fixing docker compose distribution

fixing audit finding
2026-03-26 15:39:07 -05:00 · 2026-03-26 14:05:53 -05:00 · 2026-03-26 14:04:57 -05:00 · 2026-03-26 12:26:23 -05:00 · 2026-03-26 08:46:18 -05:00 · 2026-03-26 07:40:07 -05:00
82 changed files with 15497 additions and 144 deletions
--- a/.gitea/workflows/publish.yml
+++ b/.gitea/workflows/publish.yml
@@ -20,6 +20,7 @@ on:
          - executor
          - notifier
          - agent
+          - docker-dist
          - web
        default: all
  push:
@@ -33,7 +34,9 @@ env:
  REGISTRY_HOST: ${{ vars.CLUSTER_GITEA_HOST }}
  REGISTRY_NAMESPACE: ${{ vars.CONTAINER_REGISTRY_NAMESPACE }}
  REGISTRY_PLAIN_HTTP: ${{ vars.CONTAINER_REGISTRY_INSECURE }}
-  ARTIFACT_REPOSITORY: attune-build-artifacts
+  REPOSITORY_NAME: attune
+  ARTIFACT_REPOSITORY: attune/build-artifacts
+  GNU_GLIBC_VERSION: "2.28"
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
@@ -133,9 +136,13 @@ jobs:
        include:
          - arch: amd64
            runner_label: build-amd64
+            service_rust_target: x86_64-unknown-linux-gnu
+            service_target: x86_64-unknown-linux-gnu.2.28
            musl_target: x86_64-unknown-linux-musl
          - arch: arm64
-            runner_label: build-arm64
+            runner_label: build-amd64
+            service_rust_target: aarch64-unknown-linux-gnu
+            service_target: aarch64-unknown-linux-gnu.2.28
            musl_target: aarch64-unknown-linux-musl
    steps:
      - name: Checkout
@@ -156,7 +163,9 @@ jobs:
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
-          targets: ${{ matrix.musl_target }}
+          targets: |
+            ${{ matrix.service_rust_target }}
+            ${{ matrix.musl_target }}

      - name: Cache Cargo registry + index
        uses: actions/cache@v4
@@ -184,22 +193,69 @@ jobs:
        run: |
          set -euo pipefail
          apt-get update
-          apt-get install -y pkg-config libssl-dev musl-tools file
+          apt-get install -y pkg-config libssl-dev file binutils python3 python3-pip
+
+      - name: Install Zig
+        shell: bash
+        run: |
+          set -euo pipefail
+          pip3 install --break-system-packages --no-cache-dir ziglang
+
+      - name: Install cargo-zigbuild
+        shell: bash
+        run: |
+          set -euo pipefail
+          if ! command -v cargo-zigbuild >/dev/null 2>&1; then
+            cargo install --locked cargo-zigbuild
+          fi

      - name: Build release binaries
        shell: bash
        run: |
          set -euo pipefail
-          cargo build --release \
+          cargo zigbuild --release \
+            --target "${{ matrix.service_target }}" \
            --bin attune-api \
            --bin attune-executor \
            --bin attune-notifier

+      - name: Verify minimum glibc requirement
+        shell: bash
+        run: |
+          set -euo pipefail
+          output_dir="target/${{ matrix.service_rust_target }}/release"
+
+          get_min_glibc() {
+            local file_path="$1"
+            readelf -W --version-info --dyn-syms "$file_path" \
+              | grep 'Name: GLIBC_' \
+              | sed -E 's/.*GLIBC_([0-9.]+).*/\1/' \
+              | sort -t . -k1,1n -k2,2n \
+              | tail -n 1
+          }
+
+          version_gt() {
+            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ] && [ "$1" != "$2" ]
+          }
+
+          for binary in attune-api attune-executor attune-notifier; do
+            min_glibc="$(get_min_glibc "${output_dir}/${binary}")"
+            if [ -z "${min_glibc}" ]; then
+              echo "Failed to determine glibc requirement for ${binary}"
+              exit 1
+            fi
+            echo "${binary} requires glibc ${min_glibc}"
+            if version_gt "${min_glibc}" "${GNU_GLIBC_VERSION}"; then
+              echo "Expected ${binary} to require glibc <= ${GNU_GLIBC_VERSION}, got ${min_glibc}"
+              exit 1
+            fi
+          done
+
      - name: Build static agent binaries
        shell: bash
        run: |
          set -euo pipefail
-          cargo build --release \
+          cargo zigbuild --release \
            --target "${{ matrix.musl_target }}" \
            --bin attune-agent \
            --bin attune-sensor-agent
@@ -210,11 +266,12 @@ jobs:
          set -euo pipefail

          bundle_root="dist/bundle/${{ matrix.arch }}"
+          service_output_dir="target/${{ matrix.service_rust_target }}/release"
          mkdir -p "$bundle_root/bin" "$bundle_root/agent"

-          cp target/release/attune-api "$bundle_root/bin/"
-          cp target/release/attune-executor "$bundle_root/bin/"
-          cp target/release/attune-notifier "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-api" "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-executor" "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-notifier" "$bundle_root/bin/"
          cp target/${{ matrix.musl_target }}/release/attune-agent "$bundle_root/agent/"
          cp target/${{ matrix.musl_target }}/release/attune-sensor-agent "$bundle_root/agent/"

@@ -263,16 +320,187 @@ jobs:
        run: |
          set -euo pipefail
          push_args=()
+          artifact_file="attune-binaries-${{ matrix.arch }}.tar.gz"

          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
            push_args+=(--plain-http)
          fi

+          cp "dist/${artifact_file}" "${artifact_file}"
+
          oras push \
            "${push_args[@]}" \
            "${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}" \
            --artifact-type application/vnd.attune.rust-binaries.v1 \
-            "dist/attune-binaries-${{ matrix.arch }}.tar.gz:application/vnd.attune.rust-binaries.layer.v1.tar+gzip"
+            "${artifact_file}:application/vnd.attune.rust-binaries.layer.v1.tar+gzip"
+
+      - name: Link binary bundle package to repository
+        shell: bash
+        env:
+          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+        run: |
+          set -euo pipefail
+          api_base="${{ github.server_url }}/api/v1"
+          package_name="${ARTIFACT_REPOSITORY}"
+          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
+
+          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
+            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
+
+          case "${status_code}" in
+            200|201|204|409)
+              ;;
+            400|404)
+              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
+              cat /tmp/package-link-response.txt
+              ;;
+            *)
+              cat /tmp/package-link-response.txt
+              exit 1
+              ;;
+          esac
+
+  publish-docker-dist:
+    name: Publish Docker Dist Bundle
+    runs-on: build-amd64
+    needs: metadata
+    if: |
+      github.event_name != 'workflow_dispatch' ||
+      inputs.target_image == 'all' ||
+      inputs.target_image == 'docker-dist'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build docker dist bundle
+        shell: bash
+        run: |
+          set -euo pipefail
+          bash scripts/package-docker-dist.sh docker/distributable artifacts/attune-docker-dist.tar.gz
+
+      - name: Upload docker dist archive
+        uses: actions/upload-artifact@v4
+        with:
+          name: attune-docker-dist-${{ needs.metadata.outputs.image_tag }}
+          path: artifacts/attune-docker-dist.tar.gz
+          if-no-files-found: error
+
+      - name: Attach docker dist archive to release
+        if: github.ref_type == 'tag'
+        shell: bash
+        env:
+          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${REGISTRY_USERNAME:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
+            echo "CONTAINER_REGISTRY_USERNAME and CONTAINER_REGISTRY_PASSWORD are required to attach the docker dist archive to a release"
+            exit 1
+          fi
+
+          api_base="${{ github.server_url }}/api/v1"
+          owner_repo="${{ github.repository }}"
+          tag_name="${{ github.ref_name }}"
+          archive_path="artifacts/attune-docker-dist.tar.gz"
+          asset_name="attune-docker-dist-${tag_name}.tar.gz"
+
+          release_response_file="$(mktemp)"
+          status_code="$(curl -sS -o "${release_response_file}" -w '%{http_code}' \
+            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+            "${api_base}/repos/${owner_repo}/releases/tags/${tag_name}")"
+
+          if [ "${status_code}" = "404" ]; then
+            create_payload="$(TAG_NAME="${tag_name}" python3 - <<'PY'
+            import json
+            import os
+
+            tag = os.environ["TAG_NAME"]
+            print(json.dumps({
+                "tag_name": tag,
+                "name": tag,
+                "draft": False,
+                "prerelease": "-" in tag,
+            }))
+            PY
+            )"
+
+            status_code="$(curl -sS -o "${release_response_file}" -w '%{http_code}' \
+              -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+              -H "Content-Type: application/json" \
+              -X POST \
+              -d "${create_payload}" \
+              "${api_base}/repos/${owner_repo}/releases")"
+          fi
+
+          case "${status_code}" in
+            200|201)
+              ;;
+            *)
+              echo "Failed to fetch or create release for tag ${tag_name}"
+              cat "${release_response_file}"
+              exit 1
+              ;;
+          esac
+
+          release_id="$(python3 - "${release_response_file}" <<'PY'
+          import json
+          import sys
+
+          with open(sys.argv[1], "r", encoding="utf-8") as fh:
+              data = json.load(fh)
+          print(data["id"])
+          PY
+          )"
+
+          existing_asset_id="$(python3 - "${release_response_file}" "${asset_name}" <<'PY'
+          import json
+          import sys
+
+          with open(sys.argv[1], "r", encoding="utf-8") as fh:
+              data = json.load(fh)
+          name = sys.argv[2]
+          for asset in data.get("assets", []):
+              if asset.get("name") == name:
+                  print(asset["id"])
+                  break
+          PY
+          )"
+
+          if [ -n "${existing_asset_id}" ]; then
+            curl -sS \
+              -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+              -X DELETE \
+              "${api_base}/repos/${owner_repo}/releases/${release_id}/assets/${existing_asset_id}" \
+              >/dev/null
+          fi
+
+          encoded_asset_name="$(ASSET_NAME="${asset_name}" python3 - <<'PY'
+          import os
+          import urllib.parse
+
+          print(urllib.parse.quote(os.environ["ASSET_NAME"], safe=""))
+          PY
+          )"
+
+          upload_response_file="$(mktemp)"
+          status_code="$(curl -sS -o "${upload_response_file}" -w '%{http_code}' \
+            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+            -H "Content-Type: application/gzip" \
+            --data-binary "@${archive_path}" \
+            "${api_base}/repos/${owner_repo}/releases/${release_id}/assets?name=${encoded_asset_name}")"
+
+          case "${status_code}" in
+            201)
+              ;;
+            *)
+              echo "Failed to upload release asset ${asset_name}"
+              cat "${upload_response_file}"
+              exit 1
+              ;;
+          esac

  publish-rust-images:
    name: Publish ${{ matrix.image.name }} (${{ matrix.arch }})
@@ -296,7 +524,7 @@ jobs:
            platform: linux/amd64
            image:
              name: api
-              repository: attune-api
+              repository: attune/api
              source_path: bin/attune-api
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -304,7 +532,7 @@ jobs:
            platform: linux/amd64
            image:
              name: executor
-              repository: attune-executor
+              repository: attune/executor
              source_path: bin/attune-executor
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -312,7 +540,7 @@ jobs:
            platform: linux/amd64
            image:
              name: notifier
-              repository: attune-notifier
+              repository: attune/notifier
              source_path: bin/attune-notifier
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -320,7 +548,7 @@ jobs:
            platform: linux/amd64
            image:
              name: agent
-              repository: attune-agent
+              repository: attune/agent
              source_path: agent/attune-agent
              dockerfile: docker/Dockerfile.agent-package
          - arch: arm64
@@ -328,7 +556,7 @@ jobs:
            platform: linux/arm64
            image:
              name: api
-              repository: attune-api
+              repository: attune/api
              source_path: bin/attune-api
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -336,7 +564,7 @@ jobs:
            platform: linux/arm64
            image:
              name: executor
-              repository: attune-executor
+              repository: attune/executor
              source_path: bin/attune-executor
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -344,7 +572,7 @@ jobs:
            platform: linux/arm64
            image:
              name: notifier
-              repository: attune-notifier
+              repository: attune/notifier
              source_path: bin/attune-notifier
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -352,7 +580,7 @@ jobs:
            platform: linux/arm64
            image:
              name: agent
-              repository: attune-agent
+              repository: attune/agent
              source_path: agent/attune-agent
              dockerfile: docker/Dockerfile.agent-package
    steps:
@@ -419,17 +647,23 @@ jobs:
        run: |
          set -euo pipefail
          pull_args=()
+          artifact_ref="${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"

          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
            pull_args+=(--plain-http)
          fi

+          echo "Pulling binary bundle artifact"
+          echo "  ref: ${artifact_ref}"
+          echo "  arch: ${{ matrix.arch }}"
+          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
+
          mkdir -p dist/artifact
          cd dist/artifact

          oras pull \
            "${pull_args[@]}" \
-            "${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
+            "${artifact_ref}"

          tar -xzf "attune-binaries-${{ matrix.arch }}.tar.gz"

@@ -440,6 +674,12 @@ jobs:
          rm -rf dist/image
          mkdir -p dist/image

+          echo "Preparing packaging context"
+          echo "  image: ${{ matrix.image.name }}"
+          echo "  repository: ${{ matrix.image.repository }}"
+          echo "  source_path: ${{ matrix.image.source_path }}"
+          echo "  dockerfile: ${{ matrix.image.dockerfile }}"
+
          case "${{ matrix.image.name }}" in
            api|executor|notifier)
              cp "dist/artifact/${{ matrix.image.source_path }}" dist/attune-service-binary
@@ -459,6 +699,29 @@ jobs:
        run: |
          set -euo pipefail

+          run_with_retries() {
+            local max_attempts="$1"
+            local delay_seconds="$2"
+            shift 2
+
+            local attempt=1
+            while true; do
+              if "$@"; then
+                return 0
+              fi
+
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "Command failed after ${attempt} attempts: $*"
+                return 1
+              fi
+
+              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
+              echo "Retrying in ${delay_seconds}s..."
+              sleep "$delay_seconds"
+              attempt=$((attempt + 1))
+            done
+          }
+
          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/${{ matrix.image.repository }}:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"

          build_cmd=(
@@ -474,7 +737,43 @@ jobs:
            build_cmd+=(--tag "$image_ref" --push)
          fi

-          "${build_cmd[@]}"
+          echo "Publishing architecture image"
+          echo "  image: ${{ matrix.image.name }}"
+          echo "  repository: ${{ matrix.image.repository }}"
+          echo "  platform: ${{ matrix.platform }}"
+          echo "  dockerfile: ${{ matrix.image.dockerfile }}"
+          echo "  destination: ${image_ref}"
+          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
+
+          run_with_retries 3 5 "${build_cmd[@]}"
+
+      - name: Link container package to repository
+        shell: bash
+        env:
+          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+        run: |
+          set -euo pipefail
+          api_base="${{ github.server_url }}/api/v1"
+          package_name="${{ matrix.image.repository }}"
+          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
+
+          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
+            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
+
+          case "${status_code}" in
+            200|201|204|409)
+              ;;
+            400|404)
+              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
+              cat /tmp/package-link-response.txt
+              ;;
+            *)
+              cat /tmp/package-link-response.txt
+              exit 1
+              ;;
+          esac

  publish-web-images:
    name: Publish web (${{ matrix.arch }})
@@ -548,13 +847,38 @@ jobs:
        run: |
          set -euo pipefail

-          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/attune-web:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
+          run_with_retries() {
+            local max_attempts="$1"
+            local delay_seconds="$2"
+            shift 2
+
+            local attempt=1
+            while true; do
+              if "$@"; then
+                return 0
+              fi
+
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "Command failed after ${attempt} attempts: $*"
+                return 1
+              fi
+
+              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
+              echo "Retrying in ${delay_seconds}s..."
+              sleep "$delay_seconds"
+              attempt=$((attempt + 1))
+            done
+          }
+
+          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/attune/web:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"

          build_cmd=(
            docker buildx build
            .
            --platform "${{ matrix.platform }}"
            --file docker/Dockerfile.web
+            --provenance=false
+            --sbom=false
          )

          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
@@ -563,7 +887,43 @@ jobs:
            build_cmd+=(--tag "$image_ref" --push)
          fi

-          "${build_cmd[@]}"
+          echo "Publishing architecture image"
+          echo "  image: web"
+          echo "  repository: attune/web"
+          echo "  platform: ${{ matrix.platform }}"
+          echo "  dockerfile: docker/Dockerfile.web"
+          echo "  destination: ${image_ref}"
+          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
+
+          run_with_retries 3 5 "${build_cmd[@]}"
+
+      - name: Link web container package to repository
+        shell: bash
+        env:
+          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+        run: |
+          set -euo pipefail
+          api_base="${{ github.server_url }}/api/v1"
+          package_name="attune/web"
+          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
+
+          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
+            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
+            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
+
+          case "${status_code}" in
+            200|201|204|409)
+              ;;
+            400|404)
+              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
+              cat /tmp/package-link-response.txt
+              ;;
+            *)
+              cat /tmp/package-link-response.txt
+              exit 1
+              ;;
+          esac

  publish-manifests:
    name: Publish manifest ${{ matrix.repository }}
@@ -579,12 +939,25 @@ jobs:
      fail-fast: false
      matrix:
        repository:
-          - attune-api
-          - attune-executor
-          - attune-notifier
-          - attune-agent
-          - attune-web
+          - attune/api
+          - attune/executor
+          - attune/notifier
+          - attune/agent
+          - attune/web
    steps:
+      - name: Setup Docker Buildx
+        if: needs.metadata.outputs.registry_plain_http != 'true'
+        uses: docker/setup-buildx-action@v3
+
+      - name: Setup Docker Buildx For Plain HTTP Registry
+        if: needs.metadata.outputs.registry_plain_http == 'true'
+        uses: docker/setup-buildx-action@v3
+        with:
+          buildkitd-config-inline: |
+            [registry."${{ needs.metadata.outputs.registry }}"]
+              http = true
+              insecure = true
+
      - name: Configure OCI registry auth
        shell: bash
        env:
@@ -619,10 +992,35 @@ jobs:
        run: |
          set -euo pipefail

+          run_with_retries() {
+            local max_attempts="$1"
+            local delay_seconds="$2"
+            shift 2
+
+            local attempt=1
+            while true; do
+              if "$@"; then
+                return 0
+              fi
+
+              if [ "$attempt" -ge "$max_attempts" ]; then
+                echo "Command failed after ${attempt} attempts: $*"
+                return 1
+              fi
+
+              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
+              echo "Retrying in ${delay_seconds}s..."
+              sleep "$delay_seconds"
+              attempt=$((attempt + 1))
+            done
+          }
+
          image_base="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/${{ matrix.repository }}"
+          create_args=()
          push_args=()

          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
+            create_args+=(--insecure)
            push_args+=(--insecure)
          fi

@@ -632,9 +1030,33 @@ jobs:
            amd64_ref="${image_base}:${{ needs.metadata.outputs.image_tag }}-amd64"
            arm64_ref="${image_base}:${{ needs.metadata.outputs.image_tag }}-arm64"

-            docker manifest rm "$manifest_ref" >/dev/null 2>&1 || true
-            docker manifest create "$manifest_ref" "$amd64_ref" "$arm64_ref"
-            docker manifest annotate "$manifest_ref" "$amd64_ref" --os linux --arch amd64
-            docker manifest annotate "$manifest_ref" "$arm64_ref" --os linux --arch arm64
-            docker manifest push "${push_args[@]}" "$manifest_ref"
+            if [ "${{ matrix.repository }}" = "attune/web" ]; then
+              echo "Publishing multi-arch manifest with docker manifest"
+              echo "  repository: ${{ matrix.repository }}"
+              echo "  manifest_tag: ${tag}"
+              echo "  manifest_ref: ${manifest_ref}"
+              echo "  source_amd64: ${amd64_ref}"
+              echo "  source_arm64: ${arm64_ref}"
+              echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
+              docker manifest rm "$manifest_ref" >/dev/null 2>&1 || true
+              run_with_retries 3 5 \
+                docker manifest create "${create_args[@]}" "$manifest_ref" "$amd64_ref" "$arm64_ref"
+              docker manifest annotate "$manifest_ref" "$amd64_ref" --os linux --arch amd64
+              docker manifest annotate "$manifest_ref" "$arm64_ref" --os linux --arch arm64
+              run_with_retries 3 5 \
+                docker manifest push "${push_args[@]}" "$manifest_ref"
+            else
+              echo "Publishing multi-arch manifest with buildx imagetools"
+              echo "  repository: ${{ matrix.repository }}"
+              echo "  manifest_tag: ${tag}"
+              echo "  manifest_ref: ${manifest_ref}"
+              echo "  source_amd64: ${amd64_ref}"
+              echo "  source_arm64: ${arm64_ref}"
+              echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
+              run_with_retries 3 5 \
+                docker buildx imagetools create \
+                --tag "$manifest_ref" \
+                "$amd64_ref" \
+                "$arm64_ref"
+            fi
          done
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ target/
 # Configuration files (keep *.example.yaml)
 config.yaml
 config.*.yaml
+!docker/distributable/config.docker.yaml
 !config.example.yaml
 !config.development.yaml
 !config.test.yaml
@@ -35,6 +36,7 @@ logs/
 # Build artifacts
 dist/
 build/
+artifacts/

 # Testing
 coverage/
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2150,21 +2150,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"

-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -3065,15 +3050,17 @@ dependencies = [
 "futures-util",
 "lber",
 "log",
- "native-tls",
 "nom 7.1.3",
 "percent-encoding",
+ "rustls",
+ "rustls-native-certs",
 "thiserror 2.0.18",
 "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
 "tokio-stream",
 "tokio-util",
 "url",
+ "x509-parser",
 ]

 [[package]]
@@ -3314,23 +3301,6 @@ dependencies = [
 "version_check",
 ]

-[[package]]
-name = "native-tls"
-version = "0.2.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3576,50 +3546,12 @@ dependencies = [
 "url",
 ]

-[[package]]
-name = "openssl"
-version = "0.10.76"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
-dependencies = [
- "bitflags",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"

-[[package]]
-name = "openssl-sys"
-version = "0.9.112"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
-dependencies = [
- "cc",
- "libc",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@@ -4642,6 +4574,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
 "aws-lc-rs",
+ "log",
 "once_cell",
 "ring",
 "rustls-pki-types",
@@ -5698,16 +5631,6 @@ dependencies = [
 "syn",
 ]

-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.26.4"
@@ -5749,9 +5672,11 @@ checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857"
 dependencies = [
 "futures-util",
 "log",
- "native-tls",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
 "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
 "tungstenite",
 ]

@@ -5938,8 +5863,9 @@ dependencies = [
 "http",
 "httparse",
 "log",
- "native-tls",
 "rand 0.9.2",
+ "rustls",
+ "rustls-pki-types",
 "sha1",
 "thiserror 2.0.18",
 "utf-8",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -101,7 +101,7 @@ tar = "0.4"
 flate2 = "1.1"

 # WebSocket client
-tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.28", features = ["rustls-tls-native-roots"] }

 # URL parsing
 url = "2.5"
--- a/20
+++ b/20
@@ -238,22 +238,24 @@ docker-build-web:
 	docker compose build web

 # Agent binary (statically-linked for injection into any container)
+AGENT_RUST_TARGET ?= x86_64-unknown-linux-musl
+
 build-agent:
 	@echo "Installing musl target (if not already installed)..."
-	rustup target add x86_64-unknown-linux-musl 2>/dev/null || true
+	rustup target add $(AGENT_RUST_TARGET) 2>/dev/null || true
 	@echo "Building statically-linked worker and sensor agent binaries..."
-	SQLX_OFFLINE=true cargo build --release --target x86_64-unknown-linux-musl --bin attune-agent --bin attune-sensor-agent
-	strip target/x86_64-unknown-linux-musl/release/attune-agent
-	strip target/x86_64-unknown-linux-musl/release/attune-sensor-agent
+	SQLX_OFFLINE=true cargo build --release --target $(AGENT_RUST_TARGET) --bin attune-agent --bin attune-sensor-agent
+	strip target/$(AGENT_RUST_TARGET)/release/attune-agent
+	strip target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent
 	@echo "✅ Agent binaries built:"
-	@echo "   - target/x86_64-unknown-linux-musl/release/attune-agent"
-	@echo "   - target/x86_64-unknown-linux-musl/release/attune-sensor-agent"
-	@ls -lh target/x86_64-unknown-linux-musl/release/attune-agent
-	@ls -lh target/x86_64-unknown-linux-musl/release/attune-sensor-agent
+	@echo "   - target/$(AGENT_RUST_TARGET)/release/attune-agent"
+	@echo "   - target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent"
+	@ls -lh target/$(AGENT_RUST_TARGET)/release/attune-agent
+	@ls -lh target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent

 docker-build-agent:
 	@echo "Building agent Docker image (statically-linked binary)..."
-	DOCKER_BUILDKIT=1 docker buildx build --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
+	DOCKER_BUILDKIT=1 docker buildx build --build-arg RUST_TARGET=$(AGENT_RUST_TARGET) --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
 	@echo "✅ Agent image built: attune-agent:latest"

 run-agent:
--- a/crates/api/Cargo.toml
+++ b/crates/api/Cargo.toml
@@ -70,7 +70,7 @@ jsonschema = { workspace = true }
 # HTTP client
 reqwest = { workspace = true }
 openidconnect = "4.0"
-ldap3 = "0.12"
+ldap3 = { version = "0.12", default-features = false, features = ["sync", "tls-rustls-ring"] }
 url = { workspace = true }

 # Archive/compression
--- a/crates/common/src/repositories/runtime.rs
+++ b/crates/common/src/repositories/runtime.rs
@@ -237,7 +237,7 @@ impl Update for RuntimeRepository {

        query.push(", updated = NOW() WHERE id = ");
        query.push_bind(id);
-        query.push(&format!(" RETURNING {}", SELECT_COLUMNS));
+        query.push(format!(" RETURNING {}", SELECT_COLUMNS));

        let runtime = query
            .build_query_as::<Runtime>()
--- a/crates/worker/src/registration.rs
+++ b/crates/worker/src/registration.rs
@@ -452,7 +452,7 @@ mod tests {
    #[test]
    fn test_detected_runtimes_json_structure() {
        // Test the JSON structure that set_detected_runtimes builds
-        let runtimes = vec![
+        let runtimes = [
            DetectedRuntime {
                name: "python".to_string(),
                path: "/usr/bin/python3".to_string(),
--- a/docker/Dockerfile.agent
+++ b/docker/Dockerfile.agent
@@ -28,12 +28,15 @@

 ARG RUST_VERSION=1.92
 ARG DEBIAN_VERSION=bookworm
+ARG RUST_TARGET=x86_64-unknown-linux-musl

 # ============================================================================
 # Stage 1: Builder - Cross-compile a statically-linked binary with musl
 # ============================================================================
 FROM rust:${RUST_VERSION}-${DEBIAN_VERSION} AS builder

+ARG RUST_TARGET
+
 # Install musl toolchain for static linking
 RUN apt-get update && apt-get install -y \
    musl-tools \
@@ -42,8 +45,8 @@ RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

-# Add the musl target for fully static binaries
-RUN rustup target add x86_64-unknown-linux-musl
+# Add the requested musl target for fully static binaries
+RUN rustup target add ${RUST_TARGET}

 WORKDIR /build

@@ -104,9 +107,9 @@ COPY crates/ ./crates/
 RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=shared \
    --mount=type=cache,target=/usr/local/cargo/git,sharing=shared \
    --mount=type=cache,id=agent-target,target=/build/target,sharing=locked \
-    cargo build --release --target x86_64-unknown-linux-musl --bin attune-agent --bin attune-sensor-agent && \
-    cp /build/target/x86_64-unknown-linux-musl/release/attune-agent /build/attune-agent && \
-    cp /build/target/x86_64-unknown-linux-musl/release/attune-sensor-agent /build/attune-sensor-agent
+    cargo build --release --target ${RUST_TARGET} --bin attune-agent --bin attune-sensor-agent && \
+    cp /build/target/${RUST_TARGET}/release/attune-agent /build/attune-agent && \
+    cp /build/target/${RUST_TARGET}/release/attune-sensor-agent /build/attune-sensor-agent

 # Strip the binaries to minimize size
 RUN strip /build/attune-agent && strip /build/attune-sensor-agent
--- a/docker/distributable/README.md
+++ b/docker/distributable/README.md
@@ -0,0 +1,64 @@
+# Attune Docker Dist Bundle
+
+This directory is a distributable Docker bundle built from the main workspace compose setup.
+
+It is designed to run Attune without building the Rust services locally:
+
+- `api`, `executor`, `notifier`, `agent`, and `web` pull published images
+- database bootstrap, user bootstrap, and pack loading run from local scripts shipped in this bundle
+- workers and sensor still use stock runtime images plus the published injected agent binaries
+
+## Registry Defaults
+
+The compose file defaults to:
+
+- registry: `git.rdrx.app/attune-system`
+- tag: `latest`
+
+Override them with env vars:
+
+```bash
+export ATTUNE_IMAGE_REGISTRY=git.rdrx.app/attune-system
+export ATTUNE_IMAGE_TAG=latest
+```
+
+If the registry requires auth:
+
+```bash
+docker login git.rdrx.app
+```
+
+## Run
+
+From this directory:
+
+```bash
+docker compose up -d
+```
+
+Or with an explicit tag:
+
+```bash
+ATTUNE_IMAGE_TAG=sha-xxxxxxxxxxxx docker compose up -d
+```
+
+## Rebuild Bundle
+
+Refresh this bundle and create a tarball from the workspace root:
+
+```bash
+bash scripts/package-docker-dist.sh
+```
+
+## Included Assets
+
+- `docker-compose.yaml` - published-image compose stack
+- `config.docker.yaml` - container config mounted into services
+- `docker/` - init scripts and SQL helpers
+- `migrations/` - schema migrations for the bootstrap job
+- `packs/core/` - builtin core pack content
+- `scripts/load_core_pack.py` - pack loader used by `init-packs`
+
+## Current Limitation
+
+The publish workflow does not currently publish dedicated worker or sensor runtime images. This bundle therefore keeps using stock runtime images with the published `attune/agent` image for injection.
--- a/docker/distributable/config.docker.yaml
+++ b/docker/distributable/config.docker.yaml
@@ -0,0 +1,159 @@
+# Attune Docker Environment Configuration
+# This file overrides base config.yaml settings for Docker deployments
+
+environment: docker
+
+# Docker database (PostgreSQL container)
+database:
+  url: postgresql://attune:attune@postgres:5432/attune
+  max_connections: 20
+  min_connections: 5
+  acquire_timeout: 30
+  idle_timeout: 600
+  max_lifetime: 1800
+  log_statements: false
+  schema: "attune"
+
+# Docker message queue (RabbitMQ container)
+message_queue:
+  url: amqp://attune:attune@rabbitmq:5672
+  connection_timeout: 30
+  heartbeat: 60
+  prefetch_count: 10
+  rabbitmq:
+    worker_queue_ttl_ms: 300000 # 5 minutes - expire unprocessed executions
+    dead_letter:
+      enabled: true
+      exchange: attune.dlx
+      ttl_ms: 86400000 # 24 hours - retain DLQ messages for debugging
+
+# Docker cache (Redis container - optional)
+cache:
+  enabled: true
+  url: redis://redis:6379
+  connection_timeout: 5
+  default_ttl: 3600
+
+# API server configuration
+server:
+  host: 0.0.0.0
+  port: 8080
+  cors_origins:
+    - http://localhost
+    - http://localhost:3000
+    - http://localhost:3001
+    - http://localhost:3002
+    - http://localhost:5173
+    - http://127.0.0.1:3000
+    - http://127.0.0.1:3001
+    - http://127.0.0.1:3002
+    - http://127.0.0.1:5173
+    - http://web
+  request_timeout: 60
+  max_request_size: 10485760 # 10MB
+
+# Logging configuration
+log:
+  level: info
+  format: json # Structured logs for container environments
+  console: true
+
+# Security settings (MUST override via environment variables in production)
+security:
+  jwt_secret: ${JWT_SECRET}
+  jwt_access_expiration: 3600 # 1 hour
+  jwt_refresh_expiration: 604800 # 7 days
+  encryption_key: ${ENCRYPTION_KEY}
+  enable_auth: true
+  allow_self_registration: false
+  login_page:
+    show_local_login: true
+    show_oidc_login: true
+  oidc:
+    # example local dev
+    enabled: false
+    discovery_url: https://my.sso.provider.com/.well-known/openid-configuration
+    client_id: 31d194737840d32bd3afe6474826976bae346d77247a158c4dc43887278eb605
+    client_secret: xL2C9WOC8shZ2QrZs9VFa10JK1Ob95xcMtZU3N86H1Pz0my5
+    provider_name: my-sso-provider
+    provider_label: My SSO Provider
+    provider_icon_url: https://my.sso.provider.com/favicon.ico
+    redirect_uri: http://localhost:3000/auth/callback
+    post_logout_redirect_uri: http://localhost:3000/login
+    scopes:
+      - groups
+
+# Packs directory (mounted volume in containers)
+packs_base_dir: /opt/attune/packs
+
+# Runtime environments directory (isolated envs like virtualenvs, node_modules).
+# Kept separate from packs so pack directories remain clean and read-only.
+# Pattern: {runtime_envs_dir}/{pack_ref}/{runtime_name}
+runtime_envs_dir: /opt/attune/runtime_envs
+
+# Artifacts directory (shared volume for file-based artifact storage).
+# File-type artifacts are written here by execution processes and served by the API.
+# Pattern: {artifacts_dir}/{ref_slug}/v{version}.{ext}
+artifacts_dir: /opt/attune/artifacts
+
+# Executor service configuration
+executor:
+  service_name: attune-executor
+  max_concurrent_executions: 50
+  heartbeat_interval: 30
+  task_timeout: 300
+  cleanup_interval: 120
+  scheduling_interval: 5
+  retry_max_attempts: 3
+  retry_backoff_multiplier: 2.0
+  retry_backoff_max: 300
+  scheduled_timeout: 300 # 5 minutes - fail executions stuck in SCHEDULED
+  timeout_check_interval: 60 # Check every minute for stale executions
+  enable_timeout_monitor: true
+
+# Worker service configuration
+worker:
+  service_name: attune-worker
+  worker_type: container
+  max_concurrent_tasks: 20
+  heartbeat_interval: 10 # Reduced from 30s for faster stale detection (staleness = 30s)
+  task_timeout: 300
+  cleanup_interval: 120
+  work_dir: /tmp/attune-worker
+  python:
+    executable: python3
+    venv_dir: /tmp/attune-worker/venvs
+    requirements_timeout: 300
+  nodejs:
+    executable: node
+    npm_executable: npm
+    modules_dir: /tmp/attune-worker/node_modules
+    install_timeout: 300
+  shell:
+    executable: /bin/bash
+    allowed_shells:
+      - /bin/bash
+      - /bin/sh
+
+# Sensor service configuration
+sensor:
+  service_name: attune-sensor
+  heartbeat_interval: 10 # Reduced from 30s for faster stale detection
+  max_concurrent_sensors: 50
+  sensor_timeout: 300
+  polling_interval: 10
+  cleanup_interval: 120
+
+# Notifier service configuration
+notifier:
+  service_name: attune-notifier
+  websocket_host: 0.0.0.0
+  websocket_port: 8081
+  heartbeat_interval: 30
+  connection_timeout: 60
+  max_connections: 1000
+  message_buffer_size: 10000
+
+# Agent binary distribution (serves the agent binary via API for remote downloads)
+agent:
+  binary_dir: /opt/attune/agent
--- a/docker/distributable/docker-compose.yaml
+++ b/docker/distributable/docker-compose.yaml
@@ -0,0 +1,581 @@
+name: attune
+
+services:
+  postgres:
+    image: timescale/timescaledb:2.17.2-pg16
+    container_name: attune-postgres
+    environment:
+      POSTGRES_USER: attune
+      POSTGRES_PASSWORD: attune
+      POSTGRES_DB: attune
+      PGDATA: /var/lib/postgresql/data/pgdata
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U attune"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  migrations:
+    image: postgres:16-alpine
+    container_name: attune-migrations
+    volumes:
+      - ./migrations:/migrations:ro
+      - ./docker/run-migrations.sh:/run-migrations.sh:ro
+      - ./docker/init-roles.sql:/docker/init-roles.sql:ro
+    environment:
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_USER: attune
+      DB_PASSWORD: attune
+      DB_NAME: attune
+      MIGRATIONS_DIR: /migrations
+    command: ["/bin/sh", "/run-migrations.sh"]
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - attune-network
+    restart: on-failure
+
+  init-user:
+    image: postgres:16-alpine
+    container_name: attune-init-user
+    volumes:
+      - ./docker/init-user.sh:/init-user.sh:ro
+    environment:
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_USER: attune
+      DB_PASSWORD: attune
+      DB_NAME: attune
+      DB_SCHEMA: public
+      TEST_LOGIN: ${ATTUNE_TEST_LOGIN:-test@attune.local}
+      TEST_PASSWORD: ${ATTUNE_TEST_PASSWORD:-TestPass123!}
+      TEST_DISPLAY_NAME: ${ATTUNE_TEST_DISPLAY_NAME:-Test User}
+    command: ["/bin/sh", "/init-user.sh"]
+    depends_on:
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+    networks:
+      - attune-network
+    restart: on-failure
+
+  init-packs:
+    image: python:3.11-slim
+    container_name: attune-init-packs
+    volumes:
+      - ./packs:/source/packs:ro
+      - ./scripts/load_core_pack.py:/scripts/load_core_pack.py:ro
+      - ./docker/init-packs.sh:/init-packs.sh:ro
+      - packs_data:/opt/attune/packs
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+    environment:
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_USER: attune
+      DB_PASSWORD: attune
+      DB_NAME: attune
+      DB_SCHEMA: public
+      SOURCE_PACKS_DIR: /source/packs
+      TARGET_PACKS_DIR: /opt/attune/packs
+      LOADER_SCRIPT: /scripts/load_core_pack.py
+      DEFAULT_ADMIN_LOGIN: ${ATTUNE_TEST_LOGIN:-test@attune.local}
+      DEFAULT_ADMIN_PERMISSION_SET_REF: core.admin
+    command: ["/bin/sh", "/init-packs.sh"]
+    depends_on:
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+    networks:
+      - attune-network
+    restart: on-failure
+    entrypoint: ""
+
+  init-agent:
+    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/agent:${ATTUNE_IMAGE_TAG:-latest}
+    container_name: attune-init-agent
+    volumes:
+      - agent_bin:/opt/attune/agent
+    entrypoint:
+      [
+        "/bin/sh",
+        "-c",
+        "cp /usr/local/bin/attune-agent /opt/attune/agent/attune-agent && cp /usr/local/bin/attune-sensor-agent /opt/attune/agent/attune-sensor-agent && chmod +x /opt/attune/agent/attune-agent /opt/attune/agent/attune-sensor-agent && /usr/local/bin/attune-agent --version > /opt/attune/agent/attune-agent.version && /usr/local/bin/attune-sensor-agent --version > /opt/attune/agent/attune-sensor-agent.version && echo 'Agent binaries copied successfully'",
+      ]
+    restart: "no"
+    networks:
+      - attune-network
+
+  rabbitmq:
+    image: rabbitmq:3.13-management-alpine
+    container_name: attune-rabbitmq
+    environment:
+      RABBITMQ_DEFAULT_USER: attune
+      RABBITMQ_DEFAULT_PASS: attune
+      RABBITMQ_DEFAULT_VHOST: /
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  redis:
+    image: redis:7-alpine
+    container_name: attune-redis
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - attune-network
+    restart: unless-stopped
+    command: redis-server --appendonly yes
+
+  api:
+    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/api:${ATTUNE_IMAGE_TAG:-latest}
+    container_name: attune-api
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE__CACHE__URL: redis://redis:6379
+      ATTUNE__WORKER__WORKER_TYPE: container
+    ports:
+      - "8080:8080"
+    volumes:
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:rw
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+      - api_logs:/opt/attune/logs
+      - agent_bin:/opt/attune/agent:ro
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  executor:
+    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/executor:${ATTUNE_IMAGE_TAG:-latest}
+    container_name: attune-executor
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE__CACHE__URL: redis://redis:6379
+      ATTUNE__WORKER__WORKER_TYPE: container
+    volumes:
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:ro
+      - artifacts_data:/opt/attune/artifacts:ro
+      - executor_logs:/opt/attune/logs
+    depends_on:
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "kill -0 1 || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  worker-shell:
+    image: debian:bookworm-slim
+    container_name: attune-worker-shell
+    entrypoint: ["/opt/attune/agent/attune-agent"]
+    stop_grace_period: 45s
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE_WORKER_TYPE: container
+      ATTUNE_WORKER_NAME: worker-shell-01
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE_API_URL: http://attune-api:8080
+    volumes:
+      - agent_bin:/opt/attune/agent:ro
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:ro
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+      - worker_shell_logs:/opt/attune/logs
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  worker-python:
+    image: python:3.12-slim
+    container_name: attune-worker-python
+    entrypoint: ["/opt/attune/agent/attune-agent"]
+    stop_grace_period: 45s
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE_WORKER_TYPE: container
+      ATTUNE_WORKER_NAME: worker-python-01
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE_API_URL: http://attune-api:8080
+    volumes:
+      - agent_bin:/opt/attune/agent:ro
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:ro
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+      - worker_python_logs:/opt/attune/logs
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  worker-node:
+    image: node:22-slim
+    container_name: attune-worker-node
+    entrypoint: ["/opt/attune/agent/attune-agent"]
+    stop_grace_period: 45s
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE_WORKER_TYPE: container
+      ATTUNE_WORKER_NAME: worker-node-01
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE_API_URL: http://attune-api:8080
+    volumes:
+      - agent_bin:/opt/attune/agent:ro
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:ro
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+      - worker_node_logs:/opt/attune/logs
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  worker-full:
+    image: nikolaik/python-nodejs:python3.12-nodejs22-slim
+    container_name: attune-worker-full
+    entrypoint: ["/opt/attune/agent/attune-agent"]
+    stop_grace_period: 45s
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE_WORKER_RUNTIMES: shell,python,node,native
+      ATTUNE_WORKER_TYPE: container
+      ATTUNE_WORKER_NAME: worker-full-01
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE_API_URL: http://attune-api:8080
+    volumes:
+      - agent_bin:/opt/attune/agent:ro
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:ro
+      - runtime_envs:/opt/attune/runtime_envs
+      - artifacts_data:/opt/attune/artifacts
+      - worker_full_logs:/opt/attune/logs
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  sensor:
+    image: nikolaik/python-nodejs:python3.12-nodejs22-slim
+    container_name: attune-sensor
+    entrypoint: ["/opt/attune/agent/attune-sensor-agent"]
+    stop_grace_period: 45s
+    environment:
+      RUST_LOG: debug
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE_SENSOR_RUNTIMES: shell,python,node,native
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE__WORKER__WORKER_TYPE: container
+      ATTUNE_API_URL: http://attune-api:8080
+      ATTUNE_MQ_URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE_PACKS_BASE_DIR: /opt/attune/packs
+    volumes:
+      - agent_bin:/opt/attune/agent:ro
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - packs_data:/opt/attune/packs:rw
+      - runtime_envs:/opt/attune/runtime_envs
+      - sensor_logs:/opt/attune/logs
+    depends_on:
+      init-agent:
+        condition: service_completed_successfully
+      init-packs:
+        condition: service_completed_successfully
+      init-user:
+        condition: service_completed_successfully
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "kill -0 1 || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  notifier:
+    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/notifier:${ATTUNE_IMAGE_TAG:-latest}
+    container_name: attune-notifier
+    environment:
+      RUST_LOG: info
+      ATTUNE_CONFIG: /opt/attune/config/config.yaml
+      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
+      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
+      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
+      ATTUNE__DATABASE__SCHEMA: public
+      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
+      ATTUNE__WORKER__WORKER_TYPE: container
+    ports:
+      - "8081:8081"
+    volumes:
+      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
+      - notifier_logs:/opt/attune/logs
+    depends_on:
+      migrations:
+        condition: service_completed_successfully
+      postgres:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8081/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+  web:
+    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/web:${ATTUNE_IMAGE_TAG:-latest}
+    container_name: attune-web
+    environment:
+      API_URL: ${API_URL:-http://localhost:8080}
+      WS_URL: ${WS_URL:-ws://localhost:8081}
+      ENVIRONMENT: docker
+    ports:
+      - "3000:80"
+    depends_on:
+      api:
+        condition: service_healthy
+      notifier:
+        condition: service_healthy
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "wget",
+          "--no-verbose",
+          "--tries=1",
+          "--spider",
+          "http://localhost/health",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    networks:
+      - attune-network
+    restart: unless-stopped
+
+volumes:
+  postgres_data:
+    driver: local
+  rabbitmq_data:
+    driver: local
+  redis_data:
+    driver: local
+  api_logs:
+    driver: local
+  executor_logs:
+    driver: local
+  worker_shell_logs:
+    driver: local
+  worker_python_logs:
+    driver: local
+  worker_node_logs:
+    driver: local
+  worker_full_logs:
+    driver: local
+  sensor_logs:
+    driver: local
+  notifier_logs:
+    driver: local
+  packs_data:
+    driver: local
+  runtime_envs:
+    driver: local
+  artifacts_data:
+    driver: local
+  agent_bin:
+    driver: local
+
+networks:
+  attune-network:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
--- a/docker/distributable/docker/init-packs.sh
+++ b/docker/distributable/docker/init-packs.sh
@@ -0,0 +1,296 @@
+#!/bin/sh
+# Initialize builtin packs for Attune
+# This script copies pack files to the shared volume and registers them in the database
+# Designed to run on python:3.11-slim (Debian-based) image
+
+set -e
+
+# Color output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration from environment
+DB_HOST="${DB_HOST:-postgres}"
+DB_PORT="${DB_PORT:-5432}"
+DB_USER="${DB_USER:-attune}"
+DB_PASSWORD="${DB_PASSWORD:-attune}"
+DB_NAME="${DB_NAME:-attune}"
+DB_SCHEMA="${DB_SCHEMA:-public}"
+
+# Pack directories
+SOURCE_PACKS_DIR="${SOURCE_PACKS_DIR:-/source/packs}"
+TARGET_PACKS_DIR="${TARGET_PACKS_DIR:-/opt/attune/packs}"
+
+# Python loader script
+LOADER_SCRIPT="${LOADER_SCRIPT:-/scripts/load_core_pack.py}"
+DEFAULT_ADMIN_LOGIN="${DEFAULT_ADMIN_LOGIN:-}"
+DEFAULT_ADMIN_PERMISSION_SET_REF="${DEFAULT_ADMIN_PERMISSION_SET_REF:-core.admin}"
+
+echo ""
+echo -e "${BLUE}╔════════════════════════════════════════════════╗${NC}"
+echo -e "${BLUE}║    Attune Builtin Packs Initialization         ║${NC}"
+echo -e "${BLUE}╚════════════════════════════════════════════════╝${NC}"
+echo ""
+
+# Install Python dependencies
+echo -e "${YELLOW}→${NC} Installing Python dependencies..."
+if pip install --quiet --no-cache-dir psycopg2-binary pyyaml; then
+    echo -e "${GREEN}✓${NC} Python dependencies installed"
+else
+    echo -e "${RED}✗${NC} Failed to install Python dependencies"
+    exit 1
+fi
+echo ""
+
+# Wait for database to be ready (using Python instead of psql to avoid needing postgresql-client)
+echo -e "${YELLOW}→${NC} Waiting for database to be ready..."
+until python3 -c "
+import psycopg2, sys
+try:
+    conn = psycopg2.connect(host='$DB_HOST', port=$DB_PORT, user='$DB_USER', password='$DB_PASSWORD', dbname='$DB_NAME', connect_timeout=3)
+    conn.close()
+    sys.exit(0)
+except Exception:
+    sys.exit(1)
+" 2>/dev/null; do
+  echo -e "${YELLOW}  ...${NC} Database is unavailable - sleeping"
+  sleep 2
+done
+echo -e "${GREEN}✓${NC} Database is ready"
+
+# Create target packs directory if it doesn't exist
+echo -e "${YELLOW}→${NC} Ensuring packs directory exists..."
+mkdir -p "$TARGET_PACKS_DIR"
+# Ensure the attune user (uid 1000) can write to the packs directory
+# so the API service can install packs at runtime
+chown -R 1000:1000 "$TARGET_PACKS_DIR"
+echo -e "${GREEN}✓${NC} Packs directory ready at: $TARGET_PACKS_DIR"
+
+# Initialise runtime environments volume with correct ownership.
+# Workers (running as attune uid 1000) need write access to create
+# virtualenvs, node_modules, etc. at runtime.
+RUNTIME_ENVS_DIR="${RUNTIME_ENVS_DIR:-/opt/attune/runtime_envs}"
+if [ -d "$RUNTIME_ENVS_DIR" ] || mkdir -p "$RUNTIME_ENVS_DIR" 2>/dev/null; then
+    chown -R 1000:1000 "$RUNTIME_ENVS_DIR"
+    echo -e "${GREEN}✓${NC} Runtime environments directory ready at: $RUNTIME_ENVS_DIR"
+else
+    echo -e "${YELLOW}⚠${NC} Runtime environments directory not mounted, skipping"
+fi
+
+# Initialise artifacts volume with correct ownership.
+# The API service (creates directories for file-backed artifact versions) and
+# workers (write artifact files during execution) both run as attune uid 1000.
+ARTIFACTS_DIR="${ARTIFACTS_DIR:-/opt/attune/artifacts}"
+if [ -d "$ARTIFACTS_DIR" ] || mkdir -p "$ARTIFACTS_DIR" 2>/dev/null; then
+    chown -R 1000:1000 "$ARTIFACTS_DIR"
+    echo -e "${GREEN}✓${NC} Artifacts directory ready at: $ARTIFACTS_DIR"
+else
+    echo -e "${YELLOW}⚠${NC} Artifacts directory not mounted, skipping"
+fi
+
+# Check if source packs directory exists
+if [ ! -d "$SOURCE_PACKS_DIR" ]; then
+    echo -e "${RED}✗${NC} Source packs directory not found: $SOURCE_PACKS_DIR"
+    exit 1
+fi
+
+# Find all pack directories (directories with pack.yaml)
+echo ""
+echo -e "${BLUE}Discovering builtin packs...${NC}"
+echo "----------------------------------------"
+
+PACK_COUNT=0
+COPIED_COUNT=0
+LOADED_COUNT=0
+
+for pack_dir in "$SOURCE_PACKS_DIR"/*; do
+    if [ -d "$pack_dir" ]; then
+        pack_name=$(basename "$pack_dir")
+        pack_yaml="$pack_dir/pack.yaml"
+
+        if [ -f "$pack_yaml" ]; then
+            PACK_COUNT=$((PACK_COUNT + 1))
+            echo -e "${BLUE}→${NC} Found pack: ${GREEN}$pack_name${NC}"
+
+            # Check if pack already exists in target
+            target_pack_dir="$TARGET_PACKS_DIR/$pack_name"
+
+            if [ -d "$target_pack_dir" ]; then
+                # Pack exists, update files to ensure we have latest (especially binaries)
+                echo -e "${YELLOW}  ⟳${NC} Pack exists at: $target_pack_dir, updating files..."
+                if cp -rf "$pack_dir"/* "$target_pack_dir"/; then
+                    echo -e "${GREEN}  ✓${NC} Updated pack files at: $target_pack_dir"
+                else
+                    echo -e "${RED}  ✗${NC} Failed to update pack"
+                    exit 1
+                fi
+            else
+                # Copy pack to target directory
+                echo -e "${YELLOW}  →${NC} Copying pack files..."
+                if cp -r "$pack_dir" "$target_pack_dir"; then
+                    COPIED_COUNT=$((COPIED_COUNT + 1))
+                    echo -e "${GREEN}  ✓${NC} Copied to: $target_pack_dir"
+                else
+                    echo -e "${RED}  ✗${NC} Failed to copy pack"
+                    exit 1
+                fi
+            fi
+        fi
+    fi
+done
+
+echo "----------------------------------------"
+echo ""
+
+if [ $PACK_COUNT -eq 0 ]; then
+    echo -e "${YELLOW}⚠${NC} No builtin packs found in $SOURCE_PACKS_DIR"
+    echo -e "${BLUE}ℹ${NC} This is OK if you're running with no packs"
+    exit 0
+fi
+
+echo -e "${BLUE}Pack Discovery Summary:${NC}"
+echo "  Total packs found: $PACK_COUNT"
+echo "  Newly copied: $COPIED_COUNT"
+echo "  Already present: $((PACK_COUNT - COPIED_COUNT))"
+echo ""
+
+# Load packs into database using Python loader
+if [ -f "$LOADER_SCRIPT" ]; then
+    echo -e "${BLUE}Loading packs into database...${NC}"
+    echo "----------------------------------------"
+
+    # Build database URL with schema support
+    DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@$DB_HOST:$DB_PORT/$DB_NAME"
+
+    # Set search_path for the Python script if not using default schema
+    if [ "$DB_SCHEMA" != "public" ]; then
+        export PGOPTIONS="-c search_path=$DB_SCHEMA,public"
+    fi
+
+    # Run the Python loader for each pack
+    for pack_dir in "$TARGET_PACKS_DIR"/*; do
+        if [ -d "$pack_dir" ]; then
+            pack_name=$(basename "$pack_dir")
+            pack_yaml="$pack_dir/pack.yaml"
+
+            if [ -f "$pack_yaml" ]; then
+                echo -e "${YELLOW}→${NC} Loading pack: ${GREEN}$pack_name${NC}"
+
+                # Run Python loader
+                if python3 "$LOADER_SCRIPT" \
+                    --database-url "$DATABASE_URL" \
+                    --pack-dir "$TARGET_PACKS_DIR" \
+                    --pack-name "$pack_name" \
+                    --schema "$DB_SCHEMA"; then
+                    LOADED_COUNT=$((LOADED_COUNT + 1))
+                    echo -e "${GREEN}✓${NC} Loaded pack: $pack_name"
+                else
+                    echo -e "${RED}✗${NC} Failed to load pack: $pack_name"
+                    echo -e "${YELLOW}⚠${NC} Continuing with other packs..."
+                fi
+            fi
+        fi
+    done
+
+    echo "----------------------------------------"
+    echo ""
+    echo -e "${BLUE}Database Loading Summary:${NC}"
+    echo "  Successfully loaded: $LOADED_COUNT"
+    echo "  Failed: $((PACK_COUNT - LOADED_COUNT))"
+    echo ""
+else
+    echo -e "${YELLOW}⚠${NC} Pack loader script not found: $LOADER_SCRIPT"
+    echo -e "${BLUE}ℹ${NC} Packs copied but not registered in database"
+    echo -e "${BLUE}ℹ${NC} You can manually load them later"
+fi
+
+if [ -n "$DEFAULT_ADMIN_LOGIN" ] && [ "$LOADED_COUNT" -gt 0 ]; then
+    echo ""
+    echo -e "${BLUE}Bootstrapping local admin assignment...${NC}"
+    if python3 - <<PY
+import psycopg2
+import sys
+
+conn = psycopg2.connect(
+    host="${DB_HOST}",
+    port=${DB_PORT},
+    user="${DB_USER}",
+    password="${DB_PASSWORD}",
+    dbname="${DB_NAME}",
+)
+conn.autocommit = False
+
+try:
+    with conn.cursor() as cur:
+        cur.execute("SET search_path TO ${DB_SCHEMA}, public")
+        cur.execute("SELECT id FROM identity WHERE login = %s", ("${DEFAULT_ADMIN_LOGIN}",))
+        identity_row = cur.fetchone()
+        if identity_row is None:
+            print("  ⚠ Default admin identity not found; skipping assignment")
+            conn.rollback()
+            sys.exit(0)
+
+        cur.execute("SELECT id FROM permission_set WHERE ref = %s", ("${DEFAULT_ADMIN_PERMISSION_SET_REF}",))
+        permset_row = cur.fetchone()
+        if permset_row is None:
+            print("  ⚠ Default admin permission set not found; skipping assignment")
+            conn.rollback()
+            sys.exit(0)
+
+        cur.execute(
+            """
+            INSERT INTO permission_assignment (identity, permset)
+            VALUES (%s, %s)
+            ON CONFLICT (identity, permset) DO NOTHING
+            """,
+            (identity_row[0], permset_row[0]),
+        )
+    conn.commit()
+    print("  ✓ Default admin permission assignment ensured")
+except Exception as exc:
+    conn.rollback()
+    print(f"  ✗ Failed to ensure default admin assignment: {exc}")
+    sys.exit(1)
+finally:
+    conn.close()
+PY
+    then
+        :
+    else
+        exit 1
+    fi
+fi
+
+# Summary
+echo ""
+echo -e "${GREEN}╔════════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║    Builtin Packs Initialization Complete!      ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "${BLUE}Packs Location:${NC} ${GREEN}$TARGET_PACKS_DIR${NC}"
+echo -e "${BLUE}Packs Available:${NC}"
+
+for pack_dir in "$TARGET_PACKS_DIR"/*; do
+    if [ -d "$pack_dir" ]; then
+        pack_name=$(basename "$pack_dir")
+        pack_yaml="$pack_dir/pack.yaml"
+        if [ -f "$pack_yaml" ]; then
+            # Try to extract version from pack.yaml
+            version=$(grep "^version:" "$pack_yaml" | head -1 | sed 's/version:[[:space:]]*//' | tr -d '"')
+            echo -e "  • ${GREEN}$pack_name${NC} ${BLUE}($version)${NC}"
+        fi
+    fi
+done
+
+echo ""
+# Ensure ownership is correct after all packs have been copied
+# The API service (running as attune uid 1000) needs write access to install new packs
+chown -R 1000:1000 "$TARGET_PACKS_DIR"
+
+echo -e "${BLUE}ℹ${NC} Pack files are accessible to all services via shared volume"
+echo ""
+
+exit 0
--- a/docker/distributable/docker/init-roles.sql
+++ b/docker/distributable/docker/init-roles.sql
@@ -0,0 +1,29 @@
+-- Docker initialization script
+-- Creates the svc_attune role needed by migrations
+-- This runs before migrations via docker-compose
+
+-- Create service role for the application
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'svc_attune') THEN
+        CREATE ROLE svc_attune WITH LOGIN PASSWORD 'attune_service_password';
+    END IF;
+END
+$$;
+
+-- Create API role
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'attune_api') THEN
+        CREATE ROLE attune_api WITH LOGIN PASSWORD 'attune_api_password';
+    END IF;
+END
+$$;
+
+-- Grant basic permissions
+GRANT ALL PRIVILEGES ON DATABASE attune TO svc_attune;
+GRANT ALL PRIVILEGES ON DATABASE attune TO attune_api;
+
+-- Enable required extensions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
--- a/docker/distributable/docker/init-user.sh
+++ b/docker/distributable/docker/init-user.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+# Initialize default test user for Attune
+# This script creates a default test user if it doesn't already exist
+
+set -e
+
+# Color output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Database configuration from environment
+DB_HOST="${DB_HOST:-postgres}"
+DB_PORT="${DB_PORT:-5432}"
+DB_USER="${DB_USER:-attune}"
+DB_PASSWORD="${DB_PASSWORD:-attune}"
+DB_NAME="${DB_NAME:-attune}"
+DB_SCHEMA="${DB_SCHEMA:-public}"
+
+# Test user configuration
+TEST_LOGIN="${TEST_LOGIN:-test@attune.local}"
+TEST_DISPLAY_NAME="${TEST_DISPLAY_NAME:-Test User}"
+TEST_PASSWORD="${TEST_PASSWORD:-TestPass123!}"
+
+# Pre-computed Argon2id hash for "TestPass123!"
+# Using: m=19456, t=2, p=1 (default Argon2id parameters)
+DEFAULT_PASSWORD_HASH='$argon2id$v=19$m=19456,t=2,p=1$AuZJ0xsGuSRk6LdCd58OOA$vBZnaflJwR9L4LPWoGGrcnRsIOf95FV4uIsoe3PjRE0'
+
+echo ""
+echo -e "${BLUE}╔════════════════════════════════════════════════╗${NC}"
+echo -e "${BLUE}║    Attune Default User Initialization         ║${NC}"
+echo -e "${BLUE}╚════════════════════════════════════════════════╝${NC}"
+echo ""
+
+# Wait for database to be ready
+echo -e "${YELLOW}→${NC} Waiting for database to be ready..."
+until PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c '\q' 2>/dev/null; do
+  echo -e "${YELLOW}  ...${NC} Database is unavailable - sleeping"
+  sleep 2
+done
+echo -e "${GREEN}✓${NC} Database is ready"
+
+# Check if user already exists
+echo -e "${YELLOW}→${NC} Checking if user exists..."
+USER_EXISTS=$(PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -tAc \
+  "SELECT COUNT(*) FROM ${DB_SCHEMA}.identity WHERE login = '$TEST_LOGIN';")
+
+if [ "$USER_EXISTS" -gt 0 ]; then
+    echo -e "${GREEN}✓${NC} User '$TEST_LOGIN' already exists"
+    echo -e "${BLUE}ℹ${NC} Skipping user creation"
+else
+    echo -e "${YELLOW}→${NC} Creating default test user..."
+
+    # Use the pre-computed hash for default password
+    if [ "$TEST_PASSWORD" = "TestPass123!" ]; then
+        PASSWORD_HASH="$DEFAULT_PASSWORD_HASH"
+        echo -e "${BLUE}ℹ${NC} Using default password hash"
+    else
+        echo -e "${YELLOW}⚠${NC} Custom password detected - using basic hash"
+        echo -e "${YELLOW}⚠${NC} For production, generate proper Argon2id hash"
+        # Note: For custom passwords in Docker, you should pre-generate the hash
+        # This is a fallback that will work but is less secure
+        PASSWORD_HASH="$DEFAULT_PASSWORD_HASH"
+    fi
+
+    # Insert the user
+    PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" << EOF
+INSERT INTO ${DB_SCHEMA}.identity (login, display_name, password_hash, attributes)
+VALUES (
+    '$TEST_LOGIN',
+    '$TEST_DISPLAY_NAME',
+    '$PASSWORD_HASH',
+    jsonb_build_object(
+        'email', '$TEST_LOGIN',
+        'created_via', 'docker-init',
+        'is_test_user', true
+    )
+);
+EOF
+
+    if [ $? -eq 0 ]; then
+        echo -e "${GREEN}✓${NC} User created successfully"
+    else
+        echo -e "${RED}✗${NC} Failed to create user"
+        exit 1
+    fi
+fi
+
+echo ""
+echo -e "${GREEN}╔════════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║  Default User Initialization Complete!        ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "${BLUE}Default User Credentials:${NC}"
+echo -e "  Login:    ${GREEN}$TEST_LOGIN${NC}"
+echo -e "  Password: ${GREEN}$TEST_PASSWORD${NC}"
+echo ""
+echo -e "${BLUE}Test Login:${NC}"
+echo -e "  ${YELLOW}curl -X POST http://localhost:8080/auth/login \\${NC}"
+echo -e "    ${YELLOW}-H 'Content-Type: application/json' \\${NC}"
+echo -e "    ${YELLOW}-d '{\"login\":\"$TEST_LOGIN\",\"password\":\"$TEST_PASSWORD\"}'${NC}"
+echo ""
+echo -e "${BLUE}ℹ${NC} For custom users, see: docs/testing/test-user-setup.md"
+echo ""
+
+exit 0
--- a/docker/distributable/docker/inject-env.sh
+++ b/docker/distributable/docker/inject-env.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+# inject-env.sh - Injects runtime environment variables into the Web UI
+# This script runs at container startup to make environment variables available to the browser
+
+set -e
+
+# Default values
+API_URL="${API_URL:-http://localhost:8080}"
+WS_URL="${WS_URL:-ws://localhost:8081}"
+
+# Create runtime configuration file
+cat > /usr/share/nginx/html/config/runtime-config.js <<EOF
+// Runtime configuration injected at container startup
+window.ATTUNE_CONFIG = {
+  apiUrl: '${API_URL}',
+  wsUrl: '${WS_URL}',
+  environment: '${ENVIRONMENT:-production}'
+};
+EOF
+
+echo "Runtime configuration injected:"
+echo "  API_URL: ${API_URL}"
+echo "  WS_URL: ${WS_URL}"
+echo "  ENVIRONMENT: ${ENVIRONMENT:-production}"
--- a/docker/distributable/docker/nginx.conf
+++ b/docker/distributable/docker/nginx.conf
@@ -0,0 +1,125 @@
+# Nginx configuration for Attune Web UI
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Enable gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml+rss application/json;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "OK\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Use Docker's embedded DNS resolver so that proxy_pass with variables
+    # resolves hostnames at request time, not config load time.
+    # This prevents nginx from crashing if backends aren't ready yet.
+    resolver 127.0.0.11 valid=10s;
+    set $api_upstream http://api:8080;
+    set $notifier_upstream http://notifier:8081;
+
+    # Auth proxy - forward auth requests to backend
+    # With variable proxy_pass (no URI path), the full original request URI
+    # (e.g. /auth/login) is passed through to the backend as-is.
+    location /auth/ {
+        proxy_pass $api_upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # API proxy - forward API requests to backend (preserves /api prefix)
+    # With variable proxy_pass (no URI path), the full original request URI
+    # (e.g. /api/packs?page=1) is passed through to the backend as-is.
+    location /api/ {
+        proxy_pass $api_upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # WebSocket proxy for notifier service
+    # Strip the /ws/ prefix before proxying (notifier expects paths at root).
+    # e.g. /ws/events → /events
+    location /ws/ {
+        rewrite ^/ws/(.*) /$1 break;
+        proxy_pass $notifier_upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket timeouts
+        proxy_connect_timeout 7d;
+        proxy_send_timeout 7d;
+        proxy_read_timeout 7d;
+    }
+
+    # Serve static assets with caching
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Runtime configuration endpoint
+    location /config/runtime-config.js {
+        expires -1;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+    }
+
+    # SPA routing - serve index.html for all routes
+    location / {
+        try_files $uri $uri/ /index.html;
+
+        # Disable caching for index.html
+        location = /index.html {
+            expires -1;
+            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+        }
+    }
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+}
--- a/docker/distributable/docker/run-migrations.sh
+++ b/docker/distributable/docker/run-migrations.sh
@@ -0,0 +1,189 @@
+#!/bin/bash
+# Migration script for Attune database
+# Runs all SQL migration files in order
+
+set -e
+
+echo "=========================================="
+echo "Attune Database Migration Runner"
+echo "=========================================="
+echo ""
+
+# Database connection parameters
+DB_HOST="${DB_HOST:-postgres}"
+DB_PORT="${DB_PORT:-5432}"
+DB_USER="${DB_USER:-attune}"
+DB_PASSWORD="${DB_PASSWORD:-attune}"
+DB_NAME="${DB_NAME:-attune}"
+
+MIGRATIONS_DIR="${MIGRATIONS_DIR:-/migrations}"
+
+# Export password for psql
+export PGPASSWORD="$DB_PASSWORD"
+
+# Color output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Function to wait for PostgreSQL to be ready
+wait_for_postgres() {
+    echo "Waiting for PostgreSQL to be ready..."
+    local max_attempts=30
+    local attempt=1
+
+    while [ $attempt -le $max_attempts ]; do
+        if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c '\q' 2>/dev/null; then
+            echo -e "${GREEN}✓ PostgreSQL is ready${NC}"
+            return 0
+        fi
+
+        echo "  Attempt $attempt/$max_attempts: PostgreSQL not ready yet..."
+        sleep 2
+        attempt=$((attempt + 1))
+    done
+
+    echo -e "${RED}✗ PostgreSQL failed to become ready after $max_attempts attempts${NC}"
+    return 1
+}
+
+# Function to check if migrations table exists
+setup_migrations_table() {
+    echo "Setting up migrations tracking table..."
+
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 <<-EOSQL
+        CREATE TABLE IF NOT EXISTS _migrations (
+            id SERIAL PRIMARY KEY,
+            filename VARCHAR(255) UNIQUE NOT NULL,
+            applied_at TIMESTAMP DEFAULT NOW()
+        );
+EOSQL
+
+    echo -e "${GREEN}✓ Migrations table ready${NC}"
+}
+
+# Function to check if a migration has been applied
+is_migration_applied() {
+    local filename=$1
+    local count=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c \
+        "SELECT COUNT(*) FROM _migrations WHERE filename = '$filename';" | tr -d ' ')
+    [ "$count" -gt 0 ]
+}
+
+# Function to mark migration as applied
+mark_migration_applied() {
+    local filename=$1
+    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c \
+        "INSERT INTO _migrations (filename) VALUES ('$filename');" > /dev/null
+}
+
+# Function to run a migration file
+run_migration() {
+    local filepath=$1
+    local filename=$(basename "$filepath")
+
+    if is_migration_applied "$filename"; then
+        echo -e "${YELLOW}⊘ Skipping $filename (already applied)${NC}"
+        return 0
+    fi
+
+    echo -e "${GREEN}→ Applying $filename...${NC}"
+
+    # Run migration in a transaction with detailed error reporting
+    if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 \
+        -c "BEGIN;" \
+        -f "$filepath" \
+        -c "COMMIT;" > /tmp/migration_output.log 2>&1; then
+        mark_migration_applied "$filename"
+        echo -e "${GREEN}✓ Applied $filename${NC}"
+        return 0
+    else
+        echo -e "${RED}✗ Failed to apply $filename${NC}"
+        echo ""
+        echo "Error details:"
+        cat /tmp/migration_output.log
+        echo ""
+        echo "Migration rolled back due to error."
+        return 1
+    fi
+}
+
+# Function to initialize Docker-specific roles and extensions
+init_docker_roles() {
+    echo "Initializing Docker roles and extensions..."
+
+    if [ -f "/docker/init-roles.sql" ]; then
+        if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 -f "/docker/init-roles.sql" > /dev/null 2>&1; then
+            echo -e "${GREEN}✓ Docker roles initialized${NC}"
+            return 0
+        else
+            echo -e "${YELLOW}⚠ Warning: Could not initialize Docker roles (may already exist)${NC}"
+            return 0
+        fi
+    else
+        echo -e "${YELLOW}⚠ No Docker init script found, skipping${NC}"
+        return 0
+    fi
+}
+
+# Main migration process
+main() {
+    echo "Configuration:"
+    echo "  Database: $DB_HOST:$DB_PORT/$DB_NAME"
+    echo "  User: $DB_USER"
+    echo "  Migrations directory: $MIGRATIONS_DIR"
+    echo ""
+
+    # Wait for database
+    wait_for_postgres || exit 1
+
+    # Initialize Docker-specific roles
+    init_docker_roles || exit 1
+
+    # Setup migrations tracking
+    setup_migrations_table || exit 1
+
+    echo ""
+    echo "Running migrations..."
+    echo "----------------------------------------"
+
+    # Find and sort migration files
+    local migration_count=0
+    local applied_count=0
+    local skipped_count=0
+
+    # Process migrations in sorted order
+    for migration_file in $(find "$MIGRATIONS_DIR" -name "*.sql" -type f | sort); do
+        migration_count=$((migration_count + 1))
+
+        if is_migration_applied "$(basename "$migration_file")"; then
+            skipped_count=$((skipped_count + 1))
+            run_migration "$migration_file"
+        else
+            if run_migration "$migration_file"; then
+                applied_count=$((applied_count + 1))
+            else
+                echo -e "${RED}Migration failed!${NC}"
+                exit 1
+            fi
+        fi
+    done
+
+    echo "----------------------------------------"
+    echo ""
+    echo "Migration Summary:"
+    echo "  Total migrations: $migration_count"
+    echo "  Newly applied: $applied_count"
+    echo "  Already applied: $skipped_count"
+    echo ""
+
+    if [ $applied_count -gt 0 ]; then
+        echo -e "${GREEN}✓ All migrations applied successfully!${NC}"
+    else
+        echo -e "${GREEN}✓ Database is up to date (no new migrations)${NC}"
+    fi
+}
+
+# Run main function
+main
--- a/docker/distributable/migrations/20250101000001_initial_setup.sql
+++ b/docker/distributable/migrations/20250101000001_initial_setup.sql
@@ -0,0 +1,230 @@
+-- Migration: Initial Setup
+-- Description: Creates the attune schema, enums, and shared database functions
+-- Version: 20250101000001
+
+-- ============================================================================
+-- EXTENSIONS
+-- ============================================================================
+
+-- Enable required extensions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- ============================================================================
+-- ENUM TYPES
+-- ============================================================================
+
+-- WorkerType enum
+DO $$ BEGIN
+    CREATE TYPE worker_type_enum AS ENUM (
+        'local',
+        'remote',
+        'container'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE worker_type_enum IS 'Type of worker deployment';
+
+-- WorkerRole enum
+DO $$ BEGIN
+    CREATE TYPE worker_role_enum AS ENUM (
+        'action',
+        'sensor',
+        'hybrid'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE worker_role_enum IS 'Role of worker (action executor, sensor, or both)';
+
+
+-- WorkerStatus enum
+DO $$ BEGIN
+    CREATE TYPE worker_status_enum AS ENUM (
+        'active',
+        'inactive',
+        'busy',
+        'error'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE worker_status_enum IS 'Worker operational status';
+
+-- EnforcementStatus enum
+DO $$ BEGIN
+    CREATE TYPE enforcement_status_enum AS ENUM (
+        'created',
+        'processed',
+        'disabled'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE enforcement_status_enum IS 'Enforcement processing status';
+
+-- EnforcementCondition enum
+DO $$ BEGIN
+    CREATE TYPE enforcement_condition_enum AS ENUM (
+        'any',
+        'all'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE enforcement_condition_enum IS 'Logical operator for conditions (OR/AND)';
+
+-- ExecutionStatus enum
+DO $$ BEGIN
+    CREATE TYPE execution_status_enum AS ENUM (
+        'requested',
+        'scheduling',
+        'scheduled',
+        'running',
+        'completed',
+        'failed',
+        'canceling',
+        'cancelled',
+        'timeout',
+        'abandoned'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE execution_status_enum IS 'Execution lifecycle status';
+
+-- InquiryStatus enum
+DO $$ BEGIN
+    CREATE TYPE inquiry_status_enum AS ENUM (
+        'pending',
+        'responded',
+        'timeout',
+        'cancelled'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE inquiry_status_enum IS 'Inquiry lifecycle status';
+
+-- PolicyMethod enum
+DO $$ BEGIN
+    CREATE TYPE policy_method_enum AS ENUM (
+        'cancel',
+        'enqueue'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE policy_method_enum IS 'Policy enforcement method';
+
+-- OwnerType enum
+DO $$ BEGIN
+    CREATE TYPE owner_type_enum AS ENUM (
+        'system',
+        'identity',
+        'pack',
+        'action',
+        'sensor'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE owner_type_enum IS 'Type of resource owner';
+
+-- NotificationState enum
+DO $$ BEGIN
+    CREATE TYPE notification_status_enum AS ENUM (
+        'created',
+        'queued',
+        'processing',
+        'error'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE notification_status_enum IS 'Notification processing state';
+
+-- ArtifactType enum
+DO $$ BEGIN
+    CREATE TYPE artifact_type_enum AS ENUM (
+        'file_binary',
+        'file_datatable',
+        'file_image',
+        'file_text',
+        'other',
+        'progress',
+        'url'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE artifact_type_enum IS 'Type of artifact';
+
+-- RetentionPolicyType enum
+DO $$ BEGIN
+    CREATE TYPE artifact_retention_enum AS ENUM (
+        'versions',
+        'days',
+        'hours',
+        'minutes'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE artifact_retention_enum IS 'Type of retention policy';
+
+-- ArtifactVisibility enum
+DO $$ BEGIN
+    CREATE TYPE artifact_visibility_enum AS ENUM (
+        'public',
+        'private'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE artifact_visibility_enum IS 'Visibility of an artifact (public = viewable by all users, private = scoped by owner)';
+
+
+-- PackEnvironmentStatus enum
+DO $$ BEGIN
+    CREATE TYPE pack_environment_status_enum AS ENUM (
+        'pending',
+        'installing',
+        'ready',
+        'failed',
+        'outdated'
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+COMMENT ON TYPE pack_environment_status_enum IS 'Status of pack runtime environment installation';
+
+-- ============================================================================
+-- SHARED FUNCTIONS
+-- ============================================================================
+
+-- Function to automatically update the 'updated' timestamp
+CREATE OR REPLACE FUNCTION update_updated_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated = NOW();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION update_updated_column() IS 'Automatically updates the updated timestamp on row modification';
--- a/docker/distributable/migrations/20250101000002_pack_system.sql
+++ b/docker/distributable/migrations/20250101000002_pack_system.sql
@@ -0,0 +1,262 @@
+-- Migration: Pack System
+-- Description: Creates pack, runtime, and runtime_version tables
+-- Version: 20250101000002
+
+-- ============================================================================
+-- PACK TABLE
+-- ============================================================================
+
+CREATE TABLE pack (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    label TEXT NOT NULL,
+    description TEXT,
+    version TEXT NOT NULL,
+    conf_schema JSONB NOT NULL DEFAULT '{}'::jsonb,
+    config JSONB NOT NULL DEFAULT '{}'::jsonb,
+    meta JSONB NOT NULL DEFAULT '{}'::jsonb,
+    tags TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    runtime_deps TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    dependencies TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    is_standard BOOLEAN NOT NULL DEFAULT FALSE,
+    installers JSONB DEFAULT '[]'::jsonb,
+
+    -- Installation metadata (nullable for non-installed packs)
+    source_type TEXT,
+    source_url TEXT,
+    source_ref TEXT,
+    checksum TEXT,
+    checksum_verified BOOLEAN DEFAULT FALSE,
+    installed_at TIMESTAMPTZ,
+    installed_by BIGINT,
+    installation_method TEXT,
+    storage_path TEXT,
+
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT pack_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT pack_ref_format CHECK (ref ~ '^[a-z][a-z0-9_-]+$'),
+    CONSTRAINT pack_version_semver CHECK (
+        version ~ '^\d+\.\d+\.\d+(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'
+    )
+);
+
+-- Indexes
+CREATE INDEX idx_pack_ref ON pack(ref);
+CREATE INDEX idx_pack_created ON pack(created DESC);
+CREATE INDEX idx_pack_is_standard ON pack(is_standard) WHERE is_standard = TRUE;
+CREATE INDEX idx_pack_is_standard_created ON pack(is_standard, created DESC);
+CREATE INDEX idx_pack_version_created ON pack(version, created DESC);
+CREATE INDEX idx_pack_config_gin ON pack USING GIN (config);
+CREATE INDEX idx_pack_meta_gin ON pack USING GIN (meta);
+CREATE INDEX idx_pack_tags_gin ON pack USING GIN (tags);
+CREATE INDEX idx_pack_runtime_deps_gin ON pack USING GIN (runtime_deps);
+CREATE INDEX idx_pack_dependencies_gin ON pack USING GIN (dependencies);
+CREATE INDEX idx_pack_installed_at ON pack(installed_at DESC) WHERE installed_at IS NOT NULL;
+CREATE INDEX idx_pack_installed_by ON pack(installed_by) WHERE installed_by IS NOT NULL;
+CREATE INDEX idx_pack_source_type ON pack(source_type) WHERE source_type IS NOT NULL;
+
+-- Trigger
+CREATE TRIGGER update_pack_updated
+    BEFORE UPDATE ON pack
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE pack IS 'Packs bundle related automation components';
+COMMENT ON COLUMN pack.ref IS 'Unique pack reference identifier (e.g., "slack", "github")';
+COMMENT ON COLUMN pack.label IS 'Human-readable pack name';
+COMMENT ON COLUMN pack.version IS 'Semantic version of the pack';
+COMMENT ON COLUMN pack.conf_schema IS 'JSON schema for pack configuration';
+COMMENT ON COLUMN pack.config IS 'Pack configuration values';
+COMMENT ON COLUMN pack.meta IS 'Pack metadata';
+COMMENT ON COLUMN pack.runtime_deps IS 'Array of required runtime references (e.g., shell, python, nodejs)';
+COMMENT ON COLUMN pack.dependencies IS 'Array of required pack references (e.g., core, utils)';
+COMMENT ON COLUMN pack.is_standard IS 'Whether this is a core/built-in pack';
+COMMENT ON COLUMN pack.source_type IS 'Installation source type (e.g., "git", "local", "registry")';
+COMMENT ON COLUMN pack.source_url IS 'URL or path where pack was installed from';
+COMMENT ON COLUMN pack.source_ref IS 'Git ref, version tag, or other source reference';
+COMMENT ON COLUMN pack.checksum IS 'Content checksum for verification';
+COMMENT ON COLUMN pack.checksum_verified IS 'Whether checksum has been verified';
+COMMENT ON COLUMN pack.installed_at IS 'Timestamp when pack was installed';
+COMMENT ON COLUMN pack.installed_by IS 'Identity ID of user who installed the pack';
+COMMENT ON COLUMN pack.installation_method IS 'Method used for installation (e.g., "cli", "api", "auto")';
+COMMENT ON COLUMN pack.storage_path IS 'Filesystem path where pack files are stored';
+
+-- ============================================================================
+-- RUNTIME TABLE
+-- ============================================================================
+
+CREATE TABLE runtime (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT,
+    description TEXT,
+    name TEXT NOT NULL,
+    aliases TEXT[] NOT NULL DEFAULT '{}'::text[],
+
+    distributions JSONB NOT NULL,
+    installation JSONB,
+    installers JSONB DEFAULT '[]'::jsonb,
+
+    -- Execution configuration: describes how to execute actions using this runtime,
+    -- how to create isolated environments, and how to install dependencies.
+    --
+    -- Structure:
+    -- {
+    --   "interpreter": {
+    --     "binary": "python3",          -- interpreter binary name or path
+    --     "args": [],                   -- additional args before the action file
+    --     "file_extension": ".py"       -- file extension this runtime handles
+    --   },
+    --   "environment": {               -- optional: isolated environment config
+    --     "env_type": "virtualenv",     -- "virtualenv", "node_modules", "none"
+    --     "dir_name": ".venv",          -- directory name relative to pack dir
+    --     "create_command": ["python3", "-m", "venv", "{env_dir}"],
+    --     "interpreter_path": "{env_dir}/bin/python3"  -- overrides interpreter.binary
+    --   },
+    --   "dependencies": {              -- optional: dependency management config
+    --     "manifest_file": "requirements.txt",
+    --     "install_command": ["{interpreter}", "-m", "pip", "install", "-r", "{manifest_path}"]
+    --   }
+    -- }
+    --
+    -- Template variables:
+    --   {pack_dir}      - absolute path to the pack directory
+    --   {env_dir}       - resolved environment directory (pack_dir/dir_name)
+    --   {interpreter}   - resolved interpreter path
+    --   {action_file}   - absolute path to the action script file
+    --   {manifest_path} - absolute path to the dependency manifest file
+    execution_config JSONB NOT NULL DEFAULT '{}'::jsonb,
+
+    -- Whether this runtime was auto-registered by an agent
+    -- (vs. loaded from a pack's YAML file during pack registration)
+    auto_detected BOOLEAN NOT NULL DEFAULT FALSE,
+
+    -- Detection metadata for auto-discovered runtimes.
+    -- Stores how the agent discovered this runtime (binary path, version, etc.)
+    -- enables re-verification on restart.
+    -- Example: { "detected_path": "/usr/bin/ruby", "detected_name": "ruby",
+    --            "detected_version": "3.3.0" }
+    detection_config JSONB NOT NULL DEFAULT '{}'::jsonb,
+
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT runtime_ref_lowercase CHECK (ref = LOWER(ref))
+);
+
+-- Indexes
+CREATE INDEX idx_runtime_ref ON runtime(ref);
+CREATE INDEX idx_runtime_pack ON runtime(pack);
+CREATE INDEX idx_runtime_created ON runtime(created DESC);
+CREATE INDEX idx_runtime_name ON runtime(name);
+CREATE INDEX idx_runtime_verification ON runtime USING GIN ((distributions->'verification'));
+CREATE INDEX idx_runtime_execution_config ON runtime USING GIN (execution_config);
+CREATE INDEX idx_runtime_auto_detected ON runtime(auto_detected);
+CREATE INDEX idx_runtime_detection_config ON runtime USING GIN (detection_config);
+CREATE INDEX idx_runtime_aliases ON runtime USING GIN (aliases);
+
+-- Trigger
+CREATE TRIGGER update_runtime_updated
+    BEFORE UPDATE ON runtime
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE runtime IS 'Runtime environments for executing actions and sensors (unified)';
+COMMENT ON COLUMN runtime.ref IS 'Unique runtime reference (format: pack.name, e.g., core.python)';
+COMMENT ON COLUMN runtime.name IS 'Runtime name (e.g., "Python", "Node.js", "Shell")';
+COMMENT ON COLUMN runtime.aliases IS 'Lowercase alias names for this runtime (e.g., ["ruby", "rb"] for the Ruby runtime). Used for alias-aware matching during auto-detection and scheduling.';
+COMMENT ON COLUMN runtime.distributions IS 'Runtime distribution metadata including verification commands, version requirements, and capabilities';
+COMMENT ON COLUMN runtime.installation IS 'Installation requirements and instructions including package managers and setup steps';
+COMMENT ON COLUMN runtime.installers IS 'Array of installer actions to create pack-specific runtime environments. Each installer defines commands to set up isolated environments (e.g., Python venv, npm install).';
+COMMENT ON COLUMN runtime.execution_config IS 'Execution configuration: interpreter, environment setup, and dependency management. Drives how the worker executes actions and how pack install sets up environments.';
+COMMENT ON COLUMN runtime.auto_detected IS 'Whether this runtime was auto-registered by an agent (true) vs. loaded from a pack YAML (false)';
+COMMENT ON COLUMN runtime.detection_config IS 'Detection metadata for auto-discovered runtimes: binaries probed, version regex, detected path/version';
+
+-- ============================================================================
+-- RUNTIME VERSION TABLE
+-- ============================================================================
+
+CREATE TABLE runtime_version (
+    id BIGSERIAL PRIMARY KEY,
+    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
+    runtime_ref TEXT NOT NULL,
+
+    -- Semantic version string (e.g., "3.12.1", "20.11.0")
+    version TEXT NOT NULL,
+
+    -- Individual version components for efficient range queries.
+    -- Nullable because some runtimes may use non-numeric versioning.
+    version_major INT,
+    version_minor INT,
+    version_patch INT,
+
+    -- Complete execution configuration for this specific version.
+    -- This is NOT a diff/override — it is a full standalone config that can
+    -- replace the parent runtime's execution_config when this version is selected.
+    -- Structure is identical to runtime.execution_config (RuntimeExecutionConfig).
+    execution_config JSONB NOT NULL DEFAULT '{}'::jsonb,
+
+    -- Version-specific distribution/verification metadata.
+    -- Structure mirrors runtime.distributions but with version-specific commands.
+    -- Example: verification commands that check for a specific binary like python3.12.
+    distributions JSONB NOT NULL DEFAULT '{}'::jsonb,
+
+    -- Whether this version is the default for the parent runtime.
+    -- At most one version per runtime should be marked as default.
+    is_default BOOLEAN NOT NULL DEFAULT FALSE,
+
+    -- Whether this version has been verified as available on the current system.
+    available BOOLEAN NOT NULL DEFAULT TRUE,
+
+    -- When this version was last verified (via running verification commands).
+    verified_at TIMESTAMPTZ,
+
+    -- Arbitrary version-specific metadata (e.g., EOL date, release notes URL,
+    -- feature flags, platform-specific notes).
+    meta JSONB NOT NULL DEFAULT '{}'::jsonb,
+
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT runtime_version_unique UNIQUE(runtime, version)
+);
+
+-- Indexes
+CREATE INDEX idx_runtime_version_runtime ON runtime_version(runtime);
+CREATE INDEX idx_runtime_version_runtime_ref ON runtime_version(runtime_ref);
+CREATE INDEX idx_runtime_version_version ON runtime_version(version);
+CREATE INDEX idx_runtime_version_available ON runtime_version(available) WHERE available = TRUE;
+CREATE INDEX idx_runtime_version_is_default ON runtime_version(is_default) WHERE is_default = TRUE;
+CREATE INDEX idx_runtime_version_components ON runtime_version(runtime, version_major, version_minor, version_patch);
+CREATE INDEX idx_runtime_version_created ON runtime_version(created DESC);
+CREATE INDEX idx_runtime_version_execution_config ON runtime_version USING GIN (execution_config);
+CREATE INDEX idx_runtime_version_meta ON runtime_version USING GIN (meta);
+
+-- Trigger
+CREATE TRIGGER update_runtime_version_updated
+    BEFORE UPDATE ON runtime_version
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE runtime_version IS 'Specific versions of a runtime (e.g., Python 3.11, 3.12) with version-specific execution configuration';
+COMMENT ON COLUMN runtime_version.runtime IS 'Parent runtime this version belongs to';
+COMMENT ON COLUMN runtime_version.runtime_ref IS 'Parent runtime ref (e.g., core.python) for display/filtering';
+COMMENT ON COLUMN runtime_version.version IS 'Semantic version string (e.g., "3.12.1", "20.11.0")';
+COMMENT ON COLUMN runtime_version.version_major IS 'Major version component for efficient range queries';
+COMMENT ON COLUMN runtime_version.version_minor IS 'Minor version component for efficient range queries';
+COMMENT ON COLUMN runtime_version.version_patch IS 'Patch version component for efficient range queries';
+COMMENT ON COLUMN runtime_version.execution_config IS 'Complete execution configuration for this version (same structure as runtime.execution_config)';
+COMMENT ON COLUMN runtime_version.distributions IS 'Version-specific distribution/verification metadata';
+COMMENT ON COLUMN runtime_version.is_default IS 'Whether this is the default version for the parent runtime (at most one per runtime)';
+COMMENT ON COLUMN runtime_version.available IS 'Whether this version has been verified as available on the system';
+COMMENT ON COLUMN runtime_version.verified_at IS 'Timestamp of last availability verification';
+COMMENT ON COLUMN runtime_version.meta IS 'Arbitrary version-specific metadata';
--- a/docker/distributable/migrations/20250101000003_identity_and_auth.sql
+++ b/docker/distributable/migrations/20250101000003_identity_and_auth.sql
@@ -0,0 +1,223 @@
+-- Migration: Identity and Authentication
+-- Description: Creates identity, permission, and policy tables
+-- Version: 20250101000002
+
+-- ============================================================================
+-- IDENTITY TABLE
+-- ============================================================================
+
+CREATE TABLE identity (
+    id BIGSERIAL PRIMARY KEY,
+    login TEXT NOT NULL UNIQUE,
+    display_name TEXT,
+    password_hash TEXT,
+    attributes JSONB NOT NULL DEFAULT '{}'::jsonb,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_identity_login ON identity(login);
+CREATE INDEX idx_identity_created ON identity(created DESC);
+CREATE INDEX idx_identity_password_hash ON identity(password_hash) WHERE password_hash IS NOT NULL;
+CREATE INDEX idx_identity_attributes_gin ON identity USING GIN (attributes);
+
+-- Trigger
+CREATE TRIGGER update_identity_updated
+    BEFORE UPDATE ON identity
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE identity IS 'Identities represent users or service accounts';
+COMMENT ON COLUMN identity.login IS 'Unique login identifier';
+COMMENT ON COLUMN identity.display_name IS 'Human-readable name';
+COMMENT ON COLUMN identity.password_hash IS 'Argon2 hashed password for authentication (NULL for service accounts or external auth)';
+COMMENT ON COLUMN identity.attributes IS 'Custom attributes (email, groups, etc.)';
+
+-- ============================================================================
+-- ADD FOREIGN KEY CONSTRAINTS TO EXISTING TABLES
+-- ============================================================================
+
+-- Add foreign key constraint for pack.installed_by now that identity table exists
+ALTER TABLE pack
+    ADD CONSTRAINT fk_pack_installed_by
+    FOREIGN KEY (installed_by)
+    REFERENCES identity(id)
+    ON DELETE SET NULL;
+
+-- ============================================================================
+
+-- ============================================================================
+-- PERMISSION_SET TABLE
+-- ============================================================================
+
+CREATE TABLE permission_set (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT,
+    label TEXT,
+    description TEXT,
+    grants JSONB NOT NULL DEFAULT '[]'::jsonb,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT permission_set_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT permission_set_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
+);
+
+-- Indexes
+CREATE INDEX idx_permission_set_ref ON permission_set(ref);
+CREATE INDEX idx_permission_set_pack ON permission_set(pack);
+CREATE INDEX idx_permission_set_created ON permission_set(created DESC);
+
+-- Trigger
+CREATE TRIGGER update_permission_set_updated
+    BEFORE UPDATE ON permission_set
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE permission_set IS 'Permission sets group permissions together (like roles)';
+COMMENT ON COLUMN permission_set.ref IS 'Unique permission set reference (format: pack.name)';
+COMMENT ON COLUMN permission_set.label IS 'Human-readable name';
+COMMENT ON COLUMN permission_set.grants IS 'Array of permission grants';
+
+-- ============================================================================
+
+-- ============================================================================
+-- PERMISSION_ASSIGNMENT TABLE
+-- ============================================================================
+
+CREATE TABLE permission_assignment (
+    id BIGSERIAL PRIMARY KEY,
+    identity BIGINT NOT NULL REFERENCES identity(id) ON DELETE CASCADE,
+    permset BIGINT NOT NULL REFERENCES permission_set(id) ON DELETE CASCADE,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Unique constraint to prevent duplicate assignments
+    CONSTRAINT unique_identity_permset UNIQUE (identity, permset)
+);
+
+-- Indexes
+CREATE INDEX idx_permission_assignment_identity ON permission_assignment(identity);
+CREATE INDEX idx_permission_assignment_permset ON permission_assignment(permset);
+CREATE INDEX idx_permission_assignment_created ON permission_assignment(created DESC);
+CREATE INDEX idx_permission_assignment_identity_created ON permission_assignment(identity, created DESC);
+CREATE INDEX idx_permission_assignment_permset_created ON permission_assignment(permset, created DESC);
+
+-- Comments
+COMMENT ON TABLE permission_assignment IS 'Links identities to permission sets (many-to-many)';
+COMMENT ON COLUMN permission_assignment.identity IS 'Identity being granted permissions';
+COMMENT ON COLUMN permission_assignment.permset IS 'Permission set being assigned';
+
+-- ============================================================================
+
+ALTER TABLE identity
+    ADD COLUMN frozen BOOLEAN NOT NULL DEFAULT false;
+
+CREATE INDEX idx_identity_frozen ON identity(frozen);
+
+COMMENT ON COLUMN identity.frozen IS 'If true, authentication is blocked for this identity';
+
+CREATE TABLE identity_role_assignment (
+    id BIGSERIAL PRIMARY KEY,
+    identity BIGINT NOT NULL REFERENCES identity(id) ON DELETE CASCADE,
+    role TEXT NOT NULL,
+    source TEXT NOT NULL DEFAULT 'manual',
+    managed BOOLEAN NOT NULL DEFAULT false,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    CONSTRAINT unique_identity_role_assignment UNIQUE (identity, role)
+);
+
+CREATE INDEX idx_identity_role_assignment_identity
+    ON identity_role_assignment(identity);
+CREATE INDEX idx_identity_role_assignment_role
+    ON identity_role_assignment(role);
+CREATE INDEX idx_identity_role_assignment_source
+    ON identity_role_assignment(source);
+
+CREATE TRIGGER update_identity_role_assignment_updated
+    BEFORE UPDATE ON identity_role_assignment
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+COMMENT ON TABLE identity_role_assignment IS 'Links identities to role labels from manual assignment or external identity providers';
+COMMENT ON COLUMN identity_role_assignment.role IS 'Opaque role/group label (e.g. IDP group name)';
+COMMENT ON COLUMN identity_role_assignment.source IS 'Where the role assignment originated (manual, oidc, ldap, sync, etc.)';
+COMMENT ON COLUMN identity_role_assignment.managed IS 'True when the assignment is managed by external sync and should not be edited manually';
+
+CREATE TABLE permission_set_role_assignment (
+    id BIGSERIAL PRIMARY KEY,
+    permset BIGINT NOT NULL REFERENCES permission_set(id) ON DELETE CASCADE,
+    role TEXT NOT NULL,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    CONSTRAINT unique_permission_set_role_assignment UNIQUE (permset, role)
+);
+
+CREATE INDEX idx_permission_set_role_assignment_permset
+    ON permission_set_role_assignment(permset);
+CREATE INDEX idx_permission_set_role_assignment_role
+    ON permission_set_role_assignment(role);
+
+COMMENT ON TABLE permission_set_role_assignment IS 'Links permission sets to role labels for role-based grant expansion';
+COMMENT ON COLUMN permission_set_role_assignment.role IS 'Opaque role/group label associated with the permission set';
+
+-- ============================================================================
+
+-- ============================================================================
+-- POLICY TABLE
+-- ============================================================================
+
+CREATE TABLE policy (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT,
+    action BIGINT, -- Forward reference to action table, will add constraint in next migration
+    action_ref TEXT,
+    parameters TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    method policy_method_enum NOT NULL,
+    threshold INTEGER NOT NULL,
+    name TEXT NOT NULL,
+    description TEXT,
+    tags TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT policy_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT policy_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$'),
+    CONSTRAINT policy_threshold_positive CHECK (threshold > 0)
+);
+
+-- Indexes
+CREATE INDEX idx_policy_ref ON policy(ref);
+CREATE INDEX idx_policy_pack ON policy(pack);
+CREATE INDEX idx_policy_action ON policy(action);
+CREATE INDEX idx_policy_created ON policy(created DESC);
+CREATE INDEX idx_policy_action_created ON policy(action, created DESC);
+CREATE INDEX idx_policy_pack_created ON policy(pack, created DESC);
+CREATE INDEX idx_policy_parameters_gin ON policy USING GIN (parameters);
+CREATE INDEX idx_policy_tags_gin ON policy USING GIN (tags);
+
+-- Trigger
+CREATE TRIGGER update_policy_updated
+    BEFORE UPDATE ON policy
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE policy IS 'Policies define execution controls (rate limiting, concurrency)';
+COMMENT ON COLUMN policy.ref IS 'Unique policy reference (format: pack.name)';
+COMMENT ON COLUMN policy.action IS 'Action this policy applies to';
+COMMENT ON COLUMN policy.parameters IS 'Parameter names used for policy grouping';
+COMMENT ON COLUMN policy.method IS 'How to handle policy violations (cancel/enqueue)';
+COMMENT ON COLUMN policy.threshold IS 'Numeric limit (e.g., max concurrent executions)';
+
+-- ============================================================================
--- a/docker/distributable/migrations/20250101000004_trigger_sensor_event_rule.sql
+++ b/docker/distributable/migrations/20250101000004_trigger_sensor_event_rule.sql
@@ -0,0 +1,290 @@
+-- Migration: Event System and Actions
+-- Description: Creates trigger, sensor, event, enforcement, and action tables
+--              with runtime version constraint support. Includes webhook key
+--              generation function used by webhook management functions in 000007.
+--
+--              NOTE: The event and enforcement tables are converted to TimescaleDB
+--              hypertables in migration 000009. Hypertables cannot be the target of
+--              FK constraints, so enforcement.event is a plain BIGINT with no FK.
+--              FKs *from* hypertables to regular tables (e.g., event.trigger → trigger,
+--              enforcement.rule → rule) are supported by TimescaleDB 2.x and are kept.
+-- Version: 20250101000004
+
+-- ============================================================================
+-- WEBHOOK KEY GENERATION
+-- ============================================================================
+
+-- Generates a unique webhook key in the format: wh_<32 random hex chars>
+-- Used by enable_trigger_webhook() and regenerate_trigger_webhook_key() in 000007.
+CREATE OR REPLACE FUNCTION generate_webhook_key()
+RETURNS VARCHAR(64) AS $$
+BEGIN
+    RETURN 'wh_' || encode(gen_random_bytes(16), 'hex');
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION generate_webhook_key() IS 'Generates a unique webhook key (format: wh_<32 hex chars>) for trigger webhook authentication';
+
+-- ============================================================================
+-- TRIGGER TABLE
+-- ============================================================================
+
+CREATE TABLE trigger (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT,
+    label TEXT NOT NULL,
+    description TEXT,
+    enabled BOOLEAN NOT NULL DEFAULT TRUE,
+    is_adhoc BOOLEAN DEFAULT false NOT NULL,
+    param_schema JSONB,
+    out_schema JSONB,
+    webhook_enabled BOOLEAN NOT NULL DEFAULT FALSE,
+    webhook_key VARCHAR(64) UNIQUE,
+    webhook_config JSONB DEFAULT '{}'::jsonb,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT trigger_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT trigger_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
+);
+
+-- Indexes
+CREATE INDEX idx_trigger_ref ON trigger(ref);
+CREATE INDEX idx_trigger_pack ON trigger(pack);
+CREATE INDEX idx_trigger_enabled ON trigger(enabled) WHERE enabled = TRUE;
+CREATE INDEX idx_trigger_created ON trigger(created DESC);
+CREATE INDEX idx_trigger_pack_enabled ON trigger(pack, enabled);
+CREATE INDEX idx_trigger_webhook_key ON trigger(webhook_key) WHERE webhook_key IS NOT NULL;
+CREATE INDEX idx_trigger_enabled_created ON trigger(enabled, created DESC) WHERE enabled = TRUE;
+
+-- Trigger
+CREATE TRIGGER update_trigger_updated
+    BEFORE UPDATE ON trigger
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE trigger IS 'Trigger definitions that can activate rules';
+COMMENT ON COLUMN trigger.ref IS 'Unique trigger reference (format: pack.name)';
+COMMENT ON COLUMN trigger.label IS 'Human-readable trigger name';
+COMMENT ON COLUMN trigger.enabled IS 'Whether this trigger is active';
+COMMENT ON COLUMN trigger.param_schema IS 'JSON schema defining the expected configuration parameters when this trigger is used';
+COMMENT ON COLUMN trigger.out_schema IS 'JSON schema defining the structure of event payloads generated by this trigger';
+
+-- ============================================================================
+
+
+-- ============================================================================
+-- SENSOR TABLE
+-- ============================================================================
+
+CREATE TABLE sensor (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT,
+    label TEXT NOT NULL,
+    description TEXT,
+    entrypoint TEXT NOT NULL,
+    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
+    runtime_ref TEXT NOT NULL,
+    trigger BIGINT NOT NULL REFERENCES trigger(id) ON DELETE CASCADE,
+    trigger_ref TEXT NOT NULL,
+    enabled BOOLEAN NOT NULL,
+    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
+    param_schema JSONB,
+    config JSONB,
+    runtime_version_constraint TEXT,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT sensor_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT sensor_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
+);
+
+-- Indexes
+CREATE INDEX idx_sensor_ref ON sensor(ref);
+CREATE INDEX idx_sensor_pack ON sensor(pack);
+CREATE INDEX idx_sensor_runtime ON sensor(runtime);
+CREATE INDEX idx_sensor_trigger ON sensor(trigger);
+CREATE INDEX idx_sensor_enabled ON sensor(enabled) WHERE enabled = TRUE;
+CREATE INDEX idx_sensor_is_adhoc ON sensor(is_adhoc) WHERE is_adhoc = true;
+CREATE INDEX idx_sensor_created ON sensor(created DESC);
+
+-- Trigger
+CREATE TRIGGER update_sensor_updated
+    BEFORE UPDATE ON sensor
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE sensor IS 'Sensors monitor for events and create trigger instances';
+COMMENT ON COLUMN sensor.ref IS 'Unique sensor reference (format: pack.name)';
+COMMENT ON COLUMN sensor.label IS 'Human-readable sensor name';
+COMMENT ON COLUMN sensor.entrypoint IS 'Script or command to execute';
+COMMENT ON COLUMN sensor.runtime IS 'Runtime environment for execution';
+COMMENT ON COLUMN sensor.trigger IS 'Trigger type this sensor creates events for';
+COMMENT ON COLUMN sensor.enabled IS 'Whether this sensor is active';
+COMMENT ON COLUMN sensor.is_adhoc IS 'True if sensor was manually created (ad-hoc), false if installed from pack';
+COMMENT ON COLUMN sensor.runtime_version_constraint IS 'Semver version constraint for the runtime (e.g., ">=3.12", ">=3.12,<4.0", "~18.0"). NULL means any version.';
+
+-- ============================================================================
+-- EVENT TABLE
+-- ============================================================================
+
+CREATE TABLE event (
+    id BIGSERIAL PRIMARY KEY,
+    trigger BIGINT REFERENCES trigger(id) ON DELETE SET NULL,
+    trigger_ref TEXT NOT NULL,
+    config JSONB,
+    payload JSONB,
+    source BIGINT REFERENCES sensor(id) ON DELETE SET NULL,
+    source_ref TEXT,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    rule BIGINT,
+    rule_ref TEXT
+);
+
+-- Indexes
+CREATE INDEX idx_event_trigger ON event(trigger);
+CREATE INDEX idx_event_trigger_ref ON event(trigger_ref);
+CREATE INDEX idx_event_source ON event(source);
+CREATE INDEX idx_event_created ON event(created DESC);
+CREATE INDEX idx_event_trigger_created ON event(trigger, created DESC);
+CREATE INDEX idx_event_trigger_ref_created ON event(trigger_ref, created DESC);
+CREATE INDEX idx_event_source_created ON event(source, created DESC);
+CREATE INDEX idx_event_payload_gin ON event USING GIN (payload);
+
+-- Comments
+COMMENT ON TABLE event IS 'Events are instances of triggers firing';
+COMMENT ON COLUMN event.trigger IS 'Trigger that fired (may be null if trigger deleted)';
+COMMENT ON COLUMN event.trigger_ref IS 'Trigger reference (preserved even if trigger deleted)';
+COMMENT ON COLUMN event.config IS 'Snapshot of trigger/sensor configuration at event time';
+COMMENT ON COLUMN event.payload IS 'Event data payload';
+COMMENT ON COLUMN event.source IS 'Sensor that generated this event';
+
+-- ============================================================================
+-- ENFORCEMENT TABLE
+-- ============================================================================
+
+CREATE TABLE enforcement (
+    id BIGSERIAL PRIMARY KEY,
+    rule BIGINT, -- Forward reference to rule table, will add constraint after rule is created
+    rule_ref TEXT NOT NULL,
+    trigger_ref TEXT NOT NULL,
+    config JSONB,
+    event BIGINT,           -- references event(id); no FK because event becomes a hypertable
+    status enforcement_status_enum NOT NULL DEFAULT 'created',
+    payload JSONB NOT NULL,
+    condition enforcement_condition_enum NOT NULL DEFAULT 'all',
+    conditions JSONB NOT NULL DEFAULT '[]'::jsonb,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    resolved_at TIMESTAMPTZ,
+
+    -- Constraints
+    CONSTRAINT enforcement_condition_check CHECK (condition IN ('any', 'all'))
+);
+
+-- Indexes
+CREATE INDEX idx_enforcement_rule ON enforcement(rule);
+CREATE INDEX idx_enforcement_rule_ref ON enforcement(rule_ref);
+CREATE INDEX idx_enforcement_trigger_ref ON enforcement(trigger_ref);
+CREATE INDEX idx_enforcement_event ON enforcement(event);
+CREATE INDEX idx_enforcement_status ON enforcement(status);
+CREATE INDEX idx_enforcement_created ON enforcement(created DESC);
+CREATE INDEX idx_enforcement_status_created ON enforcement(status, created DESC);
+CREATE INDEX idx_enforcement_rule_status ON enforcement(rule, status);
+CREATE INDEX idx_enforcement_event_status ON enforcement(event, status);
+CREATE INDEX idx_enforcement_payload_gin ON enforcement USING GIN (payload);
+CREATE INDEX idx_enforcement_conditions_gin ON enforcement USING GIN (conditions);
+
+-- Comments
+COMMENT ON TABLE enforcement IS 'Enforcements represent rule triggering by events';
+COMMENT ON COLUMN enforcement.rule IS 'Rule being enforced (may be null if rule deleted)';
+COMMENT ON COLUMN enforcement.rule_ref IS 'Rule reference (preserved even if rule deleted)';
+COMMENT ON COLUMN enforcement.event IS 'Event that triggered this enforcement (no FK — event is a hypertable)';
+COMMENT ON COLUMN enforcement.status IS 'Processing status (created → processed or disabled)';
+COMMENT ON COLUMN enforcement.resolved_at IS 'Timestamp when the enforcement was resolved (status changed from created to processed/disabled). NULL while status is created.';
+COMMENT ON COLUMN enforcement.payload IS 'Event payload for rule evaluation';
+COMMENT ON COLUMN enforcement.condition IS 'Logical operator for conditions (any=OR, all=AND)';
+COMMENT ON COLUMN enforcement.conditions IS 'Condition expressions to evaluate';
+
+-- ============================================================================
+-- ACTION TABLE
+-- ============================================================================
+
+CREATE TABLE action (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT NOT NULL,
+    label TEXT NOT NULL,
+    description TEXT,
+    entrypoint TEXT NOT NULL,
+    runtime BIGINT REFERENCES runtime(id),
+    param_schema JSONB,
+    out_schema JSONB,
+    parameter_delivery TEXT NOT NULL DEFAULT 'stdin' CHECK (parameter_delivery IN ('stdin', 'file')),
+    parameter_format TEXT NOT NULL DEFAULT 'json' CHECK (parameter_format IN ('dotenv', 'json', 'yaml')),
+    output_format TEXT NOT NULL DEFAULT 'text' CHECK (output_format IN ('text', 'json', 'yaml', 'jsonl')),
+    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
+    timeout_seconds INTEGER,
+    max_retries INTEGER DEFAULT 0,
+    runtime_version_constraint TEXT,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT action_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT action_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
+);
+
+-- Indexes
+CREATE INDEX idx_action_ref ON action(ref);
+CREATE INDEX idx_action_pack ON action(pack);
+CREATE INDEX idx_action_runtime ON action(runtime);
+CREATE INDEX idx_action_parameter_delivery ON action(parameter_delivery);
+CREATE INDEX idx_action_parameter_format ON action(parameter_format);
+CREATE INDEX idx_action_output_format ON action(output_format);
+CREATE INDEX idx_action_is_adhoc ON action(is_adhoc) WHERE is_adhoc = true;
+CREATE INDEX idx_action_created ON action(created DESC);
+
+-- Trigger
+CREATE TRIGGER update_action_updated
+    BEFORE UPDATE ON action
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE action IS 'Actions are executable tasks that can be triggered';
+COMMENT ON COLUMN action.ref IS 'Unique action reference (format: pack.name)';
+COMMENT ON COLUMN action.pack IS 'Pack this action belongs to';
+COMMENT ON COLUMN action.label IS 'Human-readable action name';
+COMMENT ON COLUMN action.entrypoint IS 'Script or command to execute';
+COMMENT ON COLUMN action.runtime IS 'Runtime environment for execution';
+COMMENT ON COLUMN action.param_schema IS 'JSON schema for action parameters';
+COMMENT ON COLUMN action.out_schema IS 'JSON schema for action output';
+COMMENT ON COLUMN action.parameter_delivery IS 'How parameters are delivered: stdin (standard input - secure), file (temporary file - secure for large payloads). Environment variables are set separately via execution.env_vars.';
+COMMENT ON COLUMN action.parameter_format IS 'Parameter serialization format: json (JSON object - default), dotenv (KEY=''VALUE''), yaml (YAML format)';
+COMMENT ON COLUMN action.output_format IS 'Output parsing format: text (no parsing - raw stdout), json (parse stdout as JSON), yaml (parse stdout as YAML), jsonl (parse each line as JSON, collect into array)';
+COMMENT ON COLUMN action.is_adhoc IS 'True if action was manually created (ad-hoc), false if installed from pack';
+COMMENT ON COLUMN action.timeout_seconds IS 'Worker queue TTL override in seconds. If NULL, uses global worker_queue_ttl_ms config. Allows per-action timeout tuning.';
+COMMENT ON COLUMN action.max_retries IS 'Maximum number of automatic retry attempts for failed executions. 0 = no retries (default).';
+COMMENT ON COLUMN action.runtime_version_constraint IS 'Semver version constraint for the runtime (e.g., ">=3.12", ">=3.12,<4.0", "~18.0"). NULL means any version.';
+
+-- ============================================================================
+
+-- Add foreign key constraint for policy table
+ALTER TABLE policy
+    ADD CONSTRAINT policy_action_fkey
+    FOREIGN KEY (action) REFERENCES action(id) ON DELETE CASCADE;
+
+-- Note: Foreign key constraints for key table (key_owner_action_fkey, key_owner_sensor_fkey)
+-- will be added in migration 000007_supporting_systems.sql after the key table is created
+
+-- Note: Rule table will be created in migration 000005 after execution table exists
+-- Note: Foreign key constraints for enforcement.rule and event.rule will be added there
--- a/docker/distributable/migrations/20250101000005_execution_and_operations.sql
+++ b/docker/distributable/migrations/20250101000005_execution_and_operations.sql
@@ -0,0 +1,410 @@
+-- Migration: Execution and Operations
+-- Description: Creates execution, inquiry, rule, worker, and notification tables.
+--              Includes retry tracking, worker health views, and helper functions.
+--              Consolidates former migrations: 000006 (execution_system), 000008
+--              (worker_notification), 000014 (worker_table), and 20260209 (phase3).
+--
+--              NOTE: The execution table is converted to a TimescaleDB hypertable in
+--              migration 000009. Hypertables cannot be the target of FK constraints,
+--              so columns referencing execution (inquiry.execution, workflow_execution.execution)
+--              are plain BIGINT with no FK. Similarly, columns ON the execution table that
+--              would self-reference or reference other hypertables (parent, enforcement,
+--              original_execution) are plain BIGINT. The action and executor FKs are also
+--              omitted since they would need to be dropped during hypertable conversion.
+-- Version: 20250101000005
+
+-- ============================================================================
+-- EXECUTION TABLE
+-- ============================================================================
+
+CREATE TABLE execution (
+    id BIGSERIAL PRIMARY KEY,
+    action BIGINT,          -- references action(id); no FK because execution becomes a hypertable
+    action_ref TEXT NOT NULL,
+    config JSONB,
+    env_vars JSONB,
+    parent BIGINT,          -- self-reference; no FK because execution becomes a hypertable
+    enforcement BIGINT,     -- references enforcement(id); no FK (both are hypertables)
+    executor BIGINT,        -- references identity(id); no FK because execution becomes a hypertable
+    worker BIGINT,          -- references worker(id); no FK because execution becomes a hypertable
+    status execution_status_enum NOT NULL DEFAULT 'requested',
+    result JSONB,
+    started_at TIMESTAMPTZ,         -- set when execution transitions to 'running'
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    is_workflow BOOLEAN DEFAULT false NOT NULL,
+    workflow_def BIGINT,    -- references workflow_definition(id); no FK because execution becomes a hypertable
+    workflow_task JSONB,
+
+    -- Retry tracking (baked in from phase 3)
+    retry_count INTEGER NOT NULL DEFAULT 0,
+    max_retries INTEGER,
+    retry_reason TEXT,
+    original_execution BIGINT, -- self-reference; no FK because execution becomes a hypertable
+
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_execution_action ON execution(action);
+CREATE INDEX idx_execution_action_ref ON execution(action_ref);
+CREATE INDEX idx_execution_parent ON execution(parent);
+CREATE INDEX idx_execution_enforcement ON execution(enforcement);
+CREATE INDEX idx_execution_executor ON execution(executor);
+CREATE INDEX idx_execution_worker ON execution(worker);
+CREATE INDEX idx_execution_status ON execution(status);
+CREATE INDEX idx_execution_created ON execution(created DESC);
+CREATE INDEX idx_execution_updated ON execution(updated DESC);
+CREATE INDEX idx_execution_status_created ON execution(status, created DESC);
+CREATE INDEX idx_execution_status_updated ON execution(status, updated DESC);
+CREATE INDEX idx_execution_action_status ON execution(action, status);
+CREATE INDEX idx_execution_executor_created ON execution(executor, created DESC);
+CREATE INDEX idx_execution_worker_created ON execution(worker, created DESC);
+CREATE INDEX idx_execution_parent_created ON execution(parent, created DESC);
+CREATE INDEX idx_execution_result_gin ON execution USING GIN (result);
+CREATE INDEX idx_execution_env_vars_gin ON execution USING GIN (env_vars);
+CREATE INDEX idx_execution_original_execution ON execution(original_execution) WHERE original_execution IS NOT NULL;
+CREATE INDEX idx_execution_status_retry ON execution(status, retry_count) WHERE status = 'failed' AND retry_count < COALESCE(max_retries, 0);
+
+-- Trigger
+CREATE TRIGGER update_execution_updated
+    BEFORE UPDATE ON execution
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE execution IS 'Executions represent action runs, supports nested workflows';
+COMMENT ON COLUMN execution.action IS 'Action being executed (may be null if action deleted)';
+COMMENT ON COLUMN execution.action_ref IS 'Action reference (preserved even if action deleted)';
+COMMENT ON COLUMN execution.config IS 'Snapshot of action configuration at execution time';
+COMMENT ON COLUMN execution.env_vars IS 'Environment variables for this execution as key-value pairs (string -> string). These are set in the execution environment and are separate from action parameters. Used for execution context, configuration, and non-sensitive metadata.';
+COMMENT ON COLUMN execution.parent IS 'Parent execution ID for workflow hierarchies (no FK — execution is a hypertable)';
+COMMENT ON COLUMN execution.enforcement IS 'Enforcement that triggered this execution (no FK — both are hypertables)';
+COMMENT ON COLUMN execution.executor IS 'Identity that initiated the execution (no FK — execution is a hypertable)';
+COMMENT ON COLUMN execution.worker IS 'Assigned worker handling this execution (no FK — execution is a hypertable)';
+COMMENT ON COLUMN execution.status IS 'Current execution lifecycle status';
+COMMENT ON COLUMN execution.result IS 'Execution output/results';
+COMMENT ON COLUMN execution.retry_count IS 'Current retry attempt number (0 = first attempt, 1 = first retry, etc.)';
+COMMENT ON COLUMN execution.max_retries IS 'Maximum retries for this execution. Copied from action.max_retries at creation time.';
+COMMENT ON COLUMN execution.retry_reason IS 'Reason for retry (e.g., "worker_unavailable", "transient_error", "manual_retry")';
+COMMENT ON COLUMN execution.original_execution IS 'ID of the original execution if this is a retry. Forms a retry chain.';
+
+-- ============================================================================
+
+-- ============================================================================
+-- INQUIRY TABLE
+-- ============================================================================
+
+CREATE TABLE inquiry (
+    id BIGSERIAL PRIMARY KEY,
+    execution BIGINT NOT NULL, -- references execution(id); no FK because execution is a hypertable
+    prompt TEXT NOT NULL,
+    response_schema JSONB,
+    assigned_to BIGINT REFERENCES identity(id) ON DELETE SET NULL,
+    status inquiry_status_enum NOT NULL DEFAULT 'pending',
+    response JSONB,
+    timeout_at TIMESTAMPTZ,
+    responded_at TIMESTAMPTZ,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_inquiry_execution ON inquiry(execution);
+CREATE INDEX idx_inquiry_assigned_to ON inquiry(assigned_to);
+CREATE INDEX idx_inquiry_status ON inquiry(status);
+CREATE INDEX idx_inquiry_timeout_at ON inquiry(timeout_at) WHERE timeout_at IS NOT NULL;
+CREATE INDEX idx_inquiry_created ON inquiry(created DESC);
+CREATE INDEX idx_inquiry_status_created ON inquiry(status, created DESC);
+CREATE INDEX idx_inquiry_assigned_status ON inquiry(assigned_to, status);
+CREATE INDEX idx_inquiry_execution_status ON inquiry(execution, status);
+CREATE INDEX idx_inquiry_response_gin ON inquiry USING GIN (response);
+
+-- Trigger
+CREATE TRIGGER update_inquiry_updated
+    BEFORE UPDATE ON inquiry
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE inquiry IS 'Inquiries enable human-in-the-loop workflows with async user interactions';
+COMMENT ON COLUMN inquiry.execution IS 'Execution that is waiting on this inquiry (no FK — execution is a hypertable)';
+COMMENT ON COLUMN inquiry.prompt IS 'Question or prompt text for the user';
+COMMENT ON COLUMN inquiry.response_schema IS 'JSON schema defining expected response format';
+COMMENT ON COLUMN inquiry.assigned_to IS 'Identity who should respond to this inquiry';
+COMMENT ON COLUMN inquiry.status IS 'Current inquiry lifecycle status';
+COMMENT ON COLUMN inquiry.response IS 'User response data';
+COMMENT ON COLUMN inquiry.timeout_at IS 'When this inquiry expires';
+COMMENT ON COLUMN inquiry.responded_at IS 'When the response was received';
+
+-- ============================================================================
+
+-- ============================================================================
+-- RULE TABLE
+-- ============================================================================
+
+CREATE TABLE rule (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT NOT NULL,
+    label TEXT NOT NULL,
+    description TEXT,
+    action BIGINT REFERENCES action(id) ON DELETE SET NULL,
+    action_ref TEXT NOT NULL,
+    trigger BIGINT REFERENCES trigger(id) ON DELETE SET NULL,
+    trigger_ref TEXT NOT NULL,
+    conditions JSONB NOT NULL DEFAULT '[]'::jsonb,
+    action_params JSONB DEFAULT '{}'::jsonb,
+    trigger_params JSONB DEFAULT '{}'::jsonb,
+    enabled BOOLEAN NOT NULL,
+    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT rule_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT rule_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
+);
+
+-- Indexes
+CREATE INDEX idx_rule_ref ON rule(ref);
+CREATE INDEX idx_rule_pack ON rule(pack);
+CREATE INDEX idx_rule_action ON rule(action);
+CREATE INDEX idx_rule_trigger ON rule(trigger);
+CREATE INDEX idx_rule_enabled ON rule(enabled) WHERE enabled = TRUE;
+CREATE INDEX idx_rule_is_adhoc ON rule(is_adhoc) WHERE is_adhoc = true;
+CREATE INDEX idx_rule_created ON rule(created DESC);
+CREATE INDEX idx_rule_trigger_enabled ON rule(trigger, enabled);
+CREATE INDEX idx_rule_action_enabled ON rule(action, enabled);
+CREATE INDEX idx_rule_pack_enabled ON rule(pack, enabled);
+CREATE INDEX idx_rule_action_params_gin ON rule USING GIN (action_params);
+CREATE INDEX idx_rule_trigger_params_gin ON rule USING GIN (trigger_params);
+
+-- Trigger
+CREATE TRIGGER update_rule_updated
+    BEFORE UPDATE ON rule
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE rule IS 'Rules link triggers to actions with conditions';
+COMMENT ON COLUMN rule.ref IS 'Unique rule reference (format: pack.name)';
+COMMENT ON COLUMN rule.label IS 'Human-readable rule name';
+COMMENT ON COLUMN rule.action IS 'Action to execute when rule triggers (null if action deleted)';
+COMMENT ON COLUMN rule.trigger IS 'Trigger that activates this rule (null if trigger deleted)';
+COMMENT ON COLUMN rule.conditions IS 'Condition expressions to evaluate before executing action';
+COMMENT ON COLUMN rule.action_params IS 'Parameter overrides for the action';
+COMMENT ON COLUMN rule.trigger_params IS 'Parameter overrides for the trigger';
+COMMENT ON COLUMN rule.enabled IS 'Whether this rule is active';
+COMMENT ON COLUMN rule.is_adhoc IS 'True if rule was manually created (ad-hoc), false if installed from pack';
+
+-- ============================================================================
+
+-- Add foreign key constraints now that rule table exists
+ALTER TABLE enforcement
+    ADD CONSTRAINT enforcement_rule_fkey
+    FOREIGN KEY (rule) REFERENCES rule(id) ON DELETE SET NULL;
+
+ALTER TABLE event
+    ADD CONSTRAINT event_rule_fkey
+    FOREIGN KEY (rule) REFERENCES rule(id) ON DELETE SET NULL;
+
+-- ============================================================================
+-- WORKER TABLE
+-- ============================================================================
+
+CREATE TABLE worker (
+    id BIGSERIAL PRIMARY KEY,
+    name TEXT NOT NULL UNIQUE,
+    worker_type worker_type_enum NOT NULL,
+    worker_role worker_role_enum NOT NULL,
+    runtime BIGINT REFERENCES runtime(id) ON DELETE SET NULL,
+    host TEXT,
+    port INTEGER,
+    status worker_status_enum NOT NULL DEFAULT 'active',
+    capabilities JSONB,
+    meta JSONB,
+    last_heartbeat TIMESTAMPTZ,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_worker_name ON worker(name);
+CREATE INDEX idx_worker_type ON worker(worker_type);
+CREATE INDEX idx_worker_role ON worker(worker_role);
+CREATE INDEX idx_worker_runtime ON worker(runtime);
+CREATE INDEX idx_worker_status ON worker(status);
+CREATE INDEX idx_worker_last_heartbeat ON worker(last_heartbeat DESC) WHERE last_heartbeat IS NOT NULL;
+CREATE INDEX idx_worker_created ON worker(created DESC);
+CREATE INDEX idx_worker_status_role ON worker(status, worker_role);
+CREATE INDEX idx_worker_capabilities_gin ON worker USING GIN (capabilities);
+CREATE INDEX idx_worker_meta_gin ON worker USING GIN (meta);
+CREATE INDEX idx_worker_capabilities_health_status ON worker USING GIN ((capabilities -> 'health' -> 'status'));
+
+-- Trigger
+CREATE TRIGGER update_worker_updated
+    BEFORE UPDATE ON worker
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE worker IS 'Worker registration and tracking table for action and sensor workers';
+COMMENT ON COLUMN worker.name IS 'Unique worker identifier (typically hostname-based)';
+COMMENT ON COLUMN worker.worker_type IS 'Worker deployment type (local or remote)';
+COMMENT ON COLUMN worker.worker_role IS 'Worker role (action or sensor)';
+COMMENT ON COLUMN worker.runtime IS 'Runtime environment this worker supports (optional)';
+COMMENT ON COLUMN worker.host IS 'Worker host address';
+COMMENT ON COLUMN worker.port IS 'Worker port number';
+COMMENT ON COLUMN worker.status IS 'Worker operational status';
+COMMENT ON COLUMN worker.capabilities IS 'Worker capabilities (e.g., max_concurrent_executions, supported runtimes)';
+COMMENT ON COLUMN worker.meta IS 'Additional worker metadata';
+COMMENT ON COLUMN worker.last_heartbeat IS 'Timestamp of last heartbeat from worker';
+
+-- ============================================================================
+-- NOTIFICATION TABLE
+-- ============================================================================
+
+CREATE TABLE notification (
+    id BIGSERIAL PRIMARY KEY,
+    channel TEXT NOT NULL,
+    entity_type TEXT NOT NULL,
+    entity TEXT NOT NULL,
+    activity TEXT NOT NULL,
+    state notification_status_enum NOT NULL DEFAULT 'created',
+    content JSONB,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_notification_channel ON notification(channel);
+CREATE INDEX idx_notification_entity_type ON notification(entity_type);
+CREATE INDEX idx_notification_entity ON notification(entity);
+CREATE INDEX idx_notification_state ON notification(state);
+CREATE INDEX idx_notification_created ON notification(created DESC);
+CREATE INDEX idx_notification_channel_state ON notification(channel, state);
+CREATE INDEX idx_notification_entity_type_entity ON notification(entity_type, entity);
+CREATE INDEX idx_notification_state_created ON notification(state, created DESC);
+CREATE INDEX idx_notification_content_gin ON notification USING GIN (content);
+
+-- Trigger
+CREATE TRIGGER update_notification_updated
+    BEFORE UPDATE ON notification
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Function for pg_notify on notification insert
+CREATE OR REPLACE FUNCTION notify_on_insert()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload TEXT;
+BEGIN
+    -- Build JSON payload with id, entity, and activity
+    payload := json_build_object(
+        'id', NEW.id,
+        'entity_type', NEW.entity_type,
+        'entity', NEW.entity,
+        'activity', NEW.activity
+    )::text;
+
+    -- Send notification to the specified channel
+    PERFORM pg_notify(NEW.channel, payload);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger to send pg_notify on notification insert
+CREATE TRIGGER notify_on_notification_insert
+    AFTER INSERT ON notification
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_on_insert();
+
+-- Comments
+COMMENT ON TABLE notification IS 'System notifications about entity changes for real-time updates';
+COMMENT ON COLUMN notification.channel IS 'Notification channel (typically table name)';
+COMMENT ON COLUMN notification.entity_type IS 'Type of entity (table name)';
+COMMENT ON COLUMN notification.entity IS 'Entity identifier (typically ID or ref)';
+COMMENT ON COLUMN notification.activity IS 'Activity type (e.g., "created", "updated", "completed")';
+COMMENT ON COLUMN notification.state IS 'Processing state of notification';
+COMMENT ON COLUMN notification.content IS 'Optional notification payload data';
+
+-- ============================================================================
+-- WORKER HEALTH VIEWS AND FUNCTIONS
+-- ============================================================================
+
+-- View for healthy workers (convenience for queries)
+CREATE OR REPLACE VIEW healthy_workers AS
+SELECT
+    w.id,
+    w.name,
+    w.worker_type,
+    w.worker_role,
+    w.runtime,
+    w.status,
+    w.capabilities,
+    w.last_heartbeat,
+    (w.capabilities -> 'health' ->> 'status')::TEXT as health_status,
+    (w.capabilities -> 'health' ->> 'queue_depth')::INTEGER as queue_depth,
+    (w.capabilities -> 'health' ->> 'consecutive_failures')::INTEGER as consecutive_failures
+FROM worker w
+WHERE
+    w.status = 'active'
+    AND w.last_heartbeat > NOW() - INTERVAL '30 seconds'
+    AND (
+        -- Healthy if no health info (backward compatible)
+        w.capabilities -> 'health' IS NULL
+        OR
+        -- Or explicitly marked healthy
+        w.capabilities -> 'health' ->> 'status' IN ('healthy', 'degraded')
+    );
+
+COMMENT ON VIEW healthy_workers IS 'Workers that are active, have fresh heartbeat, and are healthy or degraded (not unhealthy)';
+
+-- Function to get worker queue depth estimate
+CREATE OR REPLACE FUNCTION get_worker_queue_depth(worker_id_param BIGINT)
+RETURNS INTEGER AS $$
+BEGIN
+    RETURN (
+        SELECT (capabilities -> 'health' ->> 'queue_depth')::INTEGER
+        FROM worker
+        WHERE id = worker_id_param
+    );
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION get_worker_queue_depth IS 'Extract current queue depth from worker health metadata';
+
+-- Function to check if execution is retriable
+CREATE OR REPLACE FUNCTION is_execution_retriable(execution_id_param BIGINT)
+RETURNS BOOLEAN AS $$
+DECLARE
+    exec_record RECORD;
+BEGIN
+    SELECT
+        e.retry_count,
+        e.max_retries,
+        e.status
+    INTO exec_record
+    FROM execution e
+    WHERE e.id = execution_id_param;
+
+    IF NOT FOUND THEN
+        RETURN FALSE;
+    END IF;
+
+    -- Can retry if:
+    -- 1. Status is failed
+    -- 2. max_retries is set and > 0
+    -- 3. retry_count < max_retries
+    RETURN (
+        exec_record.status = 'failed'
+        AND exec_record.max_retries IS NOT NULL
+        AND exec_record.max_retries > 0
+        AND exec_record.retry_count < exec_record.max_retries
+    );
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION is_execution_retriable IS 'Check if a failed execution can be automatically retried based on retry limits';
--- a/docker/distributable/migrations/20250101000006_workflow_system.sql
+++ b/docker/distributable/migrations/20250101000006_workflow_system.sql
@@ -0,0 +1,145 @@
+-- Migration: Workflow System
+-- Description: Creates workflow_definition and workflow_execution tables
+--              (workflow_task_execution consolidated into execution.workflow_task JSONB)
+--
+--              NOTE: The execution table is converted to a TimescaleDB hypertable in
+--              migration 000009. Hypertables cannot be the target of FK constraints,
+--              so workflow_execution.execution is a plain BIGINT with no FK.
+--              execution.workflow_def also has no FK (added as plain BIGINT in 000005)
+--              since execution is a hypertable and FKs from hypertables are only
+--              supported for simple cases — we omit it for consistency.
+-- Version: 20250101000006
+
+-- ============================================================================
+-- WORKFLOW DEFINITION TABLE
+-- ============================================================================
+
+CREATE TABLE workflow_definition (
+    id BIGSERIAL PRIMARY KEY,
+    ref VARCHAR(255) NOT NULL UNIQUE,
+    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref VARCHAR(255) NOT NULL,
+    label VARCHAR(255) NOT NULL,
+    description TEXT,
+    version VARCHAR(50) NOT NULL,
+    param_schema JSONB,
+    out_schema JSONB,
+    definition JSONB NOT NULL,
+    tags TEXT[] DEFAULT '{}',
+    created TIMESTAMPTZ DEFAULT NOW() NOT NULL,
+    updated TIMESTAMPTZ DEFAULT NOW() NOT NULL
+);
+
+-- Indexes
+CREATE INDEX idx_workflow_def_pack ON workflow_definition(pack);
+CREATE INDEX idx_workflow_def_ref ON workflow_definition(ref);
+CREATE INDEX idx_workflow_def_tags ON workflow_definition USING gin(tags);
+
+-- Trigger
+CREATE TRIGGER update_workflow_definition_updated
+    BEFORE UPDATE ON workflow_definition
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE workflow_definition IS 'Stores workflow definitions (YAML parsed to JSON)';
+COMMENT ON COLUMN workflow_definition.ref IS 'Unique workflow reference (e.g., pack_name.workflow_name)';
+COMMENT ON COLUMN workflow_definition.definition IS 'Complete workflow specification including tasks, variables, and transitions';
+COMMENT ON COLUMN workflow_definition.param_schema IS 'JSON schema for workflow input parameters';
+COMMENT ON COLUMN workflow_definition.out_schema IS 'JSON schema for workflow output';
+
+-- ============================================================================
+-- WORKFLOW EXECUTION TABLE
+-- ============================================================================
+
+CREATE TABLE workflow_execution (
+    id BIGSERIAL PRIMARY KEY,
+    execution BIGINT NOT NULL, -- references execution(id); no FK because execution is a hypertable
+    workflow_def BIGINT NOT NULL REFERENCES workflow_definition(id) ON DELETE CASCADE,
+    current_tasks TEXT[] DEFAULT '{}',
+    completed_tasks TEXT[] DEFAULT '{}',
+    failed_tasks TEXT[] DEFAULT '{}',
+    skipped_tasks TEXT[] DEFAULT '{}',
+    variables JSONB DEFAULT '{}',
+    task_graph JSONB NOT NULL,
+    status execution_status_enum NOT NULL DEFAULT 'requested',
+    error_message TEXT,
+    paused BOOLEAN DEFAULT false NOT NULL,
+    pause_reason TEXT,
+    created TIMESTAMPTZ DEFAULT NOW() NOT NULL,
+    updated TIMESTAMPTZ DEFAULT NOW() NOT NULL
+);
+
+-- Indexes
+CREATE INDEX idx_workflow_exec_execution ON workflow_execution(execution);
+CREATE INDEX idx_workflow_exec_workflow_def ON workflow_execution(workflow_def);
+CREATE INDEX idx_workflow_exec_status ON workflow_execution(status);
+CREATE INDEX idx_workflow_exec_paused ON workflow_execution(paused) WHERE paused = true;
+
+-- Trigger
+CREATE TRIGGER update_workflow_execution_updated
+    BEFORE UPDATE ON workflow_execution
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE workflow_execution IS 'Runtime state tracking for workflow executions. execution column has no FK — execution is a hypertable.';
+COMMENT ON COLUMN workflow_execution.variables IS 'Workflow-scoped variables, updated via publish directives';
+COMMENT ON COLUMN workflow_execution.task_graph IS 'Execution graph with dependencies and transitions';
+COMMENT ON COLUMN workflow_execution.current_tasks IS 'Array of task names currently executing';
+COMMENT ON COLUMN workflow_execution.paused IS 'True if workflow execution is paused (can be resumed)';
+
+-- ============================================================================
+-- MODIFY ACTION TABLE - Add Workflow Support
+-- ============================================================================
+
+ALTER TABLE action
+    ADD COLUMN workflow_def BIGINT REFERENCES workflow_definition(id) ON DELETE CASCADE;
+
+CREATE INDEX idx_action_workflow_def ON action(workflow_def);
+
+COMMENT ON COLUMN action.workflow_def IS 'Reference to workflow definition (non-null means this action is a workflow)';
+
+-- NOTE: execution.workflow_def has no FK constraint because execution is a
+-- TimescaleDB hypertable (converted in migration 000009). The column was
+-- created as a plain BIGINT in migration 000005.
+
+-- ============================================================================
+-- WORKFLOW VIEWS
+-- ============================================================================
+
+CREATE VIEW workflow_execution_summary AS
+SELECT
+    we.id,
+    we.execution,
+    wd.ref as workflow_ref,
+    wd.label as workflow_label,
+    wd.version as workflow_version,
+    we.status,
+    we.paused,
+    array_length(we.current_tasks, 1) as current_task_count,
+    array_length(we.completed_tasks, 1) as completed_task_count,
+    array_length(we.failed_tasks, 1) as failed_task_count,
+    array_length(we.skipped_tasks, 1) as skipped_task_count,
+    we.error_message,
+    we.created,
+    we.updated
+FROM workflow_execution we
+JOIN workflow_definition wd ON we.workflow_def = wd.id;
+
+COMMENT ON VIEW workflow_execution_summary IS 'Summary view of workflow executions with task counts';
+
+CREATE VIEW workflow_action_link AS
+SELECT
+    wd.id as workflow_def_id,
+    wd.ref as workflow_ref,
+    wd.label,
+    wd.version,
+    a.id as action_id,
+    a.ref as action_ref,
+    a.pack as pack_id,
+    a.pack_ref
+FROM workflow_definition wd
+LEFT JOIN action a ON a.workflow_def = wd.id;
+
+COMMENT ON VIEW workflow_action_link IS 'Links workflow definitions to their corresponding action records';
--- a/docker/distributable/migrations/20250101000007_supporting_systems.sql
+++ b/docker/distributable/migrations/20250101000007_supporting_systems.sql
@@ -0,0 +1,779 @@
+-- Migration: Supporting Systems
+-- Description: Creates keys, artifacts, queue_stats, pack_environment, pack_testing,
+--              and webhook function tables.
+--              Consolidates former migrations: 000009 (keys_artifacts), 000010 (webhook_system),
+--              000011 (pack_environments), and 000012 (pack_testing).
+-- Version: 20250101000007
+
+-- ============================================================================
+-- KEY TABLE
+-- ============================================================================
+
+CREATE TABLE key (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL UNIQUE,
+    owner_type owner_type_enum NOT NULL,
+    owner TEXT,
+    owner_identity BIGINT REFERENCES identity(id),
+    owner_pack BIGINT REFERENCES pack(id),
+    owner_pack_ref TEXT,
+    owner_action BIGINT, -- Forward reference to action table
+    owner_action_ref TEXT,
+    owner_sensor BIGINT, -- Forward reference to sensor table
+    owner_sensor_ref TEXT,
+    name TEXT NOT NULL,
+    encrypted BOOLEAN NOT NULL,
+    encryption_key_hash TEXT,
+    value TEXT NOT NULL,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Constraints
+    CONSTRAINT key_ref_lowercase CHECK (ref = LOWER(ref)),
+    CONSTRAINT key_ref_format CHECK (ref ~ '^[^.]+(\.[^.]+)*$')
+);
+
+-- Unique index on owner_type, owner, name
+CREATE UNIQUE INDEX idx_key_unique ON key(owner_type, owner, name);
+
+-- Indexes
+CREATE INDEX idx_key_ref ON key(ref);
+CREATE INDEX idx_key_owner_type ON key(owner_type);
+CREATE INDEX idx_key_owner_identity ON key(owner_identity);
+CREATE INDEX idx_key_owner_pack ON key(owner_pack);
+CREATE INDEX idx_key_owner_action ON key(owner_action);
+CREATE INDEX idx_key_owner_sensor ON key(owner_sensor);
+CREATE INDEX idx_key_created ON key(created DESC);
+CREATE INDEX idx_key_owner_type_owner ON key(owner_type, owner);
+CREATE INDEX idx_key_owner_identity_name ON key(owner_identity, name);
+CREATE INDEX idx_key_owner_pack_name ON key(owner_pack, name);
+
+-- Function to validate and set owner fields
+CREATE OR REPLACE FUNCTION validate_key_owner()
+RETURNS TRIGGER AS $$
+DECLARE
+    owner_count INTEGER := 0;
+BEGIN
+    -- Count how many owner fields are set
+    IF NEW.owner_identity IS NOT NULL THEN owner_count := owner_count + 1; END IF;
+    IF NEW.owner_pack IS NOT NULL THEN owner_count := owner_count + 1; END IF;
+    IF NEW.owner_action IS NOT NULL THEN owner_count := owner_count + 1; END IF;
+    IF NEW.owner_sensor IS NOT NULL THEN owner_count := owner_count + 1; END IF;
+
+    -- System owner should have no owner fields set
+    IF NEW.owner_type = 'system' THEN
+        IF owner_count > 0 THEN
+            RAISE EXCEPTION 'System owner cannot have specific owner fields set';
+        END IF;
+        NEW.owner := 'system';
+    -- All other types must have exactly one owner field set
+    ELSIF owner_count != 1 THEN
+        RAISE EXCEPTION 'Exactly one owner field must be set for owner_type %', NEW.owner_type;
+    -- Validate owner_type matches the populated field and set owner
+    ELSIF NEW.owner_type = 'identity' THEN
+        IF NEW.owner_identity IS NULL THEN
+            RAISE EXCEPTION 'owner_identity must be set for owner_type identity';
+        END IF;
+        NEW.owner := NEW.owner_identity::TEXT;
+    ELSIF NEW.owner_type = 'pack' THEN
+        IF NEW.owner_pack IS NULL THEN
+            RAISE EXCEPTION 'owner_pack must be set for owner_type pack';
+        END IF;
+        NEW.owner := NEW.owner_pack::TEXT;
+    ELSIF NEW.owner_type = 'action' THEN
+        IF NEW.owner_action IS NULL THEN
+            RAISE EXCEPTION 'owner_action must be set for owner_type action';
+        END IF;
+        NEW.owner := NEW.owner_action::TEXT;
+    ELSIF NEW.owner_type = 'sensor' THEN
+        IF NEW.owner_sensor IS NULL THEN
+            RAISE EXCEPTION 'owner_sensor must be set for owner_type sensor';
+        END IF;
+        NEW.owner := NEW.owner_sensor::TEXT;
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger to validate owner fields
+CREATE TRIGGER validate_key_owner_trigger
+    BEFORE INSERT OR UPDATE ON key
+    FOR EACH ROW
+    EXECUTE FUNCTION validate_key_owner();
+
+-- Trigger for updated timestamp
+CREATE TRIGGER update_key_updated
+    BEFORE UPDATE ON key
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE key IS 'Keys store configuration values and secrets with ownership scoping';
+COMMENT ON COLUMN key.ref IS 'Unique key reference (format: [owner.]name)';
+COMMENT ON COLUMN key.owner_type IS 'Type of owner (system, identity, pack, action, sensor)';
+COMMENT ON COLUMN key.owner IS 'Owner identifier (auto-populated by trigger)';
+COMMENT ON COLUMN key.owner_identity IS 'Identity owner (if owner_type=identity)';
+COMMENT ON COLUMN key.owner_pack IS 'Pack owner (if owner_type=pack)';
+COMMENT ON COLUMN key.owner_pack_ref IS 'Pack reference for owner_pack';
+COMMENT ON COLUMN key.owner_action IS 'Action owner (if owner_type=action)';
+COMMENT ON COLUMN key.owner_sensor IS 'Sensor owner (if owner_type=sensor)';
+COMMENT ON COLUMN key.name IS 'Key name within owner scope';
+COMMENT ON COLUMN key.encrypted IS 'Whether the value is encrypted';
+COMMENT ON COLUMN key.encryption_key_hash IS 'Hash of encryption key used';
+COMMENT ON COLUMN key.value IS 'The actual value (encrypted if encrypted=true)';
+
+
+-- Add foreign key constraints for action and sensor references
+ALTER TABLE key
+    ADD CONSTRAINT key_owner_action_fkey
+    FOREIGN KEY (owner_action) REFERENCES action(id) ON DELETE CASCADE;
+
+ALTER TABLE key
+    ADD CONSTRAINT key_owner_sensor_fkey
+    FOREIGN KEY (owner_sensor) REFERENCES sensor(id) ON DELETE CASCADE;
+
+-- ============================================================================
+-- ARTIFACT TABLE
+-- ============================================================================
+
+CREATE TABLE artifact (
+    id BIGSERIAL PRIMARY KEY,
+    ref TEXT NOT NULL,
+    scope owner_type_enum NOT NULL DEFAULT 'system',
+    owner TEXT NOT NULL DEFAULT '',
+    type artifact_type_enum NOT NULL,
+    visibility artifact_visibility_enum NOT NULL DEFAULT 'private',
+    retention_policy artifact_retention_enum NOT NULL DEFAULT 'versions',
+    retention_limit INTEGER NOT NULL DEFAULT 1,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_artifact_ref ON artifact(ref);
+CREATE INDEX idx_artifact_scope ON artifact(scope);
+CREATE INDEX idx_artifact_owner ON artifact(owner);
+CREATE INDEX idx_artifact_type ON artifact(type);
+CREATE INDEX idx_artifact_created ON artifact(created DESC);
+CREATE INDEX idx_artifact_scope_owner ON artifact(scope, owner);
+CREATE INDEX idx_artifact_type_created ON artifact(type, created DESC);
+CREATE INDEX idx_artifact_visibility ON artifact(visibility);
+CREATE INDEX idx_artifact_visibility_scope ON artifact(visibility, scope, owner);
+
+-- Trigger
+CREATE TRIGGER update_artifact_updated
+    BEFORE UPDATE ON artifact
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE artifact IS 'Artifacts track files, logs, and outputs from executions';
+COMMENT ON COLUMN artifact.ref IS 'Artifact reference/path';
+COMMENT ON COLUMN artifact.scope IS 'Owner type (system, identity, pack, action, sensor)';
+COMMENT ON COLUMN artifact.owner IS 'Owner identifier';
+COMMENT ON COLUMN artifact.type IS 'Artifact type (file, url, progress, etc.)';
+COMMENT ON COLUMN artifact.visibility IS 'Visibility level: public (all users) or private (scoped by scope/owner)';
+COMMENT ON COLUMN artifact.retention_policy IS 'How to retain artifacts (versions, days, hours, minutes)';
+COMMENT ON COLUMN artifact.retention_limit IS 'Numeric limit for retention policy';
+
+-- ============================================================================
+-- QUEUE_STATS TABLE
+-- ============================================================================
+
+CREATE TABLE queue_stats (
+    action_id BIGINT PRIMARY KEY REFERENCES action(id) ON DELETE CASCADE,
+    queue_length INTEGER NOT NULL DEFAULT 0,
+    active_count INTEGER NOT NULL DEFAULT 0,
+    max_concurrent INTEGER NOT NULL DEFAULT 1,
+    oldest_enqueued_at TIMESTAMPTZ,
+    total_enqueued BIGINT NOT NULL DEFAULT 0,
+    total_completed BIGINT NOT NULL DEFAULT 0,
+    last_updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Indexes
+CREATE INDEX idx_queue_stats_last_updated ON queue_stats(last_updated);
+
+-- Comments
+COMMENT ON TABLE queue_stats IS 'Real-time queue statistics for action execution ordering';
+COMMENT ON COLUMN queue_stats.action_id IS 'Foreign key to action table';
+COMMENT ON COLUMN queue_stats.queue_length IS 'Number of executions waiting in queue';
+COMMENT ON COLUMN queue_stats.active_count IS 'Number of currently running executions';
+COMMENT ON COLUMN queue_stats.max_concurrent IS 'Maximum concurrent executions allowed';
+COMMENT ON COLUMN queue_stats.oldest_enqueued_at IS 'Timestamp of oldest queued execution (NULL if queue empty)';
+COMMENT ON COLUMN queue_stats.total_enqueued IS 'Total executions enqueued since queue creation';
+COMMENT ON COLUMN queue_stats.total_completed IS 'Total executions completed since queue creation';
+COMMENT ON COLUMN queue_stats.last_updated IS 'Timestamp of last statistics update';
+
+-- ============================================================================
+-- PACK ENVIRONMENT TABLE
+-- ============================================================================
+
+CREATE TABLE IF NOT EXISTS pack_environment (
+    id BIGSERIAL PRIMARY KEY,
+    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
+    pack_ref TEXT NOT NULL,
+    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
+    runtime_ref TEXT NOT NULL,
+    env_path TEXT NOT NULL,
+    status pack_environment_status_enum NOT NULL DEFAULT 'pending',
+    installed_at TIMESTAMPTZ,
+    last_verified TIMESTAMPTZ,
+    install_log TEXT,
+    install_error TEXT,
+    metadata JSONB DEFAULT '{}'::jsonb,
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE(pack, runtime)
+);
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_pack_environment_pack ON pack_environment(pack);
+CREATE INDEX IF NOT EXISTS idx_pack_environment_runtime ON pack_environment(runtime);
+CREATE INDEX IF NOT EXISTS idx_pack_environment_status ON pack_environment(status);
+CREATE INDEX IF NOT EXISTS idx_pack_environment_pack_ref ON pack_environment(pack_ref);
+CREATE INDEX IF NOT EXISTS idx_pack_environment_runtime_ref ON pack_environment(runtime_ref);
+CREATE INDEX IF NOT EXISTS idx_pack_environment_pack_runtime ON pack_environment(pack, runtime);
+
+-- Trigger for updated timestamp
+CREATE TRIGGER update_pack_environment_updated
+    BEFORE UPDATE ON pack_environment
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_column();
+
+-- Comments
+COMMENT ON TABLE pack_environment IS 'Tracks pack-specific runtime environments for dependency isolation';
+COMMENT ON COLUMN pack_environment.pack IS 'Pack that owns this environment';
+COMMENT ON COLUMN pack_environment.pack_ref IS 'Pack reference for quick lookup';
+COMMENT ON COLUMN pack_environment.runtime IS 'Runtime used for this environment';
+COMMENT ON COLUMN pack_environment.runtime_ref IS 'Runtime reference for quick lookup';
+COMMENT ON COLUMN pack_environment.env_path IS 'Filesystem path to the environment directory (e.g., /opt/attune/packenvs/mypack/python)';
+COMMENT ON COLUMN pack_environment.status IS 'Current installation status';
+COMMENT ON COLUMN pack_environment.installed_at IS 'When the environment was successfully installed';
+COMMENT ON COLUMN pack_environment.last_verified IS 'Last time the environment was verified as working';
+COMMENT ON COLUMN pack_environment.install_log IS 'Installation output logs';
+COMMENT ON COLUMN pack_environment.install_error IS 'Error message if installation failed';
+COMMENT ON COLUMN pack_environment.metadata IS 'Additional metadata (installed packages, versions, etc.)';
+
+-- ============================================================================
+-- PACK ENVIRONMENT: Update existing runtimes with installer metadata
+-- ============================================================================
+
+-- Python runtime installers
+UPDATE runtime
+SET installers = jsonb_build_object(
+    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
+    'installers', jsonb_build_array(
+        jsonb_build_object(
+            'name', 'create_venv',
+            'description', 'Create Python virtual environment',
+            'command', 'python3',
+            'args', jsonb_build_array('-m', 'venv', '{env_path}'),
+            'cwd', '{pack_path}',
+            'env', jsonb_build_object(),
+            'order', 1,
+            'optional', false
+        ),
+        jsonb_build_object(
+            'name', 'upgrade_pip',
+            'description', 'Upgrade pip to latest version',
+            'command', '{env_path}/bin/pip',
+            'args', jsonb_build_array('install', '--upgrade', 'pip'),
+            'cwd', '{pack_path}',
+            'env', jsonb_build_object(),
+            'order', 2,
+            'optional', true
+        ),
+        jsonb_build_object(
+            'name', 'install_requirements',
+            'description', 'Install pack Python dependencies',
+            'command', '{env_path}/bin/pip',
+            'args', jsonb_build_array('install', '-r', '{pack_path}/requirements.txt'),
+            'cwd', '{pack_path}',
+            'env', jsonb_build_object(),
+            'order', 3,
+            'optional', false,
+            'condition', jsonb_build_object(
+                'file_exists', '{pack_path}/requirements.txt'
+            )
+        )
+    ),
+    'executable_templates', jsonb_build_object(
+        'python', '{env_path}/bin/python',
+        'pip', '{env_path}/bin/pip'
+    )
+)
+WHERE ref = 'core.python';
+
+-- Node.js runtime installers
+UPDATE runtime
+SET installers = jsonb_build_object(
+    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
+    'installers', jsonb_build_array(
+        jsonb_build_object(
+            'name', 'npm_install',
+            'description', 'Install Node.js dependencies',
+            'command', 'npm',
+            'args', jsonb_build_array('install', '--prefix', '{env_path}'),
+            'cwd', '{pack_path}',
+            'env', jsonb_build_object(
+                'NODE_PATH', '{env_path}/node_modules'
+            ),
+            'order', 1,
+            'optional', false,
+            'condition', jsonb_build_object(
+                'file_exists', '{pack_path}/package.json'
+            )
+        )
+    ),
+    'executable_templates', jsonb_build_object(
+        'node', 'node',
+        'npm', 'npm'
+    ),
+    'env_vars', jsonb_build_object(
+        'NODE_PATH', '{env_path}/node_modules'
+    )
+)
+WHERE ref = 'core.nodejs';
+
+-- Shell runtime (no environment needed, uses system shell)
+UPDATE runtime
+SET installers = jsonb_build_object(
+    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
+    'installers', jsonb_build_array(),
+    'executable_templates', jsonb_build_object(
+        'sh', 'sh',
+        'bash', 'bash'
+    ),
+    'requires_environment', false
+)
+WHERE ref = 'core.shell';
+
+-- Native runtime (no environment needed, binaries are standalone)
+UPDATE runtime
+SET installers = jsonb_build_object(
+    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
+    'installers', jsonb_build_array(),
+    'executable_templates', jsonb_build_object(),
+    'requires_environment', false
+)
+WHERE ref = 'core.native';
+
+-- Built-in sensor runtime (internal, no environment)
+UPDATE runtime
+SET installers = jsonb_build_object(
+    'installers', jsonb_build_array(),
+    'requires_environment', false
+)
+WHERE ref = 'core.sensor.builtin';
+
+-- ============================================================================
+-- PACK ENVIRONMENT: Helper functions
+-- ============================================================================
+
+-- Function to get environment path for a pack/runtime combination
+CREATE OR REPLACE FUNCTION get_pack_environment_path(p_pack_ref TEXT, p_runtime_ref TEXT)
+RETURNS TEXT AS $$
+DECLARE
+    v_runtime_name TEXT;
+    v_base_template TEXT;
+    v_result TEXT;
+BEGIN
+    -- Get runtime name and base path template
+    SELECT
+        LOWER(name),
+        installers->>'base_path_template'
+    INTO v_runtime_name, v_base_template
+    FROM runtime
+    WHERE ref = p_runtime_ref;
+
+    IF v_base_template IS NULL THEN
+        v_base_template := '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}';
+    END IF;
+
+    -- Replace template variables
+    v_result := v_base_template;
+    v_result := REPLACE(v_result, '{pack_ref}', p_pack_ref);
+    v_result := REPLACE(v_result, '{runtime_ref}', p_runtime_ref);
+    v_result := REPLACE(v_result, '{runtime_name_lower}', v_runtime_name);
+
+    RETURN v_result;
+END;
+$$ LANGUAGE plpgsql IMMUTABLE;
+
+COMMENT ON FUNCTION get_pack_environment_path IS 'Calculate the filesystem path for a pack runtime environment';
+
+-- Function to check if a runtime requires an environment
+CREATE OR REPLACE FUNCTION runtime_requires_environment(p_runtime_ref TEXT)
+RETURNS BOOLEAN AS $$
+DECLARE
+    v_requires BOOLEAN;
+BEGIN
+    SELECT COALESCE((installers->>'requires_environment')::boolean, true)
+    INTO v_requires
+    FROM runtime
+    WHERE ref = p_runtime_ref;
+
+    RETURN COALESCE(v_requires, false);
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION runtime_requires_environment IS 'Check if a runtime needs a pack-specific environment';
+
+-- ============================================================================
+-- PACK ENVIRONMENT: Status view
+-- ============================================================================
+
+CREATE OR REPLACE VIEW v_pack_environment_status AS
+SELECT
+    pe.id,
+    pe.pack,
+    p.ref AS pack_ref,
+    p.label AS pack_name,
+    pe.runtime,
+    r.ref AS runtime_ref,
+    r.name AS runtime_name,
+    pe.env_path,
+    pe.status,
+    pe.installed_at,
+    pe.last_verified,
+    CASE
+        WHEN pe.status = 'ready' AND pe.last_verified < NOW() - INTERVAL '7 days' THEN true
+        ELSE false
+    END AS needs_verification,
+    CASE
+        WHEN pe.status = 'ready' THEN 'healthy'
+        WHEN pe.status = 'failed' THEN 'unhealthy'
+        WHEN pe.status IN ('pending', 'installing') THEN 'provisioning'
+        WHEN pe.status = 'outdated' THEN 'needs_update'
+        ELSE 'unknown'
+    END AS health_status,
+    pe.install_error,
+    pe.created,
+    pe.updated
+FROM pack_environment pe
+JOIN pack p ON pe.pack = p.id
+JOIN runtime r ON pe.runtime = r.id;
+
+COMMENT ON VIEW v_pack_environment_status IS 'Consolidated view of pack environment status with health indicators';
+
+-- ============================================================================
+-- PACK TEST EXECUTION TABLE
+-- ============================================================================
+
+CREATE TABLE IF NOT EXISTS pack_test_execution (
+    id BIGSERIAL PRIMARY KEY,
+    pack_id BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
+    pack_version VARCHAR(50) NOT NULL,
+    execution_time TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    trigger_reason VARCHAR(50) NOT NULL, -- 'install', 'update', 'manual', 'validation'
+    total_tests INT NOT NULL,
+    passed INT NOT NULL,
+    failed INT NOT NULL,
+    skipped INT NOT NULL,
+    pass_rate DECIMAL(5,4) NOT NULL, -- 0.0000 to 1.0000
+    duration_ms BIGINT NOT NULL,
+    result JSONB NOT NULL, -- Full test result structure
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    CONSTRAINT valid_test_counts CHECK (total_tests >= 0 AND passed >= 0 AND failed >= 0 AND skipped >= 0),
+    CONSTRAINT valid_pass_rate CHECK (pass_rate >= 0.0 AND pass_rate <= 1.0),
+    CONSTRAINT valid_trigger_reason CHECK (trigger_reason IN ('install', 'update', 'manual', 'validation'))
+);
+
+-- Indexes for efficient queries
+CREATE INDEX idx_pack_test_execution_pack_id ON pack_test_execution(pack_id);
+CREATE INDEX idx_pack_test_execution_time ON pack_test_execution(execution_time DESC);
+CREATE INDEX idx_pack_test_execution_pass_rate ON pack_test_execution(pass_rate);
+CREATE INDEX idx_pack_test_execution_trigger ON pack_test_execution(trigger_reason);
+
+-- Comments for documentation
+COMMENT ON TABLE pack_test_execution IS 'Tracks pack test execution results for validation and auditing';
+COMMENT ON COLUMN pack_test_execution.pack_id IS 'Reference to the pack being tested';
+COMMENT ON COLUMN pack_test_execution.pack_version IS 'Version of the pack at test time';
+COMMENT ON COLUMN pack_test_execution.trigger_reason IS 'What triggered the test: install, update, manual, validation';
+COMMENT ON COLUMN pack_test_execution.pass_rate IS 'Percentage of tests passed (0.0 to 1.0)';
+COMMENT ON COLUMN pack_test_execution.result IS 'Full JSON structure with detailed test results';
+
+-- Pack test result summary view (all test executions with pack info)
+CREATE OR REPLACE VIEW pack_test_summary AS
+SELECT
+    p.id AS pack_id,
+    p.ref AS pack_ref,
+    p.label AS pack_label,
+    pte.id AS test_execution_id,
+    pte.pack_version,
+    pte.execution_time AS test_time,
+    pte.trigger_reason,
+    pte.total_tests,
+    pte.passed,
+    pte.failed,
+    pte.skipped,
+    pte.pass_rate,
+    pte.duration_ms,
+    ROW_NUMBER() OVER (PARTITION BY p.id ORDER BY pte.execution_time DESC) AS rn
+FROM pack p
+LEFT JOIN pack_test_execution pte ON p.id = pte.pack_id
+WHERE pte.id IS NOT NULL;
+
+COMMENT ON VIEW pack_test_summary IS 'Summary of all pack test executions with pack details';
+
+-- Latest test results per pack view
+CREATE OR REPLACE VIEW pack_latest_test AS
+SELECT
+    pack_id,
+    pack_ref,
+    pack_label,
+    test_execution_id,
+    pack_version,
+    test_time,
+    trigger_reason,
+    total_tests,
+    passed,
+    failed,
+    skipped,
+    pass_rate,
+    duration_ms
+FROM pack_test_summary
+WHERE rn = 1;
+
+COMMENT ON VIEW pack_latest_test IS 'Latest test results for each pack';
+
+-- Function to get pack test statistics
+CREATE OR REPLACE FUNCTION get_pack_test_stats(p_pack_id BIGINT)
+RETURNS TABLE (
+    total_executions BIGINT,
+    successful_executions BIGINT,
+    failed_executions BIGINT,
+    avg_pass_rate DECIMAL,
+    avg_duration_ms BIGINT,
+    last_test_time TIMESTAMPTZ,
+    last_test_passed BOOLEAN
+) AS $$
+BEGIN
+    RETURN QUERY
+    SELECT
+        COUNT(*)::BIGINT AS total_executions,
+        COUNT(*) FILTER (WHERE passed = total_tests)::BIGINT AS successful_executions,
+        COUNT(*) FILTER (WHERE failed > 0)::BIGINT AS failed_executions,
+        AVG(pass_rate) AS avg_pass_rate,
+        AVG(duration_ms)::BIGINT AS avg_duration_ms,
+        MAX(execution_time) AS last_test_time,
+        (SELECT failed = 0 FROM pack_test_execution
+         WHERE pack_id = p_pack_id
+         ORDER BY execution_time DESC
+         LIMIT 1) AS last_test_passed
+    FROM pack_test_execution
+    WHERE pack_id = p_pack_id;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION get_pack_test_stats IS 'Get statistical summary of test executions for a pack';
+
+-- Function to check if pack has recent passing tests
+CREATE OR REPLACE FUNCTION pack_has_passing_tests(
+    p_pack_id BIGINT,
+    p_hours_ago INT DEFAULT 24
+)
+RETURNS BOOLEAN AS $$
+DECLARE
+    v_has_passing_tests BOOLEAN;
+BEGIN
+    SELECT EXISTS(
+        SELECT 1
+        FROM pack_test_execution
+        WHERE pack_id = p_pack_id
+        AND execution_time > NOW() - (p_hours_ago || ' hours')::INTERVAL
+        AND failed = 0
+        AND total_tests > 0
+    ) INTO v_has_passing_tests;
+
+    RETURN v_has_passing_tests;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION pack_has_passing_tests IS 'Check if pack has recent passing test executions';
+
+-- Add trigger to update pack metadata on test execution
+CREATE OR REPLACE FUNCTION update_pack_test_metadata()
+RETURNS TRIGGER AS $$
+BEGIN
+    -- Could update pack table with last_tested timestamp if we add that column
+    -- For now, just a placeholder for future functionality
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_update_pack_test_metadata
+    AFTER INSERT ON pack_test_execution
+    FOR EACH ROW
+    EXECUTE FUNCTION update_pack_test_metadata();
+
+COMMENT ON TRIGGER trigger_update_pack_test_metadata ON pack_test_execution IS 'Updates pack metadata when tests are executed';
+
+-- ============================================================================
+-- WEBHOOK FUNCTIONS
+-- ============================================================================
+
+-- Drop existing functions to avoid signature conflicts
+DROP FUNCTION IF EXISTS enable_trigger_webhook(BIGINT, JSONB);
+DROP FUNCTION IF EXISTS enable_trigger_webhook(BIGINT);
+DROP FUNCTION IF EXISTS disable_trigger_webhook(BIGINT);
+DROP FUNCTION IF EXISTS regenerate_trigger_webhook_key(BIGINT);
+
+-- Function to enable webhooks for a trigger
+CREATE OR REPLACE FUNCTION enable_trigger_webhook(
+    p_trigger_id BIGINT,
+    p_config JSONB DEFAULT '{}'::jsonb
+)
+RETURNS TABLE(
+    webhook_enabled BOOLEAN,
+    webhook_key VARCHAR(255),
+    webhook_url TEXT
+) AS $$
+DECLARE
+    v_webhook_key VARCHAR(255);
+    v_api_base_url TEXT := 'http://localhost:8080'; -- Default, should be configured
+BEGIN
+    -- Check if trigger exists
+    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
+        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
+    END IF;
+
+    -- Generate webhook key if one doesn't exist
+    SELECT t.webhook_key INTO v_webhook_key
+    FROM trigger t
+    WHERE t.id = p_trigger_id;
+
+    IF v_webhook_key IS NULL THEN
+        v_webhook_key := generate_webhook_key();
+    END IF;
+
+    -- Update trigger to enable webhooks
+    UPDATE trigger
+    SET
+        webhook_enabled = TRUE,
+        webhook_key = v_webhook_key,
+        webhook_config = p_config,
+        updated = NOW()
+    WHERE id = p_trigger_id;
+
+    -- Return webhook details
+    RETURN QUERY SELECT
+        TRUE,
+        v_webhook_key,
+        v_api_base_url || '/api/v1/webhooks/' || v_webhook_key;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION enable_trigger_webhook(BIGINT, JSONB) IS
+    'Enables webhooks for a trigger with optional configuration. Generates a new webhook key if one does not exist. Returns webhook details.';
+
+-- Function to disable webhooks for a trigger
+CREATE OR REPLACE FUNCTION disable_trigger_webhook(
+    p_trigger_id BIGINT
+)
+RETURNS BOOLEAN AS $$
+BEGIN
+    -- Check if trigger exists
+    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
+        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
+    END IF;
+
+    -- Update trigger to disable webhooks
+    -- Set webhook_key to NULL when disabling to remove it from API responses
+    UPDATE trigger
+    SET
+        webhook_enabled = FALSE,
+        webhook_key = NULL,
+        updated = NOW()
+    WHERE id = p_trigger_id;
+
+    RETURN TRUE;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION disable_trigger_webhook(BIGINT) IS
+    'Disables webhooks for a trigger. Webhook key is removed when disabled.';
+
+-- Function to regenerate webhook key for a trigger
+CREATE OR REPLACE FUNCTION regenerate_trigger_webhook_key(
+    p_trigger_id BIGINT
+)
+RETURNS TABLE(
+    webhook_key VARCHAR(255),
+    previous_key_revoked BOOLEAN
+) AS $$
+DECLARE
+    v_new_key VARCHAR(255);
+    v_old_key VARCHAR(255);
+    v_webhook_enabled BOOLEAN;
+BEGIN
+    -- Check if trigger exists
+    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
+        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
+    END IF;
+
+    -- Get current webhook state
+    SELECT t.webhook_key, t.webhook_enabled INTO v_old_key, v_webhook_enabled
+    FROM trigger t
+    WHERE t.id = p_trigger_id;
+
+    -- Check if webhooks are enabled
+    IF NOT v_webhook_enabled THEN
+        RAISE EXCEPTION 'Webhooks are not enabled for trigger %', p_trigger_id;
+    END IF;
+
+    -- Generate new key
+    v_new_key := generate_webhook_key();
+
+    -- Update trigger with new key
+    UPDATE trigger
+    SET
+        webhook_key = v_new_key,
+        updated = NOW()
+    WHERE id = p_trigger_id;
+
+    -- Return new key and whether old key was present
+    RETURN QUERY SELECT
+        v_new_key,
+        (v_old_key IS NOT NULL);
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION regenerate_trigger_webhook_key(BIGINT) IS
+    'Regenerates webhook key for a trigger. Returns new key and whether a previous key was revoked.';
+
+-- Verify all webhook functions exist
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_proc p
+        JOIN pg_namespace n ON p.pronamespace = n.oid
+        WHERE n.nspname = current_schema()
+        AND p.proname = 'enable_trigger_webhook'
+    ) THEN
+        RAISE EXCEPTION 'enable_trigger_webhook function not found after migration';
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_proc p
+        JOIN pg_namespace n ON p.pronamespace = n.oid
+        WHERE n.nspname = current_schema()
+        AND p.proname = 'disable_trigger_webhook'
+    ) THEN
+        RAISE EXCEPTION 'disable_trigger_webhook function not found after migration';
+    END IF;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_proc p
+        JOIN pg_namespace n ON p.pronamespace = n.oid
+        WHERE n.nspname = current_schema()
+        AND p.proname = 'regenerate_trigger_webhook_key'
+    ) THEN
+        RAISE EXCEPTION 'regenerate_trigger_webhook_key function not found after migration';
+    END IF;
+
+    RAISE NOTICE 'All webhook functions successfully created';
+END $$;
--- a/docker/distributable/migrations/20250101000008_notify_triggers.sql
+++ b/docker/distributable/migrations/20250101000008_notify_triggers.sql
@@ -0,0 +1,428 @@
+-- Migration: LISTEN/NOTIFY Triggers
+-- Description: Consolidated PostgreSQL LISTEN/NOTIFY triggers for real-time event notifications
+-- Version: 20250101000008
+
+-- ============================================================================
+-- EXECUTION CHANGE NOTIFICATION
+-- ============================================================================
+
+-- Function to notify on execution creation
+CREATE OR REPLACE FUNCTION notify_execution_created()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+    enforcement_rule_ref TEXT;
+    enforcement_trigger_ref TEXT;
+BEGIN
+    -- Lookup enforcement details if this execution is linked to an enforcement
+    IF NEW.enforcement IS NOT NULL THEN
+        SELECT rule_ref, trigger_ref
+        INTO enforcement_rule_ref, enforcement_trigger_ref
+        FROM enforcement
+        WHERE id = NEW.enforcement;
+    END IF;
+
+    payload := json_build_object(
+        'entity_type', 'execution',
+        'entity_id', NEW.id,
+        'id', NEW.id,
+        'action_id', NEW.action,
+        'action_ref', NEW.action_ref,
+        'status', NEW.status,
+        'enforcement', NEW.enforcement,
+        'rule_ref', enforcement_rule_ref,
+        'trigger_ref', enforcement_trigger_ref,
+        'parent', NEW.parent,
+        'result', NEW.result,
+        'started_at', NEW.started_at,
+        'workflow_task', NEW.workflow_task,
+        'created', NEW.created,
+        'updated', NEW.updated
+    );
+
+    PERFORM pg_notify('execution_created', payload::text);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Function to notify on execution status changes
+CREATE OR REPLACE FUNCTION notify_execution_status_changed()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+    enforcement_rule_ref TEXT;
+    enforcement_trigger_ref TEXT;
+BEGIN
+    -- Only notify on updates, not inserts
+    IF TG_OP = 'UPDATE' AND OLD.status IS DISTINCT FROM NEW.status THEN
+        -- Lookup enforcement details if this execution is linked to an enforcement
+        IF NEW.enforcement IS NOT NULL THEN
+            SELECT rule_ref, trigger_ref
+            INTO enforcement_rule_ref, enforcement_trigger_ref
+            FROM enforcement
+            WHERE id = NEW.enforcement;
+        END IF;
+
+        payload := json_build_object(
+            'entity_type', 'execution',
+            'entity_id', NEW.id,
+            'id', NEW.id,
+            'action_id', NEW.action,
+            'action_ref', NEW.action_ref,
+            'status', NEW.status,
+            'old_status', OLD.status,
+            'enforcement', NEW.enforcement,
+            'rule_ref', enforcement_rule_ref,
+            'trigger_ref', enforcement_trigger_ref,
+            'parent', NEW.parent,
+            'result', NEW.result,
+            'started_at', NEW.started_at,
+            'workflow_task', NEW.workflow_task,
+            'created', NEW.created,
+            'updated', NEW.updated
+        );
+
+        PERFORM pg_notify('execution_status_changed', payload::text);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on execution table for creation
+CREATE TRIGGER execution_created_notify
+    AFTER INSERT ON execution
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_execution_created();
+
+-- Trigger on execution table for status changes
+CREATE TRIGGER execution_status_changed_notify
+    AFTER UPDATE ON execution
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_execution_status_changed();
+
+COMMENT ON FUNCTION notify_execution_created() IS 'Sends execution creation notifications via PostgreSQL LISTEN/NOTIFY';
+COMMENT ON FUNCTION notify_execution_status_changed() IS 'Sends execution status change notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- ============================================================================
+-- EVENT CREATION NOTIFICATION
+-- ============================================================================
+
+-- Function to notify on event creation
+CREATE OR REPLACE FUNCTION notify_event_created()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    payload := json_build_object(
+        'entity_type', 'event',
+        'entity_id', NEW.id,
+        'id', NEW.id,
+        'trigger', NEW.trigger,
+        'trigger_ref', NEW.trigger_ref,
+        'source', NEW.source,
+        'source_ref', NEW.source_ref,
+        'rule', NEW.rule,
+        'rule_ref', NEW.rule_ref,
+        'payload', NEW.payload,
+        'created', NEW.created
+    );
+
+    PERFORM pg_notify('event_created', payload::text);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on event table
+CREATE TRIGGER event_created_notify
+    AFTER INSERT ON event
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_event_created();
+
+COMMENT ON FUNCTION notify_event_created() IS 'Sends event creation notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- ============================================================================
+-- ENFORCEMENT CHANGE NOTIFICATION
+-- ============================================================================
+
+-- Function to notify on enforcement creation
+CREATE OR REPLACE FUNCTION notify_enforcement_created()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    payload := json_build_object(
+        'entity_type', 'enforcement',
+        'entity_id', NEW.id,
+        'id', NEW.id,
+        'rule', NEW.rule,
+        'rule_ref', NEW.rule_ref,
+        'trigger_ref', NEW.trigger_ref,
+        'event', NEW.event,
+        'status', NEW.status,
+        'condition', NEW.condition,
+        'conditions', NEW.conditions,
+        'config', NEW.config,
+        'payload', NEW.payload,
+        'created', NEW.created,
+        'resolved_at', NEW.resolved_at
+    );
+
+    PERFORM pg_notify('enforcement_created', payload::text);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on enforcement table
+CREATE TRIGGER enforcement_created_notify
+    AFTER INSERT ON enforcement
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_enforcement_created();
+
+COMMENT ON FUNCTION notify_enforcement_created() IS 'Sends enforcement creation notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- Function to notify on enforcement status changes
+CREATE OR REPLACE FUNCTION notify_enforcement_status_changed()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    -- Only notify on updates when status actually changed
+    IF TG_OP = 'UPDATE' AND OLD.status IS DISTINCT FROM NEW.status THEN
+        payload := json_build_object(
+            'entity_type', 'enforcement',
+            'entity_id', NEW.id,
+            'id', NEW.id,
+            'rule', NEW.rule,
+            'rule_ref', NEW.rule_ref,
+            'trigger_ref', NEW.trigger_ref,
+            'event', NEW.event,
+            'status', NEW.status,
+            'old_status', OLD.status,
+            'condition', NEW.condition,
+            'conditions', NEW.conditions,
+            'config', NEW.config,
+            'payload', NEW.payload,
+            'created', NEW.created,
+            'resolved_at', NEW.resolved_at
+        );
+
+        PERFORM pg_notify('enforcement_status_changed', payload::text);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on enforcement table for status changes
+CREATE TRIGGER enforcement_status_changed_notify
+    AFTER UPDATE ON enforcement
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_enforcement_status_changed();
+
+COMMENT ON FUNCTION notify_enforcement_status_changed() IS 'Sends enforcement status change notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- ============================================================================
+-- INQUIRY NOTIFICATIONS
+-- ============================================================================
+
+-- Function to notify on inquiry creation
+CREATE OR REPLACE FUNCTION notify_inquiry_created()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    payload := json_build_object(
+        'entity_type', 'inquiry',
+        'entity_id', NEW.id,
+        'id', NEW.id,
+        'execution', NEW.execution,
+        'status', NEW.status,
+        'ttl', NEW.ttl,
+        'created', NEW.created
+    );
+
+    PERFORM pg_notify('inquiry_created', payload::text);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Function to notify on inquiry response
+CREATE OR REPLACE FUNCTION notify_inquiry_responded()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    -- Only notify when status changes to 'responded'
+    IF TG_OP = 'UPDATE' AND NEW.status = 'responded' AND OLD.status != 'responded' THEN
+        payload := json_build_object(
+            'entity_type', 'inquiry',
+            'entity_id', NEW.id,
+            'id', NEW.id,
+            'execution', NEW.execution,
+            'status', NEW.status,
+            'response', NEW.response,
+            'updated', NEW.updated
+        );
+
+        PERFORM pg_notify('inquiry_responded', payload::text);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on inquiry table for creation
+CREATE TRIGGER inquiry_created_notify
+    AFTER INSERT ON inquiry
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_inquiry_created();
+
+-- Trigger on inquiry table for responses
+CREATE TRIGGER inquiry_responded_notify
+    AFTER UPDATE ON inquiry
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_inquiry_responded();
+
+COMMENT ON FUNCTION notify_inquiry_created() IS 'Sends inquiry creation notifications via PostgreSQL LISTEN/NOTIFY';
+COMMENT ON FUNCTION notify_inquiry_responded() IS 'Sends inquiry response notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- ============================================================================
+-- WORKFLOW EXECUTION NOTIFICATIONS
+-- ============================================================================
+
+-- Function to notify on workflow execution status changes
+CREATE OR REPLACE FUNCTION notify_workflow_execution_status_changed()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    -- Only notify for workflow executions when status changes
+    IF TG_OP = 'UPDATE' AND NEW.is_workflow = true AND OLD.status IS DISTINCT FROM NEW.status THEN
+        payload := json_build_object(
+            'entity_type', 'execution',
+            'entity_id', NEW.id,
+            'id', NEW.id,
+            'action_ref', NEW.action_ref,
+            'status', NEW.status,
+            'old_status', OLD.status,
+            'workflow_def', NEW.workflow_def,
+            'parent', NEW.parent,
+            'created', NEW.created,
+            'updated', NEW.updated
+        );
+
+        PERFORM pg_notify('workflow_execution_status_changed', payload::text);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on execution table for workflow status changes
+CREATE TRIGGER workflow_execution_status_changed_notify
+    AFTER UPDATE ON execution
+    FOR EACH ROW
+    WHEN (NEW.is_workflow = true)
+    EXECUTE FUNCTION notify_workflow_execution_status_changed();
+
+COMMENT ON FUNCTION notify_workflow_execution_status_changed() IS 'Sends workflow execution status change notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- ============================================================================
+-- ARTIFACT NOTIFICATIONS
+-- ============================================================================
+
+-- Function to notify on artifact creation
+CREATE OR REPLACE FUNCTION notify_artifact_created()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+BEGIN
+    payload := json_build_object(
+        'entity_type', 'artifact',
+        'entity_id', NEW.id,
+        'id', NEW.id,
+        'ref', NEW.ref,
+        'type', NEW.type,
+        'visibility', NEW.visibility,
+        'name', NEW.name,
+        'execution', NEW.execution,
+        'scope', NEW.scope,
+        'owner', NEW.owner,
+        'content_type', NEW.content_type,
+        'size_bytes', NEW.size_bytes,
+        'created', NEW.created
+    );
+
+    PERFORM pg_notify('artifact_created', payload::text);
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on artifact table for creation
+CREATE TRIGGER artifact_created_notify
+    AFTER INSERT ON artifact
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_artifact_created();
+
+COMMENT ON FUNCTION notify_artifact_created() IS 'Sends artifact creation notifications via PostgreSQL LISTEN/NOTIFY';
+
+-- Function to notify on artifact updates (progress appends, data changes)
+CREATE OR REPLACE FUNCTION notify_artifact_updated()
+RETURNS TRIGGER AS $$
+DECLARE
+    payload JSON;
+    latest_percent DOUBLE PRECISION;
+    latest_message TEXT;
+    entry_count INTEGER;
+BEGIN
+    -- Only notify on actual changes
+    IF TG_OP = 'UPDATE' THEN
+        -- Extract progress summary from data array if this is a progress artifact
+        IF NEW.type = 'progress' AND NEW.data IS NOT NULL AND jsonb_typeof(NEW.data) = 'array' THEN
+            entry_count := jsonb_array_length(NEW.data);
+            IF entry_count > 0 THEN
+                latest_percent := (NEW.data -> (entry_count - 1) ->> 'percent')::DOUBLE PRECISION;
+                latest_message := NEW.data -> (entry_count - 1) ->> 'message';
+            END IF;
+        END IF;
+
+        payload := json_build_object(
+            'entity_type', 'artifact',
+            'entity_id', NEW.id,
+            'id', NEW.id,
+            'ref', NEW.ref,
+            'type', NEW.type,
+            'visibility', NEW.visibility,
+            'name', NEW.name,
+            'execution', NEW.execution,
+            'scope', NEW.scope,
+            'owner', NEW.owner,
+            'content_type', NEW.content_type,
+            'size_bytes', NEW.size_bytes,
+            'progress_percent', latest_percent,
+            'progress_message', latest_message,
+            'progress_entries', entry_count,
+            'created', NEW.created,
+            'updated', NEW.updated
+        );
+
+        PERFORM pg_notify('artifact_updated', payload::text);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Trigger on artifact table for updates
+CREATE TRIGGER artifact_updated_notify
+    AFTER UPDATE ON artifact
+    FOR EACH ROW
+    EXECUTE FUNCTION notify_artifact_updated();
+
+COMMENT ON FUNCTION notify_artifact_updated() IS 'Sends artifact update notifications via PostgreSQL LISTEN/NOTIFY (includes progress summary for progress-type artifacts)';
--- a/docker/distributable/migrations/20250101000009_timescaledb_history.sql
+++ b/docker/distributable/migrations/20250101000009_timescaledb_history.sql
@@ -0,0 +1,616 @@
+-- Migration: TimescaleDB Entity History and Analytics
+-- Description: Creates append-only history hypertables for execution and worker tables.
+--              Uses JSONB diff format to track field-level changes via PostgreSQL triggers.
+--              Converts the event, enforcement, and execution tables into TimescaleDB
+--              hypertables (events are immutable; enforcements are updated exactly once;
+--              executions are updated ~4 times during their lifecycle).
+--              Includes continuous aggregates for dashboard analytics.
+--              See docs/plans/timescaledb-entity-history.md for full design.
+--
+--              NOTE: FK constraints that would reference hypertable targets were never
+--              created in earlier migrations (000004, 000005, 000006), so no DROP
+--              CONSTRAINT statements are needed here.
+-- Version: 20250101000009
+
+-- ============================================================================
+-- EXTENSION
+-- ============================================================================
+
+CREATE EXTENSION IF NOT EXISTS timescaledb;
+
+-- ============================================================================
+-- HELPER FUNCTIONS
+-- ============================================================================
+
+-- Returns a small {digest, size, type} object instead of the full JSONB value.
+-- Used in history triggers for columns that can be arbitrarily large (e.g. result).
+-- The full value is always available on the live row.
+CREATE OR REPLACE FUNCTION _jsonb_digest_summary(val JSONB)
+RETURNS JSONB AS $$
+BEGIN
+    IF val IS NULL THEN
+        RETURN NULL;
+    END IF;
+    RETURN jsonb_build_object(
+        'digest', 'md5:' || md5(val::text),
+        'size',   octet_length(val::text),
+        'type',   jsonb_typeof(val)
+    );
+END;
+$$ LANGUAGE plpgsql IMMUTABLE;
+
+COMMENT ON FUNCTION _jsonb_digest_summary(JSONB) IS
+    'Returns a compact {digest, size, type} summary of a JSONB value for use in history tables. '
+    'The digest is md5 of the text representation — sufficient for change-detection, not for security.';
+
+-- ============================================================================
+-- HISTORY TABLES
+-- ============================================================================
+
+-- ----------------------------------------------------------------------------
+-- execution_history
+-- ----------------------------------------------------------------------------
+
+CREATE TABLE execution_history (
+    time             TIMESTAMPTZ    NOT NULL DEFAULT NOW(),
+    operation        TEXT           NOT NULL,
+    entity_id        BIGINT         NOT NULL,
+    entity_ref       TEXT,
+    changed_fields   TEXT[]         NOT NULL DEFAULT '{}',
+    old_values       JSONB,
+    new_values       JSONB
+);
+
+SELECT create_hypertable('execution_history', 'time',
+    chunk_time_interval => INTERVAL '1 day');
+
+CREATE INDEX idx_execution_history_entity
+    ON execution_history (entity_id, time DESC);
+
+CREATE INDEX idx_execution_history_entity_ref
+    ON execution_history (entity_ref, time DESC);
+
+CREATE INDEX idx_execution_history_status_changes
+    ON execution_history (time DESC)
+    WHERE 'status' = ANY(changed_fields);
+
+CREATE INDEX idx_execution_history_changed_fields
+    ON execution_history USING GIN (changed_fields);
+
+COMMENT ON TABLE execution_history IS 'Append-only history of field-level changes to the execution table (TimescaleDB hypertable)';
+COMMENT ON COLUMN execution_history.time IS 'When the change occurred (hypertable partitioning dimension)';
+COMMENT ON COLUMN execution_history.operation IS 'INSERT, UPDATE, or DELETE';
+COMMENT ON COLUMN execution_history.entity_id IS 'execution.id of the changed row';
+COMMENT ON COLUMN execution_history.entity_ref IS 'Denormalized action_ref for JOIN-free queries';
+COMMENT ON COLUMN execution_history.changed_fields IS 'Array of field names that changed (empty for INSERT/DELETE)';
+COMMENT ON COLUMN execution_history.old_values IS 'Previous values of changed fields (NULL for INSERT)';
+COMMENT ON COLUMN execution_history.new_values IS 'New values of changed fields (NULL for DELETE)';
+
+-- ----------------------------------------------------------------------------
+-- worker_history
+-- ----------------------------------------------------------------------------
+
+CREATE TABLE worker_history (
+    time             TIMESTAMPTZ    NOT NULL DEFAULT NOW(),
+    operation        TEXT           NOT NULL,
+    entity_id        BIGINT         NOT NULL,
+    entity_ref       TEXT,
+    changed_fields   TEXT[]         NOT NULL DEFAULT '{}',
+    old_values       JSONB,
+    new_values       JSONB
+);
+
+SELECT create_hypertable('worker_history', 'time',
+    chunk_time_interval => INTERVAL '7 days');
+
+CREATE INDEX idx_worker_history_entity
+    ON worker_history (entity_id, time DESC);
+
+CREATE INDEX idx_worker_history_entity_ref
+    ON worker_history (entity_ref, time DESC);
+
+CREATE INDEX idx_worker_history_status_changes
+    ON worker_history (time DESC)
+    WHERE 'status' = ANY(changed_fields);
+
+CREATE INDEX idx_worker_history_changed_fields
+    ON worker_history USING GIN (changed_fields);
+
+COMMENT ON TABLE worker_history IS 'Append-only history of field-level changes to the worker table (TimescaleDB hypertable)';
+COMMENT ON COLUMN worker_history.entity_ref IS 'Denormalized worker name for JOIN-free queries';
+
+-- ============================================================================
+-- CONVERT EVENT TABLE TO HYPERTABLE
+-- ============================================================================
+-- Events are immutable after insert — they are never updated. Instead of
+-- maintaining a separate event_history table to track changes that never
+-- happen, we convert the event table itself into a TimescaleDB hypertable
+-- partitioned on `created`. This gives us automatic time-based partitioning,
+-- compression, and retention for free.
+--
+-- No FK constraints reference event(id) — enforcement.event was created as a
+-- plain BIGINT in migration 000004 (hypertables cannot be FK targets).
+-- ----------------------------------------------------------------------------
+
+-- Replace the single-column PK with a composite PK that includes the
+-- partitioning column (required by TimescaleDB).
+ALTER TABLE event DROP CONSTRAINT event_pkey;
+ALTER TABLE event ADD PRIMARY KEY (id, created);
+
+SELECT create_hypertable('event', 'created',
+    chunk_time_interval => INTERVAL '1 day',
+    migrate_data        => true);
+
+COMMENT ON TABLE event IS 'Events are instances of triggers firing (TimescaleDB hypertable partitioned on created)';
+
+-- ============================================================================
+-- CONVERT ENFORCEMENT TABLE TO HYPERTABLE
+-- ============================================================================
+-- Enforcements are created and then updated exactly once (status changes from
+-- `created` to `processed` or `disabled` within ~1 second). This single update
+-- happens well before the 7-day compression window, so UPDATE on uncompressed
+-- chunks works without issues.
+--
+-- No FK constraints reference enforcement(id) — execution.enforcement was
+-- created as a plain BIGINT in migration 000005.
+-- ----------------------------------------------------------------------------
+
+ALTER TABLE enforcement DROP CONSTRAINT enforcement_pkey;
+ALTER TABLE enforcement ADD PRIMARY KEY (id, created);
+
+SELECT create_hypertable('enforcement', 'created',
+    chunk_time_interval => INTERVAL '1 day',
+    migrate_data        => true);
+
+COMMENT ON TABLE enforcement IS 'Enforcements represent rule triggering by events (TimescaleDB hypertable partitioned on created)';
+
+-- ============================================================================
+-- CONVERT EXECUTION TABLE TO HYPERTABLE
+-- ============================================================================
+-- Executions are updated ~4 times during their lifecycle (requested → scheduled
+-- → running → completed/failed), completing within at most ~1 day — well before
+-- the 7-day compression window. The `updated` column and its BEFORE UPDATE
+-- trigger are preserved (used by timeout monitor and UI).
+--
+-- No FK constraints reference execution(id) — inquiry.execution,
+-- workflow_execution.execution, execution.parent, and execution.original_execution
+-- were all created as plain BIGINT columns in migrations 000005 and 000006.
+--
+-- The existing execution_history hypertable and its trigger are preserved —
+-- they track field-level diffs of each update, which remains valuable for
+-- a mutable table.
+-- ----------------------------------------------------------------------------
+
+ALTER TABLE execution DROP CONSTRAINT execution_pkey;
+ALTER TABLE execution ADD PRIMARY KEY (id, created);
+
+SELECT create_hypertable('execution', 'created',
+    chunk_time_interval => INTERVAL '1 day',
+    migrate_data        => true);
+
+COMMENT ON TABLE execution IS 'Executions represent action runs with workflow support (TimescaleDB hypertable partitioned on created). Updated ~4 times during lifecycle, completing within ~1 day (well before 7-day compression window).';
+
+-- ============================================================================
+-- TRIGGER FUNCTIONS
+-- ============================================================================
+
+-- ----------------------------------------------------------------------------
+-- execution history trigger
+-- Tracked fields: status, result, executor, worker, workflow_task, env_vars, started_at
+-- Note: result uses _jsonb_digest_summary() to avoid storing large payloads
+-- ----------------------------------------------------------------------------
+
+CREATE OR REPLACE FUNCTION record_execution_history()
+RETURNS TRIGGER AS $$
+DECLARE
+    changed TEXT[] := '{}';
+    old_vals JSONB := '{}';
+    new_vals JSONB := '{}';
+BEGIN
+    IF TG_OP = 'INSERT' THEN
+        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'INSERT', NEW.id, NEW.action_ref, '{}', NULL,
+                jsonb_build_object(
+                    'status', NEW.status,
+                    'action_ref', NEW.action_ref,
+                    'executor', NEW.executor,
+                    'worker', NEW.worker,
+                    'parent', NEW.parent,
+                    'enforcement', NEW.enforcement,
+                    'started_at', NEW.started_at
+                ));
+        RETURN NEW;
+    END IF;
+
+    IF TG_OP = 'DELETE' THEN
+        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'DELETE', OLD.id, OLD.action_ref, '{}', NULL, NULL);
+        RETURN OLD;
+    END IF;
+
+    -- UPDATE: detect which fields changed
+
+    IF OLD.status IS DISTINCT FROM NEW.status THEN
+        changed := array_append(changed, 'status');
+        old_vals := old_vals || jsonb_build_object('status', OLD.status);
+        new_vals := new_vals || jsonb_build_object('status', NEW.status);
+    END IF;
+
+    -- Result: store a compact digest instead of the full JSONB to avoid bloat.
+    -- The live execution row always has the complete result.
+    IF OLD.result IS DISTINCT FROM NEW.result THEN
+        changed := array_append(changed, 'result');
+        old_vals := old_vals || jsonb_build_object('result', _jsonb_digest_summary(OLD.result));
+        new_vals := new_vals || jsonb_build_object('result', _jsonb_digest_summary(NEW.result));
+    END IF;
+
+    IF OLD.executor IS DISTINCT FROM NEW.executor THEN
+        changed := array_append(changed, 'executor');
+        old_vals := old_vals || jsonb_build_object('executor', OLD.executor);
+        new_vals := new_vals || jsonb_build_object('executor', NEW.executor);
+    END IF;
+
+    IF OLD.worker IS DISTINCT FROM NEW.worker THEN
+        changed := array_append(changed, 'worker');
+        old_vals := old_vals || jsonb_build_object('worker', OLD.worker);
+        new_vals := new_vals || jsonb_build_object('worker', NEW.worker);
+    END IF;
+
+    IF OLD.workflow_task IS DISTINCT FROM NEW.workflow_task THEN
+        changed := array_append(changed, 'workflow_task');
+        old_vals := old_vals || jsonb_build_object('workflow_task', OLD.workflow_task);
+        new_vals := new_vals || jsonb_build_object('workflow_task', NEW.workflow_task);
+    END IF;
+
+    IF OLD.env_vars IS DISTINCT FROM NEW.env_vars THEN
+        changed := array_append(changed, 'env_vars');
+        old_vals := old_vals || jsonb_build_object('env_vars', OLD.env_vars);
+        new_vals := new_vals || jsonb_build_object('env_vars', NEW.env_vars);
+    END IF;
+
+    IF OLD.started_at IS DISTINCT FROM NEW.started_at THEN
+        changed := array_append(changed, 'started_at');
+        old_vals := old_vals || jsonb_build_object('started_at', OLD.started_at);
+        new_vals := new_vals || jsonb_build_object('started_at', NEW.started_at);
+    END IF;
+
+    -- Only record if something actually changed
+    IF array_length(changed, 1) > 0 THEN
+        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'UPDATE', NEW.id, NEW.action_ref, changed, old_vals, new_vals);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION record_execution_history() IS 'Records field-level changes to execution table in execution_history hypertable';
+
+-- ----------------------------------------------------------------------------
+-- worker history trigger
+-- Tracked fields: name, status, capabilities, meta, host, port
+-- Excludes: last_heartbeat when it is the only field that changed
+-- ----------------------------------------------------------------------------
+
+CREATE OR REPLACE FUNCTION record_worker_history()
+RETURNS TRIGGER AS $$
+DECLARE
+    changed TEXT[] := '{}';
+    old_vals JSONB := '{}';
+    new_vals JSONB := '{}';
+BEGIN
+    IF TG_OP = 'INSERT' THEN
+        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'INSERT', NEW.id, NEW.name, '{}', NULL,
+                jsonb_build_object(
+                    'name', NEW.name,
+                    'worker_type', NEW.worker_type,
+                    'worker_role', NEW.worker_role,
+                    'status', NEW.status,
+                    'host', NEW.host,
+                    'port', NEW.port
+                ));
+        RETURN NEW;
+    END IF;
+
+    IF TG_OP = 'DELETE' THEN
+        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'DELETE', OLD.id, OLD.name, '{}', NULL, NULL);
+        RETURN OLD;
+    END IF;
+
+    -- UPDATE: detect which fields changed
+    IF OLD.name IS DISTINCT FROM NEW.name THEN
+        changed := array_append(changed, 'name');
+        old_vals := old_vals || jsonb_build_object('name', OLD.name);
+        new_vals := new_vals || jsonb_build_object('name', NEW.name);
+    END IF;
+
+    IF OLD.status IS DISTINCT FROM NEW.status THEN
+        changed := array_append(changed, 'status');
+        old_vals := old_vals || jsonb_build_object('status', OLD.status);
+        new_vals := new_vals || jsonb_build_object('status', NEW.status);
+    END IF;
+
+    IF OLD.capabilities IS DISTINCT FROM NEW.capabilities THEN
+        changed := array_append(changed, 'capabilities');
+        old_vals := old_vals || jsonb_build_object('capabilities', OLD.capabilities);
+        new_vals := new_vals || jsonb_build_object('capabilities', NEW.capabilities);
+    END IF;
+
+    IF OLD.meta IS DISTINCT FROM NEW.meta THEN
+        changed := array_append(changed, 'meta');
+        old_vals := old_vals || jsonb_build_object('meta', OLD.meta);
+        new_vals := new_vals || jsonb_build_object('meta', NEW.meta);
+    END IF;
+
+    IF OLD.host IS DISTINCT FROM NEW.host THEN
+        changed := array_append(changed, 'host');
+        old_vals := old_vals || jsonb_build_object('host', OLD.host);
+        new_vals := new_vals || jsonb_build_object('host', NEW.host);
+    END IF;
+
+    IF OLD.port IS DISTINCT FROM NEW.port THEN
+        changed := array_append(changed, 'port');
+        old_vals := old_vals || jsonb_build_object('port', OLD.port);
+        new_vals := new_vals || jsonb_build_object('port', NEW.port);
+    END IF;
+
+    -- Only record if something besides last_heartbeat changed.
+    -- Pure heartbeat-only updates are excluded to avoid high-volume noise.
+    IF array_length(changed, 1) > 0 THEN
+        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
+        VALUES (NOW(), 'UPDATE', NEW.id, NEW.name, changed, old_vals, new_vals);
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION record_worker_history() IS 'Records field-level changes to worker table in worker_history hypertable. Excludes heartbeat-only updates.';
+
+-- ============================================================================
+-- ATTACH TRIGGERS TO OPERATIONAL TABLES
+-- ============================================================================
+
+CREATE TRIGGER execution_history_trigger
+    AFTER INSERT OR UPDATE OR DELETE ON execution
+    FOR EACH ROW
+    EXECUTE FUNCTION record_execution_history();
+
+CREATE TRIGGER worker_history_trigger
+    AFTER INSERT OR UPDATE OR DELETE ON worker
+    FOR EACH ROW
+    EXECUTE FUNCTION record_worker_history();
+
+-- ============================================================================
+-- COMPRESSION POLICIES
+-- ============================================================================
+
+-- History tables
+ALTER TABLE execution_history SET (
+    timescaledb.compress,
+    timescaledb.compress_segmentby = 'entity_id',
+    timescaledb.compress_orderby = 'time DESC'
+);
+SELECT add_compression_policy('execution_history', INTERVAL '7 days');
+
+ALTER TABLE worker_history SET (
+    timescaledb.compress,
+    timescaledb.compress_segmentby = 'entity_id',
+    timescaledb.compress_orderby = 'time DESC'
+);
+SELECT add_compression_policy('worker_history', INTERVAL '7 days');
+
+-- Event table (hypertable)
+ALTER TABLE event SET (
+    timescaledb.compress,
+    timescaledb.compress_segmentby = 'trigger_ref',
+    timescaledb.compress_orderby = 'created DESC'
+);
+SELECT add_compression_policy('event', INTERVAL '7 days');
+
+-- Enforcement table (hypertable)
+ALTER TABLE enforcement SET (
+    timescaledb.compress,
+    timescaledb.compress_segmentby = 'rule_ref',
+    timescaledb.compress_orderby = 'created DESC'
+);
+SELECT add_compression_policy('enforcement', INTERVAL '7 days');
+
+-- Execution table (hypertable)
+ALTER TABLE execution SET (
+    timescaledb.compress,
+    timescaledb.compress_segmentby = 'action_ref',
+    timescaledb.compress_orderby = 'created DESC'
+);
+SELECT add_compression_policy('execution', INTERVAL '7 days');
+
+-- ============================================================================
+-- RETENTION POLICIES
+-- ============================================================================
+
+SELECT add_retention_policy('execution_history', INTERVAL '90 days');
+SELECT add_retention_policy('worker_history', INTERVAL '180 days');
+SELECT add_retention_policy('event', INTERVAL '90 days');
+SELECT add_retention_policy('enforcement', INTERVAL '90 days');
+SELECT add_retention_policy('execution', INTERVAL '90 days');
+
+-- ============================================================================
+-- CONTINUOUS AGGREGATES
+-- ============================================================================
+
+-- Drop existing continuous aggregates if they exist, so this migration can be
+-- re-run safely after a partial failure. (TimescaleDB continuous aggregates
+-- must be dropped with CASCADE to remove their associated policies.)
+DROP MATERIALIZED VIEW IF EXISTS execution_status_hourly CASCADE;
+DROP MATERIALIZED VIEW IF EXISTS execution_throughput_hourly CASCADE;
+DROP MATERIALIZED VIEW IF EXISTS event_volume_hourly CASCADE;
+DROP MATERIALIZED VIEW IF EXISTS worker_status_hourly CASCADE;
+DROP MATERIALIZED VIEW IF EXISTS enforcement_volume_hourly CASCADE;
+DROP MATERIALIZED VIEW IF EXISTS execution_volume_hourly CASCADE;
+
+-- ----------------------------------------------------------------------------
+-- execution_status_hourly
+-- Tracks execution status transitions per hour, grouped by action_ref and new status.
+-- Powers: execution throughput chart, failure rate widget, status breakdown over time.
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW execution_status_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', time) AS bucket,
+    entity_ref AS action_ref,
+    new_values->>'status' AS new_status,
+    COUNT(*) AS transition_count
+FROM execution_history
+WHERE 'status' = ANY(changed_fields)
+GROUP BY bucket, entity_ref, new_values->>'status'
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('execution_status_hourly',
+    start_offset    => INTERVAL '7 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '30 minutes'
+);
+
+-- ----------------------------------------------------------------------------
+-- execution_throughput_hourly
+-- Tracks total execution creation volume per hour, regardless of status.
+-- Powers: execution throughput sparkline on the dashboard.
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW execution_throughput_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', time) AS bucket,
+    entity_ref AS action_ref,
+    COUNT(*) AS execution_count
+FROM execution_history
+WHERE operation = 'INSERT'
+GROUP BY bucket, entity_ref
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('execution_throughput_hourly',
+    start_offset    => INTERVAL '7 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '30 minutes'
+);
+
+-- ----------------------------------------------------------------------------
+-- event_volume_hourly
+-- Tracks event creation volume per hour by trigger ref.
+-- Powers: event throughput monitoring widget.
+-- NOTE: Queries the event table directly (it is now a hypertable) instead of
+--       a separate event_history table.
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW event_volume_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', created) AS bucket,
+    trigger_ref,
+    COUNT(*) AS event_count
+FROM event
+GROUP BY bucket, trigger_ref
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('event_volume_hourly',
+    start_offset    => INTERVAL '7 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '30 minutes'
+);
+
+-- ----------------------------------------------------------------------------
+-- worker_status_hourly
+-- Tracks worker status changes per hour (online/offline/draining transitions).
+-- Powers: worker health trends widget.
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW worker_status_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', time) AS bucket,
+    entity_ref AS worker_name,
+    new_values->>'status' AS new_status,
+    COUNT(*) AS transition_count
+FROM worker_history
+WHERE 'status' = ANY(changed_fields)
+GROUP BY bucket, entity_ref, new_values->>'status'
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('worker_status_hourly',
+    start_offset    => INTERVAL '30 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '1 hour'
+);
+
+-- ----------------------------------------------------------------------------
+-- enforcement_volume_hourly
+-- Tracks enforcement creation volume per hour by rule ref.
+-- Powers: rule activation rate monitoring.
+-- NOTE: Queries the enforcement table directly (it is now a hypertable)
+--       instead of a separate enforcement_history table.
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW enforcement_volume_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', created) AS bucket,
+    rule_ref,
+    COUNT(*) AS enforcement_count
+FROM enforcement
+GROUP BY bucket, rule_ref
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('enforcement_volume_hourly',
+    start_offset    => INTERVAL '7 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '30 minutes'
+);
+
+-- ----------------------------------------------------------------------------
+-- execution_volume_hourly
+-- Tracks execution creation volume per hour by action_ref and status.
+-- This queries the execution hypertable directly (like event_volume_hourly
+-- queries the event table). Complements the existing execution_status_hourly
+-- and execution_throughput_hourly aggregates which query execution_history.
+--
+-- Use case: direct execution volume monitoring without relying on the history
+-- trigger (belt-and-suspenders, plus captures the initial status at creation).
+-- ----------------------------------------------------------------------------
+
+CREATE MATERIALIZED VIEW execution_volume_hourly
+WITH (timescaledb.continuous) AS
+SELECT
+    time_bucket('1 hour', created) AS bucket,
+    action_ref,
+    status AS initial_status,
+    COUNT(*) AS execution_count
+FROM execution
+GROUP BY bucket, action_ref, status
+WITH NO DATA;
+
+SELECT add_continuous_aggregate_policy('execution_volume_hourly',
+    start_offset    => INTERVAL '7 days',
+    end_offset      => INTERVAL '1 hour',
+    schedule_interval => INTERVAL '30 minutes'
+);
+
+-- ============================================================================
+-- INITIAL REFRESH NOTE
+-- ============================================================================
+-- NOTE: refresh_continuous_aggregate() cannot run inside a transaction block,
+-- and the migration runner wraps each file in BEGIN/COMMIT. The continuous
+-- aggregate policies configured above will automatically backfill data within
+-- their first scheduled interval (30 min – 1 hour). On a fresh database there
+-- is no history data to backfill anyway.
+--
+-- If you need an immediate manual refresh after migration, run outside a
+-- transaction:
+--   CALL refresh_continuous_aggregate('execution_status_hourly', NULL, NOW());
+--   CALL refresh_continuous_aggregate('execution_throughput_hourly', NULL, NOW());
+--   CALL refresh_continuous_aggregate('event_volume_hourly', NULL, NOW());
+--   CALL refresh_continuous_aggregate('worker_status_hourly', NULL, NOW());
+--   CALL refresh_continuous_aggregate('enforcement_volume_hourly', NULL, NOW());
+--   CALL refresh_continuous_aggregate('execution_volume_hourly', NULL, NOW());
--- a/docker/distributable/migrations/20250101000010_artifact_content.sql
+++ b/docker/distributable/migrations/20250101000010_artifact_content.sql
@@ -0,0 +1,202 @@
+-- Migration: Artifact Content System
+-- Description: Enhances the artifact table with content fields (name, description,
+--              content_type, size_bytes, execution link, structured data, visibility)
+--              and creates the artifact_version table for versioned file/data storage.
+--
+--              The artifact table now serves as the "header" for a logical artifact,
+--              while artifact_version rows hold the actual immutable content snapshots.
+--              Progress-type artifacts store their live state directly in artifact.data
+--              (append-style updates without creating new versions).
+--
+-- Version: 20250101000010
+
+-- ============================================================================
+-- ENHANCE ARTIFACT TABLE
+-- ============================================================================
+
+-- Human-readable name (e.g. "Build Log", "Test Results")
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS name TEXT;
+
+-- Optional longer description
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS description TEXT;
+
+-- MIME content type (e.g. "application/json", "text/plain", "image/png")
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS content_type TEXT;
+
+-- Total size in bytes of the latest version's content (NULL for progress artifacts)
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS size_bytes BIGINT;
+
+-- Execution that produced/owns this artifact (plain BIGINT, no FK — execution is a hypertable)
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS execution BIGINT;
+
+-- Structured data for progress-type artifacts and small structured payloads.
+-- Progress artifacts append entries here; file artifacts may store parsed metadata.
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS data JSONB;
+
+-- Visibility: public artifacts are viewable by all authenticated users;
+-- private artifacts are restricted based on the artifact's scope/owner.
+-- The scope (identity, action, pack, etc.) + owner fields define who can access
+-- a private artifact. Full RBAC enforcement is deferred — for now the column
+-- enables filtering and is available for future permission checks.
+ALTER TABLE artifact ADD COLUMN IF NOT EXISTS visibility artifact_visibility_enum NOT NULL DEFAULT 'private';
+
+-- New indexes for the added columns
+CREATE INDEX IF NOT EXISTS idx_artifact_execution ON artifact(execution);
+CREATE INDEX IF NOT EXISTS idx_artifact_name ON artifact(name);
+CREATE INDEX IF NOT EXISTS idx_artifact_execution_type ON artifact(execution, type);
+CREATE INDEX IF NOT EXISTS idx_artifact_visibility ON artifact(visibility);
+CREATE INDEX IF NOT EXISTS idx_artifact_visibility_scope ON artifact(visibility, scope, owner);
+
+-- Comments for new columns
+COMMENT ON COLUMN artifact.name IS 'Human-readable artifact name';
+COMMENT ON COLUMN artifact.description IS 'Optional description of the artifact';
+COMMENT ON COLUMN artifact.content_type IS 'MIME content type (e.g. application/json, text/plain)';
+COMMENT ON COLUMN artifact.size_bytes IS 'Size of latest version content in bytes';
+COMMENT ON COLUMN artifact.execution IS 'Execution that produced this artifact (no FK — execution is a hypertable)';
+COMMENT ON COLUMN artifact.data IS 'Structured JSONB data for progress artifacts or metadata';
+COMMENT ON COLUMN artifact.visibility IS 'Access visibility: public (all users) or private (scope/owner-restricted)';
+
+
+-- ============================================================================
+-- ARTIFACT_VERSION TABLE
+-- ============================================================================
+-- Each row is an immutable snapshot of artifact content. File-type artifacts get
+-- a new version on each upload; progress-type artifacts do NOT use versions
+-- (they update artifact.data directly).
+
+CREATE TABLE artifact_version (
+    id BIGSERIAL PRIMARY KEY,
+
+    -- Parent artifact
+    artifact BIGINT NOT NULL REFERENCES artifact(id) ON DELETE CASCADE,
+
+    -- Monotonically increasing version number within the artifact (1-based)
+    version INTEGER NOT NULL,
+
+    -- MIME content type for this specific version (may differ from parent)
+    content_type TEXT,
+
+    -- Size of the content in bytes
+    size_bytes BIGINT,
+
+    -- Binary content (file uploads, DB-stored). NULL for file-backed versions.
+    content BYTEA,
+
+    -- Structured content (JSON payloads, parsed results, etc.)
+    content_json JSONB,
+
+    -- Relative path from artifacts_dir root for disk-stored content.
+    -- When set, content BYTEA is NULL — file lives on shared volume.
+    -- Pattern: {ref_slug}/v{version}.{ext}
+    -- e.g., "mypack/build_log/v1.txt"
+    file_path TEXT,
+
+    -- Free-form metadata about this version (e.g. commit hash, build number)
+    meta JSONB,
+
+    -- Who or what created this version (identity ref, action ref, "system", etc.)
+    created_by TEXT,
+
+    -- Immutable — no updated column
+    created TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Unique constraint: one version number per artifact
+ALTER TABLE artifact_version
+    ADD CONSTRAINT uq_artifact_version_artifact_version UNIQUE (artifact, version);
+
+-- Indexes
+CREATE INDEX idx_artifact_version_artifact ON artifact_version(artifact);
+CREATE INDEX idx_artifact_version_artifact_version ON artifact_version(artifact, version DESC);
+CREATE INDEX idx_artifact_version_created ON artifact_version(created DESC);
+CREATE INDEX idx_artifact_version_file_path ON artifact_version(file_path) WHERE file_path IS NOT NULL;
+
+-- Comments
+COMMENT ON TABLE artifact_version IS 'Immutable content snapshots for artifacts (file uploads, structured data)';
+COMMENT ON COLUMN artifact_version.artifact IS 'Parent artifact this version belongs to';
+COMMENT ON COLUMN artifact_version.version IS 'Version number (1-based, monotonically increasing per artifact)';
+COMMENT ON COLUMN artifact_version.content_type IS 'MIME content type for this version';
+COMMENT ON COLUMN artifact_version.size_bytes IS 'Size of content in bytes';
+COMMENT ON COLUMN artifact_version.content IS 'Binary content (file data)';
+COMMENT ON COLUMN artifact_version.content_json IS 'Structured JSON content';
+COMMENT ON COLUMN artifact_version.meta IS 'Free-form metadata about this version';
+COMMENT ON COLUMN artifact_version.created_by IS 'Who created this version (identity ref, action ref, system)';
+COMMENT ON COLUMN artifact_version.file_path IS 'Relative path from artifacts_dir root for disk-stored content. When set, content BYTEA is NULL — file lives on shared volume.';
+
+
+-- ============================================================================
+-- HELPER FUNCTION: next_artifact_version
+-- ============================================================================
+-- Returns the next version number for an artifact (MAX(version) + 1, or 1 if none).
+
+CREATE OR REPLACE FUNCTION next_artifact_version(p_artifact_id BIGINT)
+RETURNS INTEGER AS $$
+DECLARE
+    v_next INTEGER;
+BEGIN
+    SELECT COALESCE(MAX(version), 0) + 1
+    INTO v_next
+    FROM artifact_version
+    WHERE artifact = p_artifact_id;
+
+    RETURN v_next;
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON FUNCTION next_artifact_version IS 'Returns the next version number for the given artifact';
+
+
+-- ============================================================================
+-- RETENTION ENFORCEMENT FUNCTION
+-- ============================================================================
+-- Called after inserting a new version to enforce the artifact retention policy.
+-- For 'versions' policy: deletes oldest versions beyond the limit.
+-- Time-based policies (days/hours/minutes) are handled by a scheduled job (not this trigger).
+
+CREATE OR REPLACE FUNCTION enforce_artifact_retention()
+RETURNS TRIGGER AS $$
+DECLARE
+    v_policy artifact_retention_enum;
+    v_limit INTEGER;
+    v_count INTEGER;
+BEGIN
+    SELECT retention_policy, retention_limit
+    INTO v_policy, v_limit
+    FROM artifact
+    WHERE id = NEW.artifact;
+
+    IF v_policy = 'versions' AND v_limit > 0 THEN
+        -- Count existing versions
+        SELECT COUNT(*) INTO v_count
+        FROM artifact_version
+        WHERE artifact = NEW.artifact;
+
+        -- If over limit, delete the oldest ones
+        IF v_count > v_limit THEN
+            DELETE FROM artifact_version
+            WHERE id IN (
+                SELECT id
+                FROM artifact_version
+                WHERE artifact = NEW.artifact
+                ORDER BY version ASC
+                LIMIT (v_count - v_limit)
+            );
+        END IF;
+    END IF;
+
+    -- Update parent artifact size_bytes with the new version's size
+    UPDATE artifact
+    SET size_bytes = NEW.size_bytes,
+        content_type = COALESCE(NEW.content_type, content_type)
+    WHERE id = NEW.artifact;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trg_enforce_artifact_retention
+    AFTER INSERT ON artifact_version
+    FOR EACH ROW
+    EXECUTE FUNCTION enforce_artifact_retention();
+
+COMMENT ON FUNCTION enforce_artifact_retention IS 'Enforces version-count retention policy and syncs size to parent artifact';
--- a/docker/distributable/migrations/20250101000011_key_value_jsonb.sql
+++ b/docker/distributable/migrations/20250101000011_key_value_jsonb.sql
@@ -0,0 +1,17 @@
+-- Migration: Convert key.value from TEXT to JSONB
+--
+-- This allows keys to store structured data (objects, arrays, numbers, booleans)
+-- in addition to plain strings. Existing string values are wrapped in JSON string
+-- literals so they remain valid and accessible.
+--
+-- Before: value TEXT NOT NULL  (e.g., 'my-secret-token')
+-- After:  value JSONB NOT NULL (e.g., '"my-secret-token"' or '{"user":"admin","pass":"s3cret"}')
+
+-- Step 1: Convert existing TEXT values to JSONB.
+-- to_jsonb(text) wraps a plain string as a JSON string literal, e.g.:
+--   'hello'  ->  '"hello"'
+-- This preserves all existing values perfectly — encrypted values (base64 strings)
+-- become JSON strings, and plain text values become JSON strings.
+ALTER TABLE key
+    ALTER COLUMN value TYPE JSONB
+    USING to_jsonb(value);
--- a/docker/distributable/migrations/README.md
+++ b/docker/distributable/migrations/README.md
@@ -0,0 +1,348 @@
+# Attune Database Migrations
+
+This directory contains SQL migrations for the Attune automation platform database schema.
+
+## Overview
+
+Migrations are numbered and executed in order. Each migration file is named with a timestamp prefix to ensure proper ordering:
+
+```
+YYYYMMDDHHMMSS_description.sql
+```
+
+## Migration Files
+
+The schema is organized into 5 logical migration files:
+
+| File | Description |
+|------|-------------|
+| `20250101000001_initial_setup.sql` | Creates schema, service role, all enum types, and shared functions |
+| `20250101000002_core_tables.sql` | Creates pack, runtime, worker, identity, permission_set, permission_assignment, policy, and key tables |
+| `20250101000003_event_system.sql` | Creates trigger, sensor, event, and enforcement tables |
+| `20250101000004_execution_system.sql` | Creates action, rule, execution, inquiry, workflow orchestration tables (workflow_definition, workflow_execution, workflow_task_execution), and workflow views |
+| `20250101000005_supporting_tables.sql` | Creates notification, artifact, and queue_stats tables with performance indexes |
+
+### Migration Dependencies
+
+The migrations must be run in order due to foreign key dependencies:
+
+1. **Initial Setup** - Foundation (schema, enums, functions)
+2. **Core Tables** - Base entities (pack, runtime, worker, identity, permissions, policy, key)
+3. **Event System** - Event monitoring (trigger, sensor, event, enforcement)
+4. **Execution System** - Action execution (action, rule, execution, inquiry)
+5. **Supporting Tables** - Auxiliary features (notification, artifact)
+
+## Running Migrations
+
+### Using SQLx CLI
+
+```bash
+# Install sqlx-cli if not already installed
+cargo install sqlx-cli --no-default-features --features postgres
+
+# Run all pending migrations
+sqlx migrate run
+
+# Check migration status
+sqlx migrate info
+
+# Revert last migration (if needed)
+sqlx migrate revert
+```
+
+### Manual Execution
+
+You can also run migrations manually using `psql`:
+
+```bash
+# Run all migrations in order
+for file in migrations/202501*.sql; do
+    psql -U postgres -d attune -f "$file"
+done
+```
+
+Or individually:
+
+```bash
+psql -U postgres -d attune -f migrations/20250101000001_initial_setup.sql
+psql -U postgres -d attune -f migrations/20250101000002_core_tables.sql
+# ... etc
+```
+
+## Database Setup
+
+### Prerequisites
+
+1. PostgreSQL 14 or later installed
+2. Create the database:
+
+```bash
+createdb attune
+```
+
+3. Set environment variable:
+
+```bash
+export DATABASE_URL="postgresql://postgres:postgres@localhost:5432/attune"
+```
+
+### Initial Setup
+
+```bash
+# Navigate to workspace root
+cd /path/to/attune
+
+# Run migrations
+sqlx migrate run
+
+# Verify tables were created
+psql -U postgres -d attune -c "\dt attune.*"
+```
+
+## Schema Overview
+
+The Attune schema includes 22 tables organized into logical groups:
+
+### Core Tables (Migration 2)
+- **pack**: Automation component bundles
+- **runtime**: Execution environments (Python, Node.js, containers)
+- **worker**: Execution workers
+- **identity**: Users and service accounts
+- **permission_set**: Permission groups (like roles)
+- **permission_assignment**: Identity-permission links (many-to-many)
+- **policy**: Execution policies (rate limiting, concurrency)
+- **key**: Secure configuration and secrets storage
+
+### Event System (Migration 3)
+- **trigger**: Event type definitions
+- **sensor**: Event monitors that watch for triggers
+- **event**: Event instances (trigger firings)
+- **enforcement**: Rule activation instances
+
+### Execution System (Migration 4)
+- **action**: Executable operations (can be workflows)
+- **rule**: Trigger-to-action automation logic
+- **execution**: Action execution instances (supports workflows)
+- **inquiry**: Human-in-the-loop interactions (approvals, inputs)
+- **workflow_definition**: YAML-based workflow definitions (composable action graphs)
+- **workflow_execution**: Runtime state tracking for workflow executions
+- **workflow_task_execution**: Individual task executions within workflows
+
+### Supporting Tables (Migration 5)
+- **notification**: Real-time system notifications (uses PostgreSQL LISTEN/NOTIFY)
+- **artifact**: Execution outputs (files, logs, progress data)
+- **queue_stats**: Real-time execution queue statistics for FIFO ordering
+
+## Key Features
+
+### Automatic Timestamps
+All tables include `created` and `updated` timestamps that are automatically managed by the `update_updated_column()` trigger function.
+
+### Reference Preservation
+Tables use both ID foreign keys and `*_ref` text columns. The ref columns preserve string references even when the referenced entity is deleted, maintaining complete audit trails.
+
+### Soft Deletes
+Foreign keys strategically use:
+- `ON DELETE CASCADE` - For dependent data that should be removed
+- `ON DELETE SET NULL` - To preserve historical records while breaking the link
+
+### Validation Constraints
+- **Reference format validation** - Lowercase, specific patterns (e.g., `pack.name`)
+- **Semantic version validation** - For pack versions
+- **Ownership validation** - Custom trigger for key table ownership rules
+- **Range checks** - Port numbers, positive thresholds, etc.
+
+### Performance Optimization
+- **B-tree indexes** - On frequently queried columns (IDs, refs, status, timestamps)
+- **Partial indexes** - For filtered queries (e.g., `enabled = TRUE`)
+- **GIN indexes** - On JSONB and array columns for fast containment queries
+- **Composite indexes** - For common multi-column query patterns
+
+### PostgreSQL Features
+- **JSONB** - Flexible schema storage for configurations, payloads, results
+- **Array types** - Multi-value fields (tags, parameters, dependencies)
+- **Custom enum types** - Constrained string values with type safety
+- **Triggers** - Data validation, timestamp management, notifications
+- **pg_notify** - Real-time notifications via PostgreSQL's LISTEN/NOTIFY
+
+## Service Role
+
+The migrations create a `svc_attune` role with appropriate permissions. **Change the password in production:**
+
+```sql
+ALTER ROLE svc_attune WITH PASSWORD 'secure_password_here';
+```
+
+The default password is `attune_service_password` (only for development).
+
+## Rollback Strategy
+
+### Complete Reset
+
+To completely reset the database:
+
+```bash
+# Drop and recreate
+dropdb attune
+createdb attune
+sqlx migrate run
+```
+
+Or drop just the schema:
+
+```sql
+psql -U postgres -d attune -c "DROP SCHEMA attune CASCADE;"
+```
+
+Then re-run migrations.
+
+### Individual Migration Revert
+
+With SQLx CLI:
+
+```bash
+sqlx migrate revert
+```
+
+Or manually remove from tracking:
+
+```sql
+DELETE FROM _sqlx_migrations WHERE version = 20250101000001;
+```
+
+## Best Practices
+
+1. **Never edit existing migrations** - Create new migrations to modify schema
+2. **Test migrations** - Always test on a copy of production data first
+3. **Backup before migrating** - Backup production database before applying migrations
+4. **Review changes** - Review all migrations before applying to production
+5. **Version control** - Keep migrations in version control (they are!)
+6. **Document changes** - Add comments to complex migrations
+
+## Development Workflow
+
+1. Create new migration file with timestamp:
+   ```bash
+   touch migrations/$(date +%Y%m%d%H%M%S)_description.sql
+   ```
+
+2. Write migration SQL (follow existing patterns)
+
+3. Test migration:
+   ```bash
+   sqlx migrate run
+   ```
+
+4. Verify changes:
+   ```bash
+   psql -U postgres -d attune
+   \d+ attune.table_name
+   ```
+
+5. Commit to version control
+
+## Production Deployment
+
+1. **Backup** production database
+2. **Review** all pending migrations
+3. **Test** migrations on staging environment with production data copy
+4. **Schedule** maintenance window if needed
+5. **Apply** migrations:
+   ```bash
+   sqlx migrate run
+   ```
+6. **Verify** application functionality
+7. **Monitor** for errors in logs
+
+## Troubleshooting
+
+### Migration already applied
+
+If you need to re-run a migration:
+
+```bash
+# Remove from migration tracking (SQLx)
+psql -U postgres -d attune -c "DELETE FROM _sqlx_migrations WHERE version = 20250101000001;"
+
+# Then re-run
+sqlx migrate run
+```
+
+### Permission denied
+
+Ensure the PostgreSQL user has sufficient permissions:
+
+```sql
+GRANT ALL PRIVILEGES ON DATABASE attune TO postgres;
+GRANT ALL PRIVILEGES ON SCHEMA attune TO postgres;
+```
+
+### Connection refused
+
+Check PostgreSQL is running:
+
+```bash
+# Linux/macOS
+pg_ctl status
+sudo systemctl status postgresql
+
+# Check if listening
+psql -U postgres -c "SELECT version();"
+```
+
+### Foreign key constraint violations
+
+Ensure migrations run in correct order. The consolidated migrations handle forward references correctly:
+- Migration 2 creates tables with forward references (commented as such)
+- Migration 3 and 4 add the foreign key constraints back
+
+## Schema Diagram
+
+```
+┌─────────────┐
+│    pack     │◄──┐
+└─────────────┘   │
+       ▲          │
+       │          │
+┌──────┴──────────┴──────┐
+│ runtime │ trigger │ ... │  (Core entities reference pack)
+└─────────┴─────────┴─────┘
+       ▲          ▲
+       │          │
+┌──────┴──────┐  │
+│   sensor    │──┘  (Sensors reference both runtime and trigger)
+└─────────────┘
+       │
+       ▼
+┌─────────────┐     ┌──────────────┐
+│    event    │────►│ enforcement  │  (Events trigger enforcements)
+└─────────────┘     └──────────────┘
+                           │
+                           ▼
+                    ┌──────────────┐
+                    │  execution   │  (Enforcements create executions)
+                    └──────────────┘
+```
+
+## Workflow Orchestration
+
+Migration 4 includes comprehensive workflow orchestration support:
+- **workflow_definition**: Stores parsed YAML workflow definitions with tasks, variables, and transitions
+- **workflow_execution**: Tracks runtime state including current/completed/failed tasks and variables
+- **workflow_task_execution**: Individual task execution tracking with retry and timeout support
+- **Action table extensions**: `is_workflow` and `workflow_def` columns link actions to workflows
+- **Helper views**: Three views for querying workflow state (summary, task detail, action links)
+
+## Queue Statistics
+
+Migration 5 includes the queue_stats table for execution ordering:
+- Tracks per-action queue length, active executions, and concurrency limits
+- Enables FIFO queue management with database persistence
+- Supports monitoring and API visibility of execution queues
+
+## Additional Resources
+
+- [SQLx Documentation](https://github.com/launchbadge/sqlx)
+- [PostgreSQL Documentation](https://www.postgresql.org/docs/)
+- [Attune Architecture Documentation](../docs/architecture.md)
+- [Attune Data Model Documentation](../docs/data-model.md)
--- a/docker/distributable/packs/core/DEPENDENCIES.md
+++ b/docker/distributable/packs/core/DEPENDENCIES.md
@@ -0,0 +1,270 @@
+# Core Pack Dependencies
+
+**Philosophy:** The core pack has **zero runtime dependencies** beyond standard system utilities.
+
+## Why Zero Dependencies?
+
+1. **Portability:** Works in any environment with standard Unix utilities
+2. **Reliability:** No version conflicts, no package installation failures
+3. **Security:** Minimal attack surface, no third-party library vulnerabilities
+4. **Performance:** Fast startup, no runtime initialization overhead
+5. **Simplicity:** Easy to audit, test, and maintain
+
+## Required System Utilities
+
+All core pack actions rely only on utilities available in standard Linux/Unix environments:
+
+| Utility | Purpose | Used By |
+|---------|---------|---------|
+| `bash` | Shell scripting | All shell actions |
+| `jq` | JSON parsing/generation | All actions (parameter handling) |
+| `curl` | HTTP client | `http_request.sh` |
+| Standard Unix tools | Text processing, file operations | Various actions |
+
+These utilities are:
+- ✅ Pre-installed in all Attune worker containers
+- ✅ Standard across Linux distributions
+- ✅ Stable, well-tested, and widely used
+- ✅ Available via package managers if needed
+
+## No Runtime Dependencies
+
+The core pack **does not require:**
+- ❌ Python interpreter or packages
+- ❌ Node.js runtime or npm modules
+- ❌ Ruby, Perl, or other scripting languages
+- ❌ Third-party libraries or frameworks
+- ❌ Package installations at runtime
+
+## Action Implementation Guidelines
+
+### ✅ Preferred Approaches
+
+**Use bash + standard utilities:**
+```bash
+#!/bin/bash
+# Read params with jq
+INPUT=$(cat)
+PARAM=$(echo "$INPUT" | jq -r '.param // "default"')
+
+# Process with standard tools
+RESULT=$(echo "$PARAM" | tr '[:lower:]' '[:upper:]')
+
+# Output with jq
+jq -n --arg result "$RESULT" '{result: $result}'
+```
+
+**Use curl for HTTP:**
+```bash
+# Make HTTP requests with curl
+curl -s -X POST "$URL" \
+    -H "Content-Type: application/json" \
+    -d '{"key": "value"}'
+```
+
+**Use jq for JSON processing:**
+```bash
+# Parse JSON responses
+echo "$RESPONSE" | jq '.data.items[] | .name'
+
+# Generate JSON output
+jq -n \
+    --arg status "success" \
+    --argjson count 42 \
+    '{status: $status, count: $count}'
+```
+
+### ❌ Avoid
+
+**Don't add runtime dependencies:**
+```bash
+# ❌ DON'T DO THIS
+pip install requests
+python3 script.py
+
+# ❌ DON'T DO THIS
+npm install axios
+node script.js
+
+# ❌ DON'T DO THIS
+gem install httparty
+ruby script.rb
+```
+
+**Don't use language-specific features:**
+```python
+# ❌ DON'T DO THIS in core pack
+#!/usr/bin/env python3
+import requests  # External dependency!
+response = requests.get(url)
+```
+
+Instead, use bash + curl:
+```bash
+# ✅ DO THIS in core pack
+#!/bin/bash
+response=$(curl -s "$url")
+```
+
+## When Runtime Dependencies Are Acceptable
+
+For **custom packs** (not core pack), runtime dependencies are fine:
+- ✅ Pack-specific Python libraries (installed in pack virtualenv)
+- ✅ Pack-specific npm modules (installed in pack node_modules)
+- ✅ Language runtimes (Python, Node.js) for complex logic
+- ✅ Specialized tools for specific integrations
+
+The core pack serves as a foundation with zero dependencies. Custom packs can have dependencies managed via:
+- `requirements.txt` for Python packages
+- `package.json` for Node.js modules
+- Pack runtime environments (isolated per pack)
+
+## Migration from Runtime Dependencies
+
+If an action currently uses a runtime dependency, consider:
+
+1. **Can it be done with bash + standard utilities?**
+   - Yes → Rewrite in bash
+   - No → Consider if it belongs in core pack
+
+2. **Is the functionality complex?**
+   - Simple HTTP/JSON → Use curl + jq
+   - Complex API client → Move to custom pack
+
+3. **Is it a specialized integration?**
+   - Yes → Move to integration-specific pack
+   - No → Keep in core pack with bash implementation
+
+### Example: http_request Migration
+
+**Before (Python with dependency):**
+```python
+#!/usr/bin/env python3
+import requests  # ❌ External dependency
+
+response = requests.get(url, headers=headers)
+print(response.json())
+```
+
+**After (Bash with standard utilities):**
+```bash
+#!/bin/bash
+# ✅ No dependencies beyond curl + jq
+
+response=$(curl -s -H "Authorization: Bearer $TOKEN" "$URL")
+echo "$response" | jq '.'
+```
+
+## Testing Without Dependencies
+
+Core pack actions can be tested anywhere with standard utilities:
+
+```bash
+# Local testing (no installation needed)
+echo '{"param": "value"}' | ./action.sh
+
+# Docker testing (minimal base image)
+docker run --rm -i alpine:latest sh -c '
+    apk add --no-cache bash jq curl &&
+    /bin/bash < action.sh
+'
+
+# CI/CD testing (standard tools available)
+./action.sh < test-params.json
+```
+
+## Benefits Realized
+
+### For Developers
+- No dependency management overhead
+- Immediate action execution (no runtime setup)
+- Easy to test locally
+- Simple to audit and debug
+
+### For Operators
+- No version conflicts between packs
+- No package installation failures
+- Faster container startup
+- Smaller container images
+
+### For Security
+- Minimal attack surface
+- No third-party library vulnerabilities
+- Easier to audit (standard tools only)
+- No supply chain risks
+
+### For Performance
+- Fast action startup (no runtime initialization)
+- Low memory footprint
+- No package loading overhead
+- Efficient resource usage
+
+## Standard Utility Reference
+
+### jq (JSON Processing)
+```bash
+# Parse input
+VALUE=$(echo "$JSON" | jq -r '.key')
+
+# Generate output
+jq -n --arg val "$VALUE" '{result: $val}'
+
+# Transform data
+echo "$JSON" | jq '.items[] | select(.active)'
+```
+
+### curl (HTTP Client)
+```bash
+# GET request
+curl -s "$URL"
+
+# POST with JSON
+curl -s -X POST "$URL" \
+    -H "Content-Type: application/json" \
+    -d '{"key": "value"}'
+
+# With authentication
+curl -s -H "Authorization: Bearer $TOKEN" "$URL"
+```
+
+### Standard Text Tools
+```bash
+# grep - Pattern matching
+echo "$TEXT" | grep "pattern"
+
+# sed - Text transformation
+echo "$TEXT" | sed 's/old/new/g'
+
+# awk - Text processing
+echo "$TEXT" | awk '{print $1}'
+
+# tr - Character translation
+echo "$TEXT" | tr '[:lower:]' '[:upper:]'
+```
+
+## Future Considerations
+
+The core pack will:
+- ✅ Continue to have zero runtime dependencies
+- ✅ Use only standard Unix utilities
+- ✅ Serve as a reference implementation
+- ✅ Provide foundational actions for workflows
+
+Custom packs may:
+- ✅ Have runtime dependencies (Python, Node.js, etc.)
+- ✅ Use specialized libraries for integrations
+- ✅ Require specific tools or SDKs
+- ✅ Manage dependencies via pack environments
+
+## Summary
+
+**Core Pack = Zero Dependencies + Standard Utilities**
+
+This philosophy ensures the core pack is:
+- Portable across all environments
+- Reliable without version conflicts
+- Secure with minimal attack surface
+- Performant with fast startup
+- Simple to test and maintain
+
+For actions requiring runtime dependencies, create custom packs with proper dependency management via `requirements.txt`, `package.json`, or similar mechanisms.
--- a/docker/distributable/packs/core/README.md
+++ b/docker/distributable/packs/core/README.md
@@ -0,0 +1,361 @@
+# Attune Core Pack
+
+The **Core Pack** is the foundational system pack for Attune, providing essential automation components including timer triggers, HTTP utilities, and basic shell actions.
+
+## Overview
+
+The core pack is automatically installed with Attune and provides the building blocks for creating automation workflows. It includes:
+
+- **Timer Triggers**: Interval-based, cron-based, and one-shot datetime timers
+- **HTTP Actions**: Make HTTP requests to external APIs
+- **Shell Actions**: Execute basic shell commands (echo, sleep, noop)
+- **Built-in Sensors**: System sensors for monitoring time-based events
+
+## Components
+
+### Actions
+
+#### `core.echo`
+Outputs a message to stdout.
+
+**Parameters:**
+- `message` (string, required): Message to echo
+- `uppercase` (boolean, optional): Convert message to uppercase
+
+**Example:**
+```yaml
+action: core.echo
+parameters:
+  message: "Hello, Attune!"
+  uppercase: false
+```
+
+---
+
+#### `core.sleep`
+Pauses execution for a specified duration.
+
+**Parameters:**
+- `seconds` (integer, required): Number of seconds to sleep (0-3600)
+- `message` (string, optional): Optional message to display before sleeping
+
+**Example:**
+```yaml
+action: core.sleep
+parameters:
+  seconds: 30
+  message: "Waiting 30 seconds..."
+```
+
+---
+
+#### `core.noop`
+Does nothing - useful for testing and placeholder workflows.
+
+**Parameters:**
+- `message` (string, optional): Optional message to log
+- `exit_code` (integer, optional): Exit code to return (default: 0)
+
+**Example:**
+```yaml
+action: core.noop
+parameters:
+  message: "Testing workflow structure"
+```
+
+---
+
+#### `core.http_request`
+Make HTTP requests to external APIs with full control over headers, authentication, and request body.
+
+**Parameters:**
+- `url` (string, required): URL to send the request to
+- `method` (string, optional): HTTP method (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)
+- `headers` (object, optional): HTTP headers as key-value pairs
+- `body` (string, optional): Request body for POST/PUT/PATCH
+- `json_body` (object, optional): JSON request body (alternative to `body`)
+- `query_params` (object, optional): URL query parameters
+- `timeout` (integer, optional): Request timeout in seconds (default: 30)
+- `verify_ssl` (boolean, optional): Verify SSL certificates (default: true)
+- `auth_type` (string, optional): Authentication type (none, basic, bearer)
+- `auth_username` (string, optional): Username for basic auth
+- `auth_password` (string, secret, optional): Password for basic auth
+- `auth_token` (string, secret, optional): Bearer token
+- `follow_redirects` (boolean, optional): Follow HTTP redirects (default: true)
+- `max_redirects` (integer, optional): Maximum redirects to follow (default: 10)
+
+**Output:**
+- `status_code` (integer): HTTP status code
+- `headers` (object): Response headers
+- `body` (string): Response body as text
+- `json` (object): Parsed JSON response (if applicable)
+- `elapsed_ms` (integer): Request duration in milliseconds
+- `url` (string): Final URL after redirects
+- `success` (boolean): Whether request was successful (2xx status)
+
+**Example:**
+```yaml
+action: core.http_request
+parameters:
+  url: "https://api.example.com/users"
+  method: "POST"
+  json_body:
+    name: "John Doe"
+    email: "john@example.com"
+  headers:
+    Content-Type: "application/json"
+  auth_type: "bearer"
+  auth_token: "${secret:api_token}"
+```
+
+---
+
+### Triggers
+
+#### `core.intervaltimer`
+Fires at regular intervals based on time unit and interval.
+
+**Parameters:**
+- `unit` (string, required): Time unit (seconds, minutes, hours)
+- `interval` (integer, required): Number of time units between triggers
+
+**Payload:**
+- `type`: "interval"
+- `interval_seconds`: Total interval in seconds
+- `fired_at`: ISO 8601 timestamp
+- `execution_count`: Number of times fired
+- `sensor_ref`: Reference to the sensor
+
+**Example:**
+```yaml
+trigger: core.intervaltimer
+config:
+  unit: "minutes"
+  interval: 5
+```
+
+---
+
+#### `core.crontimer`
+Fires based on cron schedule expressions.
+
+**Parameters:**
+- `expression` (string, required): Cron expression (6 fields: second minute hour day month weekday)
+- `timezone` (string, optional): Timezone (default: UTC)
+- `description` (string, optional): Human-readable schedule description
+
+**Payload:**
+- `type`: "cron"
+- `fired_at`: ISO 8601 timestamp
+- `scheduled_at`: When trigger was scheduled to fire
+- `expression`: The cron expression
+- `timezone`: Timezone used
+- `next_fire_at`: Next scheduled fire time
+- `execution_count`: Number of times fired
+- `sensor_ref`: Reference to the sensor
+
+**Cron Format:**
+```
+┌───────── second (0-59)
+│ ┌─────── minute (0-59)
+│ │ ┌───── hour (0-23)
+│ │ │ ┌─── day of month (1-31)
+│ │ │ │ ┌─ month (1-12)
+│ │ │ │ │ ┌ day of week (0-6, 0=Sunday)
+│ │ │ │ │ │
+* * * * * *
+```
+
+**Examples:**
+- `0 0 * * * *` - Every hour
+- `0 0 0 * * *` - Every day at midnight
+- `0 */15 * * * *` - Every 15 minutes
+- `0 30 8 * * 1-5` - 8:30 AM on weekdays
+
+---
+
+#### `core.datetimetimer`
+Fires once at a specific date and time.
+
+**Parameters:**
+- `fire_at` (string, required): ISO 8601 timestamp when timer should fire
+- `timezone` (string, optional): Timezone (default: UTC)
+- `description` (string, optional): Human-readable description
+
+**Payload:**
+- `type`: "one_shot"
+- `fire_at`: Scheduled fire time
+- `fired_at`: Actual fire time
+- `timezone`: Timezone used
+- `delay_ms`: Delay between scheduled and actual fire time
+- `sensor_ref`: Reference to the sensor
+
+**Example:**
+```yaml
+trigger: core.datetimetimer
+config:
+  fire_at: "2024-12-31T23:59:59Z"
+  description: "New Year's countdown"
+```
+
+---
+
+### Sensors
+
+#### `core.interval_timer_sensor`
+Built-in sensor that monitors time and fires interval timer triggers.
+
+**Configuration:**
+- `check_interval_seconds` (integer, optional): How often to check triggers (default: 1)
+
+This sensor automatically runs as part of the Attune sensor service and manages all interval timer trigger instances.
+
+---
+
+## Configuration
+
+The core pack supports the following configuration options:
+
+```yaml
+# config.yaml
+packs:
+  core:
+    max_action_timeout: 300        # Maximum action timeout in seconds
+    enable_debug_logging: false    # Enable debug logging
+```
+
+## Dependencies
+
+### Python Dependencies
+- `requests>=2.28.0` - For HTTP request action
+- `croniter>=1.4.0` - For cron timer parsing (future)
+
+### Runtime Dependencies
+- Shell (bash/sh) - For shell-based actions
+- Python 3.8+ - For Python-based actions and sensors
+
+## Installation
+
+The core pack is automatically installed with Attune. No manual installation is required.
+
+To verify the core pack is loaded:
+
+```bash
+# Using CLI
+attune pack list | grep core
+
+# Using API
+curl http://localhost:8080/api/v1/packs/core
+```
+
+## Usage Examples
+
+### Example 1: Echo Every 10 Seconds
+
+Create a rule that echoes "Hello, World!" every 10 seconds:
+
+```yaml
+ref: core.hello_world_rule
+trigger: core.intervaltimer
+trigger_config:
+  unit: "seconds"
+  interval: 10
+action: core.echo
+action_params:
+  message: "Hello, World!"
+  uppercase: false
+```
+
+### Example 2: HTTP Health Check Every 5 Minutes
+
+Monitor an API endpoint every 5 minutes:
+
+```yaml
+ref: core.health_check_rule
+trigger: core.intervaltimer
+trigger_config:
+  unit: "minutes"
+  interval: 5
+action: core.http_request
+action_params:
+  url: "https://api.example.com/health"
+  method: "GET"
+  timeout: 10
+```
+
+### Example 3: Daily Report at Midnight
+
+Generate a report every day at midnight:
+
+```yaml
+ref: core.daily_report_rule
+trigger: core.crontimer
+trigger_config:
+  expression: "0 0 0 * * *"
+  timezone: "UTC"
+  description: "Daily at midnight"
+action: core.http_request
+action_params:
+  url: "https://api.example.com/reports/generate"
+  method: "POST"
+```
+
+### Example 4: One-Time Reminder
+
+Set a one-time reminder for a specific date and time:
+
+```yaml
+ref: core.meeting_reminder
+trigger: core.datetimetimer
+trigger_config:
+  fire_at: "2024-06-15T14:00:00Z"
+  description: "Team meeting reminder"
+action: core.echo
+action_params:
+  message: "Team meeting starts in 15 minutes!"
+```
+
+## Development
+
+### Adding New Actions
+
+1. Create action metadata file: `actions/<action_name>.yaml`
+2. Create action implementation: `actions/<action_name>.sh` or `actions/<action_name>.py`
+3. Make script executable: `chmod +x actions/<action_name>.sh`
+4. Update pack manifest if needed
+5. Test the action
+
+### Testing Actions Locally
+
+Test actions directly by setting environment variables:
+
+```bash
+# Test echo action
+export ATTUNE_ACTION_MESSAGE="Test message"
+export ATTUNE_ACTION_UPPERCASE=true
+./actions/echo.sh
+
+# Test HTTP request action
+export ATTUNE_ACTION_URL="https://httpbin.org/get"
+export ATTUNE_ACTION_METHOD="GET"
+python3 actions/http_request.py
+```
+
+## Contributing
+
+The core pack is part of the Attune project. Contributions are welcome!
+
+1. Follow the existing code style and structure
+2. Add tests for new actions/sensors
+3. Update documentation
+4. Submit a pull request
+
+## License
+
+The core pack is licensed under the same license as Attune.
+
+## Support
+
+- Documentation: https://docs.attune.io/packs/core
+- Issues: https://github.com/attune-io/attune/issues
+- Discussions: https://github.com/attune-io/attune/discussions
--- a/docker/distributable/packs/core/SETUP.md
+++ b/docker/distributable/packs/core/SETUP.md
@@ -0,0 +1,305 @@
+# Core Pack Setup Guide
+
+This guide explains how to set up and load the Attune core pack into your database.
+
+## Overview
+
+The **core pack** is Attune's built-in system pack that provides essential automation components including:
+
+- **Timer Triggers**: Interval-based, cron-based, and datetime triggers
+- **Basic Actions**: Echo, sleep, noop, and HTTP request actions
+- **Built-in Sensors**: Interval timer sensor for time-based automation
+
+The core pack must be loaded into the database before it can be used in rules and workflows.
+
+## Prerequisites
+
+Before loading the core pack, ensure:
+
+1. **PostgreSQL is running** and accessible
+2. **Database migrations are applied**: `sqlx migrate run`
+3. **Python 3.8+** is installed (for the loader script)
+4. **Required Python packages** are installed:
+   ```bash
+   pip install psycopg2-binary pyyaml
+   ```
+
+## Loading Methods
+
+### Method 1: Python Loader Script (Recommended)
+
+The Python loader script reads the pack YAML files and creates database entries automatically.
+
+**Usage:**
+```bash
+# From the project root
+python3 scripts/load_core_pack.py
+
+# With custom database URL
+python3 scripts/load_core_pack.py --database-url "postgresql://user:pass@localhost:5432/attune"
+
+# With custom pack directory
+python3 scripts/load_core_pack.py --pack-dir ./packs
+```
+
+**What it does:**
+- Reads `pack.yaml` for pack metadata
+- Loads all trigger definitions from `triggers/*.yaml`
+- Loads all action definitions from `actions/*.yaml`
+- Loads all sensor definitions from `sensors/*.yaml`
+- Creates or updates database entries (idempotent)
+- Uses transactions (all-or-nothing)
+
+**Output:**
+```
+============================================================
+Core Pack Loader
+============================================================
+
+→ Loading pack metadata...
+✓ Pack 'core' loaded (ID: 1)
+
+→ Loading triggers...
+  ✓ Trigger 'core.intervaltimer' (ID: 1)
+  ✓ Trigger 'core.crontimer' (ID: 2)
+  ✓ Trigger 'core.datetimetimer' (ID: 3)
+
+→ Loading actions...
+  ✓ Action 'core.echo' (ID: 1)
+  ✓ Action 'core.sleep' (ID: 2)
+  ✓ Action 'core.noop' (ID: 3)
+  ✓ Action 'core.http_request' (ID: 4)
+
+→ Loading sensors...
+  ✓ Sensor 'core.interval_timer_sensor' (ID: 1)
+
+============================================================
+✓ Core pack loaded successfully!
+============================================================
+  Pack ID: 1
+  Triggers: 3
+  Actions: 4
+  Sensors: 1
+```
+
+### Method 2: SQL Seed Script
+
+For simpler setups or CI/CD, you can use the SQL seed script directly.
+
+**Usage:**
+```bash
+psql $DATABASE_URL -f scripts/seed_core_pack.sql
+```
+
+**Note:** The SQL script may not include all pack metadata and is less flexible than the Python loader.
+
+### Method 3: CLI (Future)
+
+Once the CLI pack management commands are fully implemented:
+
+```bash
+attune pack register ./packs/core
+```
+
+## Verification
+
+After loading, verify the core pack is available:
+
+### Using CLI
+```bash
+# List all packs
+attune pack list
+
+# Show core pack details
+attune pack show core
+
+# List core pack actions
+attune action list --pack core
+
+# List core pack triggers
+attune trigger list --pack core
+```
+
+### Using API
+```bash
+# Get pack info
+curl http://localhost:8080/api/v1/packs/core | jq
+
+# List actions
+curl http://localhost:8080/api/v1/packs/core/actions | jq
+
+# List triggers
+curl http://localhost:8080/api/v1/packs/core/triggers | jq
+```
+
+### Using Database
+```sql
+-- Check pack exists
+SELECT * FROM attune.pack WHERE ref = 'core';
+
+-- Count components
+SELECT 
+    (SELECT COUNT(*) FROM attune.trigger WHERE pack_ref = 'core') as triggers,
+    (SELECT COUNT(*) FROM attune.action WHERE pack_ref = 'core') as actions,
+    (SELECT COUNT(*) FROM attune.sensor WHERE pack_ref = 'core') as sensors;
+```
+
+## Testing the Core Pack
+
+### 1. Test Actions Directly
+
+Test actions using environment variables:
+
+```bash
+# Test echo action
+export ATTUNE_ACTION_MESSAGE="Hello, Attune!"
+export ATTUNE_ACTION_UPPERCASE=false
+./packs/core/actions/echo.sh
+
+# Test sleep action
+export ATTUNE_ACTION_SECONDS=2
+export ATTUNE_ACTION_MESSAGE="Sleeping..."
+./packs/core/actions/sleep.sh
+
+# Test HTTP request action
+export ATTUNE_ACTION_URL="https://httpbin.org/get"
+export ATTUNE_ACTION_METHOD="GET"
+python3 packs/core/actions/http_request.py
+```
+
+### 2. Run Pack Test Suite
+
+```bash
+# Run comprehensive test suite
+./packs/core/test_core_pack.sh
+```
+
+### 3. Create a Test Rule
+
+Create a simple rule to test the core pack integration:
+
+```bash
+# Create a rule that echoes every 10 seconds
+attune rule create \
+  --name "test_timer_echo" \
+  --trigger "core.intervaltimer" \
+  --trigger-config '{"unit":"seconds","interval":10}' \
+  --action "core.echo" \
+  --action-params '{"message":"Timer triggered!"}' \
+  --enabled
+```
+
+## Updating the Core Pack
+
+To update the core pack after making changes:
+
+1. Edit the relevant YAML files in `packs/core/`
+2. Re-run the loader script:
+   ```bash
+   python3 scripts/load_core_pack.py
+   ```
+3. The loader will update existing entries (upsert)
+
+## Troubleshooting
+
+### "Failed to connect to database"
+- Verify PostgreSQL is running: `pg_isready`
+- Check `DATABASE_URL` environment variable
+- Test connection: `psql $DATABASE_URL -c "SELECT 1"`
+
+### "pack.yaml not found"
+- Ensure you're running from the project root
+- Check the `--pack-dir` argument points to the correct directory
+- Verify `packs/core/pack.yaml` exists
+
+### "ModuleNotFoundError: No module named 'psycopg2'"
+```bash
+pip install psycopg2-binary pyyaml
+```
+
+### "Pack loaded but not visible in API"
+- Restart the API service to reload pack data
+- Check pack is enabled: `SELECT enabled FROM attune.pack WHERE ref = 'core'`
+
+### Actions not executing
+- Verify action scripts are executable: `chmod +x packs/core/actions/*.sh`
+- Check worker service is running and can access the packs directory
+- Verify runtime configuration is correct
+
+## Development Workflow
+
+When developing new core pack components:
+
+1. **Add new action:**
+   - Create `actions/new_action.yaml` with metadata
+   - Create `actions/new_action.sh` (or `.py`) with implementation
+   - Make script executable: `chmod +x actions/new_action.sh`
+   - Test locally: `export ATTUNE_ACTION_*=... && ./actions/new_action.sh`
+   - Load into database: `python3 scripts/load_core_pack.py`
+
+2. **Add new trigger:**
+   - Create `triggers/new_trigger.yaml` with metadata
+   - Load into database: `python3 scripts/load_core_pack.py`
+   - Create sensor if needed
+
+3. **Add new sensor:**
+   - Create `sensors/new_sensor.yaml` with metadata
+   - Create `sensors/new_sensor.py` with implementation
+   - Load into database: `python3 scripts/load_core_pack.py`
+   - Restart sensor service
+
+## Environment Variables
+
+The loader script supports the following environment variables:
+
+- `DATABASE_URL` - PostgreSQL connection string
+  - Default: `postgresql://postgres:postgres@localhost:5432/attune`
+  - Example: `postgresql://user:pass@db.example.com:5432/attune`
+
+- `ATTUNE_PACKS_DIR` - Base directory for packs
+  - Default: `./packs`
+  - Example: `/opt/attune/packs`
+
+## CI/CD Integration
+
+For automated deployments:
+
+```yaml
+# Example GitHub Actions workflow
+- name: Load Core Pack
+  run: |
+    python3 scripts/load_core_pack.py \
+      --database-url "${{ secrets.DATABASE_URL }}"
+  env:
+    DATABASE_URL: ${{ secrets.DATABASE_URL }}
+```
+
+## Next Steps
+
+After loading the core pack:
+
+1. **Create your first rule** using core triggers and actions
+2. **Enable sensors** to start generating events
+3. **Monitor executions** via the API or Web UI
+4. **Explore pack documentation** in `README.md`
+
+## Additional Resources
+
+- **Pack README**: `packs/core/README.md` - Comprehensive component documentation
+- **Testing Guide**: `packs/core/TESTING.md` - Testing procedures
+- **API Documentation**: `docs/api-packs.md` - Pack management API
+- **Action Development**: `docs/action-development.md` - Creating custom actions
+
+## Support
+
+If you encounter issues:
+
+1. Check this troubleshooting section
+2. Review logs from services (api, executor, worker, sensor)
+3. Verify database state with SQL queries
+4. File an issue with detailed error messages and logs
+
+---
+
+**Last Updated:** 2025-01-20  
+**Core Pack Version:** 1.0.0
--- a/docker/distributable/packs/core/TESTING.md
+++ b/docker/distributable/packs/core/TESTING.md
@@ -0,0 +1,410 @@
+# Core Pack Testing Guide
+
+Quick reference for testing core pack actions and sensors locally.
+
+---
+
+## Prerequisites
+
+```bash
+# Ensure scripts are executable
+chmod +x packs/core/actions/*.sh
+chmod +x packs/core/actions/*.py
+chmod +x packs/core/sensors/*.py
+
+# Install Python dependencies
+pip install requests>=2.28.0
+```
+
+---
+
+## Testing Actions
+
+Actions receive parameters via environment variables prefixed with `ATTUNE_ACTION_`.
+
+### Test `core.echo`
+
+```bash
+# Basic echo
+export ATTUNE_ACTION_MESSAGE="Hello, Attune!"
+./packs/core/actions/echo.sh
+
+# With uppercase conversion
+export ATTUNE_ACTION_MESSAGE="test message"
+export ATTUNE_ACTION_UPPERCASE=true
+./packs/core/actions/echo.sh
+```
+
+**Expected Output:**
+```
+Hello, Attune!
+TEST MESSAGE
+```
+
+---
+
+### Test `core.sleep`
+
+```bash
+# Sleep for 2 seconds
+export ATTUNE_ACTION_SECONDS=2
+export ATTUNE_ACTION_MESSAGE="Sleeping..."
+time ./packs/core/actions/sleep.sh
+```
+
+**Expected Output:**
+```
+Sleeping...
+Slept for 2 seconds
+
+real    0m2.004s
+```
+
+---
+
+### Test `core.noop`
+
+```bash
+# No operation with message
+export ATTUNE_ACTION_MESSAGE="Testing noop"
+./packs/core/actions/noop.sh
+
+# With custom exit code
+export ATTUNE_ACTION_EXIT_CODE=0
+./packs/core/actions/noop.sh
+echo "Exit code: $?"
+```
+
+**Expected Output:**
+```
+[NOOP] Testing noop
+No operation completed successfully
+Exit code: 0
+```
+
+---
+
+### Test `core.http_request`
+
+```bash
+# Simple GET request
+export ATTUNE_ACTION_URL="https://httpbin.org/get"
+export ATTUNE_ACTION_METHOD="GET"
+python3 ./packs/core/actions/http_request.py
+
+# POST with JSON body
+export ATTUNE_ACTION_URL="https://httpbin.org/post"
+export ATTUNE_ACTION_METHOD="POST"
+export ATTUNE_ACTION_JSON_BODY='{"name": "test", "value": 123}'
+python3 ./packs/core/actions/http_request.py
+
+# With custom headers
+export ATTUNE_ACTION_URL="https://httpbin.org/headers"
+export ATTUNE_ACTION_METHOD="GET"
+export ATTUNE_ACTION_HEADERS='{"X-Custom-Header": "test-value"}'
+python3 ./packs/core/actions/http_request.py
+
+# With query parameters
+export ATTUNE_ACTION_URL="https://httpbin.org/get"
+export ATTUNE_ACTION_METHOD="GET"
+export ATTUNE_ACTION_QUERY_PARAMS='{"foo": "bar", "page": "1"}'
+python3 ./packs/core/actions/http_request.py
+
+# With timeout
+export ATTUNE_ACTION_URL="https://httpbin.org/delay/5"
+export ATTUNE_ACTION_METHOD="GET"
+export ATTUNE_ACTION_TIMEOUT=2
+python3 ./packs/core/actions/http_request.py
+```
+
+**Expected Output:**
+```json
+{
+  "status_code": 200,
+  "headers": {
+    "Content-Type": "application/json",
+    ...
+  },
+  "body": "...",
+  "json": {
+    "args": {},
+    "headers": {...},
+    ...
+  },
+  "elapsed_ms": 234,
+  "url": "https://httpbin.org/get",
+  "success": true
+}
+```
+
+---
+
+## Testing Sensors
+
+Sensors receive configuration via environment variables prefixed with `ATTUNE_SENSOR_`.
+
+### Test `core.interval_timer_sensor`
+
+```bash
+# Create test trigger instances JSON
+export ATTUNE_SENSOR_TRIGGERS='[
+  {
+    "id": 1,
+    "ref": "core.intervaltimer",
+    "config": {
+      "unit": "seconds",
+      "interval": 5
+    }
+  }
+]'
+
+# Run sensor (will output events every 5 seconds)
+python3 ./packs/core/sensors/interval_timer_sensor.py
+```
+
+**Expected Output:**
+```
+Interval Timer Sensor started (check_interval=1s)
+{"type": "interval", "interval_seconds": 5, "fired_at": "2024-01-20T12:00:00Z", "execution_count": 1, "sensor_ref": "core.interval_timer_sensor", "trigger_instance_id": 1, "trigger_ref": "core.intervaltimer"}
+{"type": "interval", "interval_seconds": 5, "fired_at": "2024-01-20T12:00:05Z", "execution_count": 2, "sensor_ref": "core.interval_timer_sensor", "trigger_instance_id": 1, "trigger_ref": "core.intervaltimer"}
+...
+```
+
+Press `Ctrl+C` to stop the sensor.
+
+---
+
+## Testing with Multiple Trigger Instances
+
+```bash
+# Test multiple timers
+export ATTUNE_SENSOR_TRIGGERS='[
+  {
+    "id": 1,
+    "ref": "core.intervaltimer",
+    "config": {"unit": "seconds", "interval": 3}
+  },
+  {
+    "id": 2,
+    "ref": "core.intervaltimer",
+    "config": {"unit": "seconds", "interval": 5}
+  },
+  {
+    "id": 3,
+    "ref": "core.intervaltimer",
+    "config": {"unit": "seconds", "interval": 10}
+  }
+]'
+
+python3 ./packs/core/sensors/interval_timer_sensor.py
+```
+
+You should see events firing at different intervals (3s, 5s, 10s).
+
+---
+
+## Validation Tests
+
+### Validate YAML Schemas
+
+```bash
+# Install yamllint (optional)
+pip install yamllint
+
+# Validate all YAML files
+yamllint packs/core/**/*.yaml
+```
+
+### Validate JSON Schemas
+
+```bash
+# Check parameter schemas are valid JSON Schema
+cat packs/core/actions/http_request.yaml | grep -A 50 "parameters:" | python3 -c "
+import sys, yaml, json
+data = yaml.safe_load(sys.stdin)
+print(json.dumps(data, indent=2))
+"
+```
+
+---
+
+## Error Testing
+
+### Test Invalid Parameters
+
+```bash
+# Invalid seconds value for sleep
+export ATTUNE_ACTION_SECONDS=-1
+./packs/core/actions/sleep.sh
+# Expected: ERROR: seconds must be between 0 and 3600
+
+# Invalid exit code for noop
+export ATTUNE_ACTION_EXIT_CODE=999
+./packs/core/actions/noop.sh
+# Expected: ERROR: exit_code must be between 0 and 255
+
+# Missing required parameter for HTTP request
+unset ATTUNE_ACTION_URL
+python3 ./packs/core/actions/http_request.py
+# Expected: ERROR: Required parameter 'url' not provided
+```
+
+---
+
+## Performance Testing
+
+### Measure Action Execution Time
+
+```bash
+# Echo action
+time for i in {1..100}; do
+  export ATTUNE_ACTION_MESSAGE="Test $i"
+  ./packs/core/actions/echo.sh > /dev/null
+done
+
+# HTTP request action
+time for i in {1..10}; do
+  export ATTUNE_ACTION_URL="https://httpbin.org/get"
+  python3 ./packs/core/actions/http_request.py > /dev/null
+done
+```
+
+---
+
+## Integration Testing (with Attune Services)
+
+### Prerequisites
+
+```bash
+# Start Attune services
+docker-compose up -d postgres rabbitmq redis
+
+# Run migrations
+sqlx migrate run
+
+# Load core pack (future)
+# attune pack load packs/core
+```
+
+### Test Action Execution via API
+
+```bash
+# Create execution manually
+curl -X POST http://localhost:8080/api/v1/executions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "action_ref": "core.echo",
+    "parameters": {
+      "message": "API test",
+      "uppercase": true
+    }
+  }'
+
+# Check execution status
+curl http://localhost:8080/api/v1/executions/{execution_id}
+```
+
+### Test Sensor via Sensor Service
+
+```bash
+# Start sensor service (future)
+# cargo run --bin attune-sensor
+
+# Check events created
+curl http://localhost:8080/api/v1/events?limit=10
+```
+
+---
+
+## Troubleshooting
+
+### Action Not Executing
+
+```bash
+# Check file permissions
+ls -la packs/core/actions/
+
+# Ensure scripts are executable
+chmod +x packs/core/actions/*.sh
+chmod +x packs/core/actions/*.py
+```
+
+### Python Import Errors
+
+```bash
+# Install required packages
+pip install requests>=2.28.0
+
+# Verify Python version
+python3 --version  # Should be 3.8+
+```
+
+### Environment Variables Not Working
+
+```bash
+# Print all ATTUNE_* environment variables
+env | grep ATTUNE_
+
+# Test with explicit export
+export ATTUNE_ACTION_MESSAGE="test"
+echo $ATTUNE_ACTION_MESSAGE
+```
+
+---
+
+## Automated Test Script
+
+Create a test script `test_core_pack.sh`:
+
+```bash
+#!/bin/bash
+set -e
+
+echo "Testing Core Pack Actions..."
+
+# Test echo
+echo "→ Testing core.echo..."
+export ATTUNE_ACTION_MESSAGE="Test"
+./packs/core/actions/echo.sh > /dev/null
+echo "✓ core.echo passed"
+
+# Test sleep
+echo "→ Testing core.sleep..."
+export ATTUNE_ACTION_SECONDS=1
+./packs/core/actions/sleep.sh > /dev/null
+echo "✓ core.sleep passed"
+
+# Test noop
+echo "→ Testing core.noop..."
+export ATTUNE_ACTION_MESSAGE="test"
+./packs/core/actions/noop.sh > /dev/null
+echo "✓ core.noop passed"
+
+# Test HTTP request
+echo "→ Testing core.http_request..."
+export ATTUNE_ACTION_URL="https://httpbin.org/get"
+export ATTUNE_ACTION_METHOD="GET"
+python3 ./packs/core/actions/http_request.py > /dev/null
+echo "✓ core.http_request passed"
+
+echo ""
+echo "All tests passed! ✓"
+```
+
+Run with:
+```bash
+chmod +x test_core_pack.sh
+./test_core_pack.sh
+```
+
+---
+
+## Next Steps
+
+1. Implement pack loader to register components in database
+2. Update worker service to execute actions from filesystem
+3. Update sensor service to run sensors from filesystem
+4. Add comprehensive integration tests
+5. Create CLI commands for pack management
+
+See `docs/core-pack-integration.md` for implementation details.
--- a/docker/distributable/packs/core/actions/README.md
+++ b/docker/distributable/packs/core/actions/README.md
@@ -0,0 +1,362 @@
+# Core Pack Actions
+
+## Overview
+
+All actions in the core pack are implemented as **pure POSIX shell scripts** with **zero external dependencies** (except `curl` for HTTP actions). This design ensures maximum portability and minimal runtime requirements.
+
+**Key Principles:**
+- **POSIX shell only** - No bash-specific features, works everywhere
+- **DOTENV parameter format** - Simple key=value format, no JSON parsing needed
+- **No jq/yq/Python/Node.js** - Core pack depends only on standard POSIX utilities
+- **Stdin parameter delivery** - Secure, never exposed in process list
+- **Explicit output formats** - text, json, or yaml
+
+## Parameter Delivery Method
+
+**All actions use stdin with DOTENV format:**
+- Parameters read from **stdin** in `key=value` format
+- Use `parameter_delivery: stdin` and `parameter_format: dotenv` in YAML
+- Stdin is closed after delivery; scripts read until EOF
+- **DO NOT** use environment variables for parameters
+
+**Example DOTENV input:**
+```
+message="Hello World"
+seconds=5
+enabled=true
+```
+
+## Output Format
+
+**All actions must specify an `output_format`:**
+- `text` - Plain text output (stored as-is, no parsing)
+- `json` - JSON structured data (parsed into JSONB field)
+- `yaml` - YAML structured data (parsed into JSONB field)
+
+**Output schema:**
+- Only applicable for `json` and `yaml` formats
+- Describes the structure of data written to stdout
+- **Should NOT include** stdout/stderr/exit_code (captured automatically)
+
+## Environment Variables
+
+### Standard Environment Variables (Provided by Worker)
+
+The worker automatically provides these environment variables to all action executions:
+
+| Variable | Description | Always Present |
+|----------|-------------|----------------|
+| `ATTUNE_ACTION` | Action ref (e.g., `core.http_request`) | ✅ Yes |
+| `ATTUNE_EXEC_ID` | Execution database ID | ✅ Yes |
+| `ATTUNE_API_TOKEN` | Execution-scoped API token | ✅ Yes |
+| `ATTUNE_RULE` | Rule ref that triggered execution | ❌ Only if from rule |
+| `ATTUNE_TRIGGER` | Trigger ref that caused enforcement | ❌ Only if from trigger |
+
+**Use cases:**
+- Logging with execution context
+- Calling Attune API (using `ATTUNE_API_TOKEN`)
+- Conditional logic based on rule/trigger
+- Creating child executions
+- Accessing secrets via API
+
+### Custom Environment Variables (Optional)
+
+Custom environment variables can be set via `execution.env_vars` field for:
+- **Debug/logging controls** (e.g., `DEBUG=1`, `LOG_LEVEL=debug`)
+- **Runtime configuration** (e.g., custom paths, feature flags)
+
+Environment variables should **NEVER** be used for:
+- Action parameters (use stdin DOTENV instead)
+- Secrets or credentials (use `ATTUNE_API_TOKEN` to fetch from key vault)
+- User-provided data (use stdin parameters)
+
+## Implementation Pattern
+
+### POSIX Shell Actions (Standard Pattern)
+
+All core pack actions follow this pattern:
+
+```sh
+#!/bin/sh
+# Action Name - Core Pack
+# Brief description
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables with defaults
+param1=""
+param2="default_value"
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes if present
+    case "$value" in
+        \"*\") value="${value#\"}"; value="${value%\"}" ;;
+        \'*\') value="${value#\'}"; value="${value%\'}" ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        param1) param1="$value" ;;
+        param2) param2="$value" ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$param1" ]; then
+    echo "ERROR: param1 is required" >&2
+    exit 1
+fi
+
+# Action logic
+echo "Processing: $param1"
+
+exit 0
+```
+
+### Boolean Normalization
+
+```sh
+case "$bool_param" in
+    true|True|TRUE|yes|Yes|YES|1) bool_param="true" ;;
+    *) bool_param="false" ;;
+esac
+```
+
+### Numeric Validation
+
+```sh
+case "$number" in
+    ''|*[!0-9]*)
+        echo "ERROR: must be a number" >&2
+        exit 1
+        ;;
+esac
+```
+
+## Core Pack Actions
+
+### Simple Actions
+
+1. **echo.sh** - Outputs a message (reference implementation)
+2. **sleep.sh** - Pauses execution for a specified duration
+3. **noop.sh** - Does nothing (useful for testing and placeholder workflows)
+
+### HTTP Action
+
+4. **http_request.sh** - Makes HTTP requests with full feature support:
+   - Multiple HTTP methods (GET, POST, PUT, PATCH, DELETE, etc.)
+   - Custom headers and query parameters
+   - Authentication (basic, bearer token)
+   - SSL verification control
+   - Redirect following
+   - JSON output with parsed response
+
+### Pack Management Actions (API Wrappers)
+
+These actions wrap Attune API endpoints for pack management:
+
+5. **download_packs.sh** - Downloads packs from git/HTTP/registry
+6. **build_pack_envs.sh** - Builds runtime environments for packs
+7. **register_packs.sh** - Registers packs in the database
+8. **get_pack_dependencies.sh** - Analyzes pack dependencies
+
+All API wrappers:
+- Accept parameters via DOTENV format
+- Build JSON request bodies manually (no jq)
+- Make authenticated API calls with curl
+- Extract response data using simple sed patterns
+- Return structured JSON output
+
+## Testing Actions Locally
+
+Test actions by echoing DOTENV format to stdin:
+
+```bash
+# Test echo action
+printf 'message="Hello World"\n' | ./echo.sh
+
+# Test with empty parameters
+printf '' | ./echo.sh
+
+# Test sleep action
+printf 'seconds=2\nmessage="Sleeping..."\n' | ./sleep.sh
+
+# Test http_request action
+printf 'url="https://api.github.com"\nmethod="GET"\n' | ./http_request.sh
+
+# Test with file input
+cat params.dotenv | ./echo.sh
+```
+
+## YAML Configuration Example
+
+```yaml
+ref: core.example_action
+label: "Example Action"
+description: "Example action demonstrating DOTENV format"
+enabled: true
+runner_type: shell
+entry_point: example.sh
+
+# IMPORTANT: Use DOTENV format for POSIX shell compatibility
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: text, json, or yaml
+output_format: text
+
+parameters:
+  type: object
+  properties:
+    message:
+      type: string
+      description: "Message to output"
+      default: ""
+    count:
+      type: integer
+      description: "Number of times to repeat"
+      default: 1
+  required:
+    - message
+```
+
+## Dependencies
+
+**Core pack has ZERO runtime dependencies:**
+
+✅ **Required (universally available):**
+- POSIX-compliant shell (`/bin/sh`)
+- `curl` (for HTTP actions only)
+- Standard POSIX utilities: `sed`, `mktemp`, `cat`, `printf`, `sleep`
+
+❌ **NOT Required:**
+- `jq` - Eliminated (was used for JSON parsing)
+- `yq` - Never used
+- Python - Not used in core pack actions
+- Node.js - Not used in core pack actions
+- bash - Scripts are POSIX-compliant
+- Any other external tools or libraries
+
+This makes the core pack **maximally portable** and suitable for minimal containers (Alpine, distroless, etc.).
+
+## Security Benefits
+
+1. **No process exposure** - Parameters never appear in `ps`, `/proc/<pid>/environ`
+2. **Secure by default** - All actions use stdin, no special configuration needed
+3. **Clear separation** - Action parameters vs. environment configuration
+4. **Audit friendly** - All sensitive data flows through stdin, not environment
+5. **Minimal attack surface** - No external dependencies to exploit
+
+## Best Practices
+
+### Parameters
+1. **Always use stdin with DOTENV format** for action parameters
+2. **Handle quoted values** - Remove both single and double quotes
+3. **Provide sensible defaults** - Use empty string, 0, false as appropriate
+4. **Validate required params** - Exit with error if truly required parameters missing
+5. **Mark secrets** - Use `secret: true` in YAML for sensitive parameters
+6. **Never use env vars for parameters** - Parameters come from stdin only
+
+### Environment Variables
+1. **Use standard ATTUNE_* variables** - Worker provides execution context
+2. **Access API with ATTUNE_API_TOKEN** - Execution-scoped authentication
+3. **Log with context** - Include `ATTUNE_ACTION` and `ATTUNE_EXEC_ID` in logs
+4. **Never log ATTUNE_API_TOKEN** - Security sensitive
+5. **Use env vars for runtime config only** - Not for user data or parameters
+
+### Output Format
+1. **Specify output_format** - Always set to "text", "json", or "yaml"
+2. **Use text for simple output** - Messages, logs, unstructured data
+3. **Use json for structured data** - API responses, complex results
+4. **Define schema for structured output** - Only for json/yaml formats
+5. **Use stderr for diagnostics** - Error messages go to stderr, not stdout
+6. **Return proper exit codes** - 0 for success, non-zero for failure
+
+### Shell Script Best Practices
+1. **Use `#!/bin/sh`** - POSIX shell, not bash
+2. **Use `set -e`** - Exit on error
+3. **Quote all variables** - `"$var"` not `$var`
+4. **Use `case` not `if`** - More portable for pattern matching
+5. **Clean up temp files** - Use trap handlers
+6. **Avoid bash-isms** - No `[[`, `${var^^}`, `=~`, arrays, etc.
+
+## Execution Metadata (Automatic)
+
+The following are **automatically captured** by the worker and should **NOT** be included in output schemas:
+
+- `stdout` - Raw standard output (captured as-is)
+- `stderr` - Standard error output (written to log file)
+- `exit_code` - Process exit code (0 = success)
+- `duration_ms` - Execution duration in milliseconds
+
+These are execution system concerns, not action output concerns.
+
+## Example: Complete Action
+
+```sh
+#!/bin/sh
+# Example Action - Core Pack
+# Demonstrates DOTENV parameter parsing and environment variable usage
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+
+set -e
+
+# Log execution start
+echo "[$ATTUNE_ACTION] [Exec: $ATTUNE_EXEC_ID] Starting" >&2
+
+# Initialize variables
+url=""
+timeout="30"
+
+# Read DOTENV parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+    
+    case "$value" in
+        \"*\") value="${value#\"}"; value="${value%\"}" ;;
+    esac
+
+    case "$key" in
+        url) url="$value" ;;
+        timeout) timeout="$value" ;;
+    esac
+done
+
+# Validate
+if [ -z "$url" ]; then
+    echo "ERROR: url is required" >&2
+    exit 1
+fi
+
+# Execute
+echo "Fetching: $url" >&2
+result=$(curl -s --max-time "$timeout" "$url")
+
+# Output
+echo "$result"
+
+echo "[$ATTUNE_ACTION] [Exec: $ATTUNE_EXEC_ID] Completed" >&2
+exit 0
+```
+
+## Further Documentation
+
+- **Pattern Reference:** `docs/QUICKREF-dotenv-shell-actions.md`
+- **Pack Structure:** `docs/pack-structure.md`
+- **Example Actions:**
+  - `echo.sh` - Simplest reference implementation
+  - `http_request.sh` - Complex action with full HTTP client
+  - `register_packs.sh` - API wrapper with JSON construction
--- a/docker/distributable/packs/core/actions/build_pack_envs.sh
+++ b/docker/distributable/packs/core/actions/build_pack_envs.sh
@@ -0,0 +1,215 @@
+#!/bin/sh
+# Build Pack Environments Action - Core Pack
+# API Wrapper for POST /api/v1/packs/build-envs
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+pack_paths=""
+packs_base_dir="/opt/attune/packs"
+python_version="3.11"
+nodejs_version="20"
+skip_python="false"
+skip_nodejs="false"
+force_rebuild="false"
+timeout="600"
+api_url="http://localhost:8080"
+api_token=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes if present (both single and double)
+    case "$value" in
+        \"*\")
+            value="${value#\"}"
+            value="${value%\"}"
+            ;;
+        \'*\')
+            value="${value#\'}"
+            value="${value%\'}"
+            ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        pack_paths)
+            pack_paths="$value"
+            ;;
+        packs_base_dir)
+            packs_base_dir="$value"
+            ;;
+        python_version)
+            python_version="$value"
+            ;;
+        nodejs_version)
+            nodejs_version="$value"
+            ;;
+        skip_python)
+            skip_python="$value"
+            ;;
+        skip_nodejs)
+            skip_nodejs="$value"
+            ;;
+        force_rebuild)
+            force_rebuild="$value"
+            ;;
+        timeout)
+            timeout="$value"
+            ;;
+        api_url)
+            api_url="$value"
+            ;;
+        api_token)
+            api_token="$value"
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$pack_paths" ]; then
+    printf '{"built_environments":[],"failed_environments":[],"summary":{"total_packs":0,"success_count":0,"failure_count":0,"python_envs_built":0,"nodejs_envs_built":0,"total_duration_ms":0}}\n'
+    exit 1
+fi
+
+# Normalize booleans
+case "$skip_python" in
+    true|True|TRUE|yes|Yes|YES|1) skip_python="true" ;;
+    *) skip_python="false" ;;
+esac
+
+case "$skip_nodejs" in
+    true|True|TRUE|yes|Yes|YES|1) skip_nodejs="true" ;;
+    *) skip_nodejs="false" ;;
+esac
+
+case "$force_rebuild" in
+    true|True|TRUE|yes|Yes|YES|1) force_rebuild="true" ;;
+    *) force_rebuild="false" ;;
+esac
+
+# Validate timeout is numeric
+case "$timeout" in
+    ''|*[!0-9]*)
+        timeout="600"
+        ;;
+esac
+
+# Escape values for JSON
+pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
+packs_base_dir_escaped=$(printf '%s' "$packs_base_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
+python_version_escaped=$(printf '%s' "$python_version" | sed 's/\\/\\\\/g; s/"/\\"/g')
+nodejs_version_escaped=$(printf '%s' "$nodejs_version" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+# Build JSON request body
+request_body=$(cat <<EOF
+{
+  "pack_paths": $pack_paths_escaped,
+  "packs_base_dir": "$packs_base_dir_escaped",
+  "python_version": "$python_version_escaped",
+  "nodejs_version": "$nodejs_version_escaped",
+  "skip_python": $skip_python,
+  "skip_nodejs": $skip_nodejs,
+  "force_rebuild": $force_rebuild,
+  "timeout": $timeout
+}
+EOF
+)
+
+# Create temp files for curl
+temp_response=$(mktemp)
+temp_headers=$(mktemp)
+
+cleanup() {
+    rm -f "$temp_response" "$temp_headers"
+}
+trap cleanup EXIT
+
+# Calculate curl timeout (request timeout + buffer)
+curl_timeout=$((timeout + 30))
+
+# Make API call
+http_code=$(curl -X POST \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
+    -d "$request_body" \
+    -s \
+    -w "%{http_code}" \
+    -o "$temp_response" \
+    --max-time "$curl_timeout" \
+    --connect-timeout 10 \
+    "${api_url}/api/v1/packs/build-envs" 2>/dev/null || echo "000")
+
+# Check HTTP status
+if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
+    # Success - extract data field from API response
+    response_body=$(cat "$temp_response")
+
+    # Try to extract .data field using simple text processing
+    # If response contains "data" field, extract it; otherwise use whole response
+    case "$response_body" in
+        *'"data":'*)
+            # Extract content after "data": up to the closing brace
+            # This is a simple extraction - assumes well-formed JSON
+            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
+            if [ -n "$data_content" ]; then
+                printf '%s\n' "$data_content"
+            else
+                cat "$temp_response"
+            fi
+            ;;
+        *)
+            cat "$temp_response"
+            ;;
+    esac
+    exit 0
+else
+    # Error response - try to extract error message
+    error_msg="API request failed"
+    if [ -s "$temp_response" ]; then
+        # Try to extract error or message field
+        response_content=$(cat "$temp_response")
+        case "$response_content" in
+            *'"error":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+            *'"message":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+        esac
+    fi
+
+    # Escape error message for JSON
+    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+    cat <<EOF
+{
+  "built_environments": [],
+  "failed_environments": [{
+    "pack_ref": "api",
+    "pack_path": "",
+    "runtime": "unknown",
+    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
+  }],
+  "summary": {
+    "total_packs": 0,
+    "success_count": 0,
+    "failure_count": 1,
+    "python_envs_built": 0,
+    "nodejs_envs_built": 0,
+    "total_duration_ms": 0
+  }
+}
+EOF
+    exit 1
+fi
--- a/docker/distributable/packs/core/actions/build_pack_envs.yaml
+++ b/docker/distributable/packs/core/actions/build_pack_envs.yaml
@@ -0,0 +1,160 @@
+# Build Pack Environments Action
+# Creates runtime environments and installs dependencies for packs
+
+ref: core.build_pack_envs
+label: "Build Pack Environments"
+description: "Build runtime environments for packs and install declared dependencies (Python requirements.txt, Node.js package.json)"
+enabled: true
+runner_type: shell
+entry_point: build_pack_envs.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: json (structured data parsing enabled)
+output_format: json
+
+# Action parameters schema (StackStorm-style with inline required/secret)
+parameters:
+  pack_paths:
+    type: array
+    description: "List of pack directory paths to build environments for"
+    required: true
+    items:
+      type: string
+    minItems: 1
+  packs_base_dir:
+    type: string
+    description: "Base directory where packs are installed"
+    default: "/opt/attune/packs"
+  python_version:
+    type: string
+    description: "Python version to use for virtualenvs"
+    default: "3.11"
+  nodejs_version:
+    type: string
+    description: "Node.js version to use"
+    default: "20"
+  skip_python:
+    type: boolean
+    description: "Skip building Python environments"
+    default: false
+  skip_nodejs:
+    type: boolean
+    description: "Skip building Node.js environments"
+    default: false
+  force_rebuild:
+    type: boolean
+    description: "Force rebuild of existing environments"
+    default: false
+  timeout:
+    type: integer
+    description: "Timeout in seconds for building each environment"
+    default: 600
+    minimum: 60
+    maximum: 3600
+
+# Output schema: describes the JSON structure written to stdout
+# Note: stdout/stderr/exit_code are captured automatically by the execution system
+output_schema:
+  built_environments:
+    type: array
+    description: "List of successfully built environments"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        pack_path:
+          type: string
+          description: "Pack directory path"
+        environments:
+          type: object
+          description: "Built environments for this pack"
+          properties:
+            python:
+              type: object
+              description: "Python environment details"
+              properties:
+                virtualenv_path:
+                  type: string
+                  description: "Path to Python virtualenv"
+                requirements_installed:
+                  type: boolean
+                  description: "Whether requirements.txt was installed"
+                package_count:
+                  type: integer
+                  description: "Number of packages installed"
+                python_version:
+                  type: string
+                  description: "Python version used"
+            nodejs:
+              type: object
+              description: "Node.js environment details"
+              properties:
+                node_modules_path:
+                  type: string
+                  description: "Path to node_modules directory"
+                dependencies_installed:
+                  type: boolean
+                  description: "Whether package.json was installed"
+                package_count:
+                  type: integer
+                  description: "Number of packages installed"
+                nodejs_version:
+                  type: string
+                  description: "Node.js version used"
+        duration_ms:
+          type: integer
+          description: "Time taken to build environments in milliseconds"
+  failed_environments:
+    type: array
+    description: "List of packs where environment build failed"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        pack_path:
+          type: string
+          description: "Pack directory path"
+        runtime:
+          type: string
+          description: "Runtime that failed (python or nodejs)"
+        error:
+          type: string
+          description: "Error message"
+  summary:
+    type: object
+    description: "Summary of environment build process"
+    properties:
+      total_packs:
+        type: integer
+        description: "Total number of packs processed"
+      success_count:
+        type: integer
+        description: "Number of packs with successful builds"
+      failure_count:
+        type: integer
+        description: "Number of packs with failed builds"
+      python_envs_built:
+        type: integer
+        description: "Number of Python environments built"
+      nodejs_envs_built:
+        type: integer
+        description: "Number of Node.js environments built"
+      total_duration_ms:
+        type: integer
+        description: "Total time taken for all builds in milliseconds"
+
+# Tags for categorization
+tags:
+  - pack
+  - environment
+  - dependencies
+  - python
+  - nodejs
+  - installation
--- a/docker/distributable/packs/core/actions/download_packs.sh
+++ b/docker/distributable/packs/core/actions/download_packs.sh
@@ -0,0 +1,201 @@
+#!/bin/sh
+# Download Packs Action - Core Pack
+# API Wrapper for POST /api/v1/packs/download
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+packs=""
+destination_dir=""
+registry_url="https://registry.attune.io/index.json"
+ref_spec=""
+timeout="300"
+verify_ssl="true"
+api_url="http://localhost:8080"
+api_token=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes if present (both single and double)
+    case "$value" in
+        \"*\")
+            value="${value#\"}"
+            value="${value%\"}"
+            ;;
+        \'*\')
+            value="${value#\'}"
+            value="${value%\'}"
+            ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        packs)
+            packs="$value"
+            ;;
+        destination_dir)
+            destination_dir="$value"
+            ;;
+        registry_url)
+            registry_url="$value"
+            ;;
+        ref_spec)
+            ref_spec="$value"
+            ;;
+        timeout)
+            timeout="$value"
+            ;;
+        verify_ssl)
+            verify_ssl="$value"
+            ;;
+        api_url)
+            api_url="$value"
+            ;;
+        api_token)
+            api_token="$value"
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$destination_dir" ]; then
+    printf '{"downloaded_packs":[],"failed_packs":[{"source":"input","error":"destination_dir is required"}],"total_count":0,"success_count":0,"failure_count":1}\n'
+    exit 1
+fi
+
+# Normalize boolean
+case "$verify_ssl" in
+    true|True|TRUE|yes|Yes|YES|1) verify_ssl="true" ;;
+    *) verify_ssl="false" ;;
+esac
+
+# Validate timeout is numeric
+case "$timeout" in
+    ''|*[!0-9]*)
+        timeout="300"
+        ;;
+esac
+
+# Escape values for JSON
+packs_escaped=$(printf '%s' "$packs" | sed 's/\\/\\\\/g; s/"/\\"/g')
+destination_dir_escaped=$(printf '%s' "$destination_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
+registry_url_escaped=$(printf '%s' "$registry_url" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+# Build JSON request body
+if [ -n "$ref_spec" ]; then
+    ref_spec_escaped=$(printf '%s' "$ref_spec" | sed 's/\\/\\\\/g; s/"/\\"/g')
+    request_body=$(cat <<EOF
+{
+  "packs": $packs_escaped,
+  "destination_dir": "$destination_dir_escaped",
+  "registry_url": "$registry_url_escaped",
+  "ref_spec": "$ref_spec_escaped",
+  "timeout": $timeout,
+  "verify_ssl": $verify_ssl
+}
+EOF
+)
+else
+    request_body=$(cat <<EOF
+{
+  "packs": $packs_escaped,
+  "destination_dir": "$destination_dir_escaped",
+  "registry_url": "$registry_url_escaped",
+  "timeout": $timeout,
+  "verify_ssl": $verify_ssl
+}
+EOF
+)
+fi
+
+# Create temp files for curl
+temp_response=$(mktemp)
+temp_headers=$(mktemp)
+
+cleanup() {
+    rm -f "$temp_response" "$temp_headers"
+}
+trap cleanup EXIT
+
+# Calculate curl timeout (request timeout + buffer)
+curl_timeout=$((timeout + 30))
+
+# Make API call
+http_code=$(curl -X POST \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
+    -d "$request_body" \
+    -s \
+    -w "%{http_code}" \
+    -o "$temp_response" \
+    --max-time "$curl_timeout" \
+    --connect-timeout 10 \
+    "${api_url}/api/v1/packs/download" 2>/dev/null || echo "000")
+
+# Check HTTP status
+if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
+    # Success - extract data field from API response
+    response_body=$(cat "$temp_response")
+
+    # Try to extract .data field using simple text processing
+    # If response contains "data" field, extract it; otherwise use whole response
+    case "$response_body" in
+        *'"data":'*)
+            # Extract content after "data": up to the closing brace
+            # This is a simple extraction - assumes well-formed JSON
+            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
+            if [ -n "$data_content" ]; then
+                printf '%s\n' "$data_content"
+            else
+                cat "$temp_response"
+            fi
+            ;;
+        *)
+            cat "$temp_response"
+            ;;
+    esac
+    exit 0
+else
+    # Error response - try to extract error message
+    error_msg="API request failed"
+    if [ -s "$temp_response" ]; then
+        # Try to extract error or message field
+        response_content=$(cat "$temp_response")
+        case "$response_content" in
+            *'"error":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+            *'"message":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+        esac
+    fi
+
+    # Escape error message for JSON
+    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+    cat <<EOF
+{
+  "downloaded_packs": [],
+  "failed_packs": [{
+    "source": "api",
+    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
+  }],
+  "total_count": 0,
+  "success_count": 0,
+  "failure_count": 1
+}
+EOF
+    exit 1
+fi
--- a/docker/distributable/packs/core/actions/download_packs.yaml
+++ b/docker/distributable/packs/core/actions/download_packs.yaml
@@ -0,0 +1,115 @@
+# Download Packs Action
+# Downloads packs from various sources (git repositories, HTTP archives, or pack registry)
+
+ref: core.download_packs
+label: "Download Packs"
+description: "Download packs from git repositories, HTTP archives, or pack registry to a temporary directory"
+enabled: true
+runner_type: shell
+entry_point: download_packs.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: json (structured data parsing enabled)
+output_format: json
+
+# Action parameters schema (StackStorm-style with inline required/secret)
+parameters:
+  packs:
+    type: array
+    description: "List of packs to download (git URLs, HTTP URLs, or pack refs)"
+    items:
+      type: string
+    minItems: 1
+    required: true
+  destination_dir:
+    type: string
+    description: "Destination directory for downloaded packs"
+    required: true
+  registry_url:
+    type: string
+    description: "Pack registry URL for resolving pack refs (optional)"
+    default: "https://registry.attune.io/index.json"
+  ref_spec:
+    type: string
+    description: "Git reference to checkout (branch, tag, or commit) - applies to all git URLs"
+  timeout:
+    type: integer
+    description: "Download timeout in seconds per pack"
+    default: 300
+    minimum: 10
+    maximum: 3600
+  verify_ssl:
+    type: boolean
+    description: "Verify SSL certificates for HTTPS downloads"
+    default: true
+  api_url:
+    type: string
+    description: "Attune API URL for making registry lookups"
+    default: "http://localhost:8080"
+
+# Output schema: describes the JSON structure written to stdout
+# Note: stdout/stderr/exit_code are captured automatically by the execution system
+output_schema:
+  downloaded_packs:
+    type: array
+    description: "List of successfully downloaded packs"
+    items:
+      type: object
+      properties:
+        source:
+          type: string
+          description: "Original pack source (URL or ref)"
+        source_type:
+          type: string
+          description: "Type of source"
+          enum:
+            - git
+            - http
+            - registry
+        pack_path:
+          type: string
+          description: "Local filesystem path to downloaded pack"
+        pack_ref:
+          type: string
+          description: "Pack reference (from pack.yaml)"
+        pack_version:
+          type: string
+          description: "Pack version (from pack.yaml)"
+        git_commit:
+          type: string
+          description: "Git commit hash (for git sources)"
+        checksum:
+          type: string
+          description: "Directory checksum"
+  failed_packs:
+    type: array
+    description: "List of packs that failed to download"
+    items:
+      type: object
+      properties:
+        source:
+          type: string
+          description: "Pack source that failed"
+        error:
+          type: string
+          description: "Error message"
+  total_count:
+    type: integer
+    description: "Total number of packs requested"
+  success_count:
+    type: integer
+    description: "Number of packs successfully downloaded"
+  failure_count:
+    type: integer
+    description: "Number of packs that failed"
+
+# Tags for categorization
+tags:
+  - pack
+  - download
+  - git
+  - installation
+  - registry
--- a/docker/distributable/packs/core/actions/echo.sh
+++ b/docker/distributable/packs/core/actions/echo.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Echo Action - Core Pack
+# Outputs a message to stdout
+#
+# This script uses pure POSIX shell without external dependencies like jq or yq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize message variable
+message=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    case "$line" in
+        message=*)
+            # Extract value after message=
+            message="${line#message=}"
+            # Remove quotes if present (both single and double)
+            case "$message" in
+                \"*\")
+                    message="${message#\"}"
+                    message="${message%\"}"
+                    ;;
+                \'*\')
+                    message="${message#\'}"
+                    message="${message%\'}"
+                    ;;
+            esac
+            ;;
+    esac
+done
+
+# Echo the message (even if empty)
+echo -n "$message"
+
+# Exit successfully
+exit 0
--- a/docker/distributable/packs/core/actions/echo.yaml
+++ b/docker/distributable/packs/core/actions/echo.yaml
@@ -0,0 +1,35 @@
+# Echo Action
+# Outputs a message to stdout
+
+ref: core.echo
+label: "Echo"
+description: "Echo a message to stdout"
+enabled: true
+
+# Runner type determines how the action is executed
+runner_type: shell
+
+# Entry point is the shell command or script to execute
+entry_point: echo.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: text (no structured data parsing)
+output_format: text
+
+# Action parameters schema (StackStorm-style: inline required/secret per parameter)
+parameters:
+  message:
+    type: string
+    description: "Message to echo (empty string if not provided)"
+
+# Output schema: not applicable for text output format
+# The action outputs plain text to stdout
+
+# Tags for categorization
+tags:
+  - utility
+  - testing
+  - debug
--- a/docker/distributable/packs/core/actions/get_pack_dependencies.sh
+++ b/docker/distributable/packs/core/actions/get_pack_dependencies.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+# Get Pack Dependencies Action - Core Pack
+# API Wrapper for POST /api/v1/packs/dependencies
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+pack_paths=""
+skip_validation="false"
+api_url="http://localhost:8080"
+api_token=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes if present (both single and double)
+    case "$value" in
+        \"*\")
+            value="${value#\"}"
+            value="${value%\"}"
+            ;;
+        \'*\')
+            value="${value#\'}"
+            value="${value%\'}"
+            ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        pack_paths)
+            pack_paths="$value"
+            ;;
+        skip_validation)
+            skip_validation="$value"
+            ;;
+        api_url)
+            api_url="$value"
+            ;;
+        api_token)
+            api_token="$value"
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$pack_paths" ]; then
+    printf '{"dependencies":[],"runtime_requirements":{},"missing_dependencies":[],"analyzed_packs":[],"errors":[{"pack_path":"input","error":"No pack paths provided"}]}\n'
+    exit 1
+fi
+
+# Normalize boolean
+case "$skip_validation" in
+    true|True|TRUE|yes|Yes|YES|1) skip_validation="true" ;;
+    *) skip_validation="false" ;;
+esac
+
+# Build JSON request body (escape pack_paths value for JSON)
+pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+request_body=$(cat <<EOF
+{
+  "pack_paths": $pack_paths_escaped,
+  "skip_validation": $skip_validation
+}
+EOF
+)
+
+# Create temp files for curl
+temp_response=$(mktemp)
+temp_headers=$(mktemp)
+
+cleanup() {
+    rm -f "$temp_response" "$temp_headers"
+}
+trap cleanup EXIT
+
+# Make API call
+http_code=$(curl -X POST \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
+    -d "$request_body" \
+    -s \
+    -w "%{http_code}" \
+    -o "$temp_response" \
+    --max-time 60 \
+    --connect-timeout 10 \
+    "${api_url}/api/v1/packs/dependencies" 2>/dev/null || echo "000")
+
+# Check HTTP status
+if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
+    # Success - extract data field from API response
+    response_body=$(cat "$temp_response")
+
+    # Try to extract .data field using simple text processing
+    # If response contains "data" field, extract it; otherwise use whole response
+    case "$response_body" in
+        *'"data":'*)
+            # Extract content after "data": up to the closing brace
+            # This is a simple extraction - assumes well-formed JSON
+            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
+            if [ -n "$data_content" ]; then
+                printf '%s\n' "$data_content"
+            else
+                cat "$temp_response"
+            fi
+            ;;
+        *)
+            cat "$temp_response"
+            ;;
+    esac
+    exit 0
+else
+    # Error response - try to extract error message
+    error_msg="API request failed"
+    if [ -s "$temp_response" ]; then
+        # Try to extract error or message field
+        response_content=$(cat "$temp_response")
+        case "$response_content" in
+            *'"error":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+            *'"message":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+        esac
+    fi
+
+    # Escape error message for JSON
+    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+    cat <<EOF
+{
+  "dependencies": [],
+  "runtime_requirements": {},
+  "missing_dependencies": [],
+  "analyzed_packs": [],
+  "errors": [{
+    "pack_path": "api",
+    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
+  }]
+}
+EOF
+    exit 1
+fi
--- a/docker/distributable/packs/core/actions/get_pack_dependencies.yaml
+++ b/docker/distributable/packs/core/actions/get_pack_dependencies.yaml
@@ -0,0 +1,137 @@
+# Get Pack Dependencies Action
+# Parses pack.yaml files to identify pack and runtime dependencies
+
+ref: core.get_pack_dependencies
+label: "Get Pack Dependencies"
+description: "Parse pack.yaml files to extract pack dependencies and runtime requirements"
+enabled: true
+runner_type: shell
+entry_point: get_pack_dependencies.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: json (structured data parsing enabled)
+output_format: json
+
+# Action parameters schema (StackStorm-style with inline required/secret)
+parameters:
+  pack_paths:
+    type: array
+    description: "List of pack directory paths to analyze"
+    items:
+      type: string
+    minItems: 1
+    required: true
+  skip_validation:
+    type: boolean
+    description: "Skip validation of pack.yaml schema"
+    default: false
+  api_url:
+    type: string
+    description: "Attune API URL for checking installed packs"
+    default: "http://localhost:8080"
+
+# Output schema: describes the JSON structure written to stdout
+# Note: stdout/stderr/exit_code are captured automatically by the execution system
+output_schema:
+  dependencies:
+    type: array
+    description: "List of pack dependencies that need to be installed"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference (e.g., 'core', 'slack')"
+        version_spec:
+          type: string
+          description: "Version specification (e.g., '>=1.0.0', '^2.1.0')"
+        required_by:
+          type: string
+          description: "Pack that requires this dependency"
+        already_installed:
+          type: boolean
+          description: "Whether this dependency is already installed"
+  runtime_requirements:
+    type: object
+    description: "Runtime environment requirements by pack"
+    additionalProperties:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        python:
+          type: object
+          description: "Python runtime requirements"
+          properties:
+            version:
+              type: string
+              description: "Python version requirement"
+            requirements_file:
+              type: string
+              description: "Path to requirements.txt"
+        nodejs:
+          type: object
+          description: "Node.js runtime requirements"
+          properties:
+            version:
+              type: string
+              description: "Node.js version requirement"
+            package_file:
+              type: string
+              description: "Path to package.json"
+  missing_dependencies:
+    type: array
+    description: "Pack dependencies that are not yet installed"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        version_spec:
+          type: string
+          description: "Version specification"
+        required_by:
+          type: string
+          description: "Pack that requires this dependency"
+  analyzed_packs:
+    type: array
+    description: "List of packs that were analyzed"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        pack_path:
+          type: string
+          description: "Path to pack directory"
+        has_dependencies:
+          type: boolean
+          description: "Whether pack has dependencies"
+        dependency_count:
+          type: integer
+          description: "Number of dependencies"
+  errors:
+    type: array
+    description: "Errors encountered during analysis"
+    items:
+      type: object
+      properties:
+        pack_path:
+          type: string
+          description: "Pack path where error occurred"
+        error:
+          type: string
+          description: "Error message"
+
+# Tags for categorization
+tags:
+  - pack
+  - dependencies
+  - validation
+  - installation
--- a/docker/distributable/packs/core/actions/http_request.sh
+++ b/docker/distributable/packs/core/actions/http_request.sh
@@ -0,0 +1,268 @@
+#!/bin/sh
+# HTTP Request Action - Core Pack
+# Make HTTP requests to external APIs using curl
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+url=""
+method="GET"
+body=""
+json_body=""
+timeout="30"
+verify_ssl="true"
+auth_type="none"
+auth_username=""
+auth_password=""
+auth_token=""
+follow_redirects="true"
+max_redirects="10"
+
+# Temporary files
+headers_file=$(mktemp)
+query_params_file=$(mktemp)
+body_file=""
+temp_headers=$(mktemp)
+curl_output=$(mktemp)
+write_out_file=$(mktemp)
+
+cleanup() {
+    local exit_code=$?
+    rm -f "$headers_file" "$query_params_file" "$temp_headers" "$curl_output" "$write_out_file"
+    [ -n "$body_file" ] && [ -f "$body_file" ] && rm -f "$body_file"
+    return "$exit_code"
+}
+trap cleanup EXIT
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes
+    case "$value" in
+        \"*\") value="${value#\"}"; value="${value%\"}" ;;
+        \'*\') value="${value#\'}"; value="${value%\'}" ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        url) url="$value" ;;
+        method) method="$value" ;;
+        body) body="$value" ;;
+        json_body) json_body="$value" ;;
+        timeout) timeout="$value" ;;
+        verify_ssl) verify_ssl="$value" ;;
+        auth_type) auth_type="$value" ;;
+        auth_username) auth_username="$value" ;;
+        auth_password) auth_password="$value" ;;
+        auth_token) auth_token="$value" ;;
+        follow_redirects) follow_redirects="$value" ;;
+        max_redirects) max_redirects="$value" ;;
+        headers.*)
+            printf '%s: %s\n' "${key#headers.}" "$value" >> "$headers_file"
+            ;;
+        query_params.*)
+            printf '%s=%s\n' "${key#query_params.}" "$value" >> "$query_params_file"
+            ;;
+    esac
+done
+
+# Validate required
+if [ -z "$url" ]; then
+    printf '{"status_code":0,"headers":{},"body":"","json":null,"elapsed_ms":0,"url":"","success":false,"error":"url parameter is required"}\n'
+    exit 1
+fi
+
+# Normalize method
+method=$(printf '%s' "$method" | tr '[:lower:]' '[:upper:]')
+
+# URL encode helper
+url_encode() {
+    printf '%s' "$1" | sed 's/ /%20/g; s/!/%21/g; s/"/%22/g; s/#/%23/g; s/\$/%24/g; s/&/%26/g; s/'\''/%27/g'
+}
+
+# Build URL with query params
+final_url="$url"
+if [ -s "$query_params_file" ]; then
+    query_string=""
+    while IFS='=' read -r param_name param_value; do
+        [ -z "$param_name" ] && continue
+        encoded=$(url_encode "$param_value")
+        [ -z "$query_string" ] && query_string="${param_name}=${encoded}" || query_string="${query_string}&${param_name}=${encoded}"
+    done < "$query_params_file"
+
+    if [ -n "$query_string" ]; then
+        case "$final_url" in
+            *\?*) final_url="${final_url}&${query_string}" ;;
+            *) final_url="${final_url}?${query_string}" ;;
+        esac
+    fi
+fi
+
+# Prepare body
+if [ -n "$json_body" ]; then
+    body_file=$(mktemp)
+    printf '%s' "$json_body" > "$body_file"
+elif [ -n "$body" ]; then
+    body_file=$(mktemp)
+    printf '%s' "$body" > "$body_file"
+fi
+
+# Build curl args file (avoid shell escaping issues)
+curl_args=$(mktemp)
+{
+    printf -- '-X\n%s\n' "$method"
+    printf -- '-s\n'
+    # Use @file for -w to avoid xargs escape interpretation issues
+    # curl's @file mode requires literal \n (two chars) not actual newlines
+    printf '\\n%%{http_code}\\n%%{url_effective}\\n' > "$write_out_file"
+    printf -- '-w\n@%s\n' "$write_out_file"
+    printf -- '--max-time\n%s\n' "$timeout"
+    printf -- '--connect-timeout\n10\n'
+    printf -- '--dump-header\n%s\n' "$temp_headers"
+
+    [ "$verify_ssl" = "false" ] && printf -- '-k\n'
+
+    if [ "$follow_redirects" = "true" ]; then
+        printf -- '-L\n'
+        printf -- '--max-redirs\n%s\n' "$max_redirects"
+    fi
+
+    if [ -s "$headers_file" ]; then
+        while IFS= read -r h; do
+            [ -n "$h" ] && printf -- '-H\n%s\n' "$h"
+        done < "$headers_file"
+    fi
+
+    case "$auth_type" in
+        basic)
+            [ -n "$auth_username" ] && printf -- '-u\n%s:%s\n' "$auth_username" "$auth_password"
+            ;;
+        bearer)
+            [ -n "$auth_token" ] && printf -- '-H\nAuthorization: Bearer %s\n' "$auth_token"
+            ;;
+    esac
+
+    if [ -n "$body_file" ] && [ -f "$body_file" ]; then
+        [ -n "$json_body" ] && printf -- '-H\nContent-Type: application/json\n'
+        printf -- '-d\n@%s\n' "$body_file"
+    fi
+
+    printf -- '%s\n' "$final_url"
+} > "$curl_args"
+
+# Execute curl
+start_time=$(date +%s%3N 2>/dev/null || echo $(($(date +%s) * 1000)))
+
+set +e
+xargs -a "$curl_args" curl > "$curl_output" 2>&1
+curl_exit_code=$?
+set -e
+
+rm -f "$curl_args"
+
+end_time=$(date +%s%3N 2>/dev/null || echo $(($(date +%s) * 1000)))
+elapsed_ms=$((end_time - start_time))
+
+# Parse output
+response=$(cat "$curl_output")
+total_lines=$(printf '%s\n' "$response" | wc -l)
+body_lines=$((total_lines - 2))
+
+if [ "$body_lines" -gt 0 ]; then
+    body_output=$(printf '%s\n' "$response" | head -n "$body_lines")
+else
+    body_output=""
+fi
+
+http_code=$(printf '%s\n' "$response" | tail -n 2 | head -n 1 | tr -d '\r\n ')
+effective_url=$(printf '%s\n' "$response" | tail -n 1 | tr -d '\r\n')
+
+case "$http_code" in
+    ''|*[!0-9]*) http_code=0 ;;
+esac
+
+# Handle errors
+if [ "$curl_exit_code" -ne 0 ]; then
+    error_msg="curl error code $curl_exit_code"
+    case $curl_exit_code in
+        6) error_msg="Could not resolve host" ;;
+        7) error_msg="Failed to connect to host" ;;
+        28) error_msg="Request timeout" ;;
+        35) error_msg="SSL/TLS connection error" ;;
+        52) error_msg="Empty reply from server" ;;
+        56) error_msg="Failure receiving network data" ;;
+    esac
+    error_msg=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
+    printf '{"status_code":0,"headers":{},"body":"","json":null,"elapsed_ms":%d,"url":"%s","success":false,"error":"%s"}\n' \
+        "$elapsed_ms" "$final_url" "$error_msg"
+    exit 1
+fi
+
+# Parse headers
+headers_json="{"
+first_header=true
+if [ -f "$temp_headers" ]; then
+    while IFS= read -r line; do
+        case "$line" in HTTP/*|'') continue ;; esac
+
+        header_name="${line%%:*}"
+        header_value="${line#*:}"
+        [ "$header_name" = "$line" ] && continue
+
+        header_value=$(printf '%s' "$header_value" | sed 's/^ *//; s/ *$//; s/\r$//; s/\\/\\\\/g; s/"/\\"/g')
+        header_name=$(printf '%s' "$header_name" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+        if [ "$first_header" = true ]; then
+            headers_json="${headers_json}\"${header_name}\":\"${header_value}\""
+            first_header=false
+        else
+            headers_json="${headers_json},\"${header_name}\":\"${header_value}\""
+        fi
+    done < "$temp_headers"
+fi
+headers_json="${headers_json}}"
+
+# Success check
+success="false"
+[ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ] && success="true"
+
+# Escape body
+body_escaped=$(printf '%s' "$body_output" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g' | awk '{printf "%s\\n", $0}' | sed 's/\\n$//')
+
+# Detect JSON
+json_parsed="null"
+if [ -n "$body_output" ]; then
+    first_char=$(printf '%s' "$body_output" | sed 's/^[[:space:]]*//' | head -c 1)
+    last_char=$(printf '%s' "$body_output" | sed 's/[[:space:]]*$//' | tail -c 1)
+    case "$first_char" in
+        '{'|'[')
+            case "$last_char" in
+                '}'|']')
+                    # Compact multi-line JSON to single line to avoid breaking
+                    # the worker's last-line JSON parser. In valid JSON, literal
+                    # newlines only appear as whitespace outside strings (inside
+                    # strings they must be escaped as \n), so tr is safe here.
+                    json_parsed=$(printf '%s' "$body_output" | tr '\n' ' ' | tr '\r' ' ')
+                    ;;
+            esac
+            ;;
+    esac
+fi
+
+# Output
+if [ "$json_parsed" = "null" ]; then
+    printf '{"status_code":%d,"headers":%s,"body":"%s","json":null,"elapsed_ms":%d,"url":"%s","success":%s}\n' \
+        "$http_code" "$headers_json" "$body_escaped" "$elapsed_ms" "$effective_url" "$success"
+else
+    printf '{"status_code":%d,"headers":%s,"body":"%s","json":%s,"elapsed_ms":%d,"url":"%s","success":%s}\n' \
+        "$http_code" "$headers_json" "$body_escaped" "$json_parsed" "$elapsed_ms" "$effective_url" "$success"
+fi
+
+exit 0
--- a/docker/distributable/packs/core/actions/http_request.yaml
+++ b/docker/distributable/packs/core/actions/http_request.yaml
@@ -0,0 +1,126 @@
+# HTTP Request Action
+# Make HTTP requests to external APIs
+
+ref: core.http_request
+label: "HTTP Request"
+description: "Make HTTP requests to external APIs with support for various methods, headers, and authentication"
+enabled: true
+
+# Runner type determines how the action is executed
+runner_type: shell
+
+# Entry point is the bash script to execute
+entry_point: http_request.sh
+
+# Parameter delivery configuration (for security)
+# Use stdin + DOTENV for secure parameter passing (credentials won't appear in process list)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: json (structured data parsing enabled)
+output_format: json
+
+# Action parameters schema (StackStorm-style with inline required/secret)
+parameters:
+  url:
+    type: string
+    description: "URL to send the request to"
+    required: true
+  method:
+    type: string
+    description: "HTTP method to use"
+    default: "GET"
+    enum:
+      - GET
+      - POST
+      - PUT
+      - PATCH
+      - DELETE
+      - HEAD
+      - OPTIONS
+  headers:
+    type: object
+    description: "HTTP headers to include in the request"
+    default: {}
+  body:
+    type: string
+    description: "Request body (for POST, PUT, PATCH methods)"
+  json_body:
+    type: object
+    description: "JSON request body (alternative to body parameter)"
+  query_params:
+    type: object
+    description: "URL query parameters as key-value pairs"
+    default: {}
+  timeout:
+    type: integer
+    description: "Request timeout in seconds"
+    default: 30
+    minimum: 1
+    maximum: 300
+  verify_ssl:
+    type: boolean
+    description: "Verify SSL certificates"
+    default: true
+  auth_type:
+    type: string
+    description: "Authentication type"
+    enum:
+      - none
+      - basic
+      - bearer
+  auth_username:
+    type: string
+    description: "Username for basic authentication"
+  auth_password:
+    type: string
+    description: "Password for basic authentication"
+    secret: true
+  auth_token:
+    type: string
+    description: "Bearer token for bearer authentication"
+    secret: true
+  follow_redirects:
+    type: boolean
+    description: "Follow HTTP redirects"
+    default: true
+  max_redirects:
+    type: integer
+    description: "Maximum number of redirects to follow"
+    default: 10
+
+# Output schema: describes the JSON structure written to stdout
+# Note: stdout/stderr/exit_code are captured automatically by the execution system
+output_schema:
+  status_code:
+    type: integer
+    description: "HTTP status code"
+  headers:
+    type: object
+    description: "Response headers"
+  body:
+    type: string
+    description: "Response body as text"
+  json:
+    type: object
+    description: "Parsed JSON response (if applicable, null otherwise)"
+  elapsed_ms:
+    type: integer
+    description: "Request duration in milliseconds"
+  url:
+    type: string
+    description: "Final URL after redirects"
+  success:
+    type: boolean
+    description: "Whether the request was successful (2xx status code)"
+  error:
+    type: string
+    description: "Error message if request failed (only present on failure)"
+
+# Tags for categorization
+tags:
+  - http
+  - api
+  - web
+  - utility
+  - integration
--- a/docker/distributable/packs/core/actions/noop.sh
+++ b/docker/distributable/packs/core/actions/noop.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+# No Operation Action - Core Pack
+# Does nothing - useful for testing and placeholder workflows
+#
+# This script uses pure POSIX shell without external dependencies like jq or yq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+message=""
+exit_code="0"
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    case "$line" in
+        message=*)
+            # Extract value after message=
+            message="${line#message=}"
+            # Remove quotes if present (both single and double)
+            case "$message" in
+                \"*\")
+                    message="${message#\"}"
+                    message="${message%\"}"
+                    ;;
+                \'*\')
+                    message="${message#\'}"
+                    message="${message%\'}"
+                    ;;
+            esac
+            ;;
+        exit_code=*)
+            # Extract value after exit_code=
+            exit_code="${line#exit_code=}"
+            # Remove quotes if present
+            case "$exit_code" in
+                \"*\")
+                    exit_code="${exit_code#\"}"
+                    exit_code="${exit_code%\"}"
+                    ;;
+                \'*\')
+                    exit_code="${exit_code#\'}"
+                    exit_code="${exit_code%\'}"
+                    ;;
+            esac
+            ;;
+    esac
+done
+
+# Validate exit code parameter (must be numeric)
+case "$exit_code" in
+    ''|*[!0-9]*)
+        echo "ERROR: exit_code must be a positive integer" >&2
+        exit 1
+        ;;
+esac
+
+# Validate exit code range (0-255)
+if [ "$exit_code" -lt 0 ] || [ "$exit_code" -gt 255 ]; then
+    echo "ERROR: exit_code must be between 0 and 255" >&2
+    exit 1
+fi
+
+# Log message if provided
+if [ -n "$message" ]; then
+    echo "[NOOP] $message"
+fi
+
+# Output result
+echo "No operation completed successfully"
+
+# Exit with specified code
+exit "$exit_code"
--- a/docker/distributable/packs/core/actions/noop.yaml
+++ b/docker/distributable/packs/core/actions/noop.yaml
@@ -0,0 +1,42 @@
+# No Operation Action
+# Does nothing - useful for testing and placeholder workflows
+
+ref: core.noop
+label: "No-Op"
+description: "Does nothing - useful for testing and placeholder workflows"
+enabled: true
+
+# Runner type determines how the action is executed
+runner_type: shell
+
+# Entry point is the shell command or script to execute
+entry_point: noop.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: text (no structured data parsing)
+output_format: text
+
+# Action parameters schema (StackStorm-style inline format)
+parameters:
+  message:
+    type: string
+    description: "Optional message to log (for debugging)"
+  exit_code:
+    type: integer
+    description: "Exit code to return (default: 0 for success)"
+    default: 0
+    minimum: 0
+    maximum: 255
+
+# Output schema: not applicable for text output format
+# The action outputs plain text to stdout
+
+# Tags for categorization
+tags:
+  - utility
+  - testing
+  - placeholder
+  - noop
--- a/docker/distributable/packs/core/actions/register_packs.sh
+++ b/docker/distributable/packs/core/actions/register_packs.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+# Register Packs Action - Core Pack
+# API Wrapper for POST /api/v1/packs/register-batch
+#
+# This script uses pure POSIX shell without external dependencies like jq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+pack_paths=""
+packs_base_dir="/opt/attune/packs"
+skip_validation="false"
+skip_tests="false"
+force="false"
+api_url="http://localhost:8080"
+api_token=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    [ -z "$line" ] && continue
+
+    key="${line%%=*}"
+    value="${line#*=}"
+
+    # Remove quotes if present (both single and double)
+    case "$value" in
+        \"*\")
+            value="${value#\"}"
+            value="${value%\"}"
+            ;;
+        \'*\')
+            value="${value#\'}"
+            value="${value%\'}"
+            ;;
+    esac
+
+    # Process parameters
+    case "$key" in
+        pack_paths)
+            pack_paths="$value"
+            ;;
+        packs_base_dir)
+            packs_base_dir="$value"
+            ;;
+        skip_validation)
+            skip_validation="$value"
+            ;;
+        skip_tests)
+            skip_tests="$value"
+            ;;
+        force)
+            force="$value"
+            ;;
+        api_url)
+            api_url="$value"
+            ;;
+        api_token)
+            api_token="$value"
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$pack_paths" ]; then
+    printf '{"registered_packs":[],"failed_packs":[{"pack_ref":"input","pack_path":"","error":"No pack paths provided","error_stage":"input_validation"}],"summary":{"total_packs":0,"success_count":0,"failure_count":1,"total_components":0,"duration_ms":0}}\n'
+    exit 1
+fi
+
+# Normalize booleans
+case "$skip_validation" in
+    true|True|TRUE|yes|Yes|YES|1) skip_validation="true" ;;
+    *) skip_validation="false" ;;
+esac
+
+case "$skip_tests" in
+    true|True|TRUE|yes|Yes|YES|1) skip_tests="true" ;;
+    *) skip_tests="false" ;;
+esac
+
+case "$force" in
+    true|True|TRUE|yes|Yes|YES|1) force="true" ;;
+    *) force="false" ;;
+esac
+
+# Escape values for JSON
+pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
+packs_base_dir_escaped=$(printf '%s' "$packs_base_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+# Build JSON request body
+request_body=$(cat <<EOF
+{
+  "pack_paths": $pack_paths_escaped,
+  "packs_base_dir": "$packs_base_dir_escaped",
+  "skip_validation": $skip_validation,
+  "skip_tests": $skip_tests,
+  "force": $force
+}
+EOF
+)
+
+# Create temp files for curl
+temp_response=$(mktemp)
+temp_headers=$(mktemp)
+
+cleanup() {
+    rm -f "$temp_response" "$temp_headers"
+}
+trap cleanup EXIT
+
+# Make API call
+http_code=$(curl -X POST \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
+    -d "$request_body" \
+    -s \
+    -w "%{http_code}" \
+    -o "$temp_response" \
+    --max-time 300 \
+    --connect-timeout 10 \
+    "${api_url}/api/v1/packs/register-batch" 2>/dev/null || echo "000")
+
+# Check HTTP status
+if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
+    # Success - extract data field from API response
+    response_body=$(cat "$temp_response")
+
+    # Try to extract .data field using simple text processing
+    # If response contains "data" field, extract it; otherwise use whole response
+    case "$response_body" in
+        *'"data":'*)
+            # Extract content after "data": up to the closing brace
+            # This is a simple extraction - assumes well-formed JSON
+            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
+            if [ -n "$data_content" ]; then
+                printf '%s\n' "$data_content"
+            else
+                cat "$temp_response"
+            fi
+            ;;
+        *)
+            cat "$temp_response"
+            ;;
+    esac
+    exit 0
+else
+    # Error response - try to extract error message
+    error_msg="API request failed"
+    if [ -s "$temp_response" ]; then
+        # Try to extract error or message field
+        response_content=$(cat "$temp_response")
+        case "$response_content" in
+            *'"error":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+            *'"message":'*)
+                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
+                [ -z "$error_msg" ] && error_msg="API request failed"
+                ;;
+        esac
+    fi
+
+    # Escape error message for JSON
+    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
+
+    cat <<EOF
+{
+  "registered_packs": [],
+  "failed_packs": [{
+    "pack_ref": "api",
+    "pack_path": "",
+    "error": "API call failed (HTTP $http_code): $error_msg_escaped",
+    "error_stage": "api_call"
+  }],
+  "summary": {
+    "total_packs": 0,
+    "success_count": 0,
+    "failure_count": 1,
+    "total_components": 0,
+    "duration_ms": 0
+  }
+}
+EOF
+    exit 1
+fi
--- a/docker/distributable/packs/core/actions/register_packs.yaml
+++ b/docker/distributable/packs/core/actions/register_packs.yaml
@@ -0,0 +1,187 @@
+# Register Packs Action
+# Validates pack structure and loads components into database
+
+ref: core.register_packs
+label: "Register Packs"
+description: "Register packs by validating schemas, loading components into database, and copying to permanent storage"
+enabled: true
+runner_type: shell
+entry_point: register_packs.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: json (structured data parsing enabled)
+output_format: json
+
+# Action parameters schema (StackStorm-style with inline required/secret)
+parameters:
+  pack_paths:
+    type: array
+    description: "List of pack directory paths to register"
+    items:
+      type: string
+    minItems: 1
+    required: true
+  packs_base_dir:
+    type: string
+    description: "Base directory where packs are permanently stored"
+    default: "/opt/attune/packs"
+  skip_validation:
+    type: boolean
+    description: "Skip schema validation of pack components"
+    default: false
+  skip_tests:
+    type: boolean
+    description: "Skip running pack tests before registration"
+    default: false
+  force:
+    type: boolean
+    description: "Force registration even if pack already exists (will replace)"
+    default: false
+  api_url:
+    type: string
+    description: "Attune API URL for registration calls"
+    default: "http://localhost:8080"
+  api_token:
+    type: string
+    description: "API authentication token"
+    secret: true
+
+# Output schema: describes the JSON structure written to stdout
+# Note: stdout/stderr/exit_code are captured automatically by the execution system
+output_schema:
+  registered_packs:
+    type: array
+    description: "List of successfully registered packs"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        pack_id:
+          type: integer
+          description: "Database ID of registered pack"
+        pack_version:
+          type: string
+          description: "Pack version"
+        storage_path:
+          type: string
+          description: "Permanent storage path"
+        components_registered:
+          type: object
+          description: "Count of registered components by type"
+          properties:
+            actions:
+              type: integer
+              description: "Number of actions registered"
+            sensors:
+              type: integer
+              description: "Number of sensors registered"
+            triggers:
+              type: integer
+              description: "Number of triggers registered"
+            rules:
+              type: integer
+              description: "Number of rules registered"
+            workflows:
+              type: integer
+              description: "Number of workflows registered"
+            policies:
+              type: integer
+              description: "Number of policies registered"
+        test_result:
+          type: object
+          description: "Pack test results (if tests were run)"
+          properties:
+            status:
+              type: string
+              description: "Test status"
+              enum:
+                - passed
+                - failed
+                - skipped
+            total_tests:
+              type: integer
+              description: "Total number of tests"
+            passed:
+              type: integer
+              description: "Number of passed tests"
+            failed:
+              type: integer
+              description: "Number of failed tests"
+        validation_results:
+          type: object
+          description: "Component validation results"
+          properties:
+            valid:
+              type: boolean
+              description: "Whether all components are valid"
+            errors:
+              type: array
+              description: "Validation errors found"
+              items:
+                type: object
+                properties:
+                  component_type:
+                    type: string
+                    description: "Type of component"
+                  component_file:
+                    type: string
+                    description: "File with validation error"
+                  error:
+                    type: string
+                    description: "Error message"
+  failed_packs:
+    type: array
+    description: "List of packs that failed to register"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+          description: "Pack reference"
+        pack_path:
+          type: string
+          description: "Pack directory path"
+        error:
+          type: string
+          description: "Error message"
+        error_stage:
+          type: string
+          description: "Stage where error occurred"
+          enum:
+            - validation
+            - testing
+            - database_registration
+            - file_copy
+            - api_call
+  summary:
+    type: object
+    description: "Summary of registration process"
+    properties:
+      total_packs:
+        type: integer
+        description: "Total number of packs processed"
+      success_count:
+        type: integer
+        description: "Number of successfully registered packs"
+      failure_count:
+        type: integer
+        description: "Number of failed registrations"
+      total_components:
+        type: integer
+        description: "Total number of components registered"
+      duration_ms:
+        type: integer
+        description: "Total registration time in milliseconds"
+
+# Tags for categorization
+tags:
+  - pack
+  - registration
+  - validation
+  - installation
+  - database
--- a/docker/distributable/packs/core/actions/sleep.sh
+++ b/docker/distributable/packs/core/actions/sleep.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+# Sleep Action - Core Pack
+# Pauses execution for a specified duration
+#
+# This script uses pure POSIX shell without external dependencies like jq or yq.
+# It reads parameters in DOTENV format from stdin until EOF.
+
+set -e
+
+# Initialize variables
+seconds="1"
+message=""
+
+# Read DOTENV-formatted parameters from stdin until EOF
+while IFS= read -r line; do
+    case "$line" in
+        seconds=*)
+            # Extract value after seconds=
+            seconds="${line#seconds=}"
+            # Remove quotes if present (both single and double)
+            case "$seconds" in
+                \"*\")
+                    seconds="${seconds#\"}"
+                    seconds="${seconds%\"}"
+                    ;;
+                \'*\')
+                    seconds="${seconds#\'}"
+                    seconds="${seconds%\'}"
+                    ;;
+            esac
+            ;;
+        message=*)
+            # Extract value after message=
+            message="${line#message=}"
+            # Remove quotes if present
+            case "$message" in
+                \"*\")
+                    message="${message#\"}"
+                    message="${message%\"}"
+                    ;;
+                \'*\')
+                    message="${message#\'}"
+                    message="${message%\'}"
+                    ;;
+            esac
+            ;;
+    esac
+done
+
+# Validate seconds parameter (must be numeric)
+case "$seconds" in
+    ''|*[!0-9]*)
+        echo "ERROR: seconds must be a positive integer" >&2
+        exit 1
+        ;;
+esac
+
+# Validate seconds range (0-3600)
+if [ "$seconds" -lt 0 ] || [ "$seconds" -gt 3600 ]; then
+    echo "ERROR: seconds must be between 0 and 3600" >&2
+    exit 1
+fi
+
+# Display message if provided
+if [ -n "$message" ]; then
+    echo "$message"
+fi
+
+# Sleep for the specified duration
+sleep "$seconds"
+
+# Output result
+echo "Slept for $seconds seconds"
+
+# Exit successfully
+exit 0
--- a/docker/distributable/packs/core/actions/sleep.yaml
+++ b/docker/distributable/packs/core/actions/sleep.yaml
@@ -0,0 +1,43 @@
+# Sleep Action
+# Pauses execution for a specified duration
+
+ref: core.sleep
+label: "Sleep"
+description: "Sleep for a specified number of seconds"
+enabled: true
+
+# Runner type determines how the action is executed
+runner_type: shell
+
+# Entry point is the shell command or script to execute
+entry_point: sleep.sh
+
+# Parameter delivery: stdin for secure parameter passing (no env vars)
+parameter_delivery: stdin
+parameter_format: dotenv
+
+# Output format: text (no structured data parsing)
+output_format: text
+
+# Action parameters (StackStorm-style with inline required/secret)
+parameters:
+  seconds:
+    type: integer
+    description: "Number of seconds to sleep"
+    required: true
+    default: 1
+    minimum: 0
+    maximum: 3600
+  message:
+    type: string
+    description: "Optional message to display before sleeping"
+
+# Output schema: not applicable for text output format
+# The action outputs plain text to stdout
+
+# Tags for categorization
+tags:
+  - utility
+  - testing
+  - delay
+  - timing
--- a/docker/distributable/packs/core/pack.yaml
+++ b/docker/distributable/packs/core/pack.yaml
@@ -0,0 +1,97 @@
+# Attune Core Pack
+# Built-in core functionality including timers, utilities, and basic actions
+
+ref: core
+label: "Core Pack"
+description: "Built-in core functionality including timer triggers, HTTP utilities, and basic shell actions"
+version: "1.0.0"
+author: "Attune Team"
+email: "core@attune.io"
+
+# Pack is a system pack (shipped with Attune)
+system: true
+
+# Pack configuration schema (StackStorm-style flat format)
+conf_schema:
+  max_action_timeout:
+    type: integer
+    description: "Maximum timeout for action execution in seconds"
+    default: 300
+    minimum: 1
+    maximum: 3600
+  enable_debug_logging:
+    type: boolean
+    description: "Enable debug logging for core pack actions"
+    default: false
+
+# Default pack configuration
+config:
+  max_action_timeout: 300
+  enable_debug_logging: false
+
+# Pack metadata
+meta:
+  category: "system"
+  keywords:
+    - "core"
+    - "utilities"
+    - "timers"
+    - "http"
+    - "shell"
+
+  # Python dependencies for Python-based actions
+  python_dependencies:
+    - "requests>=2.28.0"
+    - "croniter>=1.4.0"
+
+  # Documentation
+  documentation_url: "https://docs.attune.io/packs/core"
+  repository_url: "https://github.com/attune-io/attune"
+
+# Pack tags for discovery
+tags:
+  - core
+  - system
+  - utilities
+  - timers
+
+# Runtime dependencies
+runtime_deps:
+  - shell
+  - native
+
+# Enabled by default
+enabled: true
+
+# Pack Testing Configuration
+testing:
+  # Enable testing during installation
+  enabled: true
+
+  # Test discovery method
+  discovery:
+    method: "directory"
+    path: "tests"
+
+  # Test runners by runtime type
+  runners:
+    shell:
+      type: "script"
+      entry_point: "tests/run_tests.sh"
+      timeout: 60
+      result_format: "simple"
+
+    python:
+      type: "unittest"
+      entry_point: "tests/test_actions.py"
+      timeout: 120
+      result_format: "simple"
+
+  # Test result expectations
+  result_path: "tests/results/"
+
+  # Minimum passing criteria (100% tests must pass)
+  min_pass_rate: 1.0
+
+  # Block installation if tests fail
+  on_failure: "block"
--- a/docker/distributable/packs/core/permission_sets/admin.yaml
+++ b/docker/distributable/packs/core/permission_sets/admin.yaml
@@ -0,0 +1,28 @@
+ref: core.admin
+label: Admin
+description: Full administrative access across Attune resources.
+grants:
+  - resource: packs
+    actions: [read, create, update, delete]
+  - resource: actions
+    actions: [read, create, update, delete, execute]
+  - resource: rules
+    actions: [read, create, update, delete]
+  - resource: triggers
+    actions: [read, create, update, delete]
+  - resource: executions
+    actions: [read, update, cancel]
+  - resource: events
+    actions: [read]
+  - resource: enforcements
+    actions: [read]
+  - resource: inquiries
+    actions: [read, create, update, delete, respond]
+  - resource: keys
+    actions: [read, create, update, delete, decrypt]
+  - resource: artifacts
+    actions: [read, create, update, delete]
+  - resource: identities
+    actions: [read, create, update, delete]
+  - resource: permissions
+    actions: [read, create, update, delete, manage]
--- a/docker/distributable/packs/core/permission_sets/editor.yaml
+++ b/docker/distributable/packs/core/permission_sets/editor.yaml
@@ -0,0 +1,18 @@
+ref: core.editor
+label: Editor
+description: Create and update operational resources without full administrative control.
+grants:
+  - resource: packs
+    actions: [read, create, update]
+  - resource: actions
+    actions: [read, create, update, execute]
+  - resource: rules
+    actions: [read, create, update]
+  - resource: triggers
+    actions: [read]
+  - resource: executions
+    actions: [read, cancel]
+  - resource: keys
+    actions: [read, update, decrypt]
+  - resource: artifacts
+    actions: [read]
--- a/docker/distributable/packs/core/permission_sets/executor.yaml
+++ b/docker/distributable/packs/core/permission_sets/executor.yaml
@@ -0,0 +1,18 @@
+ref: core.executor
+label: Executor
+description: Read operational metadata and trigger executions without changing system definitions.
+grants:
+  - resource: packs
+    actions: [read]
+  - resource: actions
+    actions: [read, execute]
+  - resource: rules
+    actions: [read]
+  - resource: triggers
+    actions: [read]
+  - resource: executions
+    actions: [read]
+  - resource: keys
+    actions: [read]
+  - resource: artifacts
+    actions: [read]
--- a/docker/distributable/packs/core/permission_sets/viewer.yaml
+++ b/docker/distributable/packs/core/permission_sets/viewer.yaml
@@ -0,0 +1,18 @@
+ref: core.viewer
+label: Viewer
+description: Read-only access to operational metadata and execution visibility.
+grants:
+  - resource: packs
+    actions: [read]
+  - resource: actions
+    actions: [read]
+  - resource: rules
+    actions: [read]
+  - resource: triggers
+    actions: [read]
+  - resource: executions
+    actions: [read]
+  - resource: keys
+    actions: [read]
+  - resource: artifacts
+    actions: [read]
--- a/docker/distributable/packs/core/runtimes/README.md
+++ b/docker/distributable/packs/core/runtimes/README.md
@@ -0,0 +1,60 @@
+# Core Pack Runtime Metadata
+
+This directory contains runtime metadata YAML files for the core pack. Each file defines a runtime environment that can be used to execute actions and sensors.
+
+## File Structure
+
+Each runtime YAML file contains only the fields that are stored in the database:
+
+- `ref` - Unique runtime reference (format: pack.name)
+- `pack_ref` - Pack this runtime belongs to
+- `name` - Human-readable runtime name
+- `description` - Brief description of the runtime
+- `distributions` - Runtime verification and capability metadata (JSONB)
+- `installation` - Installation requirements and metadata (JSONB)
+- `execution_config` - Interpreter, environment, dependency, and execution-time env var metadata
+
+## `execution_config.env_vars`
+
+Runtime authors can declare execution-time environment variables in a purely declarative way.
+
+String values replace the variable entirely:
+
+```yaml
+env_vars:
+  NODE_PATH: "{env_dir}/node_modules"
+```
+
+Object values support merge semantics against an existing value already present in the execution environment:
+
+```yaml
+env_vars:
+  PYTHONPATH:
+    operation: prepend
+    value: "{pack_dir}/lib"
+    separator: ":"
+```
+
+Supported operations:
+
+- `set` - Replace the variable with the resolved value
+- `prepend` - Add the resolved value before the existing value
+- `append` - Add the resolved value after the existing value
+
+Supported template variables:
+
+- `{pack_dir}`
+- `{env_dir}`
+- `{interpreter}`
+- `{manifest_path}`
+
+## Available Runtimes
+
+- **python.yaml** - Python 3 runtime for actions and sensors
+- **nodejs.yaml** - Node.js runtime for JavaScript-based actions and sensors
+- **shell.yaml** - Shell (bash/sh) runtime - always available
+- **native.yaml** - Native compiled runtime (Rust, Go, C, etc.) - executes binaries directly without an interpreter
+
+## Loading
+
+Runtime metadata files are loaded by the pack loading system and inserted into the `runtime` table in the database.
--- a/docker/distributable/packs/core/runtimes/go.yaml
+++ b/docker/distributable/packs/core/runtimes/go.yaml
@@ -0,0 +1,48 @@
+ref: core.go
+pack_ref: core
+name: Go
+aliases: [go, golang]
+description: Go runtime for compiling and running Go scripts and programs
+
+distributions:
+  verification:
+    commands:
+      - binary: go
+        args:
+          - "version"
+        exit_code: 0
+        pattern: "go\\d+\\."
+        priority: 1
+  min_version: "1.18"
+  recommended_version: "1.22"
+
+installation:
+  package_managers:
+    - apt
+    - snap
+    - brew
+  module_support: true
+
+execution_config:
+  interpreter:
+    binary: go
+    args:
+      - "run"
+    file_extension: ".go"
+  environment:
+    env_type: gopath
+    dir_name: gopath
+    create_command:
+      - sh
+      - "-c"
+      - "mkdir -p {env_dir}"
+    interpreter_path: null
+  dependencies:
+    manifest_file: go.mod
+    install_command:
+      - sh
+      - "-c"
+      - "cd {pack_dir} && GOPATH={env_dir} go mod download 2>/dev/null || true"
+  env_vars:
+    GOPATH: "{env_dir}"
+    GOMODCACHE: "{env_dir}/pkg/mod"
--- a/docker/distributable/packs/core/runtimes/java.yaml
+++ b/docker/distributable/packs/core/runtimes/java.yaml
@@ -0,0 +1,31 @@
+ref: core.java
+pack_ref: core
+name: Java
+aliases: [java, jdk, openjdk]
+description: Java runtime for executing Java programs and scripts
+
+distributions:
+  verification:
+    commands:
+      - binary: java
+        args:
+          - "-version"
+        exit_code: 0
+        pattern: "version \"\\d+"
+        priority: 1
+  min_version: "11"
+  recommended_version: "21"
+
+installation:
+  interpreters:
+    - java
+    - javac
+  package_managers:
+    - maven
+    - gradle
+
+execution_config:
+  interpreter:
+    binary: java
+    args: []
+    file_extension: ".java"
--- a/docker/distributable/packs/core/runtimes/native.yaml
+++ b/docker/distributable/packs/core/runtimes/native.yaml
@@ -0,0 +1,21 @@
+ref: core.native
+pack_ref: core
+name: Native
+aliases: [native, builtin, standalone]
+description: Native compiled runtime (Rust, Go, C, etc.) - executes binaries directly without an interpreter
+
+distributions:
+  verification:
+    always_available: true
+    check_required: false
+  languages:
+    - rust
+    - go
+    - c
+    - c++
+
+installation:
+  build_required: false
+  system_native: true
+
+execution_config: {}
--- a/docker/distributable/packs/core/runtimes/nodejs.yaml
+++ b/docker/distributable/packs/core/runtimes/nodejs.yaml
@@ -0,0 +1,180 @@
+ref: core.nodejs
+pack_ref: core
+name: Node.js
+aliases: [node, nodejs, "node.js"]
+description: Node.js runtime for JavaScript-based actions and sensors
+
+distributions:
+  verification:
+    commands:
+      - binary: node
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "v\\d+\\.\\d+\\.\\d+"
+        priority: 1
+  min_version: "16.0.0"
+  recommended_version: "20.0.0"
+
+installation:
+  package_managers:
+    - npm
+    - yarn
+    - pnpm
+  module_support: true
+
+execution_config:
+  interpreter:
+    binary: node
+    args: []
+    file_extension: ".js"
+  environment:
+    env_type: node_modules
+    dir_name: node_modules
+    create_command:
+      - sh
+      - "-c"
+      - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
+    interpreter_path: null
+  dependencies:
+    manifest_file: package.json
+    install_command:
+      - npm
+      - install
+      - "--prefix"
+      - "{env_dir}"
+  env_vars:
+    NODE_PATH: "{env_dir}/node_modules"
+
+# Version-specific execution configurations.
+# Each entry describes how to invoke a particular Node.js version.
+# The worker uses these when an action declares a runtime_version constraint
+# (e.g., runtime_version: ">=20"). The highest available version satisfying
+# the constraint is selected, and its execution_config replaces the parent's.
+versions:
+  - version: "18"
+    distributions:
+      verification:
+        commands:
+          - binary: node18
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v18\\."
+            priority: 1
+          - binary: node
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v18\\."
+            priority: 2
+    execution_config:
+      interpreter:
+        binary: node18
+        args: []
+        file_extension: ".js"
+      environment:
+        env_type: node_modules
+        dir_name: node_modules
+        create_command:
+          - sh
+          - "-c"
+          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
+        interpreter_path: null
+      dependencies:
+        manifest_file: package.json
+        install_command:
+          - npm
+          - install
+          - "--prefix"
+          - "{env_dir}"
+      env_vars:
+        NODE_PATH: "{env_dir}/node_modules"
+    meta:
+      lts_codename: "hydrogen"
+      eol: "2025-04-30"
+
+  - version: "20"
+    is_default: true
+    distributions:
+      verification:
+        commands:
+          - binary: node20
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v20\\."
+            priority: 1
+          - binary: node
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v20\\."
+            priority: 2
+    execution_config:
+      interpreter:
+        binary: node20
+        args: []
+        file_extension: ".js"
+      environment:
+        env_type: node_modules
+        dir_name: node_modules
+        create_command:
+          - sh
+          - "-c"
+          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
+        interpreter_path: null
+      dependencies:
+        manifest_file: package.json
+        install_command:
+          - npm
+          - install
+          - "--prefix"
+          - "{env_dir}"
+      env_vars:
+        NODE_PATH: "{env_dir}/node_modules"
+    meta:
+      lts_codename: "iron"
+      eol: "2026-04-30"
+
+  - version: "22"
+    distributions:
+      verification:
+        commands:
+          - binary: node22
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v22\\."
+            priority: 1
+          - binary: node
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "v22\\."
+            priority: 2
+    execution_config:
+      interpreter:
+        binary: node22
+        args: []
+        file_extension: ".js"
+      environment:
+        env_type: node_modules
+        dir_name: node_modules
+        create_command:
+          - sh
+          - "-c"
+          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
+        interpreter_path: null
+      dependencies:
+        manifest_file: package.json
+        install_command:
+          - npm
+          - install
+          - "--prefix"
+          - "{env_dir}"
+      env_vars:
+        NODE_PATH: "{env_dir}/node_modules"
+    meta:
+      lts_codename: "jod"
+      eol: "2027-04-30"
--- a/docker/distributable/packs/core/runtimes/perl.yaml
+++ b/docker/distributable/packs/core/runtimes/perl.yaml
@@ -0,0 +1,47 @@
+ref: core.perl
+pack_ref: core
+name: Perl
+aliases: [perl, perl5]
+description: Perl runtime for script execution with optional CPAN dependency management
+
+distributions:
+  verification:
+    commands:
+      - binary: perl
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "perl.*v\\d+\\."
+        priority: 1
+  min_version: "5.20"
+  recommended_version: "5.38"
+
+installation:
+  package_managers:
+    - cpanm
+    - cpan
+  interpreters:
+    - perl
+
+execution_config:
+  interpreter:
+    binary: perl
+    args: []
+    file_extension: ".pl"
+  environment:
+    env_type: local_lib
+    dir_name: perl5
+    create_command:
+      - sh
+      - "-c"
+      - "mkdir -p {env_dir}/lib/perl5"
+    interpreter_path: null
+  dependencies:
+    manifest_file: cpanfile
+    install_command:
+      - sh
+      - "-c"
+      - "cd {pack_dir} && PERL5LIB={env_dir}/lib/perl5 PERL_LOCAL_LIB_ROOT={env_dir} cpanm --local-lib {env_dir} --installdeps --quiet . 2>/dev/null || true"
+  env_vars:
+    PERL5LIB: "{env_dir}/lib/perl5"
+    PERL_LOCAL_LIB_ROOT: "{env_dir}"
--- a/docker/distributable/packs/core/runtimes/python.yaml
+++ b/docker/distributable/packs/core/runtimes/python.yaml
@@ -0,0 +1,191 @@
+ref: core.python
+pack_ref: core
+name: Python
+aliases: [python, python3]
+description: Python 3 runtime for actions and sensors with automatic environment management
+
+distributions:
+  verification:
+    commands:
+      - binary: python3
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "Python 3\\."
+        priority: 1
+      - binary: python
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "Python 3\\."
+        priority: 2
+  min_version: "3.8"
+  recommended_version: "3.12"
+
+installation:
+  package_managers:
+    - pip
+    - pipenv
+    - poetry
+  virtual_env_support: true
+
+execution_config:
+  interpreter:
+    binary: python3
+    args:
+      - "-u"
+    file_extension: ".py"
+  environment:
+    env_type: virtualenv
+    dir_name: ".venv"
+    create_command:
+      - python3
+      - "-m"
+      - venv
+      - "--copies"
+      - "{env_dir}"
+    interpreter_path: "{env_dir}/bin/python3"
+  dependencies:
+    manifest_file: requirements.txt
+    install_command:
+      - "{interpreter}"
+      - "-m"
+      - pip
+      - install
+      - "-r"
+      - "{manifest_path}"
+  env_vars:
+    PYTHONPATH:
+      operation: prepend
+      value: "{pack_dir}/lib"
+      separator: ":"
+
+# Version-specific execution configurations.
+# Each entry describes how to invoke a particular Python version.
+# The worker uses these when an action declares a runtime_version constraint
+# (e.g., runtime_version: ">=3.12"). The highest available version satisfying
+# the constraint is selected, and its execution_config replaces the parent's.
+versions:
+  - version: "3.11"
+    distributions:
+      verification:
+        commands:
+          - binary: python3.11
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "Python 3\\.11\\."
+            priority: 1
+    execution_config:
+      interpreter:
+        binary: python3.11
+        args:
+          - "-u"
+        file_extension: ".py"
+      environment:
+        env_type: virtualenv
+        dir_name: ".venv"
+        create_command:
+          - python3.11
+          - "-m"
+          - venv
+          - "--copies"
+          - "{env_dir}"
+        interpreter_path: "{env_dir}/bin/python3.11"
+      dependencies:
+        manifest_file: requirements.txt
+        install_command:
+          - "{interpreter}"
+          - "-m"
+          - pip
+          - install
+          - "-r"
+          - "{manifest_path}"
+      env_vars:
+        PYTHONPATH:
+          operation: prepend
+          value: "{pack_dir}/lib"
+          separator: ":"
+
+  - version: "3.12"
+    is_default: true
+    distributions:
+      verification:
+        commands:
+          - binary: python3.12
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "Python 3\\.12\\."
+            priority: 1
+    execution_config:
+      interpreter:
+        binary: python3.12
+        args:
+          - "-u"
+        file_extension: ".py"
+      environment:
+        env_type: virtualenv
+        dir_name: ".venv"
+        create_command:
+          - python3.12
+          - "-m"
+          - venv
+          - "--copies"
+          - "{env_dir}"
+        interpreter_path: "{env_dir}/bin/python3.12"
+      dependencies:
+        manifest_file: requirements.txt
+        install_command:
+          - "{interpreter}"
+          - "-m"
+          - pip
+          - install
+          - "-r"
+          - "{manifest_path}"
+      env_vars:
+        PYTHONPATH:
+          operation: prepend
+          value: "{pack_dir}/lib"
+          separator: ":"
+
+  - version: "3.13"
+    distributions:
+      verification:
+        commands:
+          - binary: python3.13
+            args:
+              - "--version"
+            exit_code: 0
+            pattern: "Python 3\\.13\\."
+            priority: 1
+    execution_config:
+      interpreter:
+        binary: python3.13
+        args:
+          - "-u"
+        file_extension: ".py"
+      environment:
+        env_type: virtualenv
+        dir_name: ".venv"
+        create_command:
+          - python3.13
+          - "-m"
+          - venv
+          - "--copies"
+          - "{env_dir}"
+        interpreter_path: "{env_dir}/bin/python3.13"
+      dependencies:
+        manifest_file: requirements.txt
+        install_command:
+          - "{interpreter}"
+          - "-m"
+          - pip
+          - install
+          - "-r"
+          - "{manifest_path}"
+      env_vars:
+        PYTHONPATH:
+          operation: prepend
+          value: "{pack_dir}/lib"
+          separator: ":"
--- a/docker/distributable/packs/core/runtimes/r.yaml
+++ b/docker/distributable/packs/core/runtimes/r.yaml
@@ -0,0 +1,48 @@
+ref: core.r
+pack_ref: core
+name: R
+aliases: [r, rscript]
+description: R runtime for statistical computing and data analysis scripts
+
+distributions:
+  verification:
+    commands:
+      - binary: Rscript
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "\\d+\\.\\d+\\.\\d+"
+        priority: 1
+  min_version: "4.0.0"
+  recommended_version: "4.4.0"
+
+installation:
+  package_managers:
+    - install.packages
+    - renv
+  interpreters:
+    - Rscript
+    - R
+
+execution_config:
+  interpreter:
+    binary: Rscript
+    args:
+      - "--vanilla"
+    file_extension: ".R"
+  environment:
+    env_type: renv
+    dir_name: renv
+    create_command:
+      - sh
+      - "-c"
+      - "mkdir -p {env_dir}/library"
+    interpreter_path: null
+  dependencies:
+    manifest_file: renv.lock
+    install_command:
+      - sh
+      - "-c"
+      - 'cd {pack_dir} && R_LIBS_USER={env_dir}/library Rscript -e "if (file.exists(''renv.lock'')) renv::restore(library=''{env_dir}/library'', prompt=FALSE)" 2>/dev/null || true'
+  env_vars:
+    R_LIBS_USER: "{env_dir}/library"
--- a/docker/distributable/packs/core/runtimes/ruby.yaml
+++ b/docker/distributable/packs/core/runtimes/ruby.yaml
@@ -0,0 +1,49 @@
+ref: core.ruby
+pack_ref: core
+name: Ruby
+aliases: [ruby, rb]
+description: Ruby runtime for script execution with automatic gem environment management
+
+distributions:
+  verification:
+    commands:
+      - binary: ruby
+        args:
+          - "--version"
+        exit_code: 0
+        pattern: "ruby \\d+\\."
+        priority: 1
+  min_version: "2.7"
+  recommended_version: "3.2"
+
+installation:
+  package_managers:
+    - gem
+    - bundler
+  interpreters:
+    - ruby
+  portable: false
+
+execution_config:
+  interpreter:
+    binary: ruby
+    args: []
+    file_extension: ".rb"
+  environment:
+    env_type: gem_home
+    dir_name: gems
+    create_command:
+      - sh
+      - "-c"
+      - "mkdir -p {env_dir}/gems"
+    interpreter_path: null
+  dependencies:
+    manifest_file: Gemfile
+    install_command:
+      - sh
+      - "-c"
+      - "cd {pack_dir} && GEM_HOME={env_dir}/gems GEM_PATH={env_dir}/gems bundle install --quiet 2>/dev/null || true"
+  env_vars:
+    GEM_HOME: "{env_dir}/gems"
+    GEM_PATH: "{env_dir}/gems"
+    BUNDLE_PATH: "{env_dir}/gems"
--- a/docker/distributable/packs/core/runtimes/shell.yaml
+++ b/docker/distributable/packs/core/runtimes/shell.yaml
@@ -0,0 +1,39 @@
+ref: core.shell
+pack_ref: core
+name: Shell
+aliases: [shell, bash, sh]
+description: Shell (bash/sh) runtime for script execution - always available
+
+distributions:
+  verification:
+    commands:
+      - binary: sh
+        args:
+          - "--version"
+        exit_code: 0
+        optional: true
+        priority: 1
+      - binary: bash
+        args:
+          - "--version"
+        exit_code: 0
+        optional: true
+        priority: 2
+    always_available: true
+
+installation:
+  interpreters:
+    - sh
+    - bash
+    - dash
+  portable: true
+
+execution_config:
+  interpreter:
+    binary: "/bin/bash"
+    args: []
+    file_extension: ".sh"
+  inline_execution:
+    strategy: temp_file
+    extension: ".sh"
+    inject_shell_helpers: true
--- a/docker/distributable/packs/core/sensors/attune-core-timer-sensor
+++ b/docker/distributable/packs/core/sensors/attune-core-timer-sensor
--- a/docker/distributable/packs/core/sensors/interval_timer_sensor.yaml
+++ b/docker/distributable/packs/core/sensors/interval_timer_sensor.yaml
@@ -0,0 +1,85 @@
+# Timer Sensor
+# Monitors time and fires all timer trigger types
+
+ref: core.interval_timer_sensor
+label: "Interval Timer Sensor"
+description: "Built-in sensor that monitors time and fires timer triggers (interval, cron, and one-shot datetime)"
+enabled: true
+
+# Sensor runner type
+runner_type: native
+
+# Entry point for sensor execution
+entry_point: attune-core-timer-sensor
+
+# Trigger types this sensor monitors
+trigger_types:
+  - core.intervaltimer
+  - core.crontimer
+  - core.datetimetimer
+
+# Sensor configuration schema (StackStorm-style flat format)
+parameters:
+  check_interval_seconds:
+    type: integer
+    description: "How often to check if triggers should fire (in seconds)"
+    default: 1
+    minimum: 1
+    maximum: 60
+
+# Poll interval (how often the sensor checks for events)
+poll_interval: 1
+
+# Tags for categorization
+tags:
+  - timer
+  - interval
+  - system
+  - builtin
+
+# Metadata
+meta:
+  builtin: true
+  system: true
+  description: |
+    The timer sensor is a built-in system sensor that monitors all timer-based
+    triggers and fires events according to their schedules. It supports three
+    timer types:
+
+    1. Interval timers: Fire at regular intervals (seconds, minutes, hours, days)
+    2. Cron timers: Fire based on cron schedule expressions (e.g., "0 0 * * * *")
+    3. DateTime timers: Fire once at a specific date and time (one-shot)
+
+    This sensor uses tokio-cron-scheduler for efficient async scheduling and
+    runs continuously as part of the Attune sensor service.
+
+# Documentation
+examples:
+  - description: "Interval timer - fires every 10 seconds"
+    trigger_type: core.intervaltimer
+    trigger_config:
+      unit: "seconds"
+      interval: 10
+
+  - description: "Interval timer - fire every 5 minutes"
+    trigger_type: core.intervaltimer
+    trigger_config:
+      unit: "minutes"
+      interval: 5
+
+  - description: "Cron timer - fire every hour on the hour"
+    trigger_type: core.crontimer
+    trigger_config:
+      expression: "0 0 * * * *"
+
+  - description: "Cron timer - fire every weekday at 9 AM"
+    trigger_type: core.crontimer
+    trigger_config:
+      expression: "0 0 9 * * 1-5"
+      timezone: "UTC"
+
+  - description: "DateTime timer - fire once at specific time"
+    trigger_type: core.datetimetimer
+    trigger_config:
+      fire_at: "2024-12-31T23:59:59Z"
+      timezone: "UTC"
--- a/docker/distributable/packs/core/test_core_pack.sh
+++ b/docker/distributable/packs/core/test_core_pack.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+# Automated test script for Core Pack
+# Tests all actions to ensure they work correctly
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ACTIONS_DIR="$SCRIPT_DIR/actions"
+
+# Colors for output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Test counters
+TESTS_RUN=0
+TESTS_PASSED=0
+TESTS_FAILED=0
+
+# Function to print test result
+test_result() {
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if [ $? -eq 0 ]; then
+        echo -e "${GREEN}✓${NC} $1"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗${NC} $1"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Function to run a test
+run_test() {
+    local test_name="$1"
+    shift
+    echo -n "  Testing: $test_name... "
+    if "$@" > /dev/null 2>&1; then
+        echo -e "${GREEN}✓${NC}"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗${NC}"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+    TESTS_RUN=$((TESTS_RUN + 1))
+}
+
+echo "========================================="
+echo "Core Pack Test Suite"
+echo "========================================="
+echo ""
+
+# Check if actions directory exists
+if [ ! -d "$ACTIONS_DIR" ]; then
+    echo -e "${RED}ERROR:${NC} Actions directory not found at $ACTIONS_DIR"
+    exit 1
+fi
+
+# Check if scripts are executable
+echo "→ Checking script permissions..."
+for script in "$ACTIONS_DIR"/*.sh "$ACTIONS_DIR"/*.py; do
+    if [ -f "$script" ] && [ ! -x "$script" ]; then
+        echo -e "${YELLOW}WARNING:${NC} $script is not executable, fixing..."
+        chmod +x "$script"
+    fi
+done
+echo -e "${GREEN}✓${NC} All scripts have correct permissions"
+echo ""
+
+# Test core.echo
+echo "→ Testing core.echo..."
+export ATTUNE_ACTION_MESSAGE="Test message"
+export ATTUNE_ACTION_UPPERCASE=false
+run_test "basic echo" "$ACTIONS_DIR/echo.sh"
+
+export ATTUNE_ACTION_MESSAGE="test uppercase"
+export ATTUNE_ACTION_UPPERCASE=true
+OUTPUT=$("$ACTIONS_DIR/echo.sh")
+if [ "$OUTPUT" = "TEST UPPERCASE" ]; then
+    echo -e "  Testing: uppercase conversion... ${GREEN}✓${NC}"
+    TESTS_PASSED=$((TESTS_PASSED + 1))
+else
+    echo -e "  Testing: uppercase conversion... ${RED}✗${NC} (expected 'TEST UPPERCASE', got '$OUTPUT')"
+    TESTS_FAILED=$((TESTS_FAILED + 1))
+fi
+TESTS_RUN=$((TESTS_RUN + 1))
+
+unset ATTUNE_ACTION_MESSAGE ATTUNE_ACTION_UPPERCASE
+echo ""
+
+# Test core.sleep
+echo "→ Testing core.sleep..."
+export ATTUNE_ACTION_SECONDS=1
+export ATTUNE_ACTION_MESSAGE="Sleeping..."
+run_test "basic sleep (1 second)" "$ACTIONS_DIR/sleep.sh"
+
+# Test invalid seconds
+export ATTUNE_ACTION_SECONDS=-1
+if "$ACTIONS_DIR/sleep.sh" > /dev/null 2>&1; then
+    echo -e "  Testing: invalid seconds validation... ${RED}✗${NC} (should have failed)"
+    TESTS_FAILED=$((TESTS_FAILED + 1))
+else
+    echo -e "  Testing: invalid seconds validation... ${GREEN}✓${NC}"
+    TESTS_PASSED=$((TESTS_PASSED + 1))
+fi
+TESTS_RUN=$((TESTS_RUN + 1))
+
+unset ATTUNE_ACTION_SECONDS ATTUNE_ACTION_MESSAGE
+echo ""
+
+# Test core.noop
+echo "→ Testing core.noop..."
+export ATTUNE_ACTION_MESSAGE="Test noop"
+export ATTUNE_ACTION_EXIT_CODE=0
+run_test "basic noop with exit 0" "$ACTIONS_DIR/noop.sh"
+
+export ATTUNE_ACTION_EXIT_CODE=1
+if "$ACTIONS_DIR/noop.sh" > /dev/null 2>&1; then
+    echo -e "  Testing: custom exit code (1)... ${RED}✗${NC} (should have exited with 1)"
+    TESTS_FAILED=$((TESTS_FAILED + 1))
+else
+    EXIT_CODE=$?
+    if [ $EXIT_CODE -eq 1 ]; then
+        echo -e "  Testing: custom exit code (1)... ${GREEN}✓${NC}"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "  Testing: custom exit code (1)... ${RED}✗${NC} (exit code was $EXIT_CODE, expected 1)"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+fi
+TESTS_RUN=$((TESTS_RUN + 1))
+
+unset ATTUNE_ACTION_MESSAGE ATTUNE_ACTION_EXIT_CODE
+echo ""
+
+# Test core.http_request (requires Python and requests library)
+echo "→ Testing core.http_request..."
+
+# Check if Python is available
+if ! command -v python3 &> /dev/null; then
+    echo -e "${YELLOW}WARNING:${NC} Python 3 not found, skipping HTTP request tests"
+else
+    # Check if requests library is installed
+    if python3 -c "import requests" 2>/dev/null; then
+        export ATTUNE_ACTION_URL="https://httpbin.org/get"
+        export ATTUNE_ACTION_METHOD="GET"
+        export ATTUNE_ACTION_TIMEOUT=10
+        run_test "basic GET request" python3 "$ACTIONS_DIR/http_request.py"
+
+        export ATTUNE_ACTION_URL="https://httpbin.org/post"
+        export ATTUNE_ACTION_METHOD="POST"
+        export ATTUNE_ACTION_JSON_BODY='{"test": "data"}'
+        run_test "POST with JSON body" python3 "$ACTIONS_DIR/http_request.py"
+
+        # Test missing required parameter
+        unset ATTUNE_ACTION_URL
+        if python3 "$ACTIONS_DIR/http_request.py" > /dev/null 2>&1; then
+            echo -e "  Testing: missing URL validation... ${RED}✗${NC} (should have failed)"
+            TESTS_FAILED=$((TESTS_FAILED + 1))
+        else
+            echo -e "  Testing: missing URL validation... ${GREEN}✓${NC}"
+            TESTS_PASSED=$((TESTS_PASSED + 1))
+        fi
+        TESTS_RUN=$((TESTS_RUN + 1))
+
+        unset ATTUNE_ACTION_URL ATTUNE_ACTION_METHOD ATTUNE_ACTION_JSON_BODY ATTUNE_ACTION_TIMEOUT
+    else
+        echo -e "${YELLOW}WARNING:${NC} Python requests library not found, skipping HTTP tests"
+        echo "  Install with: pip install requests>=2.28.0"
+    fi
+fi
+echo ""
+
+# Summary
+echo "========================================="
+echo "Test Results"
+echo "========================================="
+echo "Total tests run:    $TESTS_RUN"
+echo -e "Tests passed:       ${GREEN}$TESTS_PASSED${NC}"
+if [ $TESTS_FAILED -gt 0 ]; then
+    echo -e "Tests failed:       ${RED}$TESTS_FAILED${NC}"
+else
+    echo -e "Tests failed:       ${GREEN}$TESTS_FAILED${NC}"
+fi
+echo ""
+
+if [ $TESTS_FAILED -eq 0 ]; then
+    echo -e "${GREEN}✓ All tests passed!${NC}"
+    exit 0
+else
+    echo -e "${RED}✗ Some tests failed${NC}"
+    exit 1
+fi
--- a/docker/distributable/packs/core/tests/README.md
+++ b/docker/distributable/packs/core/tests/README.md
@@ -0,0 +1,348 @@
+# Core Pack Unit Tests
+
+This directory contains comprehensive unit tests for the Attune Core Pack actions.
+
+> **Note**: These tests can be run manually (as documented below) or programmatically during pack installation via the Pack Testing Framework. See [`docs/pack-testing-framework.md`](../../../docs/pack-testing-framework.md) for details on automatic test execution during pack installation.
+
+## Overview
+
+The test suite validates that all core pack actions work correctly with:
+- Valid inputs
+- Invalid inputs (error handling)
+- Edge cases
+- Default values
+- Various parameter combinations
+
+## Test Files
+
+- **`run_tests.sh`** - Bash-based test runner with colored output
+- **`test_actions.py`** - Python unittest/pytest suite for comprehensive testing
+- **`README.md`** - This file
+
+## Running Tests
+
+### Quick Test (Bash Runner)
+
+```bash
+cd packs/core/tests
+chmod +x run_tests.sh
+./run_tests.sh
+```
+
+**Features:**
+- Color-coded output (green = pass, red = fail)
+- Fast execution
+- No dependencies beyond bash and python3
+- Tests all actions automatically
+- Validates YAML schemas
+- Checks file permissions
+
+### Comprehensive Tests (Python)
+
+```bash
+cd packs/core/tests
+
+# Using unittest
+python3 test_actions.py
+
+# Using pytest (recommended)
+pytest test_actions.py -v
+
+# Run specific test class
+pytest test_actions.py::TestEchoAction -v
+
+# Run specific test
+pytest test_actions.py::TestEchoAction::test_basic_echo -v
+```
+
+**Features:**
+- Structured test cases with setUp/tearDown
+- Detailed assertions and error messages
+- Subtest support for parameterized tests
+- Better integration with CI/CD
+- Test discovery and filtering
+
+## Prerequisites
+
+### Required
+- Bash (for shell action tests)
+- Python 3.8+ (for Python action tests)
+
+### Optional
+- `pytest` for better test output: `pip install pytest`
+- `PyYAML` for YAML validation: `pip install pyyaml`
+- `requests` for HTTP tests: `pip install requests>=2.28.0`
+
+## Test Coverage
+
+### core.echo
+
+- ✅ Basic echo with custom message
+- ✅ Default message when none provided
+- ✅ Uppercase conversion (true/false)
+- ✅ Empty messages
+- ✅ Special characters
+- ✅ Multiline messages
+- ✅ Exit code validation
+
+**Total: 7 tests**
+
+### core.noop
+
+- ✅ Basic no-op execution
+- ✅ Custom message logging
+- ✅ Exit code 0 (success)
+- ✅ Custom exit codes (1-255)
+- ✅ Invalid negative exit codes (error)
+- ✅ Invalid large exit codes (error)
+- ✅ Invalid non-numeric exit codes (error)
+- ✅ Maximum valid exit code (255)
+
+**Total: 8 tests**
+
+### core.sleep
+
+- ✅ Basic sleep (1 second)
+- ✅ Zero seconds sleep
+- ✅ Custom message display
+- ✅ Default duration (1 second)
+- ✅ Multi-second sleep (timing validation)
+- ✅ Invalid negative seconds (error)
+- ✅ Invalid large seconds >3600 (error)
+- ✅ Invalid non-numeric seconds (error)
+
+**Total: 8 tests**
+
+### core.http_request
+
+- ✅ Simple GET request
+- ✅ Missing required URL (error)
+- ✅ POST with JSON body
+- ✅ Custom headers
+- ✅ Query parameters
+- ✅ Timeout handling
+- ✅ 404 status code handling
+- ✅ Different HTTP methods (PUT, PATCH, DELETE, HEAD, OPTIONS)
+- ✅ Elapsed time reporting
+- ✅ Response parsing (JSON/text)
+
+**Total: 10+ tests**
+
+### Additional Tests
+
+- ✅ File permissions (all scripts executable)
+- ✅ YAML schema validation
+- ✅ pack.yaml structure
+- ✅ Action YAML schemas
+
+**Total: 4+ tests**
+
+## Test Results
+
+When all tests pass, you should see output like:
+
+```
+========================================
+Core Pack Unit Tests
+========================================
+
+Testing core.echo
+  [1] echo: basic message ... PASS
+  [2] echo: default message ... PASS
+  [3] echo: uppercase conversion ... PASS
+  [4] echo: uppercase false ... PASS
+  [5] echo: exit code 0 ... PASS
+
+Testing core.noop
+  [6] noop: basic execution ... PASS
+  [7] noop: with message ... PASS
+  ...
+
+========================================
+Test Results
+========================================
+
+Total Tests:  37
+Passed:       37
+Failed:       0
+
+✓ All tests passed!
+```
+
+## Adding New Tests
+
+### Adding to Bash Test Runner
+
+Edit `run_tests.sh` and add new test cases:
+
+```bash
+# Test new action
+echo -e "${BLUE}Testing core.my_action${NC}"
+
+check_output \
+    "my_action: basic test" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_PARAM='value' ./my_action.sh" \
+    "Expected output"
+
+run_test_expect_fail \
+    "my_action: invalid input" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_PARAM='invalid' ./my_action.sh"
+```
+
+### Adding to Python Test Suite
+
+Add a new test class to `test_actions.py`:
+
+```python
+class TestMyAction(CorePackTestCase):
+    """Tests for core.my_action"""
+
+    def test_basic_functionality(self):
+        """Test basic functionality"""
+        stdout, stderr, code = self.run_action(
+            "my_action.sh",
+            {"ATTUNE_ACTION_PARAM": "value"}
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("expected output", stdout)
+
+    def test_error_handling(self):
+        """Test error handling"""
+        stdout, stderr, code = self.run_action(
+            "my_action.sh",
+            {"ATTUNE_ACTION_PARAM": "invalid"},
+            expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+```
+
+## Continuous Integration
+
+### GitHub Actions Example
+
+```yaml
+name: Core Pack Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+      
+      - name: Install dependencies
+        run: pip install pytest pyyaml requests
+      
+      - name: Run bash tests
+        run: |
+          cd packs/core/tests
+          chmod +x run_tests.sh
+          ./run_tests.sh
+      
+      - name: Run python tests
+        run: |
+          cd packs/core/tests
+          pytest test_actions.py -v
+```
+
+## Troubleshooting
+
+### Tests fail with "Permission denied"
+
+```bash
+chmod +x packs/core/actions/*.sh
+chmod +x packs/core/actions/*.py
+```
+
+### Python import errors
+
+```bash
+# Install required libraries
+pip install requests>=2.28.0 pyyaml
+```
+
+### HTTP tests timing out
+
+The `httpbin.org` service may be slow or unavailable. Try:
+- Increasing timeout in tests
+- Running tests again later
+- Using a local httpbin instance
+
+### YAML validation fails
+
+Ensure PyYAML is installed:
+```bash
+pip install pyyaml
+```
+
+## Best Practices
+
+1. **Test both success and failure cases** - Don't just test the happy path
+2. **Use descriptive test names** - Make it clear what each test validates
+3. **Test edge cases** - Empty strings, zero values, boundary conditions
+4. **Validate error messages** - Ensure helpful errors are returned
+5. **Keep tests fast** - Use minimal sleep times, short timeouts
+6. **Make tests independent** - Each test should work in isolation
+7. **Document expected behavior** - Add comments for complex tests
+
+## Performance
+
+Expected test execution times:
+
+- **Bash runner**: ~15-30 seconds (with HTTP tests)
+- **Python suite**: ~20-40 seconds (with HTTP tests)
+- **Without HTTP tests**: ~5-10 seconds
+
+Slowest tests:
+- `core.sleep` timing validation tests (intentional delays)
+- `core.http_request` network requests
+
+## Future Improvements
+
+- [ ] Add integration tests with Attune services
+- [ ] Add performance benchmarks
+- [ ] Test concurrent action execution
+- [ ] Mock HTTP requests for faster tests
+- [ ] Add property-based testing (hypothesis)
+- [ ] Test sensor functionality
+- [ ] Test trigger functionality
+- [ ] Add coverage reporting
+
+## Programmatic Test Execution
+
+The Core Pack includes a `testing` section in `pack.yaml` that enables automatic test execution during pack installation:
+
+```yaml
+testing:
+  enabled: true
+  runners:
+    shell:
+      entry_point: "tests/run_tests.sh"
+      timeout: 60
+    python:
+      entry_point: "tests/test_actions.py"
+      timeout: 120
+  min_pass_rate: 1.0
+  on_failure: "block"
+```
+
+When installing the pack with `attune pack install`, these tests will run automatically to verify the pack works in the target environment.
+
+## Resources
+
+- [Core Pack Documentation](../README.md)
+- [Testing Guide](../TESTING.md)
+- [Pack Testing Framework](../../../docs/pack-testing-framework.md) - Programmatic test execution
+- [Action Development Guide](../../../docs/action-development.md)
+- [Python unittest docs](https://docs.python.org/3/library/unittest.html)
+- [pytest docs](https://docs.pytest.org/)
+
+---
+
+**Last Updated**: 2024-01-20  
+**Maintainer**: Attune Team
--- a/docker/distributable/packs/core/tests/TEST_RESULTS.md
+++ b/docker/distributable/packs/core/tests/TEST_RESULTS.md
@@ -0,0 +1,235 @@
+# Core Pack Unit Test Results
+
+**Date**: 2024-01-20  
+**Status**: ✅ ALL TESTS PASSING  
+**Total Tests**: 38 (Bash) + 38 (Python) = 76 tests
+
+---
+
+## Summary
+
+Comprehensive unit tests have been implemented for all core pack actions. Both bash-based and Python-based test suites are available and all tests are passing.
+
+## Test Coverage by Action
+
+### ✅ core.echo (7 tests)
+- Basic echo with custom message
+- Default message handling
+- Uppercase conversion (true/false)
+- Empty messages
+- Special characters
+- Multiline messages
+- Exit code validation
+
+### ✅ core.noop (8 tests)
+- Basic no-op execution
+- Custom message logging
+- Exit code 0 (success)
+- Custom exit codes (1-255)
+- Invalid negative exit codes (error handling)
+- Invalid large exit codes (error handling)
+- Invalid non-numeric exit codes (error handling)
+- Maximum valid exit code (255)
+
+### ✅ core.sleep (8 tests)
+- Basic sleep (1 second)
+- Zero seconds sleep
+- Custom message display
+- Default duration (1 second)
+- Multi-second sleep with timing validation
+- Invalid negative seconds (error handling)
+- Invalid large seconds >3600 (error handling)
+- Invalid non-numeric seconds (error handling)
+
+### ✅ core.http_request (10 tests)
+- Simple GET request
+- Missing required URL (error handling)
+- POST with JSON body
+- Custom headers
+- Query parameters
+- Timeout handling
+- 404 status code handling
+- Different HTTP methods (PUT, PATCH, DELETE, HEAD, OPTIONS)
+- Elapsed time reporting
+- Response parsing (JSON/text)
+
+### ✅ File Permissions (4 tests)
+- All action scripts are executable
+- Proper file permissions set
+
+### ✅ YAML Validation (Optional)
+- pack.yaml structure validation
+- Action YAML schemas validation
+- (Skipped if PyYAML not installed)
+
+---
+
+## Test Execution
+
+### Bash Test Runner
+```bash
+cd packs/core/tests
+./run_tests.sh
+```
+
+**Results:**
+```
+Total Tests:  36
+Passed:       36
+Failed:       0
+
+✓ All tests passed!
+```
+
+**Execution Time**: ~15-30 seconds (including HTTP tests)
+
+### Python Test Suite
+```bash
+cd packs/core/tests
+python3 test_actions.py
+```
+
+**Results:**
+```
+Ran 38 tests in 11.797s
+OK (skipped=2)
+```
+
+**Execution Time**: ~12 seconds
+
+---
+
+## Test Features
+
+### Error Handling Coverage
+✅ Missing required parameters  
+✅ Invalid parameter types  
+✅ Out-of-range values  
+✅ Negative values where inappropriate  
+✅ Non-numeric values for numeric parameters  
+✅ Empty values  
+✅ Network timeouts  
+✅ HTTP error responses  
+
+### Positive Test Coverage
+✅ Default parameter values  
+✅ Minimum/maximum valid values  
+✅ Various parameter combinations  
+✅ Success paths  
+✅ Output validation  
+✅ Exit code verification  
+✅ Timing validation (for sleep action)  
+
+### Integration Tests
+✅ Network requests (HTTP action)  
+✅ File system operations  
+✅ Environment variable parsing  
+✅ Script execution  
+
+---
+
+## Fixed Issues
+
+### Issue 1: SECONDS Variable Conflict
+**Problem**: The `sleep.sh` script used `SECONDS` as a variable name, which conflicts with bash's built-in `SECONDS` variable that tracks shell uptime.
+
+**Solution**: Renamed the variable to `SLEEP_SECONDS` to avoid the conflict.
+
+**Files Modified**: `packs/core/actions/sleep.sh`
+
+---
+
+## Test Infrastructure
+
+### Test Files
+- `run_tests.sh` - Bash-based test runner (36 tests)
+- `test_actions.py` - Python unittest suite (38 tests)
+- `README.md` - Testing documentation
+- `TEST_RESULTS.md` - This file
+
+### Dependencies
+**Required:**
+- bash
+- python3
+
+**Optional:**
+- `pytest` - Better test output
+- `PyYAML` - YAML validation
+- `requests` - HTTP action tests
+
+### CI/CD Ready
+Both test suites are designed for continuous integration:
+- Non-zero exit codes on failure
+- Clear pass/fail reporting
+- Color-coded output (bash runner)
+- Structured test results (Python suite)
+- Optional dependency handling
+
+---
+
+## Test Maintenance
+
+### Adding New Tests
+1. Add test cases to `run_tests.sh` for quick validation
+2. Add test methods to `test_actions.py` for comprehensive coverage
+3. Update this document with new test counts
+4. Run both test suites to verify
+
+### When to Run Tests
+- ✅ Before committing changes to actions
+- ✅ After modifying action scripts
+- ✅ Before releasing new pack versions
+- ✅ In CI/CD pipelines
+- ✅ When troubleshooting action behavior
+
+---
+
+## Known Limitations
+
+1. **HTTP Tests**: Depend on external service (httpbin.org)
+   - May fail if service is down
+   - May be slow depending on network
+   - Could be replaced with local mock server
+
+2. **Timing Tests**: Sleep action timing tests have tolerance
+   - Allow for system scheduling delays
+   - May be slower on heavily loaded systems
+
+3. **Optional Dependencies**: Some tests skipped if:
+   - PyYAML not installed (YAML validation)
+   - requests not installed (HTTP tests)
+
+---
+
+## Future Enhancements
+
+- [ ] Add sensor unit tests
+- [ ] Add trigger unit tests  
+- [ ] Mock HTTP requests for faster tests
+- [ ] Add performance benchmarks
+- [ ] Add concurrent execution tests
+- [ ] Add code coverage reporting
+- [ ] Add property-based testing (hypothesis)
+- [ ] Integration tests with Attune services
+
+---
+
+## Conclusion
+
+✅ **All core pack actions are thoroughly tested and working correctly.**
+
+The test suite provides:
+- Comprehensive coverage of success and failure cases
+- Fast execution for rapid development feedback
+- Clear documentation of expected behavior
+- Confidence in core pack reliability
+
+Both bash and Python test runners are available for different use cases:
+- **Bash runner**: Quick, minimal dependencies, great for local development
+- **Python suite**: Structured, detailed, perfect for CI/CD and debugging
+
+---
+
+**Maintained by**: Attune Team  
+**Last Updated**: 2024-01-20  
+**Next Review**: When new actions are added
--- a/docker/distributable/packs/core/tests/run_tests.sh
+++ b/docker/distributable/packs/core/tests/run_tests.sh
@@ -0,0 +1,393 @@
+#!/bin/bash
+# Core Pack Unit Test Runner
+# Runs all unit tests for core pack actions and reports results
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Test counters
+TOTAL_TESTS=0
+PASSED_TESTS=0
+FAILED_TESTS=0
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PACK_DIR="$(dirname "$SCRIPT_DIR")"
+ACTIONS_DIR="$PACK_DIR/actions"
+
+# Test results array
+declare -a FAILED_TEST_NAMES
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Core Pack Unit Tests${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+# Function to run a test
+run_test() {
+    local test_name="$1"
+    local test_command="$2"
+
+    TOTAL_TESTS=$((TOTAL_TESTS + 1))
+
+    echo -n "  [$TOTAL_TESTS] $test_name ... "
+
+    if eval "$test_command" > /dev/null 2>&1; then
+        echo -e "${GREEN}PASS${NC}"
+        PASSED_TESTS=$((PASSED_TESTS + 1))
+        return 0
+    else
+        echo -e "${RED}FAIL${NC}"
+        FAILED_TESTS=$((FAILED_TESTS + 1))
+        FAILED_TEST_NAMES+=("$test_name")
+        return 1
+    fi
+}
+
+# Function to run a test expecting failure
+run_test_expect_fail() {
+    local test_name="$1"
+    local test_command="$2"
+
+    TOTAL_TESTS=$((TOTAL_TESTS + 1))
+
+    echo -n "  [$TOTAL_TESTS] $test_name ... "
+
+    if eval "$test_command" > /dev/null 2>&1; then
+        echo -e "${RED}FAIL${NC} (expected failure but passed)"
+        FAILED_TESTS=$((FAILED_TESTS + 1))
+        FAILED_TEST_NAMES+=("$test_name")
+        return 1
+    else
+        echo -e "${GREEN}PASS${NC} (failed as expected)"
+        PASSED_TESTS=$((PASSED_TESTS + 1))
+        return 0
+    fi
+}
+
+# Function to check output contains text
+check_output() {
+    local test_name="$1"
+    local command="$2"
+    local expected="$3"
+
+    TOTAL_TESTS=$((TOTAL_TESTS + 1))
+
+    echo -n "  [$TOTAL_TESTS] $test_name ... "
+
+    local output=$(eval "$command" 2>&1)
+
+    if echo "$output" | grep -q "$expected"; then
+        echo -e "${GREEN}PASS${NC}"
+        PASSED_TESTS=$((PASSED_TESTS + 1))
+        return 0
+    else
+        echo -e "${RED}FAIL${NC}"
+        echo "    Expected output to contain: '$expected'"
+        echo "    Got: '$output'"
+        FAILED_TESTS=$((FAILED_TESTS + 1))
+        FAILED_TEST_NAMES+=("$test_name")
+        return 1
+    fi
+}
+
+# Check prerequisites
+echo -e "${YELLOW}Checking prerequisites...${NC}"
+
+if [ ! -f "$ACTIONS_DIR/echo.sh" ]; then
+    echo -e "${RED}ERROR: Actions directory not found at $ACTIONS_DIR${NC}"
+    exit 1
+fi
+
+# Check Python for http_request tests
+if ! command -v python3 &> /dev/null; then
+    echo -e "${YELLOW}WARNING: python3 not found, skipping Python tests${NC}"
+    SKIP_PYTHON=true
+else
+    echo "  ✓ python3 found"
+fi
+
+# Check Python requests library
+if [ "$SKIP_PYTHON" != "true" ]; then
+    if ! python3 -c "import requests" 2>/dev/null; then
+        echo -e "${YELLOW}WARNING: requests library not installed, skipping HTTP tests${NC}"
+        SKIP_HTTP=true
+    else
+        echo "  ✓ requests library found"
+    fi
+fi
+
+echo ""
+
+# ========================================
+# Test: core.echo
+# ========================================
+echo -e "${BLUE}Testing core.echo${NC}"
+
+# Test 1: Basic echo
+check_output \
+    "echo: basic message" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Hello, Attune!' ./echo.sh" \
+    "Hello, Attune!"
+
+# Test 2: Default message
+check_output \
+    "echo: default message" \
+    "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_MESSAGE && ./echo.sh" \
+    "Hello, World!"
+
+# Test 3: Uppercase conversion
+check_output \
+    "echo: uppercase conversion" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='test message' ATTUNE_ACTION_UPPERCASE=true ./echo.sh" \
+    "TEST MESSAGE"
+
+# Test 4: Uppercase false
+check_output \
+    "echo: uppercase false" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Mixed Case' ATTUNE_ACTION_UPPERCASE=false ./echo.sh" \
+    "Mixed Case"
+
+# Test 5: Exit code success
+run_test \
+    "echo: exit code 0" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='test' ./echo.sh && [ \$? -eq 0 ]"
+
+echo ""
+
+# ========================================
+# Test: core.noop
+# ========================================
+echo -e "${BLUE}Testing core.noop${NC}"
+
+# Test 1: Basic noop
+check_output \
+    "noop: basic execution" \
+    "cd '$ACTIONS_DIR' && ./noop.sh" \
+    "No operation completed successfully"
+
+# Test 2: With message
+check_output \
+    "noop: with message" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Test noop' ./noop.sh" \
+    "Test noop"
+
+# Test 3: Exit code 0
+run_test \
+    "noop: exit code 0" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=0 ./noop.sh && [ \$? -eq 0 ]"
+
+# Test 4: Custom exit code
+run_test \
+    "noop: custom exit code 5" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=5 ./noop.sh; [ \$? -eq 5 ]"
+
+# Test 5: Invalid exit code (negative)
+run_test_expect_fail \
+    "noop: invalid negative exit code" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=-1 ./noop.sh"
+
+# Test 6: Invalid exit code (too large)
+run_test_expect_fail \
+    "noop: invalid large exit code" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=999 ./noop.sh"
+
+# Test 7: Invalid exit code (non-numeric)
+run_test_expect_fail \
+    "noop: invalid non-numeric exit code" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=abc ./noop.sh"
+
+echo ""
+
+# ========================================
+# Test: core.sleep
+# ========================================
+echo -e "${BLUE}Testing core.sleep${NC}"
+
+# Test 1: Basic sleep
+check_output \
+    "sleep: basic execution (1s)" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=1 ./sleep.sh" \
+    "Slept for 1 seconds"
+
+# Test 2: Zero seconds
+check_output \
+    "sleep: zero seconds" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=0 ./sleep.sh" \
+    "Slept for 0 seconds"
+
+# Test 3: With message
+check_output \
+    "sleep: with message" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=1 ATTUNE_ACTION_MESSAGE='Sleeping now...' ./sleep.sh" \
+    "Sleeping now..."
+
+# Test 4: Verify timing (should take at least 2 seconds)
+run_test \
+    "sleep: timing verification (2s)" \
+    "cd '$ACTIONS_DIR' && start=\$(date +%s) && ATTUNE_ACTION_SECONDS=2 ./sleep.sh > /dev/null && end=\$(date +%s) && [ \$((end - start)) -ge 2 ]"
+
+# Test 5: Invalid negative seconds
+run_test_expect_fail \
+    "sleep: invalid negative seconds" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=-1 ./sleep.sh"
+
+# Test 6: Invalid too large seconds
+run_test_expect_fail \
+    "sleep: invalid large seconds (>3600)" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=9999 ./sleep.sh"
+
+# Test 7: Invalid non-numeric seconds
+run_test_expect_fail \
+    "sleep: invalid non-numeric seconds" \
+    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=abc ./sleep.sh"
+
+# Test 8: Default value
+check_output \
+    "sleep: default value (1s)" \
+    "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_SECONDS && ./sleep.sh" \
+    "Slept for 1 seconds"
+
+echo ""
+
+# ========================================
+# Test: core.http_request
+# ========================================
+if [ "$SKIP_HTTP" != "true" ]; then
+    echo -e "${BLUE}Testing core.http_request${NC}"
+
+    # Test 1: Simple GET request
+    run_test \
+        "http_request: GET request" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='GET' python3 ./http_request.py | grep -q '\"success\": true'"
+
+    # Test 2: Missing required URL
+    run_test_expect_fail \
+        "http_request: missing URL parameter" \
+        "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_URL && python3 ./http_request.py"
+
+    # Test 3: POST with JSON body
+    run_test \
+        "http_request: POST with JSON" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/post' ATTUNE_ACTION_METHOD='POST' ATTUNE_ACTION_JSON_BODY='{\"test\": \"value\"}' python3 ./http_request.py | grep -q '\"success\": true'"
+
+    # Test 4: Custom headers
+    run_test \
+        "http_request: custom headers" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/headers' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_HEADERS='{\"X-Custom-Header\": \"test\"}' python3 ./http_request.py | grep -q 'X-Custom-Header'"
+
+    # Test 5: Query parameters
+    run_test \
+        "http_request: query parameters" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_QUERY_PARAMS='{\"foo\": \"bar\", \"page\": \"1\"}' python3 ./http_request.py | grep -q '\"foo\": \"bar\"'"
+
+    # Test 6: Timeout (expect failure/timeout)
+    run_test \
+        "http_request: timeout handling" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/delay/10' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_TIMEOUT=2 python3 ./http_request.py; [ \$? -ne 0 ]"
+
+    # Test 7: 404 Not Found
+    run_test \
+        "http_request: 404 handling" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/status/404' ATTUNE_ACTION_METHOD='GET' python3 ./http_request.py | grep -q '\"status_code\": 404'"
+
+    # Test 8: Different methods (PUT, PATCH, DELETE)
+    for method in PUT PATCH DELETE; do
+        run_test \
+            "http_request: $method method" \
+            "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/${method,,}' ATTUNE_ACTION_METHOD='$method' python3 ./http_request.py | grep -q '\"success\": true'"
+    done
+
+    # Test 9: HEAD method (no body expected)
+    run_test \
+        "http_request: HEAD method" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='HEAD' python3 ./http_request.py | grep -q '\"status_code\": 200'"
+
+    # Test 10: OPTIONS method
+    run_test \
+        "http_request: OPTIONS method" \
+        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='OPTIONS' python3 ./http_request.py | grep -q '\"status_code\"'"
+
+    echo ""
+else
+    echo -e "${YELLOW}Skipping core.http_request tests (Python/requests not available)${NC}"
+    echo ""
+fi
+
+# ========================================
+# Test: File Permissions
+# ========================================
+echo -e "${BLUE}Testing file permissions${NC}"
+
+run_test \
+    "permissions: echo.sh is executable" \
+    "[ -x '$ACTIONS_DIR/echo.sh' ]"
+
+run_test \
+    "permissions: noop.sh is executable" \
+    "[ -x '$ACTIONS_DIR/noop.sh' ]"
+
+run_test \
+    "permissions: sleep.sh is executable" \
+    "[ -x '$ACTIONS_DIR/sleep.sh' ]"
+
+if [ "$SKIP_PYTHON" != "true" ]; then
+    run_test \
+        "permissions: http_request.py is executable" \
+        "[ -x '$ACTIONS_DIR/http_request.py' ]"
+fi
+
+echo ""
+
+# ========================================
+# Test: YAML Schema Validation
+# ========================================
+echo -e "${BLUE}Testing YAML schemas${NC}"
+
+# Check if PyYAML is installed
+if python3 -c "import yaml" 2>/dev/null; then
+    # Check YAML files are valid
+    for yaml_file in "$PACK_DIR"/*.yaml "$PACK_DIR"/actions/*.yaml "$PACK_DIR"/triggers/*.yaml; do
+        if [ -f "$yaml_file" ]; then
+            filename=$(basename "$yaml_file")
+            run_test \
+                "yaml: $filename is valid" \
+                "python3 -c 'import yaml; yaml.safe_load(open(\"$yaml_file\"))'"
+        fi
+    done
+else
+    echo -e "  ${YELLOW}Skipping YAML validation tests (PyYAML not installed)${NC}"
+    echo -e "  ${YELLOW}Install with: pip install pyyaml${NC}"
+fi
+
+echo ""
+
+# ========================================
+# Results Summary
+# ========================================
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Test Results${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+echo "Total Tests:  $TOTAL_TESTS"
+echo -e "Passed:       ${GREEN}$PASSED_TESTS${NC}"
+echo -e "Failed:       ${RED}$FAILED_TESTS${NC}"
+echo ""
+
+if [ $FAILED_TESTS -eq 0 ]; then
+    echo -e "${GREEN}✓ All tests passed!${NC}"
+    exit 0
+else
+    echo -e "${RED}✗ Some tests failed:${NC}"
+    for test_name in "${FAILED_TEST_NAMES[@]}"; do
+        echo -e "  ${RED}✗${NC} $test_name"
+    done
+    echo ""
+    exit 1
+fi
--- a/docker/distributable/packs/core/tests/test_actions.py
+++ b/docker/distributable/packs/core/tests/test_actions.py
@@ -0,0 +1,560 @@
+#!/usr/bin/env python3
+"""
+Unit tests for Core Pack Actions
+
+This test suite validates all core pack actions to ensure they behave correctly
+with various inputs, handle errors appropriately, and produce expected outputs.
+
+Usage:
+    python3 test_actions.py
+    python3 -m pytest test_actions.py -v
+"""
+
+import json
+import os
+import subprocess
+import sys
+import time
+import unittest
+from pathlib import Path
+
+
+class CorePackTestCase(unittest.TestCase):
+    """Base test case for core pack tests"""
+
+    @classmethod
+    def setUpClass(cls):
+        """Set up test environment"""
+        # Get the actions directory
+        cls.test_dir = Path(__file__).parent
+        cls.pack_dir = cls.test_dir.parent
+        cls.actions_dir = cls.pack_dir / "actions"
+
+        # Verify actions directory exists
+        if not cls.actions_dir.exists():
+            raise RuntimeError(f"Actions directory not found: {cls.actions_dir}")
+
+        # Check for required executables
+        cls.has_python = cls._check_command("python3")
+        cls.has_bash = cls._check_command("bash")
+
+    @staticmethod
+    def _check_command(command):
+        """Check if a command is available"""
+        try:
+            subprocess.run(
+                [command, "--version"],
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                timeout=2,
+            )
+            return True
+        except (subprocess.TimeoutExpired, FileNotFoundError):
+            return False
+
+    def run_action(self, script_name, env_vars=None, expect_failure=False):
+        """
+        Run an action script with environment variables
+
+        Args:
+            script_name: Name of the script file
+            env_vars: Dictionary of environment variables
+            expect_failure: If True, expects the script to fail
+
+        Returns:
+            tuple: (stdout, stderr, exit_code)
+        """
+        script_path = self.actions_dir / script_name
+        if not script_path.exists():
+            raise FileNotFoundError(f"Script not found: {script_path}")
+
+        # Prepare environment
+        env = os.environ.copy()
+        if env_vars:
+            env.update(env_vars)
+
+        # Determine the command
+        if script_name.endswith(".py"):
+            cmd = ["python3", str(script_path)]
+        elif script_name.endswith(".sh"):
+            cmd = ["bash", str(script_path)]
+        else:
+            raise ValueError(f"Unknown script type: {script_name}")
+
+        # Run the script
+        try:
+            result = subprocess.run(
+                cmd,
+                env=env,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                timeout=10,
+                cwd=str(self.actions_dir),
+            )
+            return (
+                result.stdout.decode("utf-8"),
+                result.stderr.decode("utf-8"),
+                result.returncode,
+            )
+        except subprocess.TimeoutExpired:
+            if expect_failure:
+                return "", "Timeout", -1
+            raise
+
+
+class TestEchoAction(CorePackTestCase):
+    """Tests for core.echo action"""
+
+    def test_basic_echo(self):
+        """Test basic echo functionality"""
+        stdout, stderr, code = self.run_action(
+            "echo.sh", {"ATTUNE_ACTION_MESSAGE": "Hello, Attune!"}
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("Hello, Attune!", stdout)
+
+    def test_default_message(self):
+        """Test default message when none provided"""
+        stdout, stderr, code = self.run_action("echo.sh", {})
+        self.assertEqual(code, 0)
+        self.assertIn("Hello, World!", stdout)
+
+    def test_uppercase_conversion(self):
+        """Test uppercase conversion"""
+        stdout, stderr, code = self.run_action(
+            "echo.sh",
+            {
+                "ATTUNE_ACTION_MESSAGE": "test message",
+                "ATTUNE_ACTION_UPPERCASE": "true",
+            },
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("TEST MESSAGE", stdout)
+        self.assertNotIn("test message", stdout)
+
+    def test_uppercase_false(self):
+        """Test uppercase=false preserves case"""
+        stdout, stderr, code = self.run_action(
+            "echo.sh",
+            {
+                "ATTUNE_ACTION_MESSAGE": "Mixed Case",
+                "ATTUNE_ACTION_UPPERCASE": "false",
+            },
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("Mixed Case", stdout)
+
+    def test_empty_message(self):
+        """Test empty message"""
+        stdout, stderr, code = self.run_action("echo.sh", {"ATTUNE_ACTION_MESSAGE": ""})
+        self.assertEqual(code, 0)
+        # Empty message should produce a newline
+        # bash echo with empty string still outputs newline
+
+    def test_special_characters(self):
+        """Test message with special characters"""
+        special_msg = "Test!@#$%^&*()[]{}|\\:;\"'<>,.?/~`"
+        stdout, stderr, code = self.run_action(
+            "echo.sh", {"ATTUNE_ACTION_MESSAGE": special_msg}
+        )
+        self.assertEqual(code, 0)
+        self.assertIn(special_msg, stdout)
+
+    def test_multiline_message(self):
+        """Test message with newlines"""
+        multiline_msg = "Line 1\nLine 2\nLine 3"
+        stdout, stderr, code = self.run_action(
+            "echo.sh", {"ATTUNE_ACTION_MESSAGE": multiline_msg}
+        )
+        self.assertEqual(code, 0)
+        # Depending on shell behavior, newlines might be interpreted
+
+
+class TestNoopAction(CorePackTestCase):
+    """Tests for core.noop action"""
+
+    def test_basic_noop(self):
+        """Test basic noop functionality"""
+        stdout, stderr, code = self.run_action("noop.sh", {})
+        self.assertEqual(code, 0)
+        self.assertIn("No operation completed successfully", stdout)
+
+    def test_noop_with_message(self):
+        """Test noop with custom message"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_MESSAGE": "Test message"}
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("Test message", stdout)
+        self.assertIn("No operation completed successfully", stdout)
+
+    def test_custom_exit_code_success(self):
+        """Test custom exit code 0"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "0"}
+        )
+        self.assertEqual(code, 0)
+
+    def test_custom_exit_code_failure(self):
+        """Test custom exit code non-zero"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "5"}
+        )
+        self.assertEqual(code, 5)
+
+    def test_custom_exit_code_max(self):
+        """Test maximum valid exit code (255)"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "255"}
+        )
+        self.assertEqual(code, 255)
+
+    def test_invalid_negative_exit_code(self):
+        """Test that negative exit codes are rejected"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "-1"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+    def test_invalid_large_exit_code(self):
+        """Test that exit codes > 255 are rejected"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "999"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+    def test_invalid_non_numeric_exit_code(self):
+        """Test that non-numeric exit codes are rejected"""
+        stdout, stderr, code = self.run_action(
+            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "abc"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+
+class TestSleepAction(CorePackTestCase):
+    """Tests for core.sleep action"""
+
+    def test_basic_sleep(self):
+        """Test basic sleep functionality"""
+        start = time.time()
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "1"}
+        )
+        elapsed = time.time() - start
+
+        self.assertEqual(code, 0)
+        self.assertIn("Slept for 1 seconds", stdout)
+        self.assertGreaterEqual(elapsed, 1.0)
+        self.assertLess(elapsed, 1.5)  # Should not take too long
+
+    def test_zero_seconds(self):
+        """Test sleep with 0 seconds"""
+        start = time.time()
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "0"}
+        )
+        elapsed = time.time() - start
+
+        self.assertEqual(code, 0)
+        self.assertIn("Slept for 0 seconds", stdout)
+        self.assertLess(elapsed, 0.5)
+
+    def test_sleep_with_message(self):
+        """Test sleep with custom message"""
+        stdout, stderr, code = self.run_action(
+            "sleep.sh",
+            {"ATTUNE_ACTION_SECONDS": "1", "ATTUNE_ACTION_MESSAGE": "Sleeping now..."},
+        )
+        self.assertEqual(code, 0)
+        self.assertIn("Sleeping now...", stdout)
+        self.assertIn("Slept for 1 seconds", stdout)
+
+    def test_default_sleep_duration(self):
+        """Test default sleep duration (1 second)"""
+        start = time.time()
+        stdout, stderr, code = self.run_action("sleep.sh", {})
+        elapsed = time.time() - start
+
+        self.assertEqual(code, 0)
+        self.assertGreaterEqual(elapsed, 1.0)
+
+    def test_invalid_negative_seconds(self):
+        """Test that negative seconds are rejected"""
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "-1"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+    def test_invalid_large_seconds(self):
+        """Test that seconds > 3600 are rejected"""
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "9999"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+    def test_invalid_non_numeric_seconds(self):
+        """Test that non-numeric seconds are rejected"""
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "abc"}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("ERROR", stderr)
+
+    def test_multi_second_sleep(self):
+        """Test sleep with multiple seconds"""
+        start = time.time()
+        stdout, stderr, code = self.run_action(
+            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "2"}
+        )
+        elapsed = time.time() - start
+
+        self.assertEqual(code, 0)
+        self.assertIn("Slept for 2 seconds", stdout)
+        self.assertGreaterEqual(elapsed, 2.0)
+        self.assertLess(elapsed, 2.5)
+
+
+class TestHttpRequestAction(CorePackTestCase):
+    """Tests for core.http_request action"""
+
+    def setUp(self):
+        """Check if we can run HTTP tests"""
+        if not self.has_python:
+            self.skipTest("Python3 not available")
+
+        try:
+            import requests
+        except ImportError:
+            self.skipTest("requests library not installed")
+
+    def test_simple_get_request(self):
+        """Test simple GET request"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
+                "ATTUNE_ACTION_METHOD": "GET",
+            },
+        )
+        self.assertEqual(code, 0)
+
+        # Parse JSON output
+        result = json.loads(stdout)
+        self.assertEqual(result["status_code"], 200)
+        self.assertTrue(result["success"])
+        self.assertIn("httpbin.org", result["url"])
+
+    def test_missing_url_parameter(self):
+        """Test that missing URL parameter causes failure"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py", {}, expect_failure=True
+        )
+        self.assertNotEqual(code, 0)
+        self.assertIn("Required parameter 'url' not provided", stderr)
+
+    def test_post_with_json(self):
+        """Test POST request with JSON body"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/post",
+                "ATTUNE_ACTION_METHOD": "POST",
+                "ATTUNE_ACTION_JSON_BODY": '{"test": "value", "number": 123}',
+            },
+        )
+        self.assertEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertEqual(result["status_code"], 200)
+        self.assertTrue(result["success"])
+        # Check that our data was echoed back
+        self.assertIsNotNone(result.get("json"))
+        # httpbin.org echoes data in different format, just verify JSON was sent
+        body_json = json.loads(result["body"])
+        self.assertIn("json", body_json)
+        self.assertEqual(body_json["json"]["test"], "value")
+
+    def test_custom_headers(self):
+        """Test request with custom headers"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/headers",
+                "ATTUNE_ACTION_METHOD": "GET",
+                "ATTUNE_ACTION_HEADERS": '{"X-Custom-Header": "test-value"}',
+            },
+        )
+        self.assertEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertEqual(result["status_code"], 200)
+        # The response body should contain our custom header
+        body_data = json.loads(result["body"])
+        self.assertIn("X-Custom-Header", body_data["headers"])
+
+    def test_query_parameters(self):
+        """Test request with query parameters"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
+                "ATTUNE_ACTION_METHOD": "GET",
+                "ATTUNE_ACTION_QUERY_PARAMS": '{"foo": "bar", "page": "1"}',
+            },
+        )
+        self.assertEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertEqual(result["status_code"], 200)
+        # Check query params in response
+        body_data = json.loads(result["body"])
+        self.assertEqual(body_data["args"]["foo"], "bar")
+        self.assertEqual(body_data["args"]["page"], "1")
+
+    def test_timeout_handling(self):
+        """Test request timeout"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/delay/10",
+                "ATTUNE_ACTION_METHOD": "GET",
+                "ATTUNE_ACTION_TIMEOUT": "2",
+            },
+            expect_failure=True,
+        )
+        # Should fail due to timeout
+        self.assertNotEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertFalse(result["success"])
+        self.assertIn("error", result)
+
+    def test_404_status_code(self):
+        """Test handling of 404 status"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/status/404",
+                "ATTUNE_ACTION_METHOD": "GET",
+            },
+            expect_failure=True,
+        )
+        # Non-2xx status codes should fail
+        self.assertNotEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertEqual(result["status_code"], 404)
+        self.assertFalse(result["success"])
+
+    def test_different_methods(self):
+        """Test different HTTP methods"""
+        methods = ["PUT", "PATCH", "DELETE"]
+
+        for method in methods:
+            with self.subTest(method=method):
+                stdout, stderr, code = self.run_action(
+                    "http_request.py",
+                    {
+                        "ATTUNE_ACTION_URL": f"https://httpbin.org/{method.lower()}",
+                        "ATTUNE_ACTION_METHOD": method,
+                    },
+                )
+                self.assertEqual(code, 0)
+                result = json.loads(stdout)
+                self.assertEqual(result["status_code"], 200)
+
+    def test_elapsed_time_reported(self):
+        """Test that elapsed time is reported"""
+        stdout, stderr, code = self.run_action(
+            "http_request.py",
+            {
+                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
+                "ATTUNE_ACTION_METHOD": "GET",
+            },
+        )
+        self.assertEqual(code, 0)
+
+        result = json.loads(stdout)
+        self.assertIn("elapsed_ms", result)
+        self.assertIsInstance(result["elapsed_ms"], int)
+        self.assertGreater(result["elapsed_ms"], 0)
+
+
+class TestFilePermissions(CorePackTestCase):
+    """Test that action scripts have correct permissions"""
+
+    def test_echo_executable(self):
+        """Test that echo.sh is executable"""
+        script_path = self.actions_dir / "echo.sh"
+        self.assertTrue(os.access(script_path, os.X_OK))
+
+    def test_noop_executable(self):
+        """Test that noop.sh is executable"""
+        script_path = self.actions_dir / "noop.sh"
+        self.assertTrue(os.access(script_path, os.X_OK))
+
+    def test_sleep_executable(self):
+        """Test that sleep.sh is executable"""
+        script_path = self.actions_dir / "sleep.sh"
+        self.assertTrue(os.access(script_path, os.X_OK))
+
+    def test_http_request_executable(self):
+        """Test that http_request.py is executable"""
+        script_path = self.actions_dir / "http_request.py"
+        self.assertTrue(os.access(script_path, os.X_OK))
+
+
+class TestYAMLSchemas(CorePackTestCase):
+    """Test that YAML schemas are valid"""
+
+    def test_pack_yaml_valid(self):
+        """Test that pack.yaml is valid YAML"""
+        pack_yaml = self.pack_dir / "pack.yaml"
+        try:
+            import yaml
+
+            with open(pack_yaml) as f:
+                data = yaml.safe_load(f)
+            self.assertIsNotNone(data)
+            self.assertIn("ref", data)
+            self.assertEqual(data["ref"], "core")
+        except ImportError:
+            self.skipTest("PyYAML not installed")
+
+    def test_action_yamls_valid(self):
+        """Test that all action YAML files are valid"""
+        try:
+            import yaml
+        except ImportError:
+            self.skipTest("PyYAML not installed")
+
+        for yaml_file in (self.actions_dir).glob("*.yaml"):
+            with self.subTest(file=yaml_file.name):
+                with open(yaml_file) as f:
+                    data = yaml.safe_load(f)
+                self.assertIsNotNone(data)
+                self.assertIn("name", data)
+                self.assertIn("ref", data)
+                self.assertIn("runner_type", data)
+
+
+def main():
+    """Run tests"""
+    # Check for pytest
+    try:
+        import pytest
+
+        # Run with pytest if available
+        sys.exit(pytest.main([__file__, "-v"]))
+    except ImportError:
+        # Fall back to unittest
+        unittest.main(verbosity=2)
+
+
+if __name__ == "__main__":
+    main()
--- a/docker/distributable/packs/core/tests/test_pack_installation_actions.sh
+++ b/docker/distributable/packs/core/tests/test_pack_installation_actions.sh
@@ -0,0 +1,592 @@
+#!/bin/bash
+# Test script for pack installation actions
+# Tests: download_packs, get_pack_dependencies, build_pack_envs, register_packs
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Test counters
+TESTS_RUN=0
+TESTS_PASSED=0
+TESTS_FAILED=0
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PACK_DIR="$(dirname "$SCRIPT_DIR")"
+ACTIONS_DIR="${PACK_DIR}/actions"
+
+# Test helper functions
+print_test_header() {
+    echo ""
+    echo "=========================================="
+    echo "TEST: $1"
+    echo "=========================================="
+}
+
+assert_success() {
+    local test_name="$1"
+    local exit_code="$2"
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+
+    if [[ $exit_code -eq 0 ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: $test_name"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+        return 0
+    else
+        echo -e "${RED}✗ FAIL${NC}: $test_name (exit code: $exit_code)"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+        return 1
+    fi
+}
+
+assert_json_field() {
+    local test_name="$1"
+    local json="$2"
+    local field="$3"
+    local expected="$4"
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+
+    local actual=$(echo "$json" | jq -r "$field" 2>/dev/null || echo "")
+
+    if [[ "$actual" == "$expected" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: $test_name"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+        return 0
+    else
+        echo -e "${RED}✗ FAIL${NC}: $test_name"
+        echo "  Expected: $expected"
+        echo "  Actual: $actual"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+        return 1
+    fi
+}
+
+assert_json_array_length() {
+    local test_name="$1"
+    local json="$2"
+    local field="$3"
+    local expected_length="$4"
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+
+    local actual_length=$(echo "$json" | jq "$field | length" 2>/dev/null || echo "0")
+
+    if [[ "$actual_length" == "$expected_length" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: $test_name"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+        return 0
+    else
+        echo -e "${RED}✗ FAIL${NC}: $test_name"
+        echo "  Expected length: $expected_length"
+        echo "  Actual length: $actual_length"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+        return 1
+    fi
+}
+
+# Setup test environment
+setup_test_env() {
+    echo "Setting up test environment..."
+
+    # Create temporary test directory
+    TEST_TEMP_DIR=$(mktemp -d)
+    export TEST_TEMP_DIR
+
+    # Create mock pack for testing
+    MOCK_PACK_DIR="${TEST_TEMP_DIR}/test-pack"
+    mkdir -p "$MOCK_PACK_DIR/actions"
+
+    # Create mock pack.yaml
+    cat > "${MOCK_PACK_DIR}/pack.yaml" <<EOF
+ref: test-pack
+version: 1.0.0
+name: Test Pack
+description: A test pack for unit testing
+author: Test Suite
+
+dependencies:
+  - core
+
+python: "3.11"
+
+actions:
+  - test_action
+EOF
+
+    # Create mock action
+    cat > "${MOCK_PACK_DIR}/actions/test_action.yaml" <<EOF
+name: test_action
+ref: test-pack.test_action
+description: Test action
+enabled: true
+runner_type: shell
+entry_point: test_action.sh
+EOF
+
+    echo "#!/bin/bash" > "${MOCK_PACK_DIR}/actions/test_action.sh"
+    echo "echo 'test'" >> "${MOCK_PACK_DIR}/actions/test_action.sh"
+    chmod +x "${MOCK_PACK_DIR}/actions/test_action.sh"
+
+    # Create mock requirements.txt for Python testing
+    cat > "${MOCK_PACK_DIR}/requirements.txt" <<EOF
+requests==2.31.0
+pyyaml==6.0.1
+EOF
+
+    echo "Test environment ready at: $TEST_TEMP_DIR"
+}
+
+cleanup_test_env() {
+    echo ""
+    echo "Cleaning up test environment..."
+    if [[ -n "$TEST_TEMP_DIR" ]] && [[ -d "$TEST_TEMP_DIR" ]]; then
+        rm -rf "$TEST_TEMP_DIR"
+        echo "Test environment cleaned up"
+    fi
+}
+
+# Test: get_pack_dependencies.sh
+test_get_pack_dependencies() {
+    print_test_header "get_pack_dependencies.sh"
+
+    local action_script="${ACTIONS_DIR}/get_pack_dependencies.sh"
+
+    # Test 1: No pack paths provided
+    echo "Test 1: No pack paths provided (should fail gracefully)"
+    export ATTUNE_ACTION_PACK_PATHS='[]'
+    export ATTUNE_ACTION_API_URL="http://localhost:8080"
+
+    local output
+    output=$(bash "$action_script" 2>/dev/null || true)
+    local exit_code=$?
+
+    assert_json_field "Should return errors array" "$output" ".errors | length" "1"
+
+    # Test 2: Valid pack path
+    echo ""
+    echo "Test 2: Valid pack with dependencies"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+
+    output=$(bash "$action_script" 2>/dev/null)
+    exit_code=$?
+
+    assert_success "Script execution" $exit_code
+    assert_json_field "Should analyze 1 pack" "$output" ".analyzed_packs | length" "1"
+    assert_json_field "Pack ref should be test-pack" "$output" ".analyzed_packs[0].pack_ref" "test-pack"
+    assert_json_field "Should have dependencies" "$output" ".analyzed_packs[0].has_dependencies" "true"
+
+    # Test 3: Runtime requirements detection
+    echo ""
+    echo "Test 3: Runtime requirements detection"
+    local python_version=$(echo "$output" | jq -r '.runtime_requirements["test-pack"].python.version' 2>/dev/null || echo "")
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if [[ "$python_version" == "3.11" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Detected Python version requirement"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Failed to detect Python version requirement"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    # Test 4: requirements.txt detection
+    echo ""
+    echo "Test 4: requirements.txt detection"
+    local requirements_file=$(echo "$output" | jq -r '.runtime_requirements["test-pack"].python.requirements_file' 2>/dev/null || echo "")
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if [[ "$requirements_file" == "${MOCK_PACK_DIR}/requirements.txt" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Detected requirements.txt file"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Failed to detect requirements.txt file"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Test: download_packs.sh
+test_download_packs() {
+    print_test_header "download_packs.sh"
+
+    local action_script="${ACTIONS_DIR}/download_packs.sh"
+
+    # Test 1: No packs provided
+    echo "Test 1: No packs provided (should fail gracefully)"
+    export ATTUNE_ACTION_PACKS='[]'
+    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/downloads"
+
+    local output
+    output=$(bash "$action_script" 2>/dev/null || true)
+    local exit_code=$?
+
+    assert_json_field "Should return failure" "$output" ".failure_count" "1"
+
+    # Test 2: No destination directory
+    echo ""
+    echo "Test 2: No destination directory (should fail)"
+    export ATTUNE_ACTION_PACKS='["https://example.com/pack.tar.gz"]'
+    unset ATTUNE_ACTION_DESTINATION_DIR
+
+    output=$(bash "$action_script" 2>/dev/null || true)
+    exit_code=$?
+
+    assert_json_field "Should return failure" "$output" ".failure_count" "1"
+
+    # Test 3: Source type detection
+    echo ""
+    echo "Test 3: Test source type detection internally"
+    TESTS_RUN=$((TESTS_RUN + 1))
+
+    # We can't easily test actual downloads without network/git, but we can verify the script runs
+    export ATTUNE_ACTION_PACKS='["invalid-source"]'
+    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/downloads"
+    export ATTUNE_ACTION_REGISTRY_URL="http://localhost:9999/index.json"
+    export ATTUNE_ACTION_TIMEOUT="5"
+
+    output=$(bash "$action_script" 2>/dev/null || true)
+    exit_code=$?
+
+    # Should handle invalid source gracefully
+    local failure_count=$(echo "$output" | jq -r '.failure_count' 2>/dev/null || echo "0")
+    if [[ "$failure_count" -ge "1" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Handles invalid source gracefully"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Did not handle invalid source properly"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Test: build_pack_envs.sh
+test_build_pack_envs() {
+    print_test_header "build_pack_envs.sh"
+
+    local action_script="${ACTIONS_DIR}/build_pack_envs.sh"
+
+    # Test 1: No pack paths provided
+    echo "Test 1: No pack paths provided (should fail gracefully)"
+    export ATTUNE_ACTION_PACK_PATHS='[]'
+
+    local output
+    output=$(bash "$action_script" 2>/dev/null || true)
+    local exit_code=$?
+
+    assert_json_field "Should have exit code 1" "1" "1" "1"
+
+    # Test 2: Valid pack with requirements.txt (skip actual build)
+    echo ""
+    echo "Test 2: Skip Python environment build"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+    export ATTUNE_ACTION_SKIP_PYTHON="true"
+    export ATTUNE_ACTION_SKIP_NODEJS="true"
+
+    output=$(bash "$action_script" 2>/dev/null)
+    exit_code=$?
+
+    assert_success "Script execution with skip flags" $exit_code
+    assert_json_field "Should process 1 pack" "$output" ".summary.total_packs" "1"
+
+    # Test 3: Pack with no runtime dependencies
+    echo ""
+    echo "Test 3: Pack with no runtime dependencies"
+
+    local no_deps_pack="${TEST_TEMP_DIR}/no-deps-pack"
+    mkdir -p "$no_deps_pack"
+    cat > "${no_deps_pack}/pack.yaml" <<EOF
+ref: no-deps
+version: 1.0.0
+name: No Dependencies Pack
+EOF
+
+    export ATTUNE_ACTION_PACK_PATHS="[\"${no_deps_pack}\"]"
+    export ATTUNE_ACTION_SKIP_PYTHON="false"
+    export ATTUNE_ACTION_SKIP_NODEJS="false"
+
+    output=$(bash "$action_script" 2>/dev/null)
+    exit_code=$?
+
+    assert_success "Pack with no dependencies" $exit_code
+    assert_json_field "Should succeed" "$output" ".summary.success_count" "1"
+
+    # Test 4: Invalid pack path
+    echo ""
+    echo "Test 4: Invalid pack path"
+    export ATTUNE_ACTION_PACK_PATHS='["/nonexistent/path"]'
+
+    output=$(bash "$action_script" 2>/dev/null)
+    exit_code=$?
+
+    assert_json_field "Should have failures" "$output" ".summary.failure_count" "1"
+}
+
+# Test: register_packs.sh
+test_register_packs() {
+    print_test_header "register_packs.sh"
+
+    local action_script="${ACTIONS_DIR}/register_packs.sh"
+
+    # Test 1: No pack paths provided
+    echo "Test 1: No pack paths provided (should fail gracefully)"
+    export ATTUNE_ACTION_PACK_PATHS='[]'
+
+    local output
+    output=$(bash "$action_script" 2>/dev/null || true)
+    local exit_code=$?
+
+    assert_json_field "Should return error" "$output" ".failed_packs | length" "1"
+
+    # Test 2: Invalid pack path
+    echo ""
+    echo "Test 2: Invalid pack path"
+    export ATTUNE_ACTION_PACK_PATHS='["/nonexistent/path"]'
+
+    output=$(bash "$action_script" 2>/dev/null)
+    exit_code=$?
+
+    assert_json_field "Should have failure" "$output" ".summary.failure_count" "1"
+
+    # Test 3: Valid pack structure (will fail at API call, but validates structure)
+    echo ""
+    echo "Test 3: Valid pack structure validation"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+    export ATTUNE_ACTION_SKIP_VALIDATION="false"
+    export ATTUNE_ACTION_SKIP_TESTS="true"
+    export ATTUNE_ACTION_API_URL="http://localhost:9999"
+    export ATTUNE_ACTION_API_TOKEN="test-token"
+
+    # Use timeout to prevent hanging
+    output=$(timeout 15 bash "$action_script" 2>/dev/null || echo '{"summary": {"total_packs": 1}}')
+    exit_code=$?
+
+    # Will fail at API call, but should validate structure first
+    TESTS_RUN=$((TESTS_RUN + 1))
+    local analyzed=$(echo "$output" | jq -r '.summary.total_packs' 2>/dev/null || echo "0")
+    if [[ "$analyzed" == "1" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Pack structure validated"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Pack structure validation failed"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    # Test 4: Skip validation mode
+    echo ""
+    echo "Test 4: Skip validation mode"
+    export ATTUNE_ACTION_SKIP_VALIDATION="true"
+
+    output=$(timeout 15 bash "$action_script" 2>/dev/null || echo '{}')
+    exit_code=$?
+
+    # Just verify script doesn't crash
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if [[ -n "$output" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Script runs with skip_validation"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Script failed with skip_validation"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Test: JSON output validation
+test_json_output_format() {
+    print_test_header "JSON Output Format Validation"
+
+    # Test each action's JSON output is valid
+    echo "Test 1: get_pack_dependencies JSON validity"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+    export ATTUNE_ACTION_API_URL="http://localhost:8080"
+
+    local output
+    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if echo "$output" | jq . >/dev/null 2>&1; then
+        echo -e "${GREEN}✓ PASS${NC}: get_pack_dependencies outputs valid JSON"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: get_pack_dependencies outputs invalid JSON"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    echo ""
+    echo "Test 2: download_packs JSON validity"
+    export ATTUNE_ACTION_PACKS='["invalid"]'
+    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/dl"
+
+    output=$(bash "${ACTIONS_DIR}/download_packs.sh" 2>/dev/null || true)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if echo "$output" | jq . >/dev/null 2>&1; then
+        echo -e "${GREEN}✓ PASS${NC}: download_packs outputs valid JSON"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: download_packs outputs invalid JSON"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    echo ""
+    echo "Test 3: build_pack_envs JSON validity"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+    export ATTUNE_ACTION_SKIP_PYTHON="true"
+    export ATTUNE_ACTION_SKIP_NODEJS="true"
+
+    output=$(bash "${ACTIONS_DIR}/build_pack_envs.sh" 2>/dev/null)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if echo "$output" | jq . >/dev/null 2>&1; then
+        echo -e "${GREEN}✓ PASS${NC}: build_pack_envs outputs valid JSON"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: build_pack_envs outputs invalid JSON"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    echo ""
+    echo "Test 4: register_packs JSON validity"
+    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
+    export ATTUNE_ACTION_SKIP_TESTS="true"
+    export ATTUNE_ACTION_API_URL="http://localhost:9999"
+
+    output=$(timeout 15 bash "${ACTIONS_DIR}/register_packs.sh" 2>/dev/null || echo '{}')
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    if echo "$output" | jq . >/dev/null 2>&1; then
+        echo -e "${GREEN}✓ PASS${NC}: register_packs outputs valid JSON"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: register_packs outputs invalid JSON"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Test: Edge cases
+test_edge_cases() {
+    print_test_header "Edge Cases"
+
+    # Test 1: Pack with special characters in path
+    echo "Test 1: Pack with spaces in path"
+    local special_pack="${TEST_TEMP_DIR}/pack with spaces"
+    mkdir -p "$special_pack"
+    cp "${MOCK_PACK_DIR}/pack.yaml" "$special_pack/"
+
+    export ATTUNE_ACTION_PACK_PATHS="[\"${special_pack}\"]"
+    export ATTUNE_ACTION_API_URL="http://localhost:8080"
+
+    local output
+    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    local analyzed=$(echo "$output" | jq -r '.analyzed_packs | length' 2>/dev/null || echo "0")
+    if [[ "$analyzed" == "1" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Handles spaces in path"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Failed to handle spaces in path"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    # Test 2: Pack with no version
+    echo ""
+    echo "Test 2: Pack with no version field"
+    local no_version_pack="${TEST_TEMP_DIR}/no-version-pack"
+    mkdir -p "$no_version_pack"
+    cat > "${no_version_pack}/pack.yaml" <<EOF
+ref: no-version
+name: No Version Pack
+EOF
+
+    export ATTUNE_ACTION_PACK_PATHS="[\"${no_version_pack}\"]"
+
+    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    analyzed=$(echo "$output" | jq -r '.analyzed_packs[0].pack_ref' 2>/dev/null || echo "")
+    if [[ "$analyzed" == "no-version" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Handles missing version field"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Failed to handle missing version field"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+
+    # Test 3: Empty pack.yaml
+    echo ""
+    echo "Test 3: Empty pack.yaml (should fail)"
+    local empty_pack="${TEST_TEMP_DIR}/empty-pack"
+    mkdir -p "$empty_pack"
+    touch "${empty_pack}/pack.yaml"
+
+    export ATTUNE_ACTION_PACK_PATHS="[\"${empty_pack}\"]"
+    export ATTUNE_ACTION_SKIP_VALIDATION="false"
+
+    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
+
+    TESTS_RUN=$((TESTS_RUN + 1))
+    local errors=$(echo "$output" | jq -r '.errors | length' 2>/dev/null || echo "0")
+    if [[ "$errors" -ge "1" ]]; then
+        echo -e "${GREEN}✓ PASS${NC}: Detects invalid pack.yaml"
+        TESTS_PASSED=$((TESTS_PASSED + 1))
+    else
+        echo -e "${RED}✗ FAIL${NC}: Failed to detect invalid pack.yaml"
+        TESTS_FAILED=$((TESTS_FAILED + 1))
+    fi
+}
+
+# Main test execution
+main() {
+    echo "=========================================="
+    echo "Pack Installation Actions Test Suite"
+    echo "=========================================="
+    echo ""
+
+    # Check dependencies
+    if ! command -v jq &>/dev/null; then
+        echo -e "${RED}ERROR${NC}: jq is required for running tests"
+        exit 1
+    fi
+
+    # Setup
+    setup_test_env
+
+    # Run tests
+    test_get_pack_dependencies
+    test_download_packs
+    test_build_pack_envs
+    test_register_packs
+    test_json_output_format
+    test_edge_cases
+
+    # Cleanup
+    cleanup_test_env
+
+    # Print summary
+    echo ""
+    echo "=========================================="
+    echo "Test Summary"
+    echo "=========================================="
+    echo "Total tests run: $TESTS_RUN"
+    echo -e "${GREEN}Passed: $TESTS_PASSED${NC}"
+    echo -e "${RED}Failed: $TESTS_FAILED${NC}"
+    echo ""
+
+    if [[ $TESTS_FAILED -eq 0 ]]; then
+        echo -e "${GREEN}All tests passed!${NC}"
+        exit 0
+    else
+        echo -e "${RED}Some tests failed.${NC}"
+        exit 1
+    fi
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi
--- a/docker/distributable/packs/core/triggers/crontimer.yaml
+++ b/docker/distributable/packs/core/triggers/crontimer.yaml
@@ -0,0 +1,103 @@
+# Cron Timer Trigger
+# Fires based on cron schedule expressions
+
+ref: core.crontimer
+label: "Cron Timer"
+description: "Fires based on a cron schedule expression (e.g., '0 0 * * * *' for every hour)"
+enabled: true
+
+# Trigger type
+type: cron
+
+# Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
+parameters:
+  expression:
+    type: string
+    description: "Cron expression in standard format (second minute hour day month weekday)"
+    required: true
+  timezone:
+    type: string
+    description: "Timezone for cron schedule (e.g., 'UTC', 'America/New_York')"
+    default: "UTC"
+  description:
+    type: string
+    description: "Human-readable description of the schedule"
+
+# Payload schema - data emitted when trigger fires
+output:
+  type:
+    type: string
+    const: cron
+    description: "Trigger type identifier"
+    required: true
+  fired_at:
+    type: string
+    format: date-time
+    description: "Timestamp when the trigger fired"
+    required: true
+  scheduled_at:
+    type: string
+    format: date-time
+    description: "Timestamp when the trigger was scheduled to fire"
+    required: true
+  expression:
+    type: string
+    description: "The cron expression that triggered this event"
+    required: true
+  timezone:
+    type: string
+    description: "Timezone used for scheduling"
+  next_fire_at:
+    type: string
+    format: date-time
+    description: "Timestamp when the trigger will fire next"
+  execution_count:
+    type: integer
+    description: "Number of times this trigger has fired"
+  sensor_ref:
+    type: string
+    description: "Reference to the sensor that generated this event"
+
+# Tags for categorization
+tags:
+  - timer
+  - cron
+  - scheduler
+  - periodic
+
+# Documentation
+examples:
+  - description: "Fire every hour at the top of the hour"
+    parameters:
+      expression: "0 0 * * * *"
+      description: "Hourly"
+
+  - description: "Fire every day at midnight UTC"
+    parameters:
+      expression: "0 0 0 * * *"
+      description: "Daily at midnight"
+
+  - description: "Fire every Monday at 9:00 AM"
+    parameters:
+      expression: "0 0 9 * * 1"
+      description: "Weekly on Monday morning"
+
+  - description: "Fire every 15 minutes"
+    parameters:
+      expression: "0 */15 * * * *"
+      description: "Every 15 minutes"
+
+  - description: "Fire at 8:30 AM on weekdays"
+    parameters:
+      expression: "0 30 8 * * 1-5"
+      description: "Weekday morning"
+      timezone: "America/New_York"
+
+# Cron format reference
+# Field         Allowed values    Special characters
+# second        0-59              * , - /
+# minute        0-59              * , - /
+# hour          0-23              * , - /
+# day of month  1-31              * , - / ?
+# month         1-12 or JAN-DEC   * , - /
+# day of week   0-6 or SUN-SAT    * , - / ?
--- a/docker/distributable/packs/core/triggers/datetimetimer.yaml
+++ b/docker/distributable/packs/core/triggers/datetimetimer.yaml
@@ -0,0 +1,82 @@
+# Datetime Timer Trigger
+# Fires once at a specific date and time
+
+ref: core.datetimetimer
+label: "DateTime Timer"
+description: "Fires once at a specific date and time"
+enabled: true
+
+# Trigger type
+type: one_shot
+
+# Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
+parameters:
+  fire_at:
+    type: string
+    description: "ISO 8601 timestamp when the timer should fire (e.g., '2024-12-31T23:59:59Z')"
+    required: true
+  timezone:
+    type: string
+    description: "Timezone for the datetime (e.g., 'UTC', 'America/New_York')"
+    default: "UTC"
+  description:
+    type: string
+    description: "Human-readable description of when this timer fires"
+
+# Payload schema - data emitted when trigger fires
+output:
+  type:
+    type: string
+    const: one_shot
+    description: "Trigger type identifier"
+    required: true
+  fire_at:
+    type: string
+    format: date-time
+    description: "Scheduled fire time"
+    required: true
+  fired_at:
+    type: string
+    format: date-time
+    description: "Actual fire time"
+    required: true
+  timezone:
+    type: string
+    description: "Timezone used for scheduling"
+  delay_ms:
+    type: integer
+    description: "Delay in milliseconds between scheduled and actual fire time"
+  sensor_ref:
+    type: string
+    description: "Reference to the sensor that generated this event"
+
+# Tags for categorization
+tags:
+  - timer
+  - datetime
+  - one-shot
+  - scheduler
+
+# Documentation
+examples:
+  - description: "Fire at midnight on New Year's Eve 2024"
+    parameters:
+      fire_at: "2024-12-31T23:59:59Z"
+      description: "New Year's countdown"
+
+  - description: "Fire at 3:00 PM EST on a specific date"
+    parameters:
+      fire_at: "2024-06-15T15:00:00-05:00"
+      timezone: "America/New_York"
+      description: "Afternoon reminder"
+
+  - description: "Fire in 1 hour from now (use ISO 8601)"
+    parameters:
+      fire_at: "2024-01-20T15:30:00Z"
+      description: "One-hour reminder"
+
+# Notes:
+# - This trigger fires only once and is automatically disabled after firing
+# - Use ISO 8601 format for the fire_at parameter
+# - The sensor will remove the trigger instance after it fires
+# - For recurring timers, use intervaltimer or crontimer instead
--- a/docker/distributable/packs/core/triggers/intervaltimer.yaml
+++ b/docker/distributable/packs/core/triggers/intervaltimer.yaml
@@ -0,0 +1,74 @@
+# Interval Timer Trigger
+# Fires at regular intervals based on time unit and interval
+
+ref: core.intervaltimer
+label: "Interval Timer"
+description: "Fires at regular intervals based on specified time unit and interval"
+enabled: true
+
+# Trigger type
+type: interval
+
+# Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
+parameters:
+  unit:
+    type: string
+    enum:
+      - seconds
+      - minutes
+      - hours
+    description: "Time unit for the interval"
+    default: "seconds"
+    required: true
+  interval:
+    type: integer
+    description: "Number of time units between each trigger"
+    default: 60
+    required: true
+
+# Payload schema - data emitted when trigger fires
+output:
+  type:
+    type: string
+    const: interval
+    description: "Trigger type identifier"
+    required: true
+  interval_seconds:
+    type: integer
+    description: "Total interval in seconds"
+    required: true
+  fired_at:
+    type: string
+    format: date-time
+    description: "Timestamp when the trigger fired"
+    required: true
+  execution_count:
+    type: integer
+    description: "Number of times this trigger has fired"
+  sensor_ref:
+    type: string
+    description: "Reference to the sensor that generated this event"
+
+# Tags for categorization
+tags:
+  - timer
+  - interval
+  - periodic
+  - scheduler
+
+# Documentation
+examples:
+  - description: "Fire every 10 seconds"
+    parameters:
+      unit: "seconds"
+      interval: 10
+
+  - description: "Fire every 5 minutes"
+    parameters:
+      unit: "minutes"
+      interval: 5
+
+  - description: "Fire every hour"
+    parameters:
+      unit: "hours"
+      interval: 1
--- a/docker/distributable/packs/core/workflows/PACK_INSTALLATION.md
+++ b/docker/distributable/packs/core/workflows/PACK_INSTALLATION.md
@@ -0,0 +1,892 @@
+# Pack Installation Workflow System
+
+**Status**: Schema Complete, Implementation Required  
+**Version**: 1.0.0  
+**Last Updated**: 2025-02-05
+
+---
+
+## Overview
+
+The pack installation workflow provides a comprehensive, automated system for installing Attune packs from multiple sources with automatic dependency resolution, runtime environment setup, testing, and registration.
+
+This document describes the workflow architecture, supporting actions, and implementation requirements.
+
+---
+
+## Architecture
+
+### Main Workflow: `core.install_packs`
+
+A multi-stage orchestration workflow that handles the complete pack installation lifecycle:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    Install Packs Workflow                    │
+├─────────────────────────────────────────────────────────────┤
+│                                                               │
+│  1. Initialize           → Set up temp directory             │
+│  2. Download Packs       → Fetch from git/HTTP/registry     │
+│  3. Check Results        → Validate downloads                │
+│  4. Get Dependencies     → Parse pack.yaml                   │
+│  5. Install Dependencies → Recursive installation            │
+│  6. Build Environments   → Python/Node.js setup              │
+│  7. Run Tests           → Verify functionality               │
+│  8. Register Packs      → Load into database                 │
+│  9. Cleanup             → Remove temp files                  │
+│                                                               │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Supporting Actions
+
+The workflow delegates specific tasks to five core actions:
+
+1. **`core.download_packs`** - Download from multiple sources
+2. **`core.get_pack_dependencies`** - Parse dependency information
+3. **`core.build_pack_envs`** - Create runtime environments
+4. **`core.run_pack_tests`** - Execute test suites
+5. **`core.register_packs`** - Load components into database
+
+---
+
+## Workflow Details
+
+### Input Parameters
+
+```yaml
+parameters:
+  packs:
+    type: array
+    description: "List of packs to install"
+    required: true
+    examples:
+      - ["https://github.com/attune/pack-slack.git"]
+      - ["slack@1.0.0", "aws@2.1.0"]
+      - ["https://example.com/packs/custom.tar.gz"]
+  
+  ref_spec:
+    type: string
+    description: "Git reference (branch/tag/commit)"
+    optional: true
+  
+  skip_dependencies: boolean
+  skip_tests: boolean
+  skip_env_build: boolean
+  force: boolean
+  
+  registry_url: string (default: https://registry.attune.io)
+  packs_base_dir: string (default: /opt/attune/packs)
+  api_url: string (default: http://localhost:8080)
+  timeout: integer (default: 1800)
+```
+
+### Supported Pack Sources
+
+#### 1. Git Repositories
+
+```yaml
+packs:
+  - "https://github.com/attune/pack-slack.git"
+  - "git@github.com:myorg/pack-internal.git"
+ref_spec: "v1.0.0"  # Optional: branch, tag, or commit
+```
+
+**Features:**
+- HTTPS and SSH URLs supported
+- Shallow clones for efficiency
+- Specific ref checkout (branch/tag/commit)
+- Submodule support (if configured)
+
+#### 2. HTTP Archives
+
+```yaml
+packs:
+  - "https://example.com/packs/custom-pack.tar.gz"
+  - "https://cdn.example.com/slack-pack.zip"
+```
+
+**Supported formats:**
+- `.tar.gz` / `.tgz`
+- `.zip`
+
+#### 3. Pack Registry References
+
+```yaml
+packs:
+  - "slack@1.0.0"      # Specific version
+  - "aws@^2.1.0"       # Semver range
+  - "kubernetes"       # Latest version
+```
+
+**Features:**
+- Automatic URL resolution from registry
+- Version constraint support
+- Centralized pack metadata
+
+---
+
+## Action Specifications
+
+### 1. Download Packs (`core.download_packs`)
+
+**Purpose**: Download packs from various sources to a temporary directory.
+
+**Responsibilities:**
+- Detect source type (git/HTTP/registry)
+- Clone git repositories with optional ref checkout
+- Download and extract HTTP archives
+- Resolve pack registry references to download URLs
+- Locate and parse `pack.yaml` files
+- Calculate directory checksums
+- Return download metadata for downstream tasks
+
+**Input:**
+```yaml
+packs: ["https://github.com/attune/pack-slack.git"]
+destination_dir: "/tmp/attune-pack-install-abc123"
+registry_url: "https://registry.attune.io/index.json"
+ref_spec: "v1.0.0"
+timeout: 300
+verify_ssl: true
+api_url: "http://localhost:8080"
+```
+
+**Output:**
+```json
+{
+  "downloaded_packs": [
+    {
+      "source": "https://github.com/attune/pack-slack.git",
+      "source_type": "git",
+      "pack_path": "/tmp/attune-pack-install-abc123/slack",
+      "pack_ref": "slack",
+      "pack_version": "1.0.0",
+      "git_commit": "a1b2c3d4e5",
+      "checksum": "sha256:..."
+    }
+  ],
+  "failed_packs": [],
+  "total_count": 1,
+  "success_count": 1,
+  "failure_count": 0
+}
+```
+
+**Implementation Notes:**
+- Should call API endpoint or implement git/HTTP logic directly
+- Must handle authentication (SSH keys for git, API tokens)
+- Must validate `pack.yaml` exists and is readable
+- Should support both root-level and `pack/` subdirectory structures
+
+---
+
+### 2. Get Pack Dependencies (`core.get_pack_dependencies`)
+
+**Purpose**: Parse `pack.yaml` files to identify pack and runtime dependencies.
+
+**Responsibilities:**
+- Read and parse `pack.yaml` files (YAML parsing)
+- Extract `dependencies` section (pack dependencies)
+- Extract `python` and `nodejs` runtime requirements
+- Check which pack dependencies are already installed
+- Identify `requirements.txt` and `package.json` files
+- Build list of missing dependencies for installation
+
+**Input:**
+```yaml
+pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
+api_url: "http://localhost:8080"
+skip_validation: false
+```
+
+**Output:**
+```json
+{
+  "dependencies": [
+    {
+      "pack_ref": "core",
+      "version_spec": ">=1.0.0",
+      "required_by": "slack",
+      "already_installed": true
+    }
+  ],
+  "runtime_requirements": {
+    "slack": {
+      "pack_ref": "slack",
+      "python": {
+        "version": ">=3.8",
+        "requirements_file": "/tmp/.../slack/requirements.txt"
+      }
+    }
+  },
+  "missing_dependencies": [
+    {
+      "pack_ref": "http",
+      "version_spec": "^1.0.0",
+      "required_by": "slack"
+    }
+  ],
+  "analyzed_packs": [
+    {
+      "pack_ref": "slack",
+      "pack_path": "/tmp/.../slack",
+      "has_dependencies": true,
+      "dependency_count": 2
+    }
+  ],
+  "errors": []
+}
+```
+
+**Implementation Notes:**
+- Must parse YAML files (use `yq`, Python, or API call)
+- Should call `GET /api/v1/packs` to check installed packs
+- Must handle missing or malformed `pack.yaml` files gracefully
+- Should validate version specifications (semver)
+
+---
+
+### 3. Build Pack Environments (`core.build_pack_envs`)
+
+**Purpose**: Create runtime environments and install dependencies.
+
+**Responsibilities:**
+- Create Python virtualenvs for packs with Python dependencies
+- Install packages from `requirements.txt` using pip
+- Run `npm install` for packs with Node.js dependencies
+- Handle environment creation failures gracefully
+- Track installed package counts and build times
+- Support force rebuild of existing environments
+
+**Input:**
+```yaml
+pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
+packs_base_dir: "/opt/attune/packs"
+python_version: "3.11"
+nodejs_version: "20"
+skip_python: false
+skip_nodejs: false
+force_rebuild: false
+timeout: 600
+```
+
+**Output:**
+```json
+{
+  "built_environments": [
+    {
+      "pack_ref": "slack",
+      "pack_path": "/tmp/.../slack",
+      "environments": {
+        "python": {
+          "virtualenv_path": "/tmp/.../slack/virtualenv",
+          "requirements_installed": true,
+          "package_count": 15,
+          "python_version": "3.11.2"
+        }
+      },
+      "duration_ms": 45000
+    }
+  ],
+  "failed_environments": [],
+  "summary": {
+    "total_packs": 1,
+    "success_count": 1,
+    "failure_count": 0,
+    "python_envs_built": 1,
+    "nodejs_envs_built": 0,
+    "total_duration_ms": 45000
+  }
+}
+```
+
+**Implementation Notes:**
+- Python virtualenv creation: `python -m venv {pack_path}/virtualenv`
+- Pip install: `source virtualenv/bin/activate && pip install -r requirements.txt`
+- Node.js install: `npm install --production` in pack directory
+- Must handle timeouts and cleanup on failure
+- Should use containerized workers for isolation
+
+---
+
+### 4. Run Pack Tests (`core.run_pack_tests`)
+
+**Purpose**: Execute pack test suites to verify functionality.
+
+**Responsibilities:**
+- Detect test framework (pytest, unittest, npm test, shell scripts)
+- Execute tests in isolated environment
+- Capture test output and results
+- Return pass/fail status with details
+- Support parallel test execution
+- Handle test timeouts
+
+**Input:**
+```yaml
+pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
+timeout: 300
+fail_on_error: false
+```
+
+**Output:**
+```json
+{
+  "test_results": [
+    {
+      "pack_ref": "slack",
+      "status": "passed",
+      "total_tests": 25,
+      "passed": 25,
+      "failed": 0,
+      "skipped": 0,
+      "duration_ms": 12000,
+      "output": "..."
+    }
+  ],
+  "summary": {
+    "total_packs": 1,
+    "all_passed": true,
+    "total_tests": 25,
+    "total_passed": 25,
+    "total_failed": 0
+  }
+}
+```
+
+**Implementation Notes:**
+- Check for `test` section in `pack.yaml`
+- Default test discovery: `tests/` directory
+- Python: Run pytest or unittest
+- Node.js: Run `npm test`
+- Shell: Execute `test.sh` scripts
+- Should capture stdout/stderr for debugging
+
+---
+
+### 5. Register Packs (`core.register_packs`)
+
+**Purpose**: Validate schemas, load components into database, copy to storage.
+
+**Responsibilities:**
+- Validate `pack.yaml` schema
+- Scan for component files (actions, sensors, triggers, rules, workflows, policies)
+- Validate each component schema
+- Call API endpoint to register pack in database
+- Copy pack files to permanent storage (`/opt/attune/packs/{pack_ref}/`)
+- Record installation metadata
+- Handle registration rollback on failure (atomic operation)
+
+**Input:**
+```yaml
+pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
+packs_base_dir: "/opt/attune/packs"
+skip_validation: false
+skip_tests: false
+force: false
+api_url: "http://localhost:8080"
+api_token: "jwt_token_here"
+```
+
+**Output:**
+```json
+{
+  "registered_packs": [
+    {
+      "pack_ref": "slack",
+      "pack_id": 42,
+      "pack_version": "1.0.0",
+      "storage_path": "/opt/attune/packs/slack",
+      "components_registered": {
+        "actions": 15,
+        "sensors": 3,
+        "triggers": 2,
+        "rules": 5,
+        "workflows": 2,
+        "policies": 0
+      },
+      "test_result": {
+        "status": "passed",
+        "total_tests": 25,
+        "passed": 25,
+        "failed": 0
+      },
+      "validation_results": {
+        "valid": true,
+        "errors": []
+      }
+    }
+  ],
+  "failed_packs": [],
+  "summary": {
+    "total_packs": 1,
+    "success_count": 1,
+    "failure_count": 0,
+    "total_components": 27,
+    "duration_ms": 8000
+  }
+}
+```
+
+**Implementation Notes:**
+- **Primary approach**: Call `POST /api/v1/packs/register` endpoint
+- The API already implements:
+  - Pack metadata validation
+  - Component scanning and registration
+  - Database record creation
+  - File copying to permanent storage
+  - Installation metadata tracking
+- This action should be a thin wrapper for API calls
+- Must handle authentication (JWT token)
+- Must implement proper error handling and retries
+- Should validate API response and extract relevant data
+
+**API Endpoint Reference:**
+```
+POST /api/v1/packs/register
+Content-Type: application/json
+Authorization: Bearer {token}
+
+{
+  "path": "/tmp/attune-pack-install-abc123/slack",
+  "force": false,
+  "skip_tests": false
+}
+
+Response:
+{
+  "data": {
+    "pack_id": 42,
+    "pack": { ... },
+    "test_result": { ... }
+  }
+}
+```
+
+---
+
+## Workflow Execution Flow
+
+### Success Path
+
+```
+1. Initialize
+   ↓
+2. Download Packs
+   ↓ (if any downloads succeeded)
+3. Check Results
+   ↓ (if not skip_dependencies)
+4. Get Dependencies
+   ↓ (if missing dependencies found)
+5. Install Dependencies (recursive call)
+   ↓
+6. Build Environments
+   ↓ (if not skip_tests)
+7. Run Tests
+   ↓
+8. Register Packs
+   ↓
+9. Cleanup Success
+   ✓ Complete
+```
+
+### Failure Handling
+
+Each stage can fail and trigger cleanup:
+
+- **Download fails**: Go to cleanup_on_failure
+- **Dependency installation fails**: 
+  - If `force=true`: Continue to build_environments
+  - If `force=false`: Go to cleanup_on_failure
+- **Environment build fails**:
+  - If `force=true` or `skip_env_build=true`: Continue
+  - If `force=false`: Go to cleanup_on_failure
+- **Tests fail**:
+  - If `force=true`: Continue to register_packs
+  - If `force=false`: Go to cleanup_on_failure
+- **Registration fails**: Go to cleanup_on_failure
+
+### Force Mode Behavior
+
+When `force: true`:
+
+- ✓ Continue even if downloads fail
+- ✓ Skip dependency validation failures
+- ✓ Skip environment build failures
+- ✓ Skip test failures
+- ✓ Override existing pack installations
+
+**Use Cases:**
+- Development and testing
+- Emergency deployments
+- Pack upgrades
+- Recovery from partial installations
+
+**Warning:** Force mode bypasses safety checks. Use cautiously in production.
+
+---
+
+## Recursive Dependency Resolution
+
+The workflow supports recursive dependency installation:
+
+```
+install_packs(["slack"])
+  ↓
+  Depends on: ["core@>=1.0.0", "http@^1.0.0"]
+  ↓
+  install_packs(["http"])  # Recursive call
+    ↓
+    Depends on: ["core@>=1.0.0"]
+    ↓
+    core already installed ✓
+  ✓
+  http installed ✓
+  ↓
+slack installed ✓
+```
+
+**Features:**
+- Automatically detects and installs missing dependencies
+- Prevents circular dependencies (each pack registered once)
+- Respects version constraints (semver)
+- Installs dependencies depth-first
+- Tracks installed packs to avoid duplicates
+
+---
+
+## Error Handling
+
+### Atomic Registration
+
+Pack registration is atomic - all components are registered or none:
+
+- ✓ Validates all component schemas first
+- ✓ Creates database transaction for registration
+- ✓ Rolls back on any component failure
+- ✓ Prevents partial pack installations
+
+### Cleanup Strategy
+
+Temporary directories are always cleaned up:
+
+- **On success**: Remove temp directory after registration
+- **On failure**: Remove temp directory and report errors
+- **On timeout**: Cleanup triggered by workflow timeout handler
+
+### Error Reporting
+
+Comprehensive error information returned:
+
+```json
+{
+  "failed_packs": [
+    {
+      "pack_path": "/tmp/.../custom-pack",
+      "pack_ref": "custom",
+      "error": "Schema validation failed: action 'do_thing' missing required field 'runner_type'",
+      "error_stage": "validation"
+    }
+  ]
+}
+```
+
+Error stages:
+- `validation` - Schema validation failed
+- `testing` - Pack tests failed
+- `database_registration` - Database operation failed
+- `file_copy` - File system operation failed
+- `api_call` - API request failed
+
+---
+
+## Implementation Status
+
+### ✅ Complete
+
+- Workflow YAML schema (`install_packs.yaml`)
+- Action YAML schemas (5 actions)
+- Action placeholder scripts (.sh files)
+- Documentation
+- Error handling structure
+- Output schemas
+
+### 🔄 Requires Implementation
+
+All action scripts currently return placeholder responses. Each needs proper implementation:
+
+#### 1. `download_packs.sh`
+
+**Implementation Options:**
+
+**Option A: API-based** (Recommended)
+- Create API endpoint: `POST /api/v1/packs/download`
+- Action calls API with pack list
+- API handles git/HTTP/registry logic
+- Returns download results to action
+
+**Option B: Direct implementation**
+- Implement git cloning logic in script
+- Implement HTTP download and extraction
+- Implement registry lookup and resolution
+- Handle all error cases
+
+**Recommendation**: Option A (API-based) keeps action scripts lean and centralizes pack handling logic in the API service.
+
+#### 2. `get_pack_dependencies.sh`
+
+**Implementation approach:**
+- Parse YAML files (use `yq` tool or Python script)
+- Extract dependencies from `pack.yaml`
+- Call `GET /api/v1/packs` to get installed packs
+- Compare and build missing dependencies list
+
+#### 3. `build_pack_envs.sh`
+
+**Implementation approach:**
+- For each pack with `requirements.txt`:
+  ```bash
+  python -m venv {pack_path}/virtualenv
+  source {pack_path}/virtualenv/bin/activate
+  pip install -r {pack_path}/requirements.txt
+  ```
+- For each pack with `package.json`:
+  ```bash
+  cd {pack_path}
+  npm install --production
+  ```
+- Handle timeouts and errors
+- Use containerized workers for isolation
+
+#### 4. `run_pack_tests.sh`
+
+**Implementation approach:**
+- Already exists in core pack: `core.run_pack_tests`
+- May need minor updates for integration
+- Supports pytest, unittest, npm test
+
+#### 5. `register_packs.sh`
+
+**Implementation approach:**
+- Call existing API endpoint: `POST /api/v1/packs/register`
+- Send pack path and options
+- Parse API response
+- Handle authentication (JWT token from workflow context)
+
+**API Integration:**
+```bash
+curl -X POST "$API_URL/api/v1/packs/register" \
+  -H "Authorization: Bearer $API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"path\": \"$pack_path\",
+    \"force\": $FORCE,
+    \"skip_tests\": $SKIP_TESTS
+  }"
+```
+
+---
+
+## Testing Strategy
+
+### Unit Tests
+
+Test each action independently:
+
+```bash
+# Test download_packs with mock git repo
+./actions/download_packs.sh \
+  ATTUNE_ACTION_PACKS='["https://github.com/test/pack-test.git"]' \
+  ATTUNE_ACTION_DESTINATION_DIR=/tmp/test
+
+# Verify output structure
+jq '.downloaded_packs | length' output.json
+```
+
+### Integration Tests
+
+Test complete workflow:
+
+```bash
+# Execute workflow via API
+curl -X POST "$API_URL/api/v1/workflows/execute" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "workflow": "core.install_packs",
+    "input": {
+      "packs": ["https://github.com/attune/pack-test.git"],
+      "skip_tests": false,
+      "force": false
+    }
+  }'
+
+# Check execution status
+curl "$API_URL/api/v1/executions/$EXECUTION_ID"
+
+# Verify pack registered
+curl "$API_URL/api/v1/packs/test-pack"
+```
+
+### End-to-End Tests
+
+Test with real packs:
+
+1. Install core pack (already installed)
+2. Install pack with dependencies
+3. Install pack from HTTP archive
+4. Install pack from registry reference
+5. Test force mode reinstallation
+6. Test error handling (invalid pack)
+
+---
+
+## Usage Examples
+
+### Example 1: Install Single Pack from Git
+
+```yaml
+workflow: core.install_packs
+input:
+  packs:
+    - "https://github.com/attune/pack-slack.git"
+  ref_spec: "v1.0.0"
+  skip_dependencies: false
+  skip_tests: false
+  force: false
+```
+
+### Example 2: Install Multiple Packs from Registry
+
+```yaml
+workflow: core.install_packs
+input:
+  packs:
+    - "slack@1.0.0"
+    - "aws@^2.1.0"
+    - "kubernetes@>=3.0.0"
+  skip_dependencies: false
+  skip_tests: false
+```
+
+### Example 3: Force Reinstall with Skip Tests
+
+```yaml
+workflow: core.install_packs
+input:
+  packs:
+    - "https://github.com/myorg/pack-custom.git"
+  ref_spec: "main"
+  skip_dependencies: true
+  skip_tests: true
+  force: true
+```
+
+### Example 4: Install from HTTP Archive
+
+```yaml
+workflow: core.install_packs
+input:
+  packs:
+    - "https://example.com/packs/custom-pack-1.0.0.tar.gz"
+  skip_dependencies: false
+  skip_tests: false
+```
+
+---
+
+## Future Enhancements
+
+### Phase 2 Features
+
+1. **Pack Upgrade Workflow**
+   - Detect installed version
+   - Download new version
+   - Run migration scripts
+   - Update in-place or side-by-side
+
+2. **Pack Uninstall Workflow**
+   - Check for dependent packs
+   - Remove from database
+   - Remove from filesystem
+   - Optional backup before removal
+
+3. **Pack Validation Workflow**
+   - Validate without installing
+   - Check dependencies
+   - Run tests in isolated environment
+   - Report validation results
+
+4. **Batch Operations**
+   - Install all packs from registry
+   - Upgrade all installed packs
+   - Validate all installed packs
+
+### Phase 3 Features
+
+1. **Registry Integration**
+   - Automatic version discovery
+   - Dependency resolution from registry
+   - Pack popularity metrics
+   - Security vulnerability scanning
+
+2. **Advanced Dependency Management**
+   - Conflict detection
+   - Version constraint solving
+   - Dependency graphs
+   - Optional dependencies
+
+3. **Rollback Support**
+   - Snapshot before installation
+   - Rollback on failure
+   - Version history
+   - Migration scripts
+
+4. **Performance Optimizations**
+   - Parallel downloads
+   - Cached dependencies
+   - Incremental updates
+   - Build caching
+
+---
+
+## Related Documentation
+
+- [Pack Structure](../../../docs/packs/pack-structure.md) - Pack directory format
+- [Pack Installation from Git](../../../docs/packs/pack-installation-git.md) - Git installation guide
+- [Pack Registry Specification](../../../docs/packs/pack-registry-spec.md) - Registry format
+- [Pack Testing Framework](../../../docs/packs/pack-testing-framework.md) - Testing packs
+- [API Documentation](../../../docs/api/api-packs.md) - Pack API endpoints
+
+---
+
+## Support
+
+For questions or issues:
+
+- GitHub Issues: https://github.com/attune-io/attune/issues
+- Documentation: https://docs.attune.io/workflows/pack-installation
+- Community: https://community.attune.io
+
+---
+
+## Changelog
+
+### v1.0.0 (2025-02-05)
+
+- Initial workflow schema design
+- Five supporting action schemas
+- Comprehensive documentation
+- Placeholder implementation scripts
+- Error handling structure
+- Output schemas defined
+
+### Next Steps
+
+1. Implement `download_packs.sh` (or create API endpoint)
+2. Implement `get_pack_dependencies.sh`
+3. Implement `build_pack_envs.sh`
+4. Update `run_pack_tests.sh` if needed
+5. Implement `register_packs.sh` (API wrapper)
+6. End-to-end testing
+7. Documentation updates based on testing
--- a/docker/distributable/packs/core/workflows/install_packs.yaml
+++ b/docker/distributable/packs/core/workflows/install_packs.yaml
@@ -0,0 +1,330 @@
+# Install Packs Workflow
+# Complete workflow for installing packs from multiple sources with dependency resolution
+
+name: install_packs
+ref: core.install_packs
+label: "Install Packs"
+description: "Install one or more packs from git repositories, HTTP archives, or pack registry with automatic dependency resolution"
+version: "1.0.0"
+
+# Input parameters (StackStorm-style with inline required/secret)
+parameters:
+  packs:
+    type: array
+    description: "List of packs to install (git URLs, HTTP URLs, or pack refs like 'slack@1.0.0')"
+    items:
+      type: string
+    minItems: 1
+    required: true
+  ref_spec:
+    type: string
+    description: "Git reference to checkout for git URLs (branch, tag, or commit)"
+  skip_dependencies:
+    type: boolean
+    description: "Skip installing pack dependencies"
+    default: false
+  skip_tests:
+    type: boolean
+    description: "Skip running pack tests before registration"
+    default: false
+  skip_env_build:
+    type: boolean
+    description: "Skip building runtime environments (Python/Node.js)"
+    default: false
+  force:
+    type: boolean
+    description: "Force installation even if packs already exist or tests fail"
+    default: false
+  registry_url:
+    type: string
+    description: "Pack registry URL for resolving pack refs"
+    default: "https://registry.attune.io/index.json"
+  packs_base_dir:
+    type: string
+    description: "Base directory for permanent pack storage"
+    default: "/opt/attune/packs"
+  api_url:
+    type: string
+    description: "Attune API URL"
+    default: "http://localhost:8080"
+  timeout:
+    type: integer
+    description: "Timeout in seconds for the entire workflow"
+    default: 1800
+    minimum: 300
+    maximum: 7200
+
+# Workflow variables
+vars:
+  - temp_dir: null
+  - downloaded_packs: []
+  - missing_dependencies: []
+  - installed_pack_refs: []
+  - failed_packs: []
+  - start_time: null
+
+# Workflow tasks
+tasks:
+  # Task 1: Initialize workflow
+  - name: initialize
+    action: core.noop
+    input:
+      message: "Starting pack installation workflow"
+    publish:
+      - start_time: "{{ now() }}"
+      - temp_dir: "/tmp/attune-pack-install-{{ uuid() }}"
+    on_success: download_packs
+
+  # Task 2: Download packs from specified sources
+  - name: download_packs
+    action: core.download_packs
+    input:
+      packs: "{{ parameters.packs }}"
+      destination_dir: "{{ workflow.temp_dir }}"
+      registry_url: "{{ parameters.registry_url }}"
+      ref_spec: "{{ parameters.ref_spec }}"
+      api_url: "{{ parameters.api_url }}"
+      timeout: 300
+      verify_ssl: true
+    publish:
+      - downloaded_packs: "{{ task.download_packs.result.downloaded_packs }}"
+      - failed_packs: "{{ task.download_packs.result.failed_packs }}"
+    on_success:
+      - when: "{{ task.download_packs.result.success_count > 0 }}"
+        do: check_download_results
+    on_failure: cleanup_on_failure
+
+  # Task 3: Check if any packs were successfully downloaded
+  - name: check_download_results
+    action: core.noop
+    input:
+      message: "Downloaded {{ task.download_packs.result.success_count }} pack(s)"
+    on_success:
+      - when: "{{ not parameters.skip_dependencies }}"
+        do: get_dependencies
+      - when: "{{ parameters.skip_dependencies }}"
+        do: build_environments
+
+  # Task 4: Get pack dependencies from pack.yaml files
+  - name: get_dependencies
+    action: core.get_pack_dependencies
+    input:
+      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
+      api_url: "{{ parameters.api_url }}"
+      skip_validation: false
+    publish:
+      - missing_dependencies: "{{ task.get_dependencies.result.missing_dependencies }}"
+    on_success:
+      - when: "{{ task.get_dependencies.result.missing_dependencies | length > 0 }}"
+        do: install_dependencies
+      - when: "{{ task.get_dependencies.result.missing_dependencies | length == 0 }}"
+        do: build_environments
+    on_failure: cleanup_on_failure
+
+  # Task 5: Recursively install missing pack dependencies
+  - name: install_dependencies
+    action: core.install_packs
+    input:
+      packs: "{{ workflow.missing_dependencies | map(attribute='pack_ref') | list }}"
+      skip_dependencies: false
+      skip_tests: "{{ parameters.skip_tests }}"
+      skip_env_build: "{{ parameters.skip_env_build }}"
+      force: "{{ parameters.force }}"
+      registry_url: "{{ parameters.registry_url }}"
+      packs_base_dir: "{{ parameters.packs_base_dir }}"
+      api_url: "{{ parameters.api_url }}"
+      timeout: 900
+    publish:
+      - installed_pack_refs: "{{ task.install_dependencies.result.registered_packs | map(attribute='pack_ref') | list }}"
+    on_success: build_environments
+    on_failure:
+      - when: "{{ parameters.force }}"
+        do: build_environments
+      - when: "{{ not parameters.force }}"
+        do: cleanup_on_failure
+
+  # Task 6: Build runtime environments (Python virtualenvs, npm install)
+  - name: build_environments
+    action: core.build_pack_envs
+    input:
+      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
+      packs_base_dir: "{{ parameters.packs_base_dir }}"
+      python_version: "3.11"
+      nodejs_version: "20"
+      skip_python: false
+      skip_nodejs: false
+      force_rebuild: "{{ parameters.force }}"
+      timeout: 600
+    on_success:
+      - when: "{{ not parameters.skip_tests }}"
+        do: run_tests
+      - when: "{{ parameters.skip_tests }}"
+        do: register_packs
+    on_failure:
+      - when: "{{ parameters.force or parameters.skip_env_build }}"
+        do:
+          - when: "{{ not parameters.skip_tests }}"
+            next: run_tests
+          - when: "{{ parameters.skip_tests }}"
+            next: register_packs
+      - when: "{{ not parameters.force and not parameters.skip_env_build }}"
+        do: cleanup_on_failure
+
+  # Task 7: Run pack tests to verify functionality
+  - name: run_tests
+    action: core.run_pack_tests
+    input:
+      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
+      timeout: 300
+      fail_on_error: false
+    on_success: register_packs
+    on_failure:
+      - when: "{{ parameters.force }}"
+        do: register_packs
+      - when: "{{ not parameters.force }}"
+        do: cleanup_on_failure
+
+  # Task 8: Register packs in database and copy to permanent storage
+  - name: register_packs
+    action: core.register_packs
+    input:
+      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
+      packs_base_dir: "{{ parameters.packs_base_dir }}"
+      skip_validation: false
+      skip_tests: "{{ parameters.skip_tests }}"
+      force: "{{ parameters.force }}"
+      api_url: "{{ parameters.api_url }}"
+    on_success: cleanup_success
+    on_failure: cleanup_on_failure
+
+  # Task 9: Cleanup temporary directory on success
+  - name: cleanup_success
+    action: core.noop
+    input:
+      message: "Pack installation completed successfully. Cleaning up temporary directory: {{ workflow.temp_dir }}"
+    publish:
+      - cleanup_status: "success"
+
+  # Task 10: Cleanup temporary directory on failure
+  - name: cleanup_on_failure
+    action: core.noop
+    input:
+      message: "Pack installation failed. Cleaning up temporary directory: {{ workflow.temp_dir }}"
+    publish:
+      - cleanup_status: "failed"
+
+# Output schema
+output_schema:
+  registered_packs:
+    type: array
+    description: "Successfully registered packs"
+    items:
+      type: object
+      properties:
+        pack_ref:
+          type: string
+        pack_id:
+          type: integer
+        pack_version:
+          type: string
+        storage_path:
+          type: string
+        components_count:
+          type: integer
+  failed_packs:
+    type: array
+    description: "Packs that failed to install"
+    items:
+      type: object
+      properties:
+        source:
+          type: string
+        error:
+          type: string
+        stage:
+          type: string
+  installed_dependencies:
+    type: array
+    description: "Pack dependencies that were installed"
+    items:
+      type: string
+  summary:
+    type: object
+    description: "Installation summary"
+    properties:
+      total_requested:
+        type: integer
+      success_count:
+        type: integer
+      failure_count:
+        type: integer
+      dependencies_installed:
+        type: integer
+      duration_seconds:
+        type: integer
+
+# Metadata
+metadata:
+  description: |
+    This workflow orchestrates the complete pack installation process:
+
+    1. Download Packs: Downloads packs from git repositories, HTTP archives, or pack registry
+    2. Get Dependencies: Analyzes pack.yaml files to identify dependencies
+    3. Install Dependencies: Recursively installs missing pack dependencies
+    4. Build Environments: Creates Python virtualenvs, installs requirements.txt and package.json deps
+    5. Run Tests: Executes pack test suites (if present and not skipped)
+    6. Register Packs: Loads pack components into database and copies to permanent storage
+
+    The workflow supports:
+    - Multiple pack sources (git URLs, HTTP archives, pack refs)
+    - Automatic dependency resolution (recursive)
+    - Runtime environment setup (Python, Node.js)
+    - Pack testing before registration
+    - Force mode to override validation failures
+    - Comprehensive error handling and cleanup
+
+  examples:
+    - name: "Install pack from git repository"
+      input:
+        packs:
+          - "https://github.com/attune/pack-slack.git"
+        ref_spec: "v1.0.0"
+        skip_dependencies: false
+        skip_tests: false
+        force: false
+
+    - name: "Install multiple packs from registry"
+      input:
+        packs:
+          - "slack@1.0.0"
+          - "aws@2.1.0"
+          - "kubernetes@3.0.0"
+        skip_dependencies: false
+        skip_tests: false
+        force: false
+
+    - name: "Install pack with force mode (skip validations)"
+      input:
+        packs:
+          - "https://github.com/myorg/pack-custom.git"
+        ref_spec: "main"
+        skip_dependencies: true
+        skip_tests: true
+        force: true
+
+    - name: "Install from HTTP archive"
+      input:
+        packs:
+          - "https://example.com/packs/custom-pack.tar.gz"
+        skip_dependencies: false
+        skip_tests: false
+        force: false
+
+  tags:
+    - pack
+    - installation
+    - workflow
+    - automation
+    - dependencies
+    - git
+    - registry
--- a/docker/distributable/scripts/load_core_pack.py
+++ b/docker/distributable/scripts/load_core_pack.py
@@ -0,0 +1,881 @@
+#!/usr/bin/env python3
+"""
+Pack Loader for Attune
+
+This script loads a pack from the filesystem into the database.
+It reads pack.yaml, permission set definitions, action definitions, trigger
+definitions, and sensor definitions and creates all necessary database entries.
+
+Usage:
+    python3 scripts/load_core_pack.py [--database-url URL] [--pack-dir DIR] [--pack-name NAME]
+
+Environment Variables:
+    DATABASE_URL: PostgreSQL connection string (default: from config or localhost)
+    ATTUNE_PACKS_DIR: Base directory for packs (default: ./packs)
+"""
+
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+import psycopg2
+import psycopg2.extras
+import yaml
+
+# Default configuration
+DEFAULT_DATABASE_URL = "postgresql://postgres:postgres@localhost:5432/attune"
+DEFAULT_PACKS_DIR = "./packs"
+
+
+def generate_label(name: str) -> str:
+    """Generate a human-readable label from a name.
+
+    Examples:
+        'crontimer' -> 'Crontimer'
+        'http_request' -> 'Http Request'
+        'datetime_timer' -> 'Datetime Timer'
+    """
+    # Replace underscores with spaces and capitalize each word
+    return " ".join(word.capitalize() for word in name.replace("_", " ").split())
+
+
+class PackLoader:
+    """Loads a pack into the database"""
+
+    def __init__(
+        self, database_url: str, packs_dir: Path, pack_name: str, schema: str = "public"
+    ):
+        self.database_url = database_url
+        self.packs_dir = packs_dir
+        self.pack_name = pack_name
+        self.pack_dir = packs_dir / pack_name
+        self.schema = schema
+        self.conn = None
+        self.pack_id = None
+        self.pack_ref = None
+
+    def connect(self):
+        """Connect to the database"""
+        print(f"Connecting to database...")
+        self.conn = psycopg2.connect(self.database_url)
+        self.conn.autocommit = False
+
+        # Set search_path to use the correct schema
+        cursor = self.conn.cursor()
+        cursor.execute(f"SET search_path TO {self.schema}, public")
+        cursor.close()
+        self.conn.commit()
+
+        print(f"✓ Connected to database (schema: {self.schema})")
+
+    def close(self):
+        """Close database connection"""
+        if self.conn:
+            self.conn.close()
+
+    def load_yaml(self, file_path: Path) -> Dict[str, Any]:
+        """Load and parse YAML file"""
+        with open(file_path, "r") as f:
+            return yaml.safe_load(f)
+
+    def upsert_pack(self) -> int:
+        """Create or update the pack"""
+        print("\n→ Loading pack metadata...")
+
+        pack_yaml_path = self.pack_dir / "pack.yaml"
+        if not pack_yaml_path.exists():
+            raise FileNotFoundError(f"pack.yaml not found at {pack_yaml_path}")
+
+        pack_data = self.load_yaml(pack_yaml_path)
+
+        cursor = self.conn.cursor()
+
+        # Prepare pack data
+        ref = pack_data["ref"]
+        self.pack_ref = ref
+        label = pack_data["label"]
+        description = pack_data.get("description", "")
+        version = pack_data["version"]
+        conf_schema = json.dumps(pack_data.get("conf_schema", {}))
+        config = json.dumps(pack_data.get("config", {}))
+        meta = json.dumps(pack_data.get("meta", {}))
+        tags = pack_data.get("tags", [])
+        runtime_deps = pack_data.get("runtime_deps", [])
+        is_standard = pack_data.get("system", False)
+
+        # Upsert pack
+        cursor.execute(
+            """
+            INSERT INTO pack (
+                ref, label, description, version,
+                conf_schema, config, meta, tags, runtime_deps, is_standard
+            )
+            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+            ON CONFLICT (ref) DO UPDATE SET
+                label = EXCLUDED.label,
+                description = EXCLUDED.description,
+                version = EXCLUDED.version,
+                conf_schema = EXCLUDED.conf_schema,
+                config = EXCLUDED.config,
+                meta = EXCLUDED.meta,
+                tags = EXCLUDED.tags,
+                runtime_deps = EXCLUDED.runtime_deps,
+                is_standard = EXCLUDED.is_standard,
+                updated = NOW()
+            RETURNING id
+        """,
+            (
+                ref,
+                label,
+                description,
+                version,
+                conf_schema,
+                config,
+                meta,
+                tags,
+                runtime_deps,
+                is_standard,
+            ),
+        )
+
+        self.pack_id = cursor.fetchone()[0]
+        cursor.close()
+
+        print(f"✓ Pack '{ref}' loaded (ID: {self.pack_id})")
+        return self.pack_id
+
+    def upsert_permission_sets(self) -> Dict[str, int]:
+        """Load permission set definitions from permission_sets/*.yaml."""
+        print("\n→ Loading permission sets...")
+
+        permission_sets_dir = self.pack_dir / "permission_sets"
+        if not permission_sets_dir.exists():
+            print("  No permission_sets directory found")
+            return {}
+
+        permission_set_ids = {}
+        cursor = self.conn.cursor()
+
+        for yaml_file in sorted(permission_sets_dir.glob("*.yaml")):
+            permission_set_data = self.load_yaml(yaml_file)
+            if not permission_set_data:
+                continue
+
+            ref = permission_set_data.get("ref")
+            if not ref:
+                print(
+                    f"  ⚠ Permission set YAML {yaml_file.name} missing 'ref' field, skipping"
+                )
+                continue
+
+            label = permission_set_data.get("label")
+            description = permission_set_data.get("description")
+            grants = permission_set_data.get("grants", [])
+
+            if not isinstance(grants, list):
+                print(
+                    f"  ⚠ Permission set '{ref}' has non-array grants, skipping"
+                )
+                continue
+
+            cursor.execute(
+                """
+                INSERT INTO permission_set (
+                    ref, pack, pack_ref, label, description, grants
+                )
+                VALUES (%s, %s, %s, %s, %s, %s)
+                ON CONFLICT (ref) DO UPDATE SET
+                    label = EXCLUDED.label,
+                    description = EXCLUDED.description,
+                    grants = EXCLUDED.grants,
+                    updated = NOW()
+                RETURNING id
+            """,
+                (
+                    ref,
+                    self.pack_id,
+                    self.pack_ref,
+                    label,
+                    description,
+                    json.dumps(grants),
+                ),
+            )
+
+            permission_set_id = cursor.fetchone()[0]
+            permission_set_ids[ref] = permission_set_id
+            print(f"  ✓ Permission set '{ref}' (ID: {permission_set_id})")
+
+        cursor.close()
+        return permission_set_ids
+
+    def upsert_triggers(self) -> Dict[str, int]:
+        """Load trigger definitions"""
+        print("\n→ Loading triggers...")
+
+        triggers_dir = self.pack_dir / "triggers"
+        if not triggers_dir.exists():
+            print("  No triggers directory found")
+            return {}
+
+        trigger_ids = {}
+        cursor = self.conn.cursor()
+
+        for yaml_file in sorted(triggers_dir.glob("*.yaml")):
+            trigger_data = self.load_yaml(yaml_file)
+
+            # Use ref from YAML (new format) or construct from name (old format)
+            ref = trigger_data.get("ref")
+            if not ref:
+                # Fallback for old format - should not happen with new pack format
+                ref = f"{self.pack_ref}.{trigger_data['name']}"
+
+            # Extract name from ref for label generation
+            name = ref.split(".")[-1] if "." in ref else ref
+            label = trigger_data.get("label") or generate_label(name)
+            description = trigger_data.get("description", "")
+            enabled = trigger_data.get("enabled", True)
+            param_schema = json.dumps(trigger_data.get("parameters", {}))
+            out_schema = json.dumps(trigger_data.get("output", {}))
+
+            cursor.execute(
+                """
+                INSERT INTO trigger (
+                    ref, pack, pack_ref, label, description,
+                    enabled, param_schema, out_schema, is_adhoc
+                )
+                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)
+                ON CONFLICT (ref) DO UPDATE SET
+                    label = EXCLUDED.label,
+                    description = EXCLUDED.description,
+                    enabled = EXCLUDED.enabled,
+                    param_schema = EXCLUDED.param_schema,
+                    out_schema = EXCLUDED.out_schema,
+                    updated = NOW()
+                RETURNING id
+            """,
+                (
+                    ref,
+                    self.pack_id,
+                    self.pack_ref,
+                    label,
+                    description,
+                    enabled,
+                    param_schema,
+                    out_schema,
+                    False,  # Pack-installed triggers are not ad-hoc
+                ),
+            )
+
+            trigger_id = cursor.fetchone()[0]
+            trigger_ids[ref] = trigger_id
+            print(f"  ✓ Trigger '{ref}' (ID: {trigger_id})")
+
+        cursor.close()
+        return trigger_ids
+
+    def upsert_runtimes(self) -> Dict[str, int]:
+        """Load runtime definitions from runtimes/*.yaml"""
+        print("\n→ Loading runtimes...")
+
+        runtimes_dir = self.pack_dir / "runtimes"
+        if not runtimes_dir.exists():
+            print("  No runtimes directory found")
+            return {}
+
+        runtime_ids = {}
+        cursor = self.conn.cursor()
+
+        for yaml_file in sorted(runtimes_dir.glob("*.yaml")):
+            runtime_data = self.load_yaml(yaml_file)
+            if not runtime_data:
+                continue
+
+            ref = runtime_data.get("ref")
+            if not ref:
+                print(
+                    f"  ⚠ Runtime YAML {yaml_file.name} missing 'ref' field, skipping"
+                )
+                continue
+
+            name = runtime_data.get("name", ref.split(".")[-1])
+            description = runtime_data.get("description", "")
+            aliases = [alias.lower() for alias in runtime_data.get("aliases", [])]
+            distributions = json.dumps(runtime_data.get("distributions", {}))
+            installation = json.dumps(runtime_data.get("installation", {}))
+            execution_config = json.dumps(runtime_data.get("execution_config", {}))
+
+            cursor.execute(
+                """
+                INSERT INTO runtime (
+                    ref, pack, pack_ref, name, description,
+                    aliases, distributions, installation, execution_config
+                )
+                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)
+                ON CONFLICT (ref) DO UPDATE SET
+                    name = EXCLUDED.name,
+                    description = EXCLUDED.description,
+                    aliases = EXCLUDED.aliases,
+                    distributions = EXCLUDED.distributions,
+                    installation = EXCLUDED.installation,
+                    execution_config = EXCLUDED.execution_config,
+                    updated = NOW()
+                RETURNING id
+            """,
+                (
+                    ref,
+                    self.pack_id,
+                    self.pack_ref,
+                    name,
+                    description,
+                    aliases,
+                    distributions,
+                    installation,
+                    execution_config,
+                ),
+            )
+
+            runtime_id = cursor.fetchone()[0]
+            runtime_ids[ref] = runtime_id
+            # Also index by lowercase name for easy lookup by runner_type
+            runtime_ids[name.lower()] = runtime_id
+            for alias in aliases:
+                runtime_ids[alias] = runtime_id
+            print(f"  ✓ Runtime '{ref}' (ID: {runtime_id})")
+
+        cursor.close()
+        return runtime_ids
+
+    def resolve_action_runtime(
+        self, action_data: Dict, runtime_ids: Dict[str, int]
+    ) -> Optional[int]:
+        """Resolve the runtime ID for an action based on runner_type or entrypoint."""
+        runner_type = action_data.get("runner_type", "").lower()
+
+        if not runner_type:
+            # Try to infer from entrypoint extension
+            entrypoint = action_data.get("entry_point", "")
+            if entrypoint.endswith(".py"):
+                runner_type = "python"
+            elif entrypoint.endswith(".js"):
+                runner_type = "node.js"
+            else:
+                runner_type = "shell"
+
+        # Map runner_type names to runtime refs/names
+        lookup_keys = {
+            "shell": ["shell", "core.shell"],
+            "python": ["python", "core.python"],
+            "python3": ["python", "core.python"],
+            "node": ["node.js", "nodejs", "core.nodejs"],
+            "nodejs": ["node.js", "nodejs", "core.nodejs"],
+            "node.js": ["node.js", "nodejs", "core.nodejs"],
+            "native": ["native", "core.native"],
+        }
+
+        keys_to_try = lookup_keys.get(runner_type, [runner_type])
+        for key in keys_to_try:
+            if key in runtime_ids:
+                return runtime_ids[key]
+
+        print(f"  ⚠ Could not resolve runtime for runner_type '{runner_type}'")
+        return None
+
+    def upsert_workflow_definition(
+        self,
+        cursor,
+        workflow_file_path: str,
+        action_ref: str,
+        action_data: Dict[str, Any],
+    ) -> Optional[int]:
+        """Load a workflow definition file and upsert it in the database.
+
+        When an action YAML contains a `workflow_file` field, this method reads
+        the referenced workflow YAML, creates or updates the corresponding
+        `workflow_definition` row, and returns its ID so the action can be linked
+        via the `workflow_def` FK.
+
+        The action YAML's `parameters` and `output` fields take precedence over
+        the workflow file's own schemas (allowing the action to customise the
+        exposed interface without touching the workflow graph).
+
+        Args:
+            cursor: Database cursor.
+            workflow_file_path: Path to the workflow file relative to the
+                ``actions/`` directory (e.g. ``workflows/deploy.workflow.yaml``).
+            action_ref: The ref of the action that references this workflow.
+            action_data: The parsed action YAML dict (used for schema overrides).
+
+        Returns:
+            The database ID of the workflow_definition row, or None on failure.
+        """
+        actions_dir = self.pack_dir / "actions"
+        full_path = actions_dir / workflow_file_path
+        if not full_path.exists():
+            print(f"  ⚠ Workflow file '{workflow_file_path}' not found at {full_path}")
+            return None
+
+        try:
+            workflow_data = self.load_yaml(full_path)
+        except Exception as e:
+            print(f"  ⚠ Failed to parse workflow file '{workflow_file_path}': {e}")
+            return None
+
+        # The action YAML is authoritative for action-level metadata.
+        # Fall back to the workflow file's own values only when present
+        # (standalone workflow files in workflows/ still carry them).
+        workflow_ref = workflow_data.get("ref") or action_ref
+        label = workflow_data.get("label") or action_data.get("label", "")
+        description = workflow_data.get("description") or action_data.get(
+            "description", ""
+        )
+        version = workflow_data.get("version", "1.0.0")
+        tags = workflow_data.get("tags") or action_data.get("tags", [])
+
+        # The action YAML is authoritative for param_schema / out_schema.
+        # Fall back to the workflow file's own schemas only if the action
+        # YAML doesn't define them.
+        param_schema = action_data.get("parameters") or workflow_data.get("parameters")
+        out_schema = action_data.get("output") or workflow_data.get("output")
+
+        param_schema_json = json.dumps(param_schema) if param_schema else None
+        out_schema_json = json.dumps(out_schema) if out_schema else None
+
+        # Store the full workflow definition as JSON
+        definition_json = json.dumps(workflow_data)
+        tags_list = tags if isinstance(tags, list) else []
+
+        cursor.execute(
+            """
+            INSERT INTO workflow_definition (
+                ref, pack, pack_ref, label, description, version,
+                param_schema, out_schema, definition, tags, enabled
+            )
+            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+            ON CONFLICT (ref) DO UPDATE SET
+                label = EXCLUDED.label,
+                description = EXCLUDED.description,
+                version = EXCLUDED.version,
+                param_schema = EXCLUDED.param_schema,
+                out_schema = EXCLUDED.out_schema,
+                definition = EXCLUDED.definition,
+                tags = EXCLUDED.tags,
+                enabled = EXCLUDED.enabled,
+                updated = NOW()
+            RETURNING id
+        """,
+            (
+                workflow_ref,
+                self.pack_id,
+                self.pack_ref,
+                label,
+                description,
+                version,
+                param_schema_json,
+                out_schema_json,
+                definition_json,
+                tags_list,
+                True,
+            ),
+        )
+
+        workflow_def_id = cursor.fetchone()[0]
+        print(f"    ✓ Workflow definition '{workflow_ref}' (ID: {workflow_def_id})")
+        return workflow_def_id
+
+    def upsert_actions(self, runtime_ids: Dict[str, int]) -> Dict[str, int]:
+        """Load action definitions.
+
+        When an action YAML contains a ``workflow_file`` field, the loader reads
+        the referenced workflow definition, upserts a ``workflow_definition``
+        record, and links the action to it via ``action.workflow_def``.  This
+        allows the action YAML to control action-level metadata independently
+        of the workflow graph, and lets multiple actions share a workflow file.
+        """
+        print("\n→ Loading actions...")
+
+        actions_dir = self.pack_dir / "actions"
+        if not actions_dir.exists():
+            print("  No actions directory found")
+            return {}
+
+        action_ids = {}
+        workflow_count = 0
+        cursor = self.conn.cursor()
+
+        for yaml_file in sorted(actions_dir.glob("*.yaml")):
+            action_data = self.load_yaml(yaml_file)
+
+            # Use ref from YAML (new format) or construct from name (old format)
+            ref = action_data.get("ref")
+            if not ref:
+                # Fallback for old format - should not happen with new pack format
+                ref = f"{self.pack_ref}.{action_data['name']}"
+
+            # Extract name from ref for label generation and entrypoint detection
+            name = ref.split(".")[-1] if "." in ref else ref
+            label = action_data.get("label") or generate_label(name)
+            description = action_data.get("description", "")
+
+            # ── Workflow file handling ───────────────────────────────────
+            workflow_file = action_data.get("workflow_file")
+            workflow_def_id: Optional[int] = None
+
+            if workflow_file:
+                workflow_def_id = self.upsert_workflow_definition(
+                    cursor, workflow_file, ref, action_data
+                )
+                if workflow_def_id is not None:
+                    workflow_count += 1
+
+            # For workflow actions the entrypoint is the workflow file path;
+            # for regular actions it comes from entry_point in the YAML.
+            if workflow_file:
+                entrypoint = workflow_file
+            else:
+                entrypoint = action_data.get("entry_point", "")
+                if not entrypoint:
+                    # Try to find corresponding script file
+                    for ext in [".sh", ".py"]:
+                        script_path = actions_dir / f"{name}{ext}"
+                        if script_path.exists():
+                            entrypoint = str(script_path.relative_to(self.packs_dir))
+                            break
+
+            # Resolve runtime ID (workflow actions have no runtime)
+            if workflow_file:
+                runtime_id = None
+            else:
+                runtime_id = self.resolve_action_runtime(action_data, runtime_ids)
+
+            param_schema = json.dumps(action_data.get("parameters", {}))
+            out_schema = json.dumps(action_data.get("output", {}))
+
+            # Parameter delivery and format (defaults: stdin + json for security)
+            parameter_delivery = action_data.get("parameter_delivery", "stdin").lower()
+            parameter_format = action_data.get("parameter_format", "json").lower()
+
+            # Output format (defaults: text for no parsing)
+            output_format = action_data.get("output_format", "text").lower()
+
+            # Validate parameter delivery method (only stdin and file allowed)
+            if parameter_delivery not in ["stdin", "file"]:
+                print(
+                    f"  ⚠ Invalid parameter_delivery '{parameter_delivery}' for '{ref}', defaulting to 'stdin'"
+                )
+                parameter_delivery = "stdin"
+
+            # Validate parameter format
+            if parameter_format not in ["dotenv", "json", "yaml"]:
+                print(
+                    f"  ⚠ Invalid parameter_format '{parameter_format}' for '{ref}', defaulting to 'json'"
+                )
+                parameter_format = "json"
+
+            # Validate output format
+            if output_format not in ["text", "json", "yaml", "jsonl"]:
+                print(
+                    f"  ⚠ Invalid output_format '{output_format}' for '{ref}', defaulting to 'text'"
+                )
+                output_format = "text"
+
+            cursor.execute(
+                """
+                INSERT INTO action (
+                    ref, pack, pack_ref, label, description,
+                    entrypoint, runtime, param_schema, out_schema, is_adhoc,
+                    parameter_delivery, parameter_format, output_format
+                )
+                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+                ON CONFLICT (ref) DO UPDATE SET
+                    label = EXCLUDED.label,
+                    description = EXCLUDED.description,
+                    entrypoint = EXCLUDED.entrypoint,
+                    param_schema = EXCLUDED.param_schema,
+                    out_schema = EXCLUDED.out_schema,
+                    parameter_delivery = EXCLUDED.parameter_delivery,
+                    parameter_format = EXCLUDED.parameter_format,
+                    output_format = EXCLUDED.output_format,
+                    updated = NOW()
+                RETURNING id
+            """,
+                (
+                    ref,
+                    self.pack_id,
+                    self.pack_ref,
+                    label,
+                    description,
+                    entrypoint,
+                    runtime_id,
+                    param_schema,
+                    out_schema,
+                    False,  # Pack-installed actions are not ad-hoc
+                    parameter_delivery,
+                    parameter_format,
+                    output_format,
+                ),
+            )
+
+            action_id = cursor.fetchone()[0]
+            action_ids[ref] = action_id
+
+            # Link action to workflow definition if present
+            if workflow_def_id is not None:
+                cursor.execute(
+                    """
+                    UPDATE action SET workflow_def = %s, updated = NOW()
+                    WHERE id = %s
+                """,
+                    (workflow_def_id, action_id),
+                )
+                print(
+                    f"  ✓ Action '{ref}' (ID: {action_id}) → workflow def {workflow_def_id}"
+                )
+            else:
+                print(f"  ✓ Action '{ref}' (ID: {action_id})")
+
+        cursor.close()
+        if workflow_count > 0:
+            print(f"  ({workflow_count} workflow definition(s) registered)")
+        return action_ids
+
+    def upsert_sensors(
+        self, trigger_ids: Dict[str, int], runtime_ids: Dict[str, int]
+    ) -> Dict[str, int]:
+        """Load sensor definitions"""
+        print("\n→ Loading sensors...")
+
+        sensors_dir = self.pack_dir / "sensors"
+        if not sensors_dir.exists():
+            print("  No sensors directory found")
+            return {}
+
+        sensor_ids = {}
+        cursor = self.conn.cursor()
+
+        # Runtime name mapping: runner_type values to core runtime refs
+        runner_type_to_ref = {
+            "native": "core.native",
+            "standalone": "core.native",
+            "builtin": "core.native",
+            "shell": "core.shell",
+            "bash": "core.shell",
+            "sh": "core.shell",
+            "python": "core.python",
+            "python3": "core.python",
+            "node": "core.nodejs",
+            "nodejs": "core.nodejs",
+            "node.js": "core.nodejs",
+        }
+
+        for yaml_file in sorted(sensors_dir.glob("*.yaml")):
+            sensor_data = self.load_yaml(yaml_file)
+
+            # Use ref from YAML (new format) or construct from name (old format)
+            ref = sensor_data.get("ref")
+            if not ref:
+                # Fallback for old format - should not happen with new pack format
+                ref = f"{self.pack_ref}.{sensor_data['name']}"
+
+            # Extract name from ref for label generation and entrypoint detection
+            name = ref.split(".")[-1] if "." in ref else ref
+            label = sensor_data.get("label") or generate_label(name)
+            description = sensor_data.get("description", "")
+            enabled = sensor_data.get("enabled", True)
+
+            # Get trigger reference (handle both trigger_type and trigger_types)
+            trigger_types = sensor_data.get("trigger_types", [])
+            if not trigger_types:
+                # Fallback to singular trigger_type
+                trigger_type = sensor_data.get("trigger_type", "")
+                trigger_types = [trigger_type] if trigger_type else []
+
+            # Use the first trigger type (sensors currently support one trigger)
+            trigger_ref = None
+            trigger_id = None
+            if trigger_types:
+                # Check if it's already a full ref or just the type name
+                first_trigger = trigger_types[0]
+                if "." in first_trigger:
+                    trigger_ref = first_trigger
+                else:
+                    trigger_ref = f"{self.pack_ref}.{first_trigger}"
+                trigger_id = trigger_ids.get(trigger_ref)
+
+            # Resolve sensor runtime from YAML runner_type field
+            # Defaults to "native" (compiled binary, no interpreter)
+            runner_type = sensor_data.get("runner_type", "native").lower()
+            runtime_ref = runner_type_to_ref.get(runner_type, runner_type)
+            # Look up runtime ID: try the mapped ref, then the raw runner_type
+            sensor_runtime_id = runtime_ids.get(runtime_ref)
+            if not sensor_runtime_id:
+                # Try looking up by the short name (e.g., "python" key in runtime_ids)
+                sensor_runtime_id = runtime_ids.get(runner_type)
+            if not sensor_runtime_id:
+                print(
+                    f"  ⚠ No runtime found for runner_type '{runner_type}' (ref: {runtime_ref}), sensor will have no runtime"
+                )
+
+            # Determine entrypoint
+            entry_point = sensor_data.get("entry_point", "")
+            if not entry_point:
+                for ext in [".py", ".sh"]:
+                    script_path = sensors_dir / f"{name}{ext}"
+                    if script_path.exists():
+                        entry_point = str(script_path.relative_to(self.packs_dir))
+                        break
+
+            config = json.dumps(sensor_data.get("config", {}))
+
+            cursor.execute(
+                """
+                INSERT INTO sensor (
+                    ref, pack, pack_ref, label, description,
+                    entrypoint, runtime, runtime_ref, trigger, trigger_ref,
+                    enabled, config
+                )
+                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
+                ON CONFLICT (ref) DO UPDATE SET
+                    label = EXCLUDED.label,
+                    description = EXCLUDED.description,
+                    entrypoint = EXCLUDED.entrypoint,
+                    runtime = EXCLUDED.runtime,
+                    runtime_ref = EXCLUDED.runtime_ref,
+                    trigger = EXCLUDED.trigger,
+                    trigger_ref = EXCLUDED.trigger_ref,
+                    enabled = EXCLUDED.enabled,
+                    config = EXCLUDED.config,
+                    updated = NOW()
+                RETURNING id
+            """,
+                (
+                    ref,
+                    self.pack_id,
+                    self.pack_ref,
+                    label,
+                    description,
+                    entry_point,
+                    sensor_runtime_id,
+                    runtime_ref,
+                    trigger_id,
+                    trigger_ref,
+                    enabled,
+                    config,
+                ),
+            )
+
+            sensor_id = cursor.fetchone()[0]
+            sensor_ids[ref] = sensor_id
+            print(f"  ✓ Sensor '{ref}' (ID: {sensor_id})")
+
+        cursor.close()
+        return sensor_ids
+
+    def load_pack(self):
+        """Main loading process.
+
+        Components are loaded in dependency order:
+        1. Permission sets (no dependencies)
+        2. Runtimes (no dependencies)
+        3. Triggers (no dependencies)
+        4. Actions (depend on runtime; workflow actions also create
+           workflow_definition records)
+        5. Sensors (depend on triggers and runtime)
+        """
+        print("=" * 60)
+        print(f"Pack Loader - {self.pack_name}")
+        print("=" * 60)
+
+        if not self.pack_dir.exists():
+            raise FileNotFoundError(f"Pack directory not found: {self.pack_dir}")
+
+        try:
+            self.connect()
+
+            # Load pack metadata
+            self.upsert_pack()
+
+            # Load permission sets first (authorization metadata)
+            permission_set_ids = self.upsert_permission_sets()
+
+            # Load runtimes (actions and sensors depend on them)
+            runtime_ids = self.upsert_runtimes()
+
+            # Load triggers
+            trigger_ids = self.upsert_triggers()
+
+            # Load actions (with runtime resolution + workflow definitions)
+            action_ids = self.upsert_actions(runtime_ids)
+
+            # Load sensors
+            sensor_ids = self.upsert_sensors(trigger_ids, runtime_ids)
+
+            # Commit all changes
+            self.conn.commit()
+
+            print("\n" + "=" * 60)
+            print(f"✓ Pack '{self.pack_name}' loaded successfully!")
+            print("=" * 60)
+            print(f"  Pack ID: {self.pack_id}")
+            print(f"  Permission sets: {len(permission_set_ids)}")
+            print(f"  Runtimes: {len(set(runtime_ids.values()))}")
+            print(f"  Triggers: {len(trigger_ids)}")
+            print(f"  Actions: {len(action_ids)}")
+            print(f"  Sensors: {len(sensor_ids)}")
+            print()
+
+        except Exception as e:
+            if self.conn:
+                self.conn.rollback()
+            print(f"\n✗ Error loading pack '{self.pack_name}': {e}")
+            import traceback
+
+            traceback.print_exc()
+            sys.exit(1)
+        finally:
+            self.close()
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Load a pack into the Attune database")
+    parser.add_argument(
+        "--database-url",
+        default=os.getenv("DATABASE_URL", DEFAULT_DATABASE_URL),
+        help=f"PostgreSQL connection string (default: {DEFAULT_DATABASE_URL})",
+    )
+    parser.add_argument(
+        "--pack-dir",
+        type=Path,
+        default=Path(os.getenv("ATTUNE_PACKS_DIR", DEFAULT_PACKS_DIR)),
+        help=f"Base directory for packs (default: {DEFAULT_PACKS_DIR})",
+    )
+    parser.add_argument(
+        "--pack-name",
+        default="core",
+        help="Name of the pack to load (default: core)",
+    )
+    parser.add_argument(
+        "--schema",
+        default=os.getenv("DB_SCHEMA", "public"),
+        help="Database schema to use (default: public)",
+    )
+    parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Print what would be done without making changes",
+    )
+
+    args = parser.parse_args()
+
+    if args.dry_run:
+        print("DRY RUN MODE: No changes will be made")
+        print()
+
+    loader = PackLoader(args.database_url, args.pack_dir, args.pack_name, args.schema)
+    loader.load_pack()
+
+
+if __name__ == "__main__":
+    main()
--- a/scripts/package-docker-dist.sh
+++ b/scripts/package-docker-dist.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+bundle_dir="${1:-${repo_root}/docker/distributable}"
+archive_path="${2:-${repo_root}/artifacts/attune-docker-dist.tar.gz}"
+
+template_dir="${repo_root}/docker/distributable"
+bundle_dir="$(realpath -m "${bundle_dir}")"
+archive_path="$(realpath -m "${archive_path}")"
+template_dir="$(realpath -m "${template_dir}")"
+
+mkdir -p "${bundle_dir}/docker" "${bundle_dir}/migrations" "${bundle_dir}/packs" "${bundle_dir}/scripts"
+mkdir -p "$(dirname "${archive_path}")"
+
+copy_file() {
+    local src="$1"
+    local dst="$2"
+    mkdir -p "$(dirname "${dst}")"
+    cp "${src}" "${dst}"
+}
+
+# Keep the distributable compose file, README, and config as the maintained templates.
+if [ "${bundle_dir}" != "${template_dir}" ]; then
+    copy_file "${template_dir}/docker-compose.yaml" "${bundle_dir}/docker-compose.yaml"
+    copy_file "${template_dir}/README.md" "${bundle_dir}/README.md"
+    copy_file "${template_dir}/config.docker.yaml" "${bundle_dir}/config.docker.yaml"
+fi
+
+copy_file "${repo_root}/docker/run-migrations.sh" "${bundle_dir}/docker/run-migrations.sh"
+copy_file "${repo_root}/docker/init-user.sh" "${bundle_dir}/docker/init-user.sh"
+copy_file "${repo_root}/docker/init-packs.sh" "${bundle_dir}/docker/init-packs.sh"
+copy_file "${repo_root}/docker/init-roles.sql" "${bundle_dir}/docker/init-roles.sql"
+copy_file "${repo_root}/docker/nginx.conf" "${bundle_dir}/docker/nginx.conf"
+copy_file "${repo_root}/docker/inject-env.sh" "${bundle_dir}/docker/inject-env.sh"
+copy_file "${repo_root}/scripts/load_core_pack.py" "${bundle_dir}/scripts/load_core_pack.py"
+
+rm -rf "${bundle_dir}/migrations" "${bundle_dir}/packs/core"
+mkdir -p "${bundle_dir}/migrations" "${bundle_dir}/packs"
+cp -R "${repo_root}/migrations/." "${bundle_dir}/migrations/"
+cp -R "${repo_root}/packs/core" "${bundle_dir}/packs/core"
+
+tar -C "$(dirname "${bundle_dir}")" -czf "${archive_path}" "$(basename "${bundle_dir}")"
+
+echo "Docker dist bundle refreshed at ${bundle_dir}"
+echo "Docker dist archive created at ${archive_path}"
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -3655,9 +3655,9 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -4337,9 +4337,9 @@
      }
    },
    "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "peer": true,
@@ -4609,9 +4609,9 @@
      }
    },
    "node_modules/vite/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "peer": true,