list9).command("get", "get a schedule's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(get7).command("new", "create a new schedule locally").arguments("<path:string>").action(newSchedule).command("push", "push a local schedule spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").action(push8).command("enable", "Enable a schedule").arguments("<path:string>").action(enable).command("disable", "Disable a schedule").arguments("<path:string>").action(disable).command("set-permissioned-as", "Set the email (run-as user) for a schedule (requires admin or wm_deployers group)").arguments("<path:string> <email:string>").action(async (opts, schedulePath, email) => {
+    const workspace = await resolveWorkspace(opts);
+    await requireLogin(opts);
+    const cache3 = new Map;
+    const username = await lookupUsernameByEmail(workspace.workspaceId, email, cache3);
+    const remote = await getSchedule({
+      workspace: workspace.workspaceId,
+      path: schedulePath
+    });
+    if (!remote)
+      throw new Error(`Schedule ${schedulePath} not found`);
+    await updateSchedule({
+      workspace: workspace.workspaceId,
+      path: schedulePath,
+      requestBody: {
+        ...remote,
+        permissioned_as: `u/${username}`,
+        preserve_permissioned_as: true
+      }
+    });
+    info(colors.green(`Updated permissioned_as for schedule ${schedulePath} to ${email} (username: ${username})`));
+  });
   schedule_default = command15;
 });
 
@@ -71729,7 +72223,7 @@ async function createTrigger(triggerType, workspace, path18, trigger) {
   const triggerFunction = triggerFunctions[triggerType];
   await triggerFunction({ workspace, path: path18, requestBody: trigger });
 }
-async function pushTrigger(triggerType, workspace, path18, trigger, localTrigger) {
+async function pushTrigger(triggerType, workspace, path18, trigger, localTrigger, permissionedAsContext) {
   path18 = removeType(path18, triggerType + "_trigger").replaceAll(SEP17, "/");
   debug(`Processing local ${triggerType} trigger ${path18}`);
   try {
@@ -71738,6 +72232,17 @@ async function pushTrigger(triggerType, workspace, path18, trigger, localTrigger
   } catch {
     debug(`${triggerType} trigger ${path18} does not exist on remote`);
   }
+  delete localTrigger.has_permissioned_as;
+  const preserveFields = {};
+  if (permissionedAsContext?.userIsAdminOrDeployer) {
+    if (trigger) {
+      preserveFields.preserve_permissioned_as = true;
+      if (trigger.permissioned_as) {
+        preserveFields.permissioned_as = trigger.permissioned_as;
+        info(`Preserving ${trigger.permissioned_as} as permissioned_as for trigger ${path18}`);
+      }
+    }
+  }
   if (trigger) {
     if (isSuperset(localTrigger, trigger)) {
       debug(`${triggerType} trigger ${path18} is up to date`);
@@ -71747,6 +72252,7 @@ async function pushTrigger(triggerType, workspace, path18, trigger, localTrigger
     try {
       await updateTrigger(triggerType, workspace, path18, {
         ...localTrigger,
+        ...preserveFields,
         path: path18
       });
     } catch (e) {
@@ -71758,6 +72264,7 @@ async function pushTrigger(triggerType, workspace, path18, trigger, localTrigger
     try {
       await createTrigger(triggerType, workspace, path18, {
         ...localTrigger,
+        ...preserveFields,
         path: path18
       });
     } catch (e) {
@@ -72116,7 +72623,29 @@ var init_trigger = __esm(async () => {
     }
   };
   TRIGGER_SKIP_FIELDS = new Set(["workspace_id", "extra_perms", "edited_by", "edited_at"]);
-  command19 = new Command().description("trigger related commands").option("--json", "Output as JSON (for piping to jq)").action(list11).command("list", "list all triggers").option("--json", "Output as JSON (for piping to jq)").action(list11).command("get", "get a trigger's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").option("--kind <kind:string>", "Trigger kind (http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email). Recommended for faster lookup").action(get8).command("new", "create a new trigger locally").arguments("<path:string>").option("--kind <kind:string>", "Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email)").action(newTrigger).command("push", "push a local trigger spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").action(push10);
+  command19 = new Command().description("trigger related commands").option("--json", "Output as JSON (for piping to jq)").action(list11).command("list", "list all triggers").option("--json", "Output as JSON (for piping to jq)").action(list11).command("get", "get a trigger's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").option("--kind <kind:string>", "Trigger kind (http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email). Recommended for faster lookup").action(get8).command("new", "create a new trigger locally").arguments("<path:string>").option("--kind <kind:string>", "Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email)").action(newTrigger).command("push", "push a local trigger spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").action(push10).command("set-permissioned-as", "Set the email (run-as user) for a trigger (requires admin or wm_deployers group)").arguments("<path:string> <email:string>").option("--kind <kind:string>", "Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email)").action(async (opts, triggerPath, email) => {
+    const workspace = await resolveWorkspace(opts);
+    await requireLogin(opts);
+    if (!opts.kind) {
+      throw new Error("--kind is required. Valid kinds: " + TRIGGER_TYPES.join(", "));
+    }
+    if (!checkIfValidTrigger(opts.kind)) {
+      throw new Error("Invalid trigger kind: " + opts.kind + ". Valid kinds: " + TRIGGER_TYPES.join(", "));
+    }
+    const { lookupUsernameByEmail: lookupUsernameByEmail2 } = await init_permissioned_as().then(() => exports_permissioned_as);
+    const cache3 = new Map;
+    const username = await lookupUsernameByEmail2(workspace.workspaceId, email, cache3);
+    const remote = await getTrigger(opts.kind, workspace.workspaceId, triggerPath);
+    if (!remote)
+      throw new Error(`${opts.kind} trigger ${triggerPath} not found`);
+    await updateTrigger(opts.kind, workspace.workspaceId, triggerPath, {
+      ...remote,
+      permissioned_as: `u/${username}`,
+      preserve_permissioned_as: true,
+      path: triggerPath
+    });
+    info(colors.green(`Updated permissioned_as for ${opts.kind} trigger ${triggerPath} to ${email} (username: ${username})`));
+  });
   trigger_default = command19;
 });
 
@@ -72173,14 +72702,14 @@ function showConflict(path19, local, remote) {
   info(`
 `);
 }
-async function pushObj(workspace, p, befObj, newObj, plainSecrets, alreadySynced3, message, originalLocalPath) {
+async function pushObj(workspace, p, befObj, newObj, plainSecrets, alreadySynced3, message, originalLocalPath, permissionedAsContext) {
   const typeEnding = getTypeStrFromPath(p);
   if (typeEnding === "app") {
     const appName = extractResourceName(p, "app");
     if (!appName) {
       throw new Error(`Could not extract app name from path: ${p}`);
     }
-    await pushApp(workspace, appName, buildFolderPath(appName, "app"), message);
+    await pushApp(workspace, appName, buildFolderPath(appName, "app"), message, permissionedAsContext);
   } else if (typeEnding === "raw_app") {
     const rawAppName = extractResourceName(p, "raw_app");
     if (!rawAppName) {
@@ -72196,7 +72725,7 @@ async function pushObj(workspace, p, befObj, newObj, plainSecrets, alreadySynced
     if (!flowName) {
       throw new Error(`Could not extract flow name from path: ${p}`);
     }
-    await pushFlow(workspace, flowName, buildFolderPath(flowName, "flow"), message);
+    await pushFlow(workspace, flowName, buildFolderPath(flowName, "flow"), message, permissionedAsContext);
   } else if (typeEnding === "resource") {
     if (!alreadySynced3.includes(p)) {
       alreadySynced3.push(p);
@@ -72205,25 +72734,25 @@ async function pushObj(workspace, p, befObj, newObj, plainSecrets, alreadySynced
   } else if (typeEnding === "resource-type") {
     await pushResourceType(workspace, p, befObj, newObj);
   } else if (typeEnding === "schedule") {
-    await pushSchedule(workspace, p, befObj, newObj);
+    await pushSchedule(workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "http_trigger") {
-    await pushTrigger("http", workspace, p, befObj, newObj);
+    await pushTrigger("http", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "websocket_trigger") {
-    await pushTrigger("websocket", workspace, p, befObj, newObj);
+    await pushTrigger("websocket", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "kafka_trigger") {
-    await pushTrigger("kafka", workspace, p, befObj, newObj);
+    await pushTrigger("kafka", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "nats_trigger") {
-    await pushTrigger("nats", workspace, p, befObj, newObj);
+    await pushTrigger("nats", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "postgres_trigger") {
-    await pushTrigger("postgres", workspace, p, befObj, newObj);
+    await pushTrigger("postgres", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "mqtt_trigger") {
-    await pushTrigger("mqtt", workspace, p, befObj, newObj);
+    await pushTrigger("mqtt", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "sqs_trigger") {
-    await pushTrigger("sqs", workspace, p, befObj, newObj);
+    await pushTrigger("sqs", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "gcp_trigger") {
-    await pushTrigger("gcp", workspace, p, befObj, newObj);
+    await pushTrigger("gcp", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "email_trigger") {
-    await pushTrigger("email", workspace, p, befObj, newObj);
+    await pushTrigger("email", workspace, p, befObj, newObj, permissionedAsContext);
   } else if (typeEnding === "native_trigger") {
     await pushNativeTrigger(workspace, p, befObj, newObj);
   } else if (typeEnding === "user") {
@@ -72547,7 +73076,7 @@ ${details.join(`
 `)}
 Use --remote to preview deployed workspace scripts instead.`);
 }
-async function pushFlow(workspace, remotePath, localPath, message) {
+async function pushFlow(workspace, remotePath, localPath, message, permissionedAsContext) {
   if (alreadySynced3.includes(localPath)) {
     return;
   }
@@ -72576,6 +73105,16 @@ async function pushFlow(workspace, remotePath, localPath, message) {
   if (missingFiles.length > 0) {
     warn(colors.yellow(`Warning: missing inline script file(s): ${missingFiles.join(", ")}. ` + `The flow will be pushed with unresolved !inline references.`));
   }
+  const hasOnBehalfOf = localFlow.has_on_behalf_of ?? !!localFlow.on_behalf_of_email;
+  delete localFlow.has_on_behalf_of;
+  const preserveFields = {};
+  if (permissionedAsContext?.userIsAdminOrDeployer && hasOnBehalfOf) {
+    if (flow && flow.on_behalf_of_email) {
+      preserveFields.on_behalf_of_email = flow.on_behalf_of_email;
+      preserveFields.preserve_on_behalf_of = true;
+      info(`Preserving ${flow.on_behalf_of_email} as on_behalf_of for flow ${remotePath}`);
+    }
+  }
   if (flow) {
     if (isSuperset(localFlow, flow)) {
       info(colors.green(`Flow ${remotePath} is up to date`));
@@ -72588,7 +73127,8 @@ async function pushFlow(workspace, remotePath, localPath, message) {
       requestBody: {
         path: remotePath.replaceAll(SEP19, "/"),
         deployment_message: message,
-        ...localFlow
+        ...localFlow,
+        ...preserveFields
       }
     });
   } else {
@@ -72599,7 +73139,8 @@ async function pushFlow(workspace, remotePath, localPath, message) {
         requestBody: {
           path: remotePath.replaceAll(SEP19, "/"),
           deployment_message: message,
-          ...localFlow
+          ...localFlow,
+          ...preserveFields
         }
       });
     } catch (e) {
@@ -73046,7 +73587,27 @@ var init_flow = __esm(async () => {
   ]);
   import_yaml36 = __toESM(require_dist(), 1);
   alreadySynced3 = [];
-  command20 = new Command().description("flow related commands").option("--show-archived", "Enable archived flows in output").option("--json", "Output as JSON (for piping to jq)").action(list12).command("list", "list all flows").option("--show-archived", "Enable archived flows in output").option("--json", "Output as JSON (for piping to jq)").action(list12).command("get", "get a flow's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(get9).command("push", "push a local flow spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").option("--message <message:string>", "Deployment message").action(push11).command("run", "run a flow by path.").arguments("<path:string>").option("-d --data <data:string>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not ouput anything other then the final output. Useful for scripting.").action(run3).command("preview", "preview a local flow without deploying it. Runs the flow definition from local files and uses local PathScripts by default.").arguments("<flow_path:string>").option("-d --data <data:string>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other then the final output. Useful for scripting.").option("--remote", "Use deployed workspace scripts for PathScript steps instead of local files.").action(preview2).command("generate-locks", 'DEPRECATED: re-generate flow lock files. Use "wmill generate-metadata" instead.').arguments("[flow:file]").option("--yes", "Skip confirmation prompt").option("--dry-run", "Perform a dry run without making changes").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").action(generateLocks).command("new", "create a new empty flow").arguments("<flow_path:string>").option("--summary <summary:string>", "flow summary").option("--description <description:string>", "flow description").action(bootstrap2).command("bootstrap", "create a new empty flow (alias for new)").arguments("<flow_path:string>").option("--summary <summary:string>", "flow summary").option("--description <description:string>", "flow description").action(bootstrap2).command("history", "Show version history for a flow").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(history2).command("show-version", "Show a specific version of a flow").arguments("<path:string> <version:string>").option("--json", "Output as JSON (for piping to jq)").action(showVersion);
+  command20 = new Command().description("flow related commands").option("--show-archived", "Enable archived flows in output").option("--json", "Output as JSON (for piping to jq)").action(list12).command("list", "list all flows").option("--show-archived", "Enable archived flows in output").option("--json", "Output as JSON (for piping to jq)").action(list12).command("get", "get a flow's details").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(get9).command("push", "push a local flow spec. This overrides any remote versions.").arguments("<file_path:string> <remote_path:string>").option("--message <message:string>", "Deployment message").action(push11).command("run", "run a flow by path.").arguments("<path:string>").option("-d --data <data:string>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not ouput anything other then the final output. Useful for scripting.").action(run3).command("preview", "preview a local flow without deploying it. Runs the flow definition from local files and uses local PathScripts by default.").arguments("<flow_path:string>").option("-d --data <data:string>", "Inputs specified as a JSON string or a file using @<filename> or stdin using @-.").option("-s --silent", "Do not output anything other then the final output. Useful for scripting.").option("--remote", "Use deployed workspace scripts for PathScript steps instead of local files.").action(preview2).command("generate-locks", 'DEPRECATED: re-generate flow lock files. Use "wmill generate-metadata" instead.').arguments("[flow:file]").option("--yes", "Skip confirmation prompt").option("--dry-run", "Perform a dry run without making changes").option("-i --includes <patterns:file[]>", "Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)").option("-e --excludes <patterns:file[]>", "Comma separated patterns to specify which file to NOT take into account.").action(generateLocks).command("new", "create a new empty flow").arguments("<flow_path:string>").option("--summary <summary:string>", "flow summary").option("--description <description:string>", "flow description").action(bootstrap2).command("bootstrap", "create a new empty flow (alias for new)").arguments("<flow_path:string>").option("--summary <summary:string>", "flow summary").option("--description <description:string>", "flow description").action(bootstrap2).command("history", "Show version history for a flow").arguments("<path:string>").option("--json", "Output as JSON (for piping to jq)").action(history2).command("show-version", "Show a specific version of a flow").arguments("<path:string> <version:string>").option("--json", "Output as JSON (for piping to jq)").action(showVersion).command("set-permissioned-as", "Set the on_behalf_of_email for a flow (requires admin or wm_deployers group)").arguments("<path:string> <email:string>").action(async (opts, flowPath, email) => {
+    const workspace = await resolveWorkspace(opts);
+    await requireLogin(opts);
+    const remote = await getFlowByPath({
+      workspace: workspace.workspaceId,
+      path: flowPath
+    });
+    if (!remote)
+      throw new Error(`Flow ${flowPath} not found`);
+    await updateFlow({
+      workspace: workspace.workspaceId,
+      path: flowPath,
+      requestBody: {
+        ...remote,
+        path: flowPath,
+        on_behalf_of_email: email,
+        preserve_on_behalf_of: true
+      }
+    });
+    info(colors.green(`Updated permissioned_as for flow ${flowPath} to ${email}`));
+  });
   flow_default = command20;
 });
 
@@ -76044,7 +76605,59 @@ await __promiseAll([
   init_workspace(),
   init_resource_type()
 ]);
-import { stat as stat17, writeFile as writeFile19, rm as rm4, mkdir as mkdir13 } from "node:fs/promises";
+import { stat as stat18, writeFile as writeFile20, rm as rm4 } from "node:fs/promises";
+
+// src/guidance/writer.ts
+import { cp, mkdir as mkdir13, readdir as readdir9, readFile as readFile17, stat as stat17, writeFile as writeFile19 } from "node:fs/promises";
+import { join as join17 } from "node:path";
+
+// src/guidance/core.ts
+function generateAgentsMdContent(skillsReference) {
+  return `# Windmill AI Agent Instructions
+
+You are a helpful assistant that can help with Windmill scripts, flows, apps, and resources management.
+
+## Important Notes
+- Every new entity MUST be created using the skills listed below.
+- Every modification of an entity MUST be done using the skills listed below.
+- User MUST be asked where to create the entity. It can be in its user folder, under u/{user_name} folder, or in a new folder, /f/{folder_name}/. folder_name and user_name must be provided by the user.
+
+## Script Writing Guide
+
+You MUST use the \`write-script-<language>\` skill to write or modify scripts in the language specified by the user. Use bun by default.
+
+## Flow Writing Guide
+
+You MUST use the \`write-flow\` skill to create or modify flows.
+
+## Raw App Development
+
+You MUST use the \`raw-app\` skill to create or modify raw apps.
+Whenever a new app needs to be created you MUST ask the user to run \`wmill app new\` in its terminal first.
+
+## Triggers
+
+You MUST use the \`triggers\` skill to configure HTTP routes, WebSocket, Kafka, NATS, SQS, MQTT, GCP, or Postgres CDC triggers.
+
+## Schedules
+
+You MUST use the \`schedules\` skill to configure cron schedules.
+
+## Resources
+
+You MUST use the \`resources\` skill to manage resource types and credentials.
+
+## CLI Reference
+
+You MUST use the \`cli-commands\` skill to use the CLI.
+
+## Skills
+
+For specific guidance, ALWAYS use the skills listed below.
+
+${skillsReference}
+`;
+}
 
 // src/guidance/skills.ts
 var SKILLS = [
@@ -81148,6 +81761,7 @@ app related commands
   - \`--fix\` - Attempt to fix common issues (not implemented yet)
 - \`app new\` - create a new raw app from a template
 - \`app generate-agents [app_folder:string]\` - regenerate AGENTS.md and DATATABLES.md from remote workspace
+- \`app set-permissioned-as <path:string> <email:string>\` - Set the on_behalf_of_email for an app (requires admin or wm_deployers group)
 
 ### audit
 
@@ -81230,6 +81844,7 @@ flow related commands
   - \`--json\` - Output as JSON (for piping to jq)
 - \`flow show-version <path:string> <version:string>\` - Show a specific version of a flow
   - \`--json\` - Output as JSON (for piping to jq)
+- \`flow set-permissioned-as <path:string> <email:string>\` - Set the on_behalf_of_email for a flow (requires admin or wm_deployers group)
 
 ### folder
 
@@ -81249,6 +81864,9 @@ folder related commands
 - \`folder push <name:string>\` - push a local folder to the remote by name. This overrides any remote versions.
 - \`folder add-missing\` - create default folder.meta.yaml for all subdirectories of f/ that are missing one
   - \`-y, --yes\` - skip confirmation prompt
+- \`folder show-rules <name:string>\` - Show default_permissioned_as rules for a folder. Use --test-path to see which rule matches a given item path.
+  - \`--test-path <path:string>\` - Test which rule matches this item path (e.g. f/prod/jobs/my_script)
+  - \`--json\` - Output as JSON
 
 ### generate-metadata
 
@@ -81472,6 +82090,7 @@ schedule related commands
 - \`schedule push <file_path:string> <remote_path:string>\` - push a local schedule spec. This overrides any remote versions.
 - \`schedule enable <path:string>\` - Enable a schedule
 - \`schedule disable <path:string>\` - Disable a schedule
+- \`schedule set-permissioned-as <path:string> <email:string>\` - Set the email (run-as user) for a schedule (requires admin or wm_deployers group)
 
 ### script
 
@@ -81503,6 +82122,7 @@ script related commands
 - \`script bootstrap <path:file> <language:string>\` - create a new script (alias for new)
   - \`--summary <summary:string>\` - script summary
   - \`--description <description:string>\` - script description
+- \`script set-permissioned-as <path:string> <email:string>\` - Set the on_behalf_of_email for a script (requires admin or wm_deployers group)
 - \`script history <path:string>\` - show version history for a script
   - \`--json\` - Output as JSON (for piping to jq)
 
@@ -81576,6 +82196,7 @@ sync local with a remote workspaces or the opposite (push or pull)
   - \`--lint\` - Run lint validation before pushing
   - \`--locks-required\` - Fail if scripts or flow inline scripts that need locks have no locks
   - \`--auto-metadata\` - Automatically regenerate stale metadata (locks and schemas) before pushing
+  - \`--accept-overriding-permissioned-as-with-self\` - Accept that items with a different permissioned_as will be updated with your own user
 
 ### token
 
@@ -81610,6 +82231,8 @@ trigger related commands
 - \`trigger new <path:string>\` - create a new trigger locally
   - \`--kind <kind:string>\` - Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email)
 - \`trigger push <file_path:string> <remote_path:string>\` - push a local trigger spec. This overrides any remote versions.
+- \`trigger set-permissioned-as <path:string> <email:string>\` - Set the email (run-as user) for a trigger (requires admin or wm_deployers group)
+  - \`--kind <kind:string>\` - Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, email)
 
 ### user
 
@@ -82647,52 +83270,165 @@ var SCHEMA_MAPPINGS = {
   ]
 };
 
-// src/guidance/core.ts
-function generateAgentsMdContent(skillsReference) {
-  return `# Windmill AI Agent Instructions
-
-You are a helpful assistant that can help with Windmill scripts, flows, apps, and resources management.
-
-## Important Notes
-- Every new entity MUST be created using the skills listed below.
-- Every modification of an entity MUST be done using the skills listed below.
-- User MUST be asked where to create the entity. It can be in its user folder, under u/{user_name} folder, or in a new folder, /f/{folder_name}/. folder_name and user_name must be provided by the user.
-
-## Script Writing Guide
-
-You MUST use the \`write-script-<language>\` skill to write or modify scripts in the language specified by the user. Use bun by default.
-
-## Flow Writing Guide
-
-You MUST use the \`write-flow\` skill to create or modify flows.
-
-## Raw App Development
-
-You MUST use the \`raw-app\` skill to create or modify raw apps.
-Whenever a new app needs to be created you MUST ask the user to run \`wmill app new\` in its terminal first.
-
-## Triggers
-
-You MUST use the \`triggers\` skill to configure HTTP routes, WebSocket, Kafka, NATS, SQS, MQTT, GCP, or Postgres CDC triggers.
-
-## Schedules
-
-You MUST use the \`schedules\` skill to configure cron schedules.
-
-## Resources
-
-You MUST use the \`resources\` skill to manage resource types and credentials.
-
-## CLI Reference
+// src/guidance/writer.ts
+var WMILL_INIT_AI_SKILLS_SOURCE_ENV = "WMILL_INIT_AI_SKILLS_SOURCE";
+var WMILL_INIT_AI_AGENTS_SOURCE_ENV = "WMILL_INIT_AI_AGENTS_SOURCE";
+var WMILL_INIT_AI_CLAUDE_SOURCE_ENV = "WMILL_INIT_AI_CLAUDE_SOURCE";
+var CLAUDE_MD_DEFAULT = `Instructions are in @AGENTS.md
+`;
+async function writeAiGuidanceFiles(options) {
+  const nonDottedPaths = options.nonDottedPaths ?? true;
+  const skillMetadata = options.skillsSourcePath ? await readSkillMetadataFromDirectory(options.skillsSourcePath) : getGeneratedSkillMetadata();
+  const agentsWritten = await writeProjectGuidanceFile({
+    targetPath: join17(options.targetDir, "AGENTS.md"),
+    overwrite: options.overwriteProjectGuidance ?? false,
+    content: options.agentsSourcePath != null ? await readFile17(options.agentsSourcePath, "utf8") : generateAgentsMdContent(buildSkillsReference(skillMetadata))
+  });
+  const claudeWritten = await writeProjectGuidanceFile({
+    targetPath: join17(options.targetDir, "CLAUDE.md"),
+    overwrite: options.overwriteProjectGuidance ?? false,
+    content: options.claudeSourcePath != null ? await readFile17(options.claudeSourcePath, "utf8") : CLAUDE_MD_DEFAULT
+  });
+  if (options.skillsSourcePath) {
+    await copySkillsFromSource(options.targetDir, options.skillsSourcePath);
+  } else {
+    await writeGeneratedSkills(options.targetDir, nonDottedPaths);
+  }
+  return {
+    agentsWritten,
+    claudeWritten,
+    skillCount: skillMetadata.length
+  };
+}
+function buildSkillsReference(skills) {
+  return skills.map((skill) => `- \`.claude/skills/${skill.directoryName}/SKILL.md\` - ${skill.description}`).join(`
+`);
+}
+async function copySkillsFromSource(targetDir, skillsSourcePath) {
+  const skillsDir = await ensureSkillsDirectory(targetDir);
+  await copyDirectoryContents(skillsSourcePath, skillsDir);
+  return await readSkillMetadataFromDirectory(skillsDir);
+}
+async function writeGeneratedSkills(targetDir, nonDottedPaths) {
+  const skillsDir = await ensureSkillsDirectory(targetDir);
+  await Promise.all(SKILLS.map(async (skill) => {
+    const skillDir = join17(skillsDir, skill.name);
+    await mkdir13(skillDir, { recursive: true });
+    await writeFile19(join17(skillDir, "SKILL.md"), renderGeneratedSkillContent(skill.name, nonDottedPaths), "utf8");
+  }));
+  return SKILLS.map((skill) => ({
+    ...skill,
+    directoryName: skill.name
+  }));
+}
+function getGeneratedSkillMetadata() {
+  return SKILLS.map((skill) => ({
+    ...skill,
+    directoryName: skill.name
+  }));
+}
+async function ensureSkillsDirectory(targetDir) {
+  const skillsDir = join17(targetDir, ".claude", "skills");
+  await mkdir13(skillsDir, { recursive: true });
+  return skillsDir;
+}
+async function copyDirectoryContents(sourceDir, targetDir) {
+  const entries = await readdir9(sourceDir, { withFileTypes: true });
+  await Promise.all(entries.map(async (entry) => {
+    await cp(join17(sourceDir, entry.name), join17(targetDir, entry.name), {
+      recursive: true,
+      force: true
+    });
+  }));
+}
+function renderGeneratedSkillContent(skillName, nonDottedPaths) {
+  let skillContent = SKILL_CONTENT[skillName];
+  if (!skillContent) {
+    throw new Error(`Missing generated skill content for ${skillName}`);
+  }
+  if (nonDottedPaths) {
+    skillContent = skillContent.replaceAll("{{FLOW_SUFFIX}}", "__flow").replaceAll("{{APP_SUFFIX}}", "__app").replaceAll("{{RAW_APP_SUFFIX}}", "__raw_app").replaceAll("{{INLINE_SCRIPT_NAMING}}", "Inline script files should NOT include `.inline_script.` in their names (e.g. use `a.ts`, not `a.inline_script.ts`).");
+  } else {
+    skillContent = skillContent.replaceAll("{{FLOW_SUFFIX}}", ".flow").replaceAll("{{APP_SUFFIX}}", ".app").replaceAll("{{RAW_APP_SUFFIX}}", ".raw_app").replaceAll("{{INLINE_SCRIPT_NAMING}}", "Inline script files use the `.inline_script.` naming convention (e.g. `a.inline_script.ts`).");
+  }
+  const schemaMappings = SCHEMA_MAPPINGS[skillName];
+  if (!schemaMappings || schemaMappings.length === 0) {
+    return skillContent;
+  }
+  const schemaDocs = schemaMappings.map((mapping) => {
+    const schemaYaml = SCHEMAS[mapping.schemaKey];
+    if (!schemaYaml) {
+      return null;
+    }
+    return formatSchemaForMarkdown(schemaYaml, mapping.name, mapping.filePattern);
+  }).filter((entry) => entry !== null);
+  if (schemaDocs.length === 0) {
+    return skillContent;
+  }
+  return `${skillContent}
 
-You MUST use the \`cli-commands\` skill to use the CLI.
+${schemaDocs.join(`
 
-## Skills
+`)}`;
+}
+async function readSkillMetadataFromDirectory(skillsDir) {
+  const entries = await readdir9(skillsDir, { withFileTypes: true });
+  const skills = [];
+  for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    const skillPath = join17(skillsDir, entry.name, "SKILL.md");
+    if (!await stat17(skillPath).catch(() => null)) {
+      continue;
+    }
+    const content = await readFile17(skillPath, "utf8");
+    skills.push(parseSkillMetadata(content, entry.name));
+  }
+  return skills;
+}
+function parseSkillMetadata(content, fallbackName) {
+  const frontMatterMatch = content.match(/^---\s*\n([\s\S]*?)\n---/);
+  if (!frontMatterMatch) {
+    return {
+      name: fallbackName,
+      description: `Skill loaded from ${fallbackName}`,
+      directoryName: fallbackName
+    };
+  }
+  let name = fallbackName;
+  let description = `Skill loaded from ${fallbackName}`;
+  for (const line of frontMatterMatch[1].split(`
+`)) {
+    const separatorIndex = line.indexOf(":");
+    if (separatorIndex === -1) {
+      continue;
+    }
+    const key = line.slice(0, separatorIndex).trim();
+    const value = line.slice(separatorIndex + 1).trim();
+    if (key === "name" && value) {
+      name = value;
+    } else if (key === "description" && value) {
+      description = value;
+    }
+  }
+  return { name, description, directoryName: fallbackName };
+}
+async function writeProjectGuidanceFile(options) {
+  if (!options.overwrite && await stat17(options.targetPath).catch(() => null)) {
+    return false;
+  }
+  await writeFile19(options.targetPath, options.content, "utf8");
+  return true;
+}
+function formatSchemaForMarkdown(schemaYaml, schemaName, filePattern) {
+  return `## ${schemaName} (\`${filePattern}\`)
 
-For specific guidance, ALWAYS use the skills listed below.
+Must be a YAML file that adheres to the following schema:
 
-${skillsReference}
-`;
+\`\`\`yaml
+${schemaYaml.trim()}
+\`\`\``;
 }
 
 // src/commands/init/template.ts
@@ -82893,6 +83629,13 @@ var CONFIG_REFERENCE = [
     description: "Use __flow/__app/__raw_app suffixes instead of .flow/.app/.raw_app",
     inlineComment: "recommended for new projects"
   },
+  {
+    name: "syncBehavior",
+    type: "string",
+    default: "v1",
+    description: "Sync behavior version — controls ownership handling during push/pull (v1: preserve permissioned_as on update, strip on_behalf_of_email on pull)",
+    inlineComment: "v1 enables ownership preservation"
+  },
   {
     name: "codebases",
     type: "array",
@@ -83156,19 +83899,10 @@ function formatConfigReferenceJson() {
 }
 
 // src/commands/init/init.ts
-function formatSchemaForMarkdown(schemaYaml, schemaName, filePattern) {
-  return `## ${schemaName} (\`${filePattern}\`)
-
-Must be a YAML file that adheres to the following schema:
-
-\`\`\`yaml
-${schemaYaml.trim()}
-\`\`\``;
-}
 async function initAction(opts) {
   let didBindWorkspace = false;
   let boundProfile;
-  if (await stat17("wmill.yaml").catch(() => null)) {
+  if (await stat18("wmill.yaml").catch(() => null)) {
     info("wmill.yaml already exists, skipping config generation");
   } else {
     const { isGitRepository: isGitRepository2, getCurrentGitBranch: getCurrentGitBranch2 } = await Promise.resolve().then(() => (init_git(), exports_git));
@@ -83240,7 +83974,7 @@ async function initAction(opts) {
         boundProfile = activeWorkspace;
       }
     }
-    await writeFile19("wmill.yaml", generateCommentedTemplate(branchName, undefined, wsBindings), "utf-8");
+    await writeFile20("wmill.yaml", generateCommentedTemplate(branchName, undefined, wsBindings), "utf-8");
     info(colors.green("wmill.yaml created with default settings"));
     if (wsBindings && wsBindings.length > 0) {
       didBindWorkspace = true;
@@ -83312,58 +84046,21 @@ async function initAction(opts) {
     nonDottedPaths = config.nonDottedPaths ?? true;
   } catch {}
   try {
-    const skills_base_dir = ".claude/skills";
-    const skillsReference = SKILLS.map((s) => `- \`${skills_base_dir}/${s.name}/SKILL.md\` - ${s.description}`).join(`
-`);
-    if (!await stat17("AGENTS.md").catch(() => null)) {
-      await writeFile19("AGENTS.md", generateAgentsMdContent(skillsReference), "utf-8");
+    const guidanceResult = await writeAiGuidanceFiles({
+      targetDir: ".",
+      nonDottedPaths,
+      overwriteProjectGuidance: false,
+      skillsSourcePath: process.env[WMILL_INIT_AI_SKILLS_SOURCE_ENV],
+      agentsSourcePath: process.env[WMILL_INIT_AI_AGENTS_SOURCE_ENV],
+      claudeSourcePath: process.env[WMILL_INIT_AI_CLAUDE_SOURCE_ENV]
+    });
+    if (guidanceResult.agentsWritten) {
       info(colors.green("Created AGENTS.md"));
     }
-    if (!await stat17("CLAUDE.md").catch(() => null)) {
-      await writeFile19("CLAUDE.md", `Instructions are in @AGENTS.md
-`, "utf-8");
+    if (guidanceResult.claudeWritten) {
       info(colors.green("Created CLAUDE.md"));
     }
-    try {
-      await mkdir13(".claude/skills", { recursive: true });
-      await Promise.all(SKILLS.map(async (skill) => {
-        const skillDir = `.claude/skills/${skill.name}`;
-        await mkdir13(skillDir, { recursive: true });
-        let skillContent = SKILL_CONTENT[skill.name];
-        if (skillContent) {
-          if (nonDottedPaths) {
-            skillContent = skillContent.replaceAll("{{FLOW_SUFFIX}}", "__flow").replaceAll("{{APP_SUFFIX}}", "__app").replaceAll("{{RAW_APP_SUFFIX}}", "__raw_app").replaceAll("{{INLINE_SCRIPT_NAMING}}", "Inline script files should NOT include `.inline_script.` in their names (e.g. use `a.ts`, not `a.inline_script.ts`).");
-          } else {
-            skillContent = skillContent.replaceAll("{{FLOW_SUFFIX}}", ".flow").replaceAll("{{APP_SUFFIX}}", ".app").replaceAll("{{RAW_APP_SUFFIX}}", ".raw_app").replaceAll("{{INLINE_SCRIPT_NAMING}}", "Inline script files use the `.inline_script.` naming convention (e.g. `a.inline_script.ts`).");
-          }
-          const schemaMappings = SCHEMA_MAPPINGS[skill.name];
-          if (schemaMappings && schemaMappings.length > 0) {
-            const schemaDocs = schemaMappings.map((mapping) => {
-              const schemaYaml = SCHEMAS[mapping.schemaKey];
-              if (schemaYaml) {
-                return formatSchemaForMarkdown(schemaYaml, mapping.name, mapping.filePattern);
-              }
-              return null;
-            }).filter((doc) => doc !== null);
-            if (schemaDocs.length > 0) {
-              skillContent = skillContent + `
-
-` + schemaDocs.join(`
-
-`);
-            }
-          }
-          await writeFile19(`${skillDir}/SKILL.md`, skillContent, "utf-8");
-        }
-      }));
-      info(colors.green(`Created .claude/skills/ with ${SKILLS.length} skills`));
-    } catch (skillError) {
-      if (skillError instanceof Error) {
-        warn(`Could not create skills: ${skillError.message}`);
-      } else {
-        warn(`Could not create skills: ${skillError}`);
-      }
-    }
+    info(colors.green(`Created .claude/skills/ with ${guidanceResult.skillCount} skills`));
   } catch (error2) {
     if (error2 instanceof Error) {
       warn(`Could not create guidance files: ${error2.message}`);
@@ -84406,7 +85103,7 @@ init_mod3();
 init_log();
 init_colors2();
 var import_yaml40 = __toESM(require_dist(), 1);
-import { writeFile as writeFile21 } from "node:fs/promises";
+import { writeFile as writeFile22 } from "node:fs/promises";
 init_yaml();
 await init_conf();
 async function configAction(opts) {
@@ -84458,7 +85155,7 @@ async function migrateAction() {
   } else {
     newConf.workspaces = workspaces;
   }
-  await writeFile21(wmillYamlPath, import_yaml40.stringify(newConf), "utf-8");
+  await writeFile22(wmillYamlPath, import_yaml40.stringify(newConf), "utf-8");
   info(colors.green(`✅ Migrated '${legacyKey}' to 'workspaces' in ${wmillYamlPath}`));
   if (wsNames.length > 0) {
     info(`   Workspace entries: ${wsNames.join(", ")}`);
@@ -84472,8 +85169,36 @@ var config_default = command35;
 
 // src/main.ts
 await init_context();
-var VERSION = "1.681.0";
-var command36 = new Command().name("wmill").action(() => info(`Welcome to Windmill CLI ${VERSION}. Use -h for help.`)).description("Windmill CLI").globalOption("--workspace <workspace:string>", "Specify the target workspace. This overrides the default workspace.").globalOption("--debug --verbose", "Show debug/verbose logs").globalOption("--show-diffs", "Show diff informations when syncing (may show sensitive informations)").globalOption("--token <token:string>", "Specify an API token. This will override any stored token.").globalOption("--base-url <baseUrl:string>", "Specify the base URL of the API. If used, --token and --workspace are required and no local remote/workspace already set will be used.").globalOption("--config-dir <configDir:string>", "Specify a custom config directory. Overrides WMILL_CONFIG_DIR environment variable and default ~/.config location.").env("HEADERS <headers:string>", `Specify headers to use for all requests. e.g: "HEADERS='h1: v1, h2: v2'"`).version(VERSION).versionOption(false).command("init", init_default).command("app", app_default).command("flow", flow_default).command("script", script_default).command("workspace", workspace_default).command("resource", resource_default).command("resource-type", resource_type_default).command("user", user_default).command("variable", variable_default).command("hub", hub_default).command("folder", folder_default).command("schedule", schedule_default).command("trigger", trigger_default).command("dev", dev_default2).command("sync", sync_default).command("lint", lint_default).command("gitsync-settings", gitsync_settings_default).command("instance", instance_default).command("worker-groups", worker_groups_default).command("workers", workers_default).command("queues", queues_default).command("dependencies", dependencies_default).command("jobs", jobs_default).command("job", job_default).command("group", group_default).command("audit", audit_default).command("token", token_default).command("generate-metadata", generate_metadata_default).command("docs", docs_default).command("config", config_default).command("version --version", "Show version information").action(async (opts) => {
+var VERSION = "1.683.0";
+async function checkVersionSafe(cmd) {
+  const mainCommand = cmd.getMainCommand();
+  const upgradeCommand = mainCommand.getCommand("upgrade");
+  if (!upgradeCommand || typeof upgradeCommand.getLatestVersion !== "function" || typeof upgradeCommand.hasRequiredPermissions !== "function") {
+    return;
+  }
+  if (!await upgradeCommand.hasRequiredPermissions()) {
+    return;
+  }
+  const latestVersion = await upgradeCommand.getLatestVersion();
+  const currentVersion = mainCommand.getVersion();
+  if (!currentVersion || currentVersion === latestVersion) {
+    return;
+  }
+  mainCommand.version(`${currentVersion}  (New version available: ${latestVersion}. Run '${mainCommand.getName()} upgrade' to upgrade to the latest version!)`);
+}
+var command36 = new Command().name("wmill").action(() => info(`Welcome to Windmill CLI ${VERSION}. Use -h for help.`)).description("Windmill CLI").globalOption("--workspace <workspace:string>", "Specify the target workspace. This overrides the default workspace.").globalOption("--debug --verbose", "Show debug/verbose logs").globalOption("--show-diffs", "Show diff informations when syncing (may show sensitive informations)").globalOption("--token <token:string>", "Specify an API token. This will override any stored token.").globalOption("--base-url <baseUrl:string>", "Specify the base URL of the API. If used, --token and --workspace are required and no local remote/workspace already set will be used.").globalOption("--config-dir <configDir:string>", "Specify a custom config directory. Overrides WMILL_CONFIG_DIR environment variable and default ~/.config location.").env("HEADERS <headers:string>", `Specify headers to use for all requests. e.g: "HEADERS='h1: v1, h2: v2'"`).version(VERSION).versionOption(false).helpOption("-h, --help", "Show this help.", {
+  action: async function() {
+    const self2 = this;
+    const long = self2.getRawArgs().includes(`--${self2.getHelpOption()?.name}`);
+    try {
+      await checkVersionSafe(self2);
+    } catch (e) {
+      warn(`Skipping latest-version check: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    self2.showHelp({ long });
+    self2.exit();
+  }
+}).command("init", init_default).command("app", app_default).command("flow", flow_default).command("script", script_default).command("workspace", workspace_default).command("resource", resource_default).command("resource-type", resource_type_default).command("user", user_default).command("variable", variable_default).command("hub", hub_default).command("folder", folder_default).command("schedule", schedule_default).command("trigger", trigger_default).command("dev", dev_default2).command("sync", sync_default).command("lint", lint_default).command("gitsync-settings", gitsync_settings_default).command("instance", instance_default).command("worker-groups", worker_groups_default).command("workers", workers_default).command("queues", queues_default).command("dependencies", dependencies_default).command("jobs", jobs_default).command("job", job_default).command("group", group_default).command("audit", audit_default).command("token", token_default).command("generate-metadata", generate_metadata_default).command("docs", docs_default).command("config", config_default).command("version --version", "Show version information").action(async (opts) => {
   console.log("CLI version: " + VERSION);
   try {
     const provider2 = new NpmProvider({ package: "windmill-cli" });