fixing docker compose distribution

fixing audit finding
2026-03-26 15:39:07 -05:00 · 2026-03-26 14:05:53 -05:00 · 2026-03-26 14:04:57 -05:00 · 2026-03-26 12:26:23 -05:00 · 2026-03-26 08:46:18 -05:00 · 2026-03-26 07:40:07 -05:00
83 changed files with 15505 additions and 152 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -19,7 +19,7 @@ env:
 jobs:
  rust-fmt:
    name: Rustfmt
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -45,7 +45,7 @@ jobs:
  rust-clippy:
    name: Clippy
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -91,7 +91,7 @@ jobs:
  rust-test:
    name: Tests
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -135,7 +135,7 @@ jobs:
  rust-audit:
    name: Cargo Audit & Deny
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -188,7 +188,7 @@ jobs:
  web-blocking:
    name: Web Blocking Checks
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    defaults:
      run:
        working-directory: web
@@ -217,7 +217,7 @@ jobs:
  security-blocking:
    name: Security Blocking Checks
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -250,7 +250,7 @@ jobs:
  web-advisory:
    name: Web Advisory Checks
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    continue-on-error: true
    defaults:
      run:
@@ -279,7 +279,7 @@ jobs:
  security-advisory:
    name: Security Advisory Checks
-    runs-on: ubuntu-latest
+    runs-on: build-amd64
    continue-on-error: true
    steps:
      - name: Checkout
--- a/.gitea/workflows/publish.yml
+++ b/.gitea/workflows/publish.yml
@@ -20,6 +20,7 @@ on:
          - executor
          - notifier
          - agent
          - docker-dist
          - web
        default: all
  push:
@@ -33,7 +34,9 @@ env:
  REGISTRY_HOST: ${{ vars.CLUSTER_GITEA_HOST }}
  REGISTRY_NAMESPACE: ${{ vars.CONTAINER_REGISTRY_NAMESPACE }}
  REGISTRY_PLAIN_HTTP: ${{ vars.CONTAINER_REGISTRY_INSECURE }}
-  ARTIFACT_REPOSITORY: attune-build-artifacts
+  REPOSITORY_NAME: attune
  ARTIFACT_REPOSITORY: attune/build-artifacts
  GNU_GLIBC_VERSION: "2.28"
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
@@ -133,9 +136,13 @@ jobs:
        include:
          - arch: amd64
            runner_label: build-amd64
            service_rust_target: x86_64-unknown-linux-gnu
            service_target: x86_64-unknown-linux-gnu.2.28
            musl_target: x86_64-unknown-linux-musl
          - arch: arm64
-            runner_label: build-arm64
+            runner_label: build-amd64
            service_rust_target: aarch64-unknown-linux-gnu
            service_target: aarch64-unknown-linux-gnu.2.28
            musl_target: aarch64-unknown-linux-musl
    steps:
      - name: Checkout
@@ -156,7 +163,9 @@ jobs:
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
-          targets: ${{ matrix.musl_target }}
+          targets: |
            ${{ matrix.service_rust_target }}
            ${{ matrix.musl_target }}
      - name: Cache Cargo registry + index
        uses: actions/cache@v4
@@ -184,22 +193,69 @@ jobs:
        run: |
          set -euo pipefail
          apt-get update
-          apt-get install -y pkg-config libssl-dev musl-tools file
+          apt-get install -y pkg-config libssl-dev file binutils python3 python3-pip
      - name: Install Zig
        shell: bash
        run: |
          set -euo pipefail
          pip3 install --break-system-packages --no-cache-dir ziglang
      - name: Install cargo-zigbuild
        shell: bash
        run: |
          set -euo pipefail
          if ! command -v cargo-zigbuild >/dev/null 2>&1; then
            cargo install --locked cargo-zigbuild
          fi
      - name: Build release binaries
        shell: bash
        run: |
          set -euo pipefail
-          cargo build --release \
+          cargo zigbuild --release \
            --target "${{ matrix.service_target }}" \
            --bin attune-api \
            --bin attune-executor \
            --bin attune-notifier
      - name: Verify minimum glibc requirement
        shell: bash
        run: |
          set -euo pipefail
          output_dir="target/${{ matrix.service_rust_target }}/release"
          get_min_glibc() {
            local file_path="$1"
            readelf -W --version-info --dyn-syms "$file_path" \
              | grep 'Name: GLIBC_' \
              | sed -E 's/.*GLIBC_([0-9.]+).*/\1/' \
              | sort -t . -k1,1n -k2,2n \
              | tail -n 1
          }
          version_gt() {
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ] && [ "$1" != "$2" ]
          }
          for binary in attune-api attune-executor attune-notifier; do
            min_glibc="$(get_min_glibc "${output_dir}/${binary}")"
            if [ -z "${min_glibc}" ]; then
              echo "Failed to determine glibc requirement for ${binary}"
              exit 1
            fi
            echo "${binary} requires glibc ${min_glibc}"
            if version_gt "${min_glibc}" "${GNU_GLIBC_VERSION}"; then
              echo "Expected ${binary} to require glibc <= ${GNU_GLIBC_VERSION}, got ${min_glibc}"
              exit 1
            fi
          done
      - name: Build static agent binaries
        shell: bash
        run: |
          set -euo pipefail
-          cargo build --release \
+          cargo zigbuild --release \
            --target "${{ matrix.musl_target }}" \
            --bin attune-agent \
            --bin attune-sensor-agent
@@ -210,11 +266,12 @@ jobs:
          set -euo pipefail
          bundle_root="dist/bundle/${{ matrix.arch }}"
          service_output_dir="target/${{ matrix.service_rust_target }}/release"
          mkdir -p "$bundle_root/bin" "$bundle_root/agent"
-          cp target/release/attune-api "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-api" "$bundle_root/bin/"
-          cp target/release/attune-executor "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-executor" "$bundle_root/bin/"
-          cp target/release/attune-notifier "$bundle_root/bin/"
+          cp "${service_output_dir}/attune-notifier" "$bundle_root/bin/"
          cp target/${{ matrix.musl_target }}/release/attune-agent "$bundle_root/agent/"
          cp target/${{ matrix.musl_target }}/release/attune-sensor-agent "$bundle_root/agent/"
@@ -263,16 +320,187 @@ jobs:
        run: |
          set -euo pipefail
          push_args=()
          artifact_file="attune-binaries-${{ matrix.arch }}.tar.gz"
          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
            push_args+=(--plain-http)
          fi
          cp "dist/${artifact_file}" "${artifact_file}"
          oras push \
            "${push_args[@]}" \
            "${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}" \
            --artifact-type application/vnd.attune.rust-binaries.v1 \
-            "dist/attune-binaries-${{ matrix.arch }}.tar.gz:application/vnd.attune.rust-binaries.layer.v1.tar+gzip"
+            "${artifact_file}:application/vnd.attune.rust-binaries.layer.v1.tar+gzip"
      - name: Link binary bundle package to repository
        shell: bash
        env:
          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          api_base="${{ github.server_url }}/api/v1"
          package_name="${ARTIFACT_REPOSITORY}"
          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
          case "${status_code}" in
            200|201|204|409)
              ;;
            400|404)
              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
              cat /tmp/package-link-response.txt
              ;;
            *)
              cat /tmp/package-link-response.txt
              exit 1
              ;;
          esac
  publish-docker-dist:
    name: Publish Docker Dist Bundle
    runs-on: build-amd64
    needs: metadata
    if: |
      github.event_name != 'workflow_dispatch' ||
      inputs.target_image == 'all' ||
      inputs.target_image == 'docker-dist'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build docker dist bundle
        shell: bash
        run: |
          set -euo pipefail
          bash scripts/package-docker-dist.sh docker/distributable artifacts/attune-docker-dist.tar.gz
      - name: Upload docker dist archive
        uses: actions/upload-artifact@v4
        with:
          name: attune-docker-dist-${{ needs.metadata.outputs.image_tag }}
          path: artifacts/attune-docker-dist.tar.gz
          if-no-files-found: error
      - name: Attach docker dist archive to release
        if: github.ref_type == 'tag'
        shell: bash
        env:
          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          if [ -z "${REGISTRY_USERNAME:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
            echo "CONTAINER_REGISTRY_USERNAME and CONTAINER_REGISTRY_PASSWORD are required to attach the docker dist archive to a release"
            exit 1
          fi
          api_base="${{ github.server_url }}/api/v1"
          owner_repo="${{ github.repository }}"
          tag_name="${{ github.ref_name }}"
          archive_path="artifacts/attune-docker-dist.tar.gz"
          asset_name="attune-docker-dist-${tag_name}.tar.gz"
          release_response_file="$(mktemp)"
          status_code="$(curl -sS -o "${release_response_file}" -w '%{http_code}' \
            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
            "${api_base}/repos/${owner_repo}/releases/tags/${tag_name}")"
          if [ "${status_code}" = "404" ]; then
            create_payload="$(TAG_NAME="${tag_name}" python3 - <<'PY'
            import json
            import os
            tag = os.environ["TAG_NAME"]
            print(json.dumps({
                "tag_name": tag,
                "name": tag,
                "draft": False,
                "prerelease": "-" in tag,
            }))
            PY
            )"
            status_code="$(curl -sS -o "${release_response_file}" -w '%{http_code}' \
              -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
              -H "Content-Type: application/json" \
              -X POST \
              -d "${create_payload}" \
              "${api_base}/repos/${owner_repo}/releases")"
          fi
          case "${status_code}" in
            200|201)
              ;;
            *)
              echo "Failed to fetch or create release for tag ${tag_name}"
              cat "${release_response_file}"
              exit 1
              ;;
          esac
          release_id="$(python3 - "${release_response_file}" <<'PY'
          import json
          import sys
          with open(sys.argv[1], "r", encoding="utf-8") as fh:
              data = json.load(fh)
          print(data["id"])
          PY
          )"
          existing_asset_id="$(python3 - "${release_response_file}" "${asset_name}" <<'PY'
          import json
          import sys
          with open(sys.argv[1], "r", encoding="utf-8") as fh:
              data = json.load(fh)
          name = sys.argv[2]
          for asset in data.get("assets", []):
              if asset.get("name") == name:
                  print(asset["id"])
                  break
          PY
          )"
          if [ -n "${existing_asset_id}" ]; then
            curl -sS \
              -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
              -X DELETE \
              "${api_base}/repos/${owner_repo}/releases/${release_id}/assets/${existing_asset_id}" \
              >/dev/null
          fi
          encoded_asset_name="$(ASSET_NAME="${asset_name}" python3 - <<'PY'
          import os
          import urllib.parse
          print(urllib.parse.quote(os.environ["ASSET_NAME"], safe=""))
          PY
          )"
          upload_response_file="$(mktemp)"
          status_code="$(curl -sS -o "${upload_response_file}" -w '%{http_code}' \
            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
            -H "Content-Type: application/gzip" \
            --data-binary "@${archive_path}" \
            "${api_base}/repos/${owner_repo}/releases/${release_id}/assets?name=${encoded_asset_name}")"
          case "${status_code}" in
            201)
              ;;
            *)
              echo "Failed to upload release asset ${asset_name}"
              cat "${upload_response_file}"
              exit 1
              ;;
          esac
  publish-rust-images:
    name: Publish ${{ matrix.image.name }} (${{ matrix.arch }})
@@ -296,7 +524,7 @@ jobs:
            platform: linux/amd64
            image:
              name: api
-              repository: attune-api
+              repository: attune/api
              source_path: bin/attune-api
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -304,7 +532,7 @@ jobs:
            platform: linux/amd64
            image:
              name: executor
-              repository: attune-executor
+              repository: attune/executor
              source_path: bin/attune-executor
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -312,7 +540,7 @@ jobs:
            platform: linux/amd64
            image:
              name: notifier
-              repository: attune-notifier
+              repository: attune/notifier
              source_path: bin/attune-notifier
              dockerfile: docker/Dockerfile.runtime
          - arch: amd64
@@ -320,7 +548,7 @@ jobs:
            platform: linux/amd64
            image:
              name: agent
-              repository: attune-agent
+              repository: attune/agent
              source_path: agent/attune-agent
              dockerfile: docker/Dockerfile.agent-package
          - arch: arm64
@@ -328,7 +556,7 @@ jobs:
            platform: linux/arm64
            image:
              name: api
-              repository: attune-api
+              repository: attune/api
              source_path: bin/attune-api
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -336,7 +564,7 @@ jobs:
            platform: linux/arm64
            image:
              name: executor
-              repository: attune-executor
+              repository: attune/executor
              source_path: bin/attune-executor
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -344,7 +572,7 @@ jobs:
            platform: linux/arm64
            image:
              name: notifier
-              repository: attune-notifier
+              repository: attune/notifier
              source_path: bin/attune-notifier
              dockerfile: docker/Dockerfile.runtime
          - arch: arm64
@@ -352,7 +580,7 @@ jobs:
            platform: linux/arm64
            image:
              name: agent
-              repository: attune-agent
+              repository: attune/agent
              source_path: agent/attune-agent
              dockerfile: docker/Dockerfile.agent-package
    steps:
@@ -419,17 +647,23 @@ jobs:
        run: |
          set -euo pipefail
          pull_args=()
          artifact_ref="${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
            pull_args+=(--plain-http)
          fi
          echo "Pulling binary bundle artifact"
          echo "  ref: ${artifact_ref}"
          echo "  arch: ${{ matrix.arch }}"
          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
          mkdir -p dist/artifact
          cd dist/artifact
          oras pull \
            "${pull_args[@]}" \
-            "${{ needs.metadata.outputs.artifact_ref_base }}:rust-binaries-${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
+            "${artifact_ref}"
          tar -xzf "attune-binaries-${{ matrix.arch }}.tar.gz"
@@ -440,6 +674,12 @@ jobs:
          rm -rf dist/image
          mkdir -p dist/image
          echo "Preparing packaging context"
          echo "  image: ${{ matrix.image.name }}"
          echo "  repository: ${{ matrix.image.repository }}"
          echo "  source_path: ${{ matrix.image.source_path }}"
          echo "  dockerfile: ${{ matrix.image.dockerfile }}"
          case "${{ matrix.image.name }}" in
            api|executor|notifier)
              cp "dist/artifact/${{ matrix.image.source_path }}" dist/attune-service-binary
@@ -459,6 +699,29 @@ jobs:
        run: |
          set -euo pipefail
          run_with_retries() {
            local max_attempts="$1"
            local delay_seconds="$2"
            shift 2
            local attempt=1
            while true; do
              if "$@"; then
                return 0
              fi
              if [ "$attempt" -ge "$max_attempts" ]; then
                echo "Command failed after ${attempt} attempts: $*"
                return 1
              fi
              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
              echo "Retrying in ${delay_seconds}s..."
              sleep "$delay_seconds"
              attempt=$((attempt + 1))
            done
          }
          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/${{ matrix.image.repository }}:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
          build_cmd=(
@@ -474,7 +737,43 @@ jobs:
            build_cmd+=(--tag "$image_ref" --push)
          fi
-          "${build_cmd[@]}"
+          echo "Publishing architecture image"
          echo "  image: ${{ matrix.image.name }}"
          echo "  repository: ${{ matrix.image.repository }}"
          echo "  platform: ${{ matrix.platform }}"
          echo "  dockerfile: ${{ matrix.image.dockerfile }}"
          echo "  destination: ${image_ref}"
          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
          run_with_retries 3 5 "${build_cmd[@]}"
      - name: Link container package to repository
        shell: bash
        env:
          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          api_base="${{ github.server_url }}/api/v1"
          package_name="${{ matrix.image.repository }}"
          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
          case "${status_code}" in
            200|201|204|409)
              ;;
            400|404)
              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
              cat /tmp/package-link-response.txt
              ;;
            *)
              cat /tmp/package-link-response.txt
              exit 1
              ;;
          esac
  publish-web-images:
    name: Publish web (${{ matrix.arch }})
@@ -548,13 +847,38 @@ jobs:
        run: |
          set -euo pipefail
-          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/attune-web:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
+          run_with_retries() {
            local max_attempts="$1"
            local delay_seconds="$2"
            shift 2
            local attempt=1
            while true; do
              if "$@"; then
                return 0
              fi
              if [ "$attempt" -ge "$max_attempts" ]; then
                echo "Command failed after ${attempt} attempts: $*"
                return 1
              fi
              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
              echo "Retrying in ${delay_seconds}s..."
              sleep "$delay_seconds"
              attempt=$((attempt + 1))
            done
          }
          image_ref="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/attune/web:${{ needs.metadata.outputs.image_tag }}-${{ matrix.arch }}"
          build_cmd=(
            docker buildx build
            .
            --platform "${{ matrix.platform }}"
            --file docker/Dockerfile.web
            --provenance=false
            --sbom=false
          )
          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
@@ -563,7 +887,43 @@ jobs:
            build_cmd+=(--tag "$image_ref" --push)
          fi
-          "${build_cmd[@]}"
+          echo "Publishing architecture image"
          echo "  image: web"
          echo "  repository: attune/web"
          echo "  platform: ${{ matrix.platform }}"
          echo "  dockerfile: docker/Dockerfile.web"
          echo "  destination: ${image_ref}"
          echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
          run_with_retries 3 5 "${build_cmd[@]}"
      - name: Link web container package to repository
        shell: bash
        env:
          REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          api_base="${{ github.server_url }}/api/v1"
          package_name="attune/web"
          encoded_package_name="$(PACKAGE_NAME="${package_name}" python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["PACKAGE_NAME"], safe=""))')"
          status_code="$(curl -sS -o /tmp/package-link-response.txt -w '%{http_code}' -X POST \
            -u "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" \
            "${api_base}/packages/${{ needs.metadata.outputs.namespace }}/container/${encoded_package_name}/-/link/${REPOSITORY_NAME}")"
          case "${status_code}" in
            200|201|204|409)
              ;;
            400|404)
              echo "Package link unsupported for package '${package_name}' on this Gitea endpoint; continuing"
              cat /tmp/package-link-response.txt
              ;;
            *)
              cat /tmp/package-link-response.txt
              exit 1
              ;;
          esac
  publish-manifests:
    name: Publish manifest ${{ matrix.repository }}
@@ -579,12 +939,25 @@ jobs:
      fail-fast: false
      matrix:
        repository:
-          - attune-api
+          - attune/api
-          - attune-executor
+          - attune/executor
-          - attune-notifier
+          - attune/notifier
-          - attune-agent
+          - attune/agent
-          - attune-web
+          - attune/web
    steps:
      - name: Setup Docker Buildx
        if: needs.metadata.outputs.registry_plain_http != 'true'
        uses: docker/setup-buildx-action@v3
      - name: Setup Docker Buildx For Plain HTTP Registry
        if: needs.metadata.outputs.registry_plain_http == 'true'
        uses: docker/setup-buildx-action@v3
        with:
          buildkitd-config-inline: |
            [registry."${{ needs.metadata.outputs.registry }}"]
              http = true
              insecure = true
      - name: Configure OCI registry auth
        shell: bash
        env:
@@ -619,10 +992,35 @@ jobs:
        run: |
          set -euo pipefail
          run_with_retries() {
            local max_attempts="$1"
            local delay_seconds="$2"
            shift 2
            local attempt=1
            while true; do
              if "$@"; then
                return 0
              fi
              if [ "$attempt" -ge "$max_attempts" ]; then
                echo "Command failed after ${attempt} attempts: $*"
                return 1
              fi
              echo "Command failed on attempt ${attempt}/${max_attempts}: $*"
              echo "Retrying in ${delay_seconds}s..."
              sleep "$delay_seconds"
              attempt=$((attempt + 1))
            done
          }
          image_base="${{ needs.metadata.outputs.registry }}/${{ needs.metadata.outputs.namespace }}/${{ matrix.repository }}"
          create_args=()
          push_args=()
          if [ "${{ needs.metadata.outputs.registry_plain_http }}" = "true" ]; then
            create_args+=(--insecure)
            push_args+=(--insecure)
          fi
@@ -632,9 +1030,33 @@ jobs:
            amd64_ref="${image_base}:${{ needs.metadata.outputs.image_tag }}-amd64"
            arm64_ref="${image_base}:${{ needs.metadata.outputs.image_tag }}-arm64"
-            docker manifest rm "$manifest_ref" >/dev/null 2>&1 || true
+            if [ "${{ matrix.repository }}" = "attune/web" ]; then
-            docker manifest create "$manifest_ref" "$amd64_ref" "$arm64_ref"
+              echo "Publishing multi-arch manifest with docker manifest"
-            docker manifest annotate "$manifest_ref" "$amd64_ref" --os linux --arch amd64
+              echo "  repository: ${{ matrix.repository }}"
-            docker manifest annotate "$manifest_ref" "$arm64_ref" --os linux --arch arm64
+              echo "  manifest_tag: ${tag}"
-            docker manifest push "${push_args[@]}" "$manifest_ref"
+              echo "  manifest_ref: ${manifest_ref}"
              echo "  source_amd64: ${amd64_ref}"
              echo "  source_arm64: ${arm64_ref}"
              echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
              docker manifest rm "$manifest_ref" >/dev/null 2>&1 || true
              run_with_retries 3 5 \
                docker manifest create "${create_args[@]}" "$manifest_ref" "$amd64_ref" "$arm64_ref"
              docker manifest annotate "$manifest_ref" "$amd64_ref" --os linux --arch amd64
              docker manifest annotate "$manifest_ref" "$arm64_ref" --os linux --arch arm64
              run_with_retries 3 5 \
                docker manifest push "${push_args[@]}" "$manifest_ref"
            else
              echo "Publishing multi-arch manifest with buildx imagetools"
              echo "  repository: ${{ matrix.repository }}"
              echo "  manifest_tag: ${tag}"
              echo "  manifest_ref: ${manifest_ref}"
              echo "  source_amd64: ${amd64_ref}"
              echo "  source_arm64: ${arm64_ref}"
              echo "  plain_http: ${{ needs.metadata.outputs.registry_plain_http }}"
              run_with_retries 3 5 \
                docker buildx imagetools create \
                --tag "$manifest_ref" \
                "$amd64_ref" \
                "$arm64_ref"
            fi
          done
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ target/
 # Configuration files (keep *.example.yaml)
 config.yaml
 config.*.yaml
 !docker/distributable/config.docker.yaml
 !config.example.yaml
 !config.development.yaml
 !config.test.yaml
@@ -35,6 +36,7 @@ logs/
 # Build artifacts
 dist/
 build/
 artifacts/
 # Testing
 coverage/
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2150,21 +2150,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 [[package]]
 name = "foreign-types"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
 dependencies = [
 "foreign-types-shared",
 ]
 [[package]]
 name = "foreign-types-shared"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -3065,15 +3050,17 @@ dependencies = [
 "futures-util",
 "lber",
 "log",
 "native-tls",
 "nom 7.1.3",
 "percent-encoding",
 "rustls",
 "rustls-native-certs",
 "thiserror 2.0.18",
 "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
 "tokio-stream",
 "tokio-util",
 "url",
 "x509-parser",
 ]
 [[package]]
@@ -3314,23 +3301,6 @@ dependencies = [
 "version_check",
 ]
 [[package]]
 name = "native-tls"
 version = "0.2.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
 dependencies = [
 "libc",
 "log",
 "openssl",
 "openssl-probe",
 "openssl-sys",
 "schannel",
 "security-framework",
 "security-framework-sys",
 "tempfile",
 ]
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3576,50 +3546,12 @@ dependencies = [
 "url",
 ]
 [[package]]
 name = "openssl"
 version = "0.10.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
 dependencies = [
 "bitflags",
 "cfg-if",
 "foreign-types",
 "libc",
 "once_cell",
 "openssl-macros",
 "openssl-sys",
 ]
 [[package]]
 name = "openssl-macros"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 [[package]]
 name = "openssl-sys"
 version = "0.9.112"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
 dependencies = [
 "cc",
 "libc",
 "pkg-config",
 "vcpkg",
 ]
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@@ -4642,6 +4574,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
 "aws-lc-rs",
 "log",
 "once_cell",
 "ring",
 "rustls-pki-types",
@@ -5698,16 +5631,6 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "tokio-native-tls"
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
 dependencies = [
 "native-tls",
 "tokio",
 ]
 [[package]]
 name = "tokio-rustls"
 version = "0.26.4"
@@ -5749,9 +5672,11 @@ checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857"
 dependencies = [
 "futures-util",
 "log",
- "native-tls",
+ "rustls",
 "rustls-native-certs",
 "rustls-pki-types",
 "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
 "tungstenite",
 ]
@@ -5938,8 +5863,9 @@ dependencies = [
 "http",
 "httparse",
 "log",
 "native-tls",
 "rand 0.9.2",
 "rustls",
 "rustls-pki-types",
 "sha1",
 "thiserror 2.0.18",
 "utf-8",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -101,7 +101,7 @@ tar = "0.4"
 flate2 = "1.1"
 # WebSocket client
-tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.28", features = ["rustls-tls-native-roots"] }
 # URL parsing
 url = "2.5"
--- a/20
+++ b/20
@@ -238,22 +238,24 @@ docker-build-web:
 	docker compose build web
 # Agent binary (statically-linked for injection into any container)
 AGENT_RUST_TARGET ?= x86_64-unknown-linux-musl
 build-agent:
 	@echo "Installing musl target (if not already installed)..."
-	rustup target add x86_64-unknown-linux-musl 2>/dev/null || true
+	rustup target add $(AGENT_RUST_TARGET) 2>/dev/null || true
 	@echo "Building statically-linked worker and sensor agent binaries..."
-	SQLX_OFFLINE=true cargo build --release --target x86_64-unknown-linux-musl --bin attune-agent --bin attune-sensor-agent
+	SQLX_OFFLINE=true cargo build --release --target $(AGENT_RUST_TARGET) --bin attune-agent --bin attune-sensor-agent
-	strip target/x86_64-unknown-linux-musl/release/attune-agent
+	strip target/$(AGENT_RUST_TARGET)/release/attune-agent
-	strip target/x86_64-unknown-linux-musl/release/attune-sensor-agent
+	strip target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent
 	@echo "✅ Agent binaries built:"
-	@echo "   - target/x86_64-unknown-linux-musl/release/attune-agent"
+	@echo "   - target/$(AGENT_RUST_TARGET)/release/attune-agent"
-	@echo "   - target/x86_64-unknown-linux-musl/release/attune-sensor-agent"
+	@echo "   - target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent"
-	@ls -lh target/x86_64-unknown-linux-musl/release/attune-agent
+	@ls -lh target/$(AGENT_RUST_TARGET)/release/attune-agent
-	@ls -lh target/x86_64-unknown-linux-musl/release/attune-sensor-agent
+	@ls -lh target/$(AGENT_RUST_TARGET)/release/attune-sensor-agent
 docker-build-agent:
 	@echo "Building agent Docker image (statically-linked binary)..."
-	DOCKER_BUILDKIT=1 docker buildx build --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
+	DOCKER_BUILDKIT=1 docker buildx build --build-arg RUST_TARGET=$(AGENT_RUST_TARGET) --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
 	@echo "✅ Agent image built: attune-agent:latest"
 run-agent:
--- a/crates/api/Cargo.toml
+++ b/crates/api/Cargo.toml
@@ -70,7 +70,7 @@ jsonschema = { workspace = true }
 # HTTP client
 reqwest = { workspace = true }
 openidconnect = "4.0"
-ldap3 = "0.12"
+ldap3 = { version = "0.12", default-features = false, features = ["sync", "tls-rustls-ring"] }
 url = { workspace = true }
 # Archive/compression
--- a/crates/common/src/repositories/runtime.rs
+++ b/crates/common/src/repositories/runtime.rs
@@ -237,7 +237,7 @@ impl Update for RuntimeRepository {
        query.push(", updated = NOW() WHERE id = ");
        query.push_bind(id);
-        query.push(&format!(" RETURNING {}", SELECT_COLUMNS));
+        query.push(format!(" RETURNING {}", SELECT_COLUMNS));
        let runtime = query
            .build_query_as::<Runtime>()
--- a/crates/worker/src/registration.rs
+++ b/crates/worker/src/registration.rs
@@ -452,7 +452,7 @@ mod tests {
    #[test]
    fn test_detected_runtimes_json_structure() {
        // Test the JSON structure that set_detected_runtimes builds
-        let runtimes = vec![
+        let runtimes = [
            DetectedRuntime {
                name: "python".to_string(),
                path: "/usr/bin/python3".to_string(),
--- a/docker/Dockerfile.agent
+++ b/docker/Dockerfile.agent
@@ -28,12 +28,15 @@
 ARG RUST_VERSION=1.92
 ARG DEBIAN_VERSION=bookworm
 ARG RUST_TARGET=x86_64-unknown-linux-musl
 # ============================================================================
 # Stage 1: Builder - Cross-compile a statically-linked binary with musl
 # ============================================================================
 FROM rust:${RUST_VERSION}-${DEBIAN_VERSION} AS builder
 ARG RUST_TARGET
 # Install musl toolchain for static linking
 RUN apt-get update && apt-get install -y \
    musl-tools \
@@ -42,8 +45,8 @@ RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
-# Add the musl target for fully static binaries
+# Add the requested musl target for fully static binaries
-RUN rustup target add x86_64-unknown-linux-musl
+RUN rustup target add ${RUST_TARGET}
 WORKDIR /build
@@ -104,9 +107,9 @@ COPY crates/ ./crates/
 RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=shared \
    --mount=type=cache,target=/usr/local/cargo/git,sharing=shared \
    --mount=type=cache,id=agent-target,target=/build/target,sharing=locked \
-    cargo build --release --target x86_64-unknown-linux-musl --bin attune-agent --bin attune-sensor-agent && \
+    cargo build --release --target ${RUST_TARGET} --bin attune-agent --bin attune-sensor-agent && \
-    cp /build/target/x86_64-unknown-linux-musl/release/attune-agent /build/attune-agent && \
+    cp /build/target/${RUST_TARGET}/release/attune-agent /build/attune-agent && \
-    cp /build/target/x86_64-unknown-linux-musl/release/attune-sensor-agent /build/attune-sensor-agent
+    cp /build/target/${RUST_TARGET}/release/attune-sensor-agent /build/attune-sensor-agent
 # Strip the binaries to minimize size
 RUN strip /build/attune-agent && strip /build/attune-sensor-agent
--- a/docker/distributable/README.md
+++ b/docker/distributable/README.md
@@ -0,0 +1,64 @@
 # Attune Docker Dist Bundle
 This directory is a distributable Docker bundle built from the main workspace compose setup.
 It is designed to run Attune without building the Rust services locally:
 - `api`, `executor`, `notifier`, `agent`, and `web` pull published images
 - database bootstrap, user bootstrap, and pack loading run from local scripts shipped in this bundle
 - workers and sensor still use stock runtime images plus the published injected agent binaries
 ## Registry Defaults
 The compose file defaults to:
 - registry: `git.rdrx.app/attune-system`
 - tag: `latest`
 Override them with env vars:
 ```bash
 export ATTUNE_IMAGE_REGISTRY=git.rdrx.app/attune-system
 export ATTUNE_IMAGE_TAG=latest
 ```
 If the registry requires auth:
 ```bash
 docker login git.rdrx.app
 ```
 ## Run
 From this directory:
 ```bash
 docker compose up -d
 ```
 Or with an explicit tag:
 ```bash
 ATTUNE_IMAGE_TAG=sha-xxxxxxxxxxxx docker compose up -d
 ```
 ## Rebuild Bundle
 Refresh this bundle and create a tarball from the workspace root:
 ```bash
 bash scripts/package-docker-dist.sh
 ```
 ## Included Assets
 - `docker-compose.yaml` - published-image compose stack
 - `config.docker.yaml` - container config mounted into services
 - `docker/` - init scripts and SQL helpers
 - `migrations/` - schema migrations for the bootstrap job
 - `packs/core/` - builtin core pack content
 - `scripts/load_core_pack.py` - pack loader used by `init-packs`
 ## Current Limitation
 The publish workflow does not currently publish dedicated worker or sensor runtime images. This bundle therefore keeps using stock runtime images with the published `attune/agent` image for injection.
--- a/docker/distributable/config.docker.yaml
+++ b/docker/distributable/config.docker.yaml
@@ -0,0 +1,159 @@
 # Attune Docker Environment Configuration
 # This file overrides base config.yaml settings for Docker deployments
 environment: docker
 # Docker database (PostgreSQL container)
 database:
  url: postgresql://attune:attune@postgres:5432/attune
  max_connections: 20
  min_connections: 5
  acquire_timeout: 30
  idle_timeout: 600
  max_lifetime: 1800
  log_statements: false
  schema: "attune"
 # Docker message queue (RabbitMQ container)
 message_queue:
  url: amqp://attune:attune@rabbitmq:5672
  connection_timeout: 30
  heartbeat: 60
  prefetch_count: 10
  rabbitmq:
    worker_queue_ttl_ms: 300000 # 5 minutes - expire unprocessed executions
    dead_letter:
      enabled: true
      exchange: attune.dlx
      ttl_ms: 86400000 # 24 hours - retain DLQ messages for debugging
 # Docker cache (Redis container - optional)
 cache:
  enabled: true
  url: redis://redis:6379
  connection_timeout: 5
  default_ttl: 3600
 # API server configuration
 server:
  host: 0.0.0.0
  port: 8080
  cors_origins:
    - http://localhost
    - http://localhost:3000
    - http://localhost:3001
    - http://localhost:3002
    - http://localhost:5173
    - http://127.0.0.1:3000
    - http://127.0.0.1:3001
    - http://127.0.0.1:3002
    - http://127.0.0.1:5173
    - http://web
  request_timeout: 60
  max_request_size: 10485760 # 10MB
 # Logging configuration
 log:
  level: info
  format: json # Structured logs for container environments
  console: true
 # Security settings (MUST override via environment variables in production)
 security:
  jwt_secret: ${JWT_SECRET}
  jwt_access_expiration: 3600 # 1 hour
  jwt_refresh_expiration: 604800 # 7 days
  encryption_key: ${ENCRYPTION_KEY}
  enable_auth: true
  allow_self_registration: false
  login_page:
    show_local_login: true
    show_oidc_login: true
  oidc:
    # example local dev
    enabled: false
    discovery_url: https://my.sso.provider.com/.well-known/openid-configuration
    client_id: 31d194737840d32bd3afe6474826976bae346d77247a158c4dc43887278eb605
    client_secret: xL2C9WOC8shZ2QrZs9VFa10JK1Ob95xcMtZU3N86H1Pz0my5
    provider_name: my-sso-provider
    provider_label: My SSO Provider
    provider_icon_url: https://my.sso.provider.com/favicon.ico
    redirect_uri: http://localhost:3000/auth/callback
    post_logout_redirect_uri: http://localhost:3000/login
    scopes:
      - groups
 # Packs directory (mounted volume in containers)
 packs_base_dir: /opt/attune/packs
 # Runtime environments directory (isolated envs like virtualenvs, node_modules).
 # Kept separate from packs so pack directories remain clean and read-only.
 # Pattern: {runtime_envs_dir}/{pack_ref}/{runtime_name}
 runtime_envs_dir: /opt/attune/runtime_envs
 # Artifacts directory (shared volume for file-based artifact storage).
 # File-type artifacts are written here by execution processes and served by the API.
 # Pattern: {artifacts_dir}/{ref_slug}/v{version}.{ext}
 artifacts_dir: /opt/attune/artifacts
 # Executor service configuration
 executor:
  service_name: attune-executor
  max_concurrent_executions: 50
  heartbeat_interval: 30
  task_timeout: 300
  cleanup_interval: 120
  scheduling_interval: 5
  retry_max_attempts: 3
  retry_backoff_multiplier: 2.0
  retry_backoff_max: 300
  scheduled_timeout: 300 # 5 minutes - fail executions stuck in SCHEDULED
  timeout_check_interval: 60 # Check every minute for stale executions
  enable_timeout_monitor: true
 # Worker service configuration
 worker:
  service_name: attune-worker
  worker_type: container
  max_concurrent_tasks: 20
  heartbeat_interval: 10 # Reduced from 30s for faster stale detection (staleness = 30s)
  task_timeout: 300
  cleanup_interval: 120
  work_dir: /tmp/attune-worker
  python:
    executable: python3
    venv_dir: /tmp/attune-worker/venvs
    requirements_timeout: 300
  nodejs:
    executable: node
    npm_executable: npm
    modules_dir: /tmp/attune-worker/node_modules
    install_timeout: 300
  shell:
    executable: /bin/bash
    allowed_shells:
      - /bin/bash
      - /bin/sh
 # Sensor service configuration
 sensor:
  service_name: attune-sensor
  heartbeat_interval: 10 # Reduced from 30s for faster stale detection
  max_concurrent_sensors: 50
  sensor_timeout: 300
  polling_interval: 10
  cleanup_interval: 120
 # Notifier service configuration
 notifier:
  service_name: attune-notifier
  websocket_host: 0.0.0.0
  websocket_port: 8081
  heartbeat_interval: 30
  connection_timeout: 60
  max_connections: 1000
  message_buffer_size: 10000
 # Agent binary distribution (serves the agent binary via API for remote downloads)
 agent:
  binary_dir: /opt/attune/agent
--- a/docker/distributable/docker-compose.yaml
+++ b/docker/distributable/docker-compose.yaml
@@ -0,0 +1,581 @@
 name: attune
 services:
  postgres:
    image: timescale/timescaledb:2.17.2-pg16
    container_name: attune-postgres
    environment:
      POSTGRES_USER: attune
      POSTGRES_PASSWORD: attune
      POSTGRES_DB: attune
      PGDATA: /var/lib/postgresql/data/pgdata
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U attune"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - attune-network
    restart: unless-stopped
  migrations:
    image: postgres:16-alpine
    container_name: attune-migrations
    volumes:
      - ./migrations:/migrations:ro
      - ./docker/run-migrations.sh:/run-migrations.sh:ro
      - ./docker/init-roles.sql:/docker/init-roles.sql:ro
    environment:
      DB_HOST: postgres
      DB_PORT: 5432
      DB_USER: attune
      DB_PASSWORD: attune
      DB_NAME: attune
      MIGRATIONS_DIR: /migrations
    command: ["/bin/sh", "/run-migrations.sh"]
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - attune-network
    restart: on-failure
  init-user:
    image: postgres:16-alpine
    container_name: attune-init-user
    volumes:
      - ./docker/init-user.sh:/init-user.sh:ro
    environment:
      DB_HOST: postgres
      DB_PORT: 5432
      DB_USER: attune
      DB_PASSWORD: attune
      DB_NAME: attune
      DB_SCHEMA: public
      TEST_LOGIN: ${ATTUNE_TEST_LOGIN:-test@attune.local}
      TEST_PASSWORD: ${ATTUNE_TEST_PASSWORD:-TestPass123!}
      TEST_DISPLAY_NAME: ${ATTUNE_TEST_DISPLAY_NAME:-Test User}
    command: ["/bin/sh", "/init-user.sh"]
    depends_on:
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    networks:
      - attune-network
    restart: on-failure
  init-packs:
    image: python:3.11-slim
    container_name: attune-init-packs
    volumes:
      - ./packs:/source/packs:ro
      - ./scripts/load_core_pack.py:/scripts/load_core_pack.py:ro
      - ./docker/init-packs.sh:/init-packs.sh:ro
      - packs_data:/opt/attune/packs
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
    environment:
      DB_HOST: postgres
      DB_PORT: 5432
      DB_USER: attune
      DB_PASSWORD: attune
      DB_NAME: attune
      DB_SCHEMA: public
      SOURCE_PACKS_DIR: /source/packs
      TARGET_PACKS_DIR: /opt/attune/packs
      LOADER_SCRIPT: /scripts/load_core_pack.py
      DEFAULT_ADMIN_LOGIN: ${ATTUNE_TEST_LOGIN:-test@attune.local}
      DEFAULT_ADMIN_PERMISSION_SET_REF: core.admin
    command: ["/bin/sh", "/init-packs.sh"]
    depends_on:
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    networks:
      - attune-network
    restart: on-failure
    entrypoint: ""
  init-agent:
    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/agent:${ATTUNE_IMAGE_TAG:-latest}
    container_name: attune-init-agent
    volumes:
      - agent_bin:/opt/attune/agent
    entrypoint:
      [
        "/bin/sh",
        "-c",
        "cp /usr/local/bin/attune-agent /opt/attune/agent/attune-agent && cp /usr/local/bin/attune-sensor-agent /opt/attune/agent/attune-sensor-agent && chmod +x /opt/attune/agent/attune-agent /opt/attune/agent/attune-sensor-agent && /usr/local/bin/attune-agent --version > /opt/attune/agent/attune-agent.version && /usr/local/bin/attune-sensor-agent --version > /opt/attune/agent/attune-sensor-agent.version && echo 'Agent binaries copied successfully'",
      ]
    restart: "no"
    networks:
      - attune-network
  rabbitmq:
    image: rabbitmq:3.13-management-alpine
    container_name: attune-rabbitmq
    environment:
      RABBITMQ_DEFAULT_USER: attune
      RABBITMQ_DEFAULT_PASS: attune
      RABBITMQ_DEFAULT_VHOST: /
    ports:
      - "5672:5672"
      - "15672:15672"
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq
    healthcheck:
      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - attune-network
    restart: unless-stopped
  redis:
    image: redis:7-alpine
    container_name: attune-redis
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - attune-network
    restart: unless-stopped
    command: redis-server --appendonly yes
  api:
    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/api:${ATTUNE_IMAGE_TAG:-latest}
    container_name: attune-api
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE__CACHE__URL: redis://redis:6379
      ATTUNE__WORKER__WORKER_TYPE: container
    ports:
      - "8080:8080"
    volumes:
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:rw
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
      - api_logs:/opt/attune/logs
      - agent_bin:/opt/attune/agent:ro
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  executor:
    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/executor:${ATTUNE_IMAGE_TAG:-latest}
    container_name: attune-executor
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE__CACHE__URL: redis://redis:6379
      ATTUNE__WORKER__WORKER_TYPE: container
    volumes:
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:ro
      - artifacts_data:/opt/attune/artifacts:ro
      - executor_logs:/opt/attune/logs
    depends_on:
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "kill -0 1 || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  worker-shell:
    image: debian:bookworm-slim
    container_name: attune-worker-shell
    entrypoint: ["/opt/attune/agent/attune-agent"]
    stop_grace_period: 45s
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE_WORKER_TYPE: container
      ATTUNE_WORKER_NAME: worker-shell-01
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE_API_URL: http://attune-api:8080
    volumes:
      - agent_bin:/opt/attune/agent:ro
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:ro
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
      - worker_shell_logs:/opt/attune/logs
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  worker-python:
    image: python:3.12-slim
    container_name: attune-worker-python
    entrypoint: ["/opt/attune/agent/attune-agent"]
    stop_grace_period: 45s
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE_WORKER_TYPE: container
      ATTUNE_WORKER_NAME: worker-python-01
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE_API_URL: http://attune-api:8080
    volumes:
      - agent_bin:/opt/attune/agent:ro
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:ro
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
      - worker_python_logs:/opt/attune/logs
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  worker-node:
    image: node:22-slim
    container_name: attune-worker-node
    entrypoint: ["/opt/attune/agent/attune-agent"]
    stop_grace_period: 45s
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE_WORKER_TYPE: container
      ATTUNE_WORKER_NAME: worker-node-01
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE_API_URL: http://attune-api:8080
    volumes:
      - agent_bin:/opt/attune/agent:ro
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:ro
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
      - worker_node_logs:/opt/attune/logs
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  worker-full:
    image: nikolaik/python-nodejs:python3.12-nodejs22-slim
    container_name: attune-worker-full
    entrypoint: ["/opt/attune/agent/attune-agent"]
    stop_grace_period: 45s
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE_WORKER_RUNTIMES: shell,python,node,native
      ATTUNE_WORKER_TYPE: container
      ATTUNE_WORKER_NAME: worker-full-01
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE_API_URL: http://attune-api:8080
    volumes:
      - agent_bin:/opt/attune/agent:ro
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:ro
      - runtime_envs:/opt/attune/runtime_envs
      - artifacts_data:/opt/attune/artifacts
      - worker_full_logs:/opt/attune/logs
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "pgrep -f attune-agent || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  sensor:
    image: nikolaik/python-nodejs:python3.12-nodejs22-slim
    container_name: attune-sensor
    entrypoint: ["/opt/attune/agent/attune-sensor-agent"]
    stop_grace_period: 45s
    environment:
      RUST_LOG: debug
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE_SENSOR_RUNTIMES: shell,python,node,native
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE__WORKER__WORKER_TYPE: container
      ATTUNE_API_URL: http://attune-api:8080
      ATTUNE_MQ_URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE_PACKS_BASE_DIR: /opt/attune/packs
    volumes:
      - agent_bin:/opt/attune/agent:ro
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - packs_data:/opt/attune/packs:rw
      - runtime_envs:/opt/attune/runtime_envs
      - sensor_logs:/opt/attune/logs
    depends_on:
      init-agent:
        condition: service_completed_successfully
      init-packs:
        condition: service_completed_successfully
      init-user:
        condition: service_completed_successfully
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "kill -0 1 || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  notifier:
    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/notifier:${ATTUNE_IMAGE_TAG:-latest}
    container_name: attune-notifier
    environment:
      RUST_LOG: info
      ATTUNE_CONFIG: /opt/attune/config/config.yaml
      ATTUNE__SECURITY__JWT_SECRET: ${JWT_SECRET:-docker-dev-secret-change-in-production}
      ATTUNE__SECURITY__ENCRYPTION_KEY: ${ENCRYPTION_KEY:-docker-dev-encryption-key-please-change-in-production-32plus}
      ATTUNE__DATABASE__URL: postgresql://attune:attune@postgres:5432/attune
      ATTUNE__DATABASE__SCHEMA: public
      ATTUNE__MESSAGE_QUEUE__URL: amqp://attune:attune@rabbitmq:5672
      ATTUNE__WORKER__WORKER_TYPE: container
    ports:
      - "8081:8081"
    volumes:
      - ${ATTUNE_DOCKER_CONFIG_PATH:-./config.docker.yaml}:/opt/attune/config/config.yaml:ro
      - notifier_logs:/opt/attune/logs
    depends_on:
      migrations:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8081/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    networks:
      - attune-network
    restart: unless-stopped
  web:
    image: ${ATTUNE_IMAGE_REGISTRY:-git.rdrx.app/attune-system}/attune/web:${ATTUNE_IMAGE_TAG:-latest}
    container_name: attune-web
    environment:
      API_URL: ${API_URL:-http://localhost:8080}
      WS_URL: ${WS_URL:-ws://localhost:8081}
      ENVIRONMENT: docker
    ports:
      - "3000:80"
    depends_on:
      api:
        condition: service_healthy
      notifier:
        condition: service_healthy
    healthcheck:
      test:
        [
          "CMD",
          "wget",
          "--no-verbose",
          "--tries=1",
          "--spider",
          "http://localhost/health",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    networks:
      - attune-network
    restart: unless-stopped
 volumes:
  postgres_data:
    driver: local
  rabbitmq_data:
    driver: local
  redis_data:
    driver: local
  api_logs:
    driver: local
  executor_logs:
    driver: local
  worker_shell_logs:
    driver: local
  worker_python_logs:
    driver: local
  worker_node_logs:
    driver: local
  worker_full_logs:
    driver: local
  sensor_logs:
    driver: local
  notifier_logs:
    driver: local
  packs_data:
    driver: local
  runtime_envs:
    driver: local
  artifacts_data:
    driver: local
  agent_bin:
    driver: local
 networks:
  attune-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16
--- a/docker/distributable/docker/init-packs.sh
+++ b/docker/distributable/docker/init-packs.sh
@@ -0,0 +1,296 @@
 #!/bin/sh
 # Initialize builtin packs for Attune
 # This script copies pack files to the shared volume and registers them in the database
 # Designed to run on python:3.11-slim (Debian-based) image
 set -e
 # Color output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Configuration from environment
 DB_HOST="${DB_HOST:-postgres}"
 DB_PORT="${DB_PORT:-5432}"
 DB_USER="${DB_USER:-attune}"
 DB_PASSWORD="${DB_PASSWORD:-attune}"
 DB_NAME="${DB_NAME:-attune}"
 DB_SCHEMA="${DB_SCHEMA:-public}"
 # Pack directories
 SOURCE_PACKS_DIR="${SOURCE_PACKS_DIR:-/source/packs}"
 TARGET_PACKS_DIR="${TARGET_PACKS_DIR:-/opt/attune/packs}"
 # Python loader script
 LOADER_SCRIPT="${LOADER_SCRIPT:-/scripts/load_core_pack.py}"
 DEFAULT_ADMIN_LOGIN="${DEFAULT_ADMIN_LOGIN:-}"
 DEFAULT_ADMIN_PERMISSION_SET_REF="${DEFAULT_ADMIN_PERMISSION_SET_REF:-core.admin}"
 echo ""
 echo -e "${BLUE}╔════════════════════════════════════════════════╗${NC}"
 echo -e "${BLUE}║    Attune Builtin Packs Initialization         ║${NC}"
 echo -e "${BLUE}╚════════════════════════════════════════════════╝${NC}"
 echo ""
 # Install Python dependencies
 echo -e "${YELLOW}→${NC} Installing Python dependencies..."
 if pip install --quiet --no-cache-dir psycopg2-binary pyyaml; then
    echo -e "${GREEN}✓${NC} Python dependencies installed"
 else
    echo -e "${RED}✗${NC} Failed to install Python dependencies"
    exit 1
 fi
 echo ""
 # Wait for database to be ready (using Python instead of psql to avoid needing postgresql-client)
 echo -e "${YELLOW}→${NC} Waiting for database to be ready..."
 until python3 -c "
 import psycopg2, sys
 try:
    conn = psycopg2.connect(host='$DB_HOST', port=$DB_PORT, user='$DB_USER', password='$DB_PASSWORD', dbname='$DB_NAME', connect_timeout=3)
    conn.close()
    sys.exit(0)
 except Exception:
    sys.exit(1)
 " 2>/dev/null; do
  echo -e "${YELLOW}  ...${NC} Database is unavailable - sleeping"
  sleep 2
 done
 echo -e "${GREEN}✓${NC} Database is ready"
 # Create target packs directory if it doesn't exist
 echo -e "${YELLOW}→${NC} Ensuring packs directory exists..."
 mkdir -p "$TARGET_PACKS_DIR"
 # Ensure the attune user (uid 1000) can write to the packs directory
 # so the API service can install packs at runtime
 chown -R 1000:1000 "$TARGET_PACKS_DIR"
 echo -e "${GREEN}✓${NC} Packs directory ready at: $TARGET_PACKS_DIR"
 # Initialise runtime environments volume with correct ownership.
 # Workers (running as attune uid 1000) need write access to create
 # virtualenvs, node_modules, etc. at runtime.
 RUNTIME_ENVS_DIR="${RUNTIME_ENVS_DIR:-/opt/attune/runtime_envs}"
 if [ -d "$RUNTIME_ENVS_DIR" ] || mkdir -p "$RUNTIME_ENVS_DIR" 2>/dev/null; then
    chown -R 1000:1000 "$RUNTIME_ENVS_DIR"
    echo -e "${GREEN}✓${NC} Runtime environments directory ready at: $RUNTIME_ENVS_DIR"
 else
    echo -e "${YELLOW}⚠${NC} Runtime environments directory not mounted, skipping"
 fi
 # Initialise artifacts volume with correct ownership.
 # The API service (creates directories for file-backed artifact versions) and
 # workers (write artifact files during execution) both run as attune uid 1000.
 ARTIFACTS_DIR="${ARTIFACTS_DIR:-/opt/attune/artifacts}"
 if [ -d "$ARTIFACTS_DIR" ] || mkdir -p "$ARTIFACTS_DIR" 2>/dev/null; then
    chown -R 1000:1000 "$ARTIFACTS_DIR"
    echo -e "${GREEN}✓${NC} Artifacts directory ready at: $ARTIFACTS_DIR"
 else
    echo -e "${YELLOW}⚠${NC} Artifacts directory not mounted, skipping"
 fi
 # Check if source packs directory exists
 if [ ! -d "$SOURCE_PACKS_DIR" ]; then
    echo -e "${RED}✗${NC} Source packs directory not found: $SOURCE_PACKS_DIR"
    exit 1
 fi
 # Find all pack directories (directories with pack.yaml)
 echo ""
 echo -e "${BLUE}Discovering builtin packs...${NC}"
 echo "----------------------------------------"
 PACK_COUNT=0
 COPIED_COUNT=0
 LOADED_COUNT=0
 for pack_dir in "$SOURCE_PACKS_DIR"/*; do
    if [ -d "$pack_dir" ]; then
        pack_name=$(basename "$pack_dir")
        pack_yaml="$pack_dir/pack.yaml"
        if [ -f "$pack_yaml" ]; then
            PACK_COUNT=$((PACK_COUNT + 1))
            echo -e "${BLUE}→${NC} Found pack: ${GREEN}$pack_name${NC}"
            # Check if pack already exists in target
            target_pack_dir="$TARGET_PACKS_DIR/$pack_name"
            if [ -d "$target_pack_dir" ]; then
                # Pack exists, update files to ensure we have latest (especially binaries)
                echo -e "${YELLOW}  ⟳${NC} Pack exists at: $target_pack_dir, updating files..."
                if cp -rf "$pack_dir"/* "$target_pack_dir"/; then
                    echo -e "${GREEN}  ✓${NC} Updated pack files at: $target_pack_dir"
                else
                    echo -e "${RED}  ✗${NC} Failed to update pack"
                    exit 1
                fi
            else
                # Copy pack to target directory
                echo -e "${YELLOW}  →${NC} Copying pack files..."
                if cp -r "$pack_dir" "$target_pack_dir"; then
                    COPIED_COUNT=$((COPIED_COUNT + 1))
                    echo -e "${GREEN}  ✓${NC} Copied to: $target_pack_dir"
                else
                    echo -e "${RED}  ✗${NC} Failed to copy pack"
                    exit 1
                fi
            fi
        fi
    fi
 done
 echo "----------------------------------------"
 echo ""
 if [ $PACK_COUNT -eq 0 ]; then
    echo -e "${YELLOW}⚠${NC} No builtin packs found in $SOURCE_PACKS_DIR"
    echo -e "${BLUE}ℹ${NC} This is OK if you're running with no packs"
    exit 0
 fi
 echo -e "${BLUE}Pack Discovery Summary:${NC}"
 echo "  Total packs found: $PACK_COUNT"
 echo "  Newly copied: $COPIED_COUNT"
 echo "  Already present: $((PACK_COUNT - COPIED_COUNT))"
 echo ""
 # Load packs into database using Python loader
 if [ -f "$LOADER_SCRIPT" ]; then
    echo -e "${BLUE}Loading packs into database...${NC}"
    echo "----------------------------------------"
    # Build database URL with schema support
    DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@$DB_HOST:$DB_PORT/$DB_NAME"
    # Set search_path for the Python script if not using default schema
    if [ "$DB_SCHEMA" != "public" ]; then
        export PGOPTIONS="-c search_path=$DB_SCHEMA,public"
    fi
    # Run the Python loader for each pack
    for pack_dir in "$TARGET_PACKS_DIR"/*; do
        if [ -d "$pack_dir" ]; then
            pack_name=$(basename "$pack_dir")
            pack_yaml="$pack_dir/pack.yaml"
            if [ -f "$pack_yaml" ]; then
                echo -e "${YELLOW}→${NC} Loading pack: ${GREEN}$pack_name${NC}"
                # Run Python loader
                if python3 "$LOADER_SCRIPT" \
                    --database-url "$DATABASE_URL" \
                    --pack-dir "$TARGET_PACKS_DIR" \
                    --pack-name "$pack_name" \
                    --schema "$DB_SCHEMA"; then
                    LOADED_COUNT=$((LOADED_COUNT + 1))
                    echo -e "${GREEN}✓${NC} Loaded pack: $pack_name"
                else
                    echo -e "${RED}✗${NC} Failed to load pack: $pack_name"
                    echo -e "${YELLOW}⚠${NC} Continuing with other packs..."
                fi
            fi
        fi
    done
    echo "----------------------------------------"
    echo ""
    echo -e "${BLUE}Database Loading Summary:${NC}"
    echo "  Successfully loaded: $LOADED_COUNT"
    echo "  Failed: $((PACK_COUNT - LOADED_COUNT))"
    echo ""
 else
    echo -e "${YELLOW}⚠${NC} Pack loader script not found: $LOADER_SCRIPT"
    echo -e "${BLUE}ℹ${NC} Packs copied but not registered in database"
    echo -e "${BLUE}ℹ${NC} You can manually load them later"
 fi
 if [ -n "$DEFAULT_ADMIN_LOGIN" ] && [ "$LOADED_COUNT" -gt 0 ]; then
    echo ""
    echo -e "${BLUE}Bootstrapping local admin assignment...${NC}"
    if python3 - <<PY
 import psycopg2
 import sys
 conn = psycopg2.connect(
    host="${DB_HOST}",
    port=${DB_PORT},
    user="${DB_USER}",
    password="${DB_PASSWORD}",
    dbname="${DB_NAME}",
 )
 conn.autocommit = False
 try:
    with conn.cursor() as cur:
        cur.execute("SET search_path TO ${DB_SCHEMA}, public")
        cur.execute("SELECT id FROM identity WHERE login = %s", ("${DEFAULT_ADMIN_LOGIN}",))
        identity_row = cur.fetchone()
        if identity_row is None:
            print("  ⚠ Default admin identity not found; skipping assignment")
            conn.rollback()
            sys.exit(0)
        cur.execute("SELECT id FROM permission_set WHERE ref = %s", ("${DEFAULT_ADMIN_PERMISSION_SET_REF}",))
        permset_row = cur.fetchone()
        if permset_row is None:
            print("  ⚠ Default admin permission set not found; skipping assignment")
            conn.rollback()
            sys.exit(0)
        cur.execute(
            """
            INSERT INTO permission_assignment (identity, permset)
            VALUES (%s, %s)
            ON CONFLICT (identity, permset) DO NOTHING
            """,
            (identity_row[0], permset_row[0]),
        )
    conn.commit()
    print("  ✓ Default admin permission assignment ensured")
 except Exception as exc:
    conn.rollback()
    print(f"  ✗ Failed to ensure default admin assignment: {exc}")
    sys.exit(1)
 finally:
    conn.close()
 PY
    then
        :
    else
        exit 1
    fi
 fi
 # Summary
 echo ""
 echo -e "${GREEN}╔════════════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║    Builtin Packs Initialization Complete!      ║${NC}"
 echo -e "${GREEN}╚════════════════════════════════════════════════╝${NC}"
 echo ""
 echo -e "${BLUE}Packs Location:${NC} ${GREEN}$TARGET_PACKS_DIR${NC}"
 echo -e "${BLUE}Packs Available:${NC}"
 for pack_dir in "$TARGET_PACKS_DIR"/*; do
    if [ -d "$pack_dir" ]; then
        pack_name=$(basename "$pack_dir")
        pack_yaml="$pack_dir/pack.yaml"
        if [ -f "$pack_yaml" ]; then
            # Try to extract version from pack.yaml
            version=$(grep "^version:" "$pack_yaml" | head -1 | sed 's/version:[[:space:]]*//' | tr -d '"')
            echo -e "  • ${GREEN}$pack_name${NC} ${BLUE}($version)${NC}"
        fi
    fi
 done
 echo ""
 # Ensure ownership is correct after all packs have been copied
 # The API service (running as attune uid 1000) needs write access to install new packs
 chown -R 1000:1000 "$TARGET_PACKS_DIR"
 echo -e "${BLUE}ℹ${NC} Pack files are accessible to all services via shared volume"
 echo ""
 exit 0
--- a/docker/distributable/docker/init-roles.sql
+++ b/docker/distributable/docker/init-roles.sql
@@ -0,0 +1,29 @@
 -- Docker initialization script
 -- Creates the svc_attune role needed by migrations
 -- This runs before migrations via docker-compose
 -- Create service role for the application
 DO $$
 BEGIN
    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'svc_attune') THEN
        CREATE ROLE svc_attune WITH LOGIN PASSWORD 'attune_service_password';
    END IF;
 END
 $$;
 -- Create API role
 DO $$
 BEGIN
    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'attune_api') THEN
        CREATE ROLE attune_api WITH LOGIN PASSWORD 'attune_api_password';
    END IF;
 END
 $$;
 -- Grant basic permissions
 GRANT ALL PRIVILEGES ON DATABASE attune TO svc_attune;
 GRANT ALL PRIVILEGES ON DATABASE attune TO attune_api;
 -- Enable required extensions
 CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
 CREATE EXTENSION IF NOT EXISTS "pgcrypto";
--- a/docker/distributable/docker/init-user.sh
+++ b/docker/distributable/docker/init-user.sh
@@ -0,0 +1,108 @@
 #!/bin/sh
 # Initialize default test user for Attune
 # This script creates a default test user if it doesn't already exist
 set -e
 # Color output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Database configuration from environment
 DB_HOST="${DB_HOST:-postgres}"
 DB_PORT="${DB_PORT:-5432}"
 DB_USER="${DB_USER:-attune}"
 DB_PASSWORD="${DB_PASSWORD:-attune}"
 DB_NAME="${DB_NAME:-attune}"
 DB_SCHEMA="${DB_SCHEMA:-public}"
 # Test user configuration
 TEST_LOGIN="${TEST_LOGIN:-test@attune.local}"
 TEST_DISPLAY_NAME="${TEST_DISPLAY_NAME:-Test User}"
 TEST_PASSWORD="${TEST_PASSWORD:-TestPass123!}"
 # Pre-computed Argon2id hash for "TestPass123!"
 # Using: m=19456, t=2, p=1 (default Argon2id parameters)
 DEFAULT_PASSWORD_HASH='$argon2id$v=19$m=19456,t=2,p=1$AuZJ0xsGuSRk6LdCd58OOA$vBZnaflJwR9L4LPWoGGrcnRsIOf95FV4uIsoe3PjRE0'
 echo ""
 echo -e "${BLUE}╔════════════════════════════════════════════════╗${NC}"
 echo -e "${BLUE}║    Attune Default User Initialization         ║${NC}"
 echo -e "${BLUE}╚════════════════════════════════════════════════╝${NC}"
 echo ""
 # Wait for database to be ready
 echo -e "${YELLOW}→${NC} Waiting for database to be ready..."
 until PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c '\q' 2>/dev/null; do
  echo -e "${YELLOW}  ...${NC} Database is unavailable - sleeping"
  sleep 2
 done
 echo -e "${GREEN}✓${NC} Database is ready"
 # Check if user already exists
 echo -e "${YELLOW}→${NC} Checking if user exists..."
 USER_EXISTS=$(PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -tAc \
  "SELECT COUNT(*) FROM ${DB_SCHEMA}.identity WHERE login = '$TEST_LOGIN';")
 if [ "$USER_EXISTS" -gt 0 ]; then
    echo -e "${GREEN}✓${NC} User '$TEST_LOGIN' already exists"
    echo -e "${BLUE}ℹ${NC} Skipping user creation"
 else
    echo -e "${YELLOW}→${NC} Creating default test user..."
    # Use the pre-computed hash for default password
    if [ "$TEST_PASSWORD" = "TestPass123!" ]; then
        PASSWORD_HASH="$DEFAULT_PASSWORD_HASH"
        echo -e "${BLUE}ℹ${NC} Using default password hash"
    else
        echo -e "${YELLOW}⚠${NC} Custom password detected - using basic hash"
        echo -e "${YELLOW}⚠${NC} For production, generate proper Argon2id hash"
        # Note: For custom passwords in Docker, you should pre-generate the hash
        # This is a fallback that will work but is less secure
        PASSWORD_HASH="$DEFAULT_PASSWORD_HASH"
    fi
    # Insert the user
    PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" << EOF
 INSERT INTO ${DB_SCHEMA}.identity (login, display_name, password_hash, attributes)
 VALUES (
    '$TEST_LOGIN',
    '$TEST_DISPLAY_NAME',
    '$PASSWORD_HASH',
    jsonb_build_object(
        'email', '$TEST_LOGIN',
        'created_via', 'docker-init',
        'is_test_user', true
    )
 );
 EOF
    if [ $? -eq 0 ]; then
        echo -e "${GREEN}✓${NC} User created successfully"
    else
        echo -e "${RED}✗${NC} Failed to create user"
        exit 1
    fi
 fi
 echo ""
 echo -e "${GREEN}╔════════════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║  Default User Initialization Complete!        ║${NC}"
 echo -e "${GREEN}╚════════════════════════════════════════════════╝${NC}"
 echo ""
 echo -e "${BLUE}Default User Credentials:${NC}"
 echo -e "  Login:    ${GREEN}$TEST_LOGIN${NC}"
 echo -e "  Password: ${GREEN}$TEST_PASSWORD${NC}"
 echo ""
 echo -e "${BLUE}Test Login:${NC}"
 echo -e "  ${YELLOW}curl -X POST http://localhost:8080/auth/login \\${NC}"
 echo -e "    ${YELLOW}-H 'Content-Type: application/json' \\${NC}"
 echo -e "    ${YELLOW}-d '{\"login\":\"$TEST_LOGIN\",\"password\":\"$TEST_PASSWORD\"}'${NC}"
 echo ""
 echo -e "${BLUE}ℹ${NC} For custom users, see: docs/testing/test-user-setup.md"
 echo ""
 exit 0
--- a/docker/distributable/docker/inject-env.sh
+++ b/docker/distributable/docker/inject-env.sh
@@ -0,0 +1,24 @@
 #!/bin/sh
 # inject-env.sh - Injects runtime environment variables into the Web UI
 # This script runs at container startup to make environment variables available to the browser
 set -e
 # Default values
 API_URL="${API_URL:-http://localhost:8080}"
 WS_URL="${WS_URL:-ws://localhost:8081}"
 # Create runtime configuration file
 cat > /usr/share/nginx/html/config/runtime-config.js <<EOF
 // Runtime configuration injected at container startup
 window.ATTUNE_CONFIG = {
  apiUrl: '${API_URL}',
  wsUrl: '${WS_URL}',
  environment: '${ENVIRONMENT:-production}'
 };
 EOF
 echo "Runtime configuration injected:"
 echo "  API_URL: ${API_URL}"
 echo "  WS_URL: ${WS_URL}"
 echo "  ENVIRONMENT: ${ENVIRONMENT:-production}"
--- a/docker/distributable/docker/nginx.conf
+++ b/docker/distributable/docker/nginx.conf
@@ -0,0 +1,125 @@
 # Nginx configuration for Attune Web UI
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;
    # Enable gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml+rss application/json;
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # Health check endpoint
    location /health {
        access_log off;
        return 200 "OK\n";
        add_header Content-Type text/plain;
    }
    # Use Docker's embedded DNS resolver so that proxy_pass with variables
    # resolves hostnames at request time, not config load time.
    # This prevents nginx from crashing if backends aren't ready yet.
    resolver 127.0.0.11 valid=10s;
    set $api_upstream http://api:8080;
    set $notifier_upstream http://notifier:8081;
    # Auth proxy - forward auth requests to backend
    # With variable proxy_pass (no URI path), the full original request URI
    # (e.g. /auth/login) is passed through to the backend as-is.
    location /auth/ {
        proxy_pass $api_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
    # API proxy - forward API requests to backend (preserves /api prefix)
    # With variable proxy_pass (no URI path), the full original request URI
    # (e.g. /api/packs?page=1) is passed through to the backend as-is.
    location /api/ {
        proxy_pass $api_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
    # WebSocket proxy for notifier service
    # Strip the /ws/ prefix before proxying (notifier expects paths at root).
    # e.g. /ws/events → /events
    location /ws/ {
        rewrite ^/ws/(.*) /$1 break;
        proxy_pass $notifier_upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket timeouts
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
    # Serve static assets with caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
    # Runtime configuration endpoint
    location /config/runtime-config.js {
        expires -1;
        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
    }
    # SPA routing - serve index.html for all routes
    location / {
        try_files $uri $uri/ /index.html;
        # Disable caching for index.html
        location = /index.html {
            expires -1;
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
        }
    }
    # Deny access to hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
 }
--- a/docker/distributable/docker/run-migrations.sh
+++ b/docker/distributable/docker/run-migrations.sh
@@ -0,0 +1,189 @@
 #!/bin/bash
 # Migration script for Attune database
 # Runs all SQL migration files in order
 set -e
 echo "=========================================="
 echo "Attune Database Migration Runner"
 echo "=========================================="
 echo ""
 # Database connection parameters
 DB_HOST="${DB_HOST:-postgres}"
 DB_PORT="${DB_PORT:-5432}"
 DB_USER="${DB_USER:-attune}"
 DB_PASSWORD="${DB_PASSWORD:-attune}"
 DB_NAME="${DB_NAME:-attune}"
 MIGRATIONS_DIR="${MIGRATIONS_DIR:-/migrations}"
 # Export password for psql
 export PGPASSWORD="$DB_PASSWORD"
 # Color output
 GREEN='\033[0;32m'
 RED='\033[0;31m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # Function to wait for PostgreSQL to be ready
 wait_for_postgres() {
    echo "Waiting for PostgreSQL to be ready..."
    local max_attempts=30
    local attempt=1
    while [ $attempt -le $max_attempts ]; do
        if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c '\q' 2>/dev/null; then
            echo -e "${GREEN}✓ PostgreSQL is ready${NC}"
            return 0
        fi
        echo "  Attempt $attempt/$max_attempts: PostgreSQL not ready yet..."
        sleep 2
        attempt=$((attempt + 1))
    done
    echo -e "${RED}✗ PostgreSQL failed to become ready after $max_attempts attempts${NC}"
    return 1
 }
 # Function to check if migrations table exists
 setup_migrations_table() {
    echo "Setting up migrations tracking table..."
    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 <<-EOSQL
        CREATE TABLE IF NOT EXISTS _migrations (
            id SERIAL PRIMARY KEY,
            filename VARCHAR(255) UNIQUE NOT NULL,
            applied_at TIMESTAMP DEFAULT NOW()
        );
 EOSQL
    echo -e "${GREEN}✓ Migrations table ready${NC}"
 }
 # Function to check if a migration has been applied
 is_migration_applied() {
    local filename=$1
    local count=$(psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -t -c \
        "SELECT COUNT(*) FROM _migrations WHERE filename = '$filename';" | tr -d ' ')
    [ "$count" -gt 0 ]
 }
 # Function to mark migration as applied
 mark_migration_applied() {
    local filename=$1
    psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c \
        "INSERT INTO _migrations (filename) VALUES ('$filename');" > /dev/null
 }
 # Function to run a migration file
 run_migration() {
    local filepath=$1
    local filename=$(basename "$filepath")
    if is_migration_applied "$filename"; then
        echo -e "${YELLOW}⊘ Skipping $filename (already applied)${NC}"
        return 0
    fi
    echo -e "${GREEN}→ Applying $filename...${NC}"
    # Run migration in a transaction with detailed error reporting
    if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 \
        -c "BEGIN;" \
        -f "$filepath" \
        -c "COMMIT;" > /tmp/migration_output.log 2>&1; then
        mark_migration_applied "$filename"
        echo -e "${GREEN}✓ Applied $filename${NC}"
        return 0
    else
        echo -e "${RED}✗ Failed to apply $filename${NC}"
        echo ""
        echo "Error details:"
        cat /tmp/migration_output.log
        echo ""
        echo "Migration rolled back due to error."
        return 1
    fi
 }
 # Function to initialize Docker-specific roles and extensions
 init_docker_roles() {
    echo "Initializing Docker roles and extensions..."
    if [ -f "/docker/init-roles.sql" ]; then
        if psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -v ON_ERROR_STOP=1 -f "/docker/init-roles.sql" > /dev/null 2>&1; then
            echo -e "${GREEN}✓ Docker roles initialized${NC}"
            return 0
        else
            echo -e "${YELLOW}⚠ Warning: Could not initialize Docker roles (may already exist)${NC}"
            return 0
        fi
    else
        echo -e "${YELLOW}⚠ No Docker init script found, skipping${NC}"
        return 0
    fi
 }
 # Main migration process
 main() {
    echo "Configuration:"
    echo "  Database: $DB_HOST:$DB_PORT/$DB_NAME"
    echo "  User: $DB_USER"
    echo "  Migrations directory: $MIGRATIONS_DIR"
    echo ""
    # Wait for database
    wait_for_postgres || exit 1
    # Initialize Docker-specific roles
    init_docker_roles || exit 1
    # Setup migrations tracking
    setup_migrations_table || exit 1
    echo ""
    echo "Running migrations..."
    echo "----------------------------------------"
    # Find and sort migration files
    local migration_count=0
    local applied_count=0
    local skipped_count=0
    # Process migrations in sorted order
    for migration_file in $(find "$MIGRATIONS_DIR" -name "*.sql" -type f | sort); do
        migration_count=$((migration_count + 1))
        if is_migration_applied "$(basename "$migration_file")"; then
            skipped_count=$((skipped_count + 1))
            run_migration "$migration_file"
        else
            if run_migration "$migration_file"; then
                applied_count=$((applied_count + 1))
            else
                echo -e "${RED}Migration failed!${NC}"
                exit 1
            fi
        fi
    done
    echo "----------------------------------------"
    echo ""
    echo "Migration Summary:"
    echo "  Total migrations: $migration_count"
    echo "  Newly applied: $applied_count"
    echo "  Already applied: $skipped_count"
    echo ""
    if [ $applied_count -gt 0 ]; then
        echo -e "${GREEN}✓ All migrations applied successfully!${NC}"
    else
        echo -e "${GREEN}✓ Database is up to date (no new migrations)${NC}"
    fi
 }
 # Run main function
 main
--- a/docker/distributable/migrations/20250101000001_initial_setup.sql
+++ b/docker/distributable/migrations/20250101000001_initial_setup.sql
@@ -0,0 +1,230 @@
 -- Migration: Initial Setup
 -- Description: Creates the attune schema, enums, and shared database functions
 -- Version: 20250101000001
 -- ============================================================================
 -- EXTENSIONS
 -- ============================================================================
 -- Enable required extensions
 CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
 CREATE EXTENSION IF NOT EXISTS "pgcrypto";
 -- ============================================================================
 -- ENUM TYPES
 -- ============================================================================
 -- WorkerType enum
 DO $$ BEGIN
    CREATE TYPE worker_type_enum AS ENUM (
        'local',
        'remote',
        'container'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE worker_type_enum IS 'Type of worker deployment';
 -- WorkerRole enum
 DO $$ BEGIN
    CREATE TYPE worker_role_enum AS ENUM (
        'action',
        'sensor',
        'hybrid'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE worker_role_enum IS 'Role of worker (action executor, sensor, or both)';
 -- WorkerStatus enum
 DO $$ BEGIN
    CREATE TYPE worker_status_enum AS ENUM (
        'active',
        'inactive',
        'busy',
        'error'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE worker_status_enum IS 'Worker operational status';
 -- EnforcementStatus enum
 DO $$ BEGIN
    CREATE TYPE enforcement_status_enum AS ENUM (
        'created',
        'processed',
        'disabled'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE enforcement_status_enum IS 'Enforcement processing status';
 -- EnforcementCondition enum
 DO $$ BEGIN
    CREATE TYPE enforcement_condition_enum AS ENUM (
        'any',
        'all'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE enforcement_condition_enum IS 'Logical operator for conditions (OR/AND)';
 -- ExecutionStatus enum
 DO $$ BEGIN
    CREATE TYPE execution_status_enum AS ENUM (
        'requested',
        'scheduling',
        'scheduled',
        'running',
        'completed',
        'failed',
        'canceling',
        'cancelled',
        'timeout',
        'abandoned'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE execution_status_enum IS 'Execution lifecycle status';
 -- InquiryStatus enum
 DO $$ BEGIN
    CREATE TYPE inquiry_status_enum AS ENUM (
        'pending',
        'responded',
        'timeout',
        'cancelled'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE inquiry_status_enum IS 'Inquiry lifecycle status';
 -- PolicyMethod enum
 DO $$ BEGIN
    CREATE TYPE policy_method_enum AS ENUM (
        'cancel',
        'enqueue'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE policy_method_enum IS 'Policy enforcement method';
 -- OwnerType enum
 DO $$ BEGIN
    CREATE TYPE owner_type_enum AS ENUM (
        'system',
        'identity',
        'pack',
        'action',
        'sensor'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE owner_type_enum IS 'Type of resource owner';
 -- NotificationState enum
 DO $$ BEGIN
    CREATE TYPE notification_status_enum AS ENUM (
        'created',
        'queued',
        'processing',
        'error'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE notification_status_enum IS 'Notification processing state';
 -- ArtifactType enum
 DO $$ BEGIN
    CREATE TYPE artifact_type_enum AS ENUM (
        'file_binary',
        'file_datatable',
        'file_image',
        'file_text',
        'other',
        'progress',
        'url'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE artifact_type_enum IS 'Type of artifact';
 -- RetentionPolicyType enum
 DO $$ BEGIN
    CREATE TYPE artifact_retention_enum AS ENUM (
        'versions',
        'days',
        'hours',
        'minutes'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE artifact_retention_enum IS 'Type of retention policy';
 -- ArtifactVisibility enum
 DO $$ BEGIN
    CREATE TYPE artifact_visibility_enum AS ENUM (
        'public',
        'private'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE artifact_visibility_enum IS 'Visibility of an artifact (public = viewable by all users, private = scoped by owner)';
 -- PackEnvironmentStatus enum
 DO $$ BEGIN
    CREATE TYPE pack_environment_status_enum AS ENUM (
        'pending',
        'installing',
        'ready',
        'failed',
        'outdated'
    );
 EXCEPTION
    WHEN duplicate_object THEN null;
 END $$;
 COMMENT ON TYPE pack_environment_status_enum IS 'Status of pack runtime environment installation';
 -- ============================================================================
 -- SHARED FUNCTIONS
 -- ============================================================================
 -- Function to automatically update the 'updated' timestamp
 CREATE OR REPLACE FUNCTION update_updated_column()
 RETURNS TRIGGER AS $$
 BEGIN
    NEW.updated = NOW();
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION update_updated_column() IS 'Automatically updates the updated timestamp on row modification';
--- a/docker/distributable/migrations/20250101000002_pack_system.sql
+++ b/docker/distributable/migrations/20250101000002_pack_system.sql
@@ -0,0 +1,262 @@
 -- Migration: Pack System
 -- Description: Creates pack, runtime, and runtime_version tables
 -- Version: 20250101000002
 -- ============================================================================
 -- PACK TABLE
 -- ============================================================================
 CREATE TABLE pack (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    label TEXT NOT NULL,
    description TEXT,
    version TEXT NOT NULL,
    conf_schema JSONB NOT NULL DEFAULT '{}'::jsonb,
    config JSONB NOT NULL DEFAULT '{}'::jsonb,
    meta JSONB NOT NULL DEFAULT '{}'::jsonb,
    tags TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
    runtime_deps TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
    dependencies TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
    is_standard BOOLEAN NOT NULL DEFAULT FALSE,
    installers JSONB DEFAULT '[]'::jsonb,
    -- Installation metadata (nullable for non-installed packs)
    source_type TEXT,
    source_url TEXT,
    source_ref TEXT,
    checksum TEXT,
    checksum_verified BOOLEAN DEFAULT FALSE,
    installed_at TIMESTAMPTZ,
    installed_by BIGINT,
    installation_method TEXT,
    storage_path TEXT,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT pack_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT pack_ref_format CHECK (ref ~ '^[a-z][a-z0-9_-]+$'),
    CONSTRAINT pack_version_semver CHECK (
        version ~ '^\d+\.\d+\.\d+(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'
    )
 );
 -- Indexes
 CREATE INDEX idx_pack_ref ON pack(ref);
 CREATE INDEX idx_pack_created ON pack(created DESC);
 CREATE INDEX idx_pack_is_standard ON pack(is_standard) WHERE is_standard = TRUE;
 CREATE INDEX idx_pack_is_standard_created ON pack(is_standard, created DESC);
 CREATE INDEX idx_pack_version_created ON pack(version, created DESC);
 CREATE INDEX idx_pack_config_gin ON pack USING GIN (config);
 CREATE INDEX idx_pack_meta_gin ON pack USING GIN (meta);
 CREATE INDEX idx_pack_tags_gin ON pack USING GIN (tags);
 CREATE INDEX idx_pack_runtime_deps_gin ON pack USING GIN (runtime_deps);
 CREATE INDEX idx_pack_dependencies_gin ON pack USING GIN (dependencies);
 CREATE INDEX idx_pack_installed_at ON pack(installed_at DESC) WHERE installed_at IS NOT NULL;
 CREATE INDEX idx_pack_installed_by ON pack(installed_by) WHERE installed_by IS NOT NULL;
 CREATE INDEX idx_pack_source_type ON pack(source_type) WHERE source_type IS NOT NULL;
 -- Trigger
 CREATE TRIGGER update_pack_updated
    BEFORE UPDATE ON pack
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE pack IS 'Packs bundle related automation components';
 COMMENT ON COLUMN pack.ref IS 'Unique pack reference identifier (e.g., "slack", "github")';
 COMMENT ON COLUMN pack.label IS 'Human-readable pack name';
 COMMENT ON COLUMN pack.version IS 'Semantic version of the pack';
 COMMENT ON COLUMN pack.conf_schema IS 'JSON schema for pack configuration';
 COMMENT ON COLUMN pack.config IS 'Pack configuration values';
 COMMENT ON COLUMN pack.meta IS 'Pack metadata';
 COMMENT ON COLUMN pack.runtime_deps IS 'Array of required runtime references (e.g., shell, python, nodejs)';
 COMMENT ON COLUMN pack.dependencies IS 'Array of required pack references (e.g., core, utils)';
 COMMENT ON COLUMN pack.is_standard IS 'Whether this is a core/built-in pack';
 COMMENT ON COLUMN pack.source_type IS 'Installation source type (e.g., "git", "local", "registry")';
 COMMENT ON COLUMN pack.source_url IS 'URL or path where pack was installed from';
 COMMENT ON COLUMN pack.source_ref IS 'Git ref, version tag, or other source reference';
 COMMENT ON COLUMN pack.checksum IS 'Content checksum for verification';
 COMMENT ON COLUMN pack.checksum_verified IS 'Whether checksum has been verified';
 COMMENT ON COLUMN pack.installed_at IS 'Timestamp when pack was installed';
 COMMENT ON COLUMN pack.installed_by IS 'Identity ID of user who installed the pack';
 COMMENT ON COLUMN pack.installation_method IS 'Method used for installation (e.g., "cli", "api", "auto")';
 COMMENT ON COLUMN pack.storage_path IS 'Filesystem path where pack files are stored';
 -- ============================================================================
 -- RUNTIME TABLE
 -- ============================================================================
 CREATE TABLE runtime (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT,
    description TEXT,
    name TEXT NOT NULL,
    aliases TEXT[] NOT NULL DEFAULT '{}'::text[],
    distributions JSONB NOT NULL,
    installation JSONB,
    installers JSONB DEFAULT '[]'::jsonb,
    -- Execution configuration: describes how to execute actions using this runtime,
    -- how to create isolated environments, and how to install dependencies.
    --
    -- Structure:
    -- {
    --   "interpreter": {
    --     "binary": "python3",          -- interpreter binary name or path
    --     "args": [],                   -- additional args before the action file
    --     "file_extension": ".py"       -- file extension this runtime handles
    --   },
    --   "environment": {               -- optional: isolated environment config
    --     "env_type": "virtualenv",     -- "virtualenv", "node_modules", "none"
    --     "dir_name": ".venv",          -- directory name relative to pack dir
    --     "create_command": ["python3", "-m", "venv", "{env_dir}"],
    --     "interpreter_path": "{env_dir}/bin/python3"  -- overrides interpreter.binary
    --   },
    --   "dependencies": {              -- optional: dependency management config
    --     "manifest_file": "requirements.txt",
    --     "install_command": ["{interpreter}", "-m", "pip", "install", "-r", "{manifest_path}"]
    --   }
    -- }
    --
    -- Template variables:
    --   {pack_dir}      - absolute path to the pack directory
    --   {env_dir}       - resolved environment directory (pack_dir/dir_name)
    --   {interpreter}   - resolved interpreter path
    --   {action_file}   - absolute path to the action script file
    --   {manifest_path} - absolute path to the dependency manifest file
    execution_config JSONB NOT NULL DEFAULT '{}'::jsonb,
    -- Whether this runtime was auto-registered by an agent
    -- (vs. loaded from a pack's YAML file during pack registration)
    auto_detected BOOLEAN NOT NULL DEFAULT FALSE,
    -- Detection metadata for auto-discovered runtimes.
    -- Stores how the agent discovered this runtime (binary path, version, etc.)
    -- enables re-verification on restart.
    -- Example: { "detected_path": "/usr/bin/ruby", "detected_name": "ruby",
    --            "detected_version": "3.3.0" }
    detection_config JSONB NOT NULL DEFAULT '{}'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT runtime_ref_lowercase CHECK (ref = LOWER(ref))
 );
 -- Indexes
 CREATE INDEX idx_runtime_ref ON runtime(ref);
 CREATE INDEX idx_runtime_pack ON runtime(pack);
 CREATE INDEX idx_runtime_created ON runtime(created DESC);
 CREATE INDEX idx_runtime_name ON runtime(name);
 CREATE INDEX idx_runtime_verification ON runtime USING GIN ((distributions->'verification'));
 CREATE INDEX idx_runtime_execution_config ON runtime USING GIN (execution_config);
 CREATE INDEX idx_runtime_auto_detected ON runtime(auto_detected);
 CREATE INDEX idx_runtime_detection_config ON runtime USING GIN (detection_config);
 CREATE INDEX idx_runtime_aliases ON runtime USING GIN (aliases);
 -- Trigger
 CREATE TRIGGER update_runtime_updated
    BEFORE UPDATE ON runtime
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE runtime IS 'Runtime environments for executing actions and sensors (unified)';
 COMMENT ON COLUMN runtime.ref IS 'Unique runtime reference (format: pack.name, e.g., core.python)';
 COMMENT ON COLUMN runtime.name IS 'Runtime name (e.g., "Python", "Node.js", "Shell")';
 COMMENT ON COLUMN runtime.aliases IS 'Lowercase alias names for this runtime (e.g., ["ruby", "rb"] for the Ruby runtime). Used for alias-aware matching during auto-detection and scheduling.';
 COMMENT ON COLUMN runtime.distributions IS 'Runtime distribution metadata including verification commands, version requirements, and capabilities';
 COMMENT ON COLUMN runtime.installation IS 'Installation requirements and instructions including package managers and setup steps';
 COMMENT ON COLUMN runtime.installers IS 'Array of installer actions to create pack-specific runtime environments. Each installer defines commands to set up isolated environments (e.g., Python venv, npm install).';
 COMMENT ON COLUMN runtime.execution_config IS 'Execution configuration: interpreter, environment setup, and dependency management. Drives how the worker executes actions and how pack install sets up environments.';
 COMMENT ON COLUMN runtime.auto_detected IS 'Whether this runtime was auto-registered by an agent (true) vs. loaded from a pack YAML (false)';
 COMMENT ON COLUMN runtime.detection_config IS 'Detection metadata for auto-discovered runtimes: binaries probed, version regex, detected path/version';
 -- ============================================================================
 -- RUNTIME VERSION TABLE
 -- ============================================================================
 CREATE TABLE runtime_version (
    id BIGSERIAL PRIMARY KEY,
    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
    runtime_ref TEXT NOT NULL,
    -- Semantic version string (e.g., "3.12.1", "20.11.0")
    version TEXT NOT NULL,
    -- Individual version components for efficient range queries.
    -- Nullable because some runtimes may use non-numeric versioning.
    version_major INT,
    version_minor INT,
    version_patch INT,
    -- Complete execution configuration for this specific version.
    -- This is NOT a diff/override — it is a full standalone config that can
    -- replace the parent runtime's execution_config when this version is selected.
    -- Structure is identical to runtime.execution_config (RuntimeExecutionConfig).
    execution_config JSONB NOT NULL DEFAULT '{}'::jsonb,
    -- Version-specific distribution/verification metadata.
    -- Structure mirrors runtime.distributions but with version-specific commands.
    -- Example: verification commands that check for a specific binary like python3.12.
    distributions JSONB NOT NULL DEFAULT '{}'::jsonb,
    -- Whether this version is the default for the parent runtime.
    -- At most one version per runtime should be marked as default.
    is_default BOOLEAN NOT NULL DEFAULT FALSE,
    -- Whether this version has been verified as available on the current system.
    available BOOLEAN NOT NULL DEFAULT TRUE,
    -- When this version was last verified (via running verification commands).
    verified_at TIMESTAMPTZ,
    -- Arbitrary version-specific metadata (e.g., EOL date, release notes URL,
    -- feature flags, platform-specific notes).
    meta JSONB NOT NULL DEFAULT '{}'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT runtime_version_unique UNIQUE(runtime, version)
 );
 -- Indexes
 CREATE INDEX idx_runtime_version_runtime ON runtime_version(runtime);
 CREATE INDEX idx_runtime_version_runtime_ref ON runtime_version(runtime_ref);
 CREATE INDEX idx_runtime_version_version ON runtime_version(version);
 CREATE INDEX idx_runtime_version_available ON runtime_version(available) WHERE available = TRUE;
 CREATE INDEX idx_runtime_version_is_default ON runtime_version(is_default) WHERE is_default = TRUE;
 CREATE INDEX idx_runtime_version_components ON runtime_version(runtime, version_major, version_minor, version_patch);
 CREATE INDEX idx_runtime_version_created ON runtime_version(created DESC);
 CREATE INDEX idx_runtime_version_execution_config ON runtime_version USING GIN (execution_config);
 CREATE INDEX idx_runtime_version_meta ON runtime_version USING GIN (meta);
 -- Trigger
 CREATE TRIGGER update_runtime_version_updated
    BEFORE UPDATE ON runtime_version
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE runtime_version IS 'Specific versions of a runtime (e.g., Python 3.11, 3.12) with version-specific execution configuration';
 COMMENT ON COLUMN runtime_version.runtime IS 'Parent runtime this version belongs to';
 COMMENT ON COLUMN runtime_version.runtime_ref IS 'Parent runtime ref (e.g., core.python) for display/filtering';
 COMMENT ON COLUMN runtime_version.version IS 'Semantic version string (e.g., "3.12.1", "20.11.0")';
 COMMENT ON COLUMN runtime_version.version_major IS 'Major version component for efficient range queries';
 COMMENT ON COLUMN runtime_version.version_minor IS 'Minor version component for efficient range queries';
 COMMENT ON COLUMN runtime_version.version_patch IS 'Patch version component for efficient range queries';
 COMMENT ON COLUMN runtime_version.execution_config IS 'Complete execution configuration for this version (same structure as runtime.execution_config)';
 COMMENT ON COLUMN runtime_version.distributions IS 'Version-specific distribution/verification metadata';
 COMMENT ON COLUMN runtime_version.is_default IS 'Whether this is the default version for the parent runtime (at most one per runtime)';
 COMMENT ON COLUMN runtime_version.available IS 'Whether this version has been verified as available on the system';
 COMMENT ON COLUMN runtime_version.verified_at IS 'Timestamp of last availability verification';
 COMMENT ON COLUMN runtime_version.meta IS 'Arbitrary version-specific metadata';
--- a/docker/distributable/migrations/20250101000003_identity_and_auth.sql
+++ b/docker/distributable/migrations/20250101000003_identity_and_auth.sql
@@ -0,0 +1,223 @@
 -- Migration: Identity and Authentication
 -- Description: Creates identity, permission, and policy tables
 -- Version: 20250101000002
 -- ============================================================================
 -- IDENTITY TABLE
 -- ============================================================================
 CREATE TABLE identity (
    id BIGSERIAL PRIMARY KEY,
    login TEXT NOT NULL UNIQUE,
    display_name TEXT,
    password_hash TEXT,
    attributes JSONB NOT NULL DEFAULT '{}'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_identity_login ON identity(login);
 CREATE INDEX idx_identity_created ON identity(created DESC);
 CREATE INDEX idx_identity_password_hash ON identity(password_hash) WHERE password_hash IS NOT NULL;
 CREATE INDEX idx_identity_attributes_gin ON identity USING GIN (attributes);
 -- Trigger
 CREATE TRIGGER update_identity_updated
    BEFORE UPDATE ON identity
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE identity IS 'Identities represent users or service accounts';
 COMMENT ON COLUMN identity.login IS 'Unique login identifier';
 COMMENT ON COLUMN identity.display_name IS 'Human-readable name';
 COMMENT ON COLUMN identity.password_hash IS 'Argon2 hashed password for authentication (NULL for service accounts or external auth)';
 COMMENT ON COLUMN identity.attributes IS 'Custom attributes (email, groups, etc.)';
 -- ============================================================================
 -- ADD FOREIGN KEY CONSTRAINTS TO EXISTING TABLES
 -- ============================================================================
 -- Add foreign key constraint for pack.installed_by now that identity table exists
 ALTER TABLE pack
    ADD CONSTRAINT fk_pack_installed_by
    FOREIGN KEY (installed_by)
    REFERENCES identity(id)
    ON DELETE SET NULL;
 -- ============================================================================
 -- ============================================================================
 -- PERMISSION_SET TABLE
 -- ============================================================================
 CREATE TABLE permission_set (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT,
    label TEXT,
    description TEXT,
    grants JSONB NOT NULL DEFAULT '[]'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT permission_set_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT permission_set_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
 );
 -- Indexes
 CREATE INDEX idx_permission_set_ref ON permission_set(ref);
 CREATE INDEX idx_permission_set_pack ON permission_set(pack);
 CREATE INDEX idx_permission_set_created ON permission_set(created DESC);
 -- Trigger
 CREATE TRIGGER update_permission_set_updated
    BEFORE UPDATE ON permission_set
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE permission_set IS 'Permission sets group permissions together (like roles)';
 COMMENT ON COLUMN permission_set.ref IS 'Unique permission set reference (format: pack.name)';
 COMMENT ON COLUMN permission_set.label IS 'Human-readable name';
 COMMENT ON COLUMN permission_set.grants IS 'Array of permission grants';
 -- ============================================================================
 -- ============================================================================
 -- PERMISSION_ASSIGNMENT TABLE
 -- ============================================================================
 CREATE TABLE permission_assignment (
    id BIGSERIAL PRIMARY KEY,
    identity BIGINT NOT NULL REFERENCES identity(id) ON DELETE CASCADE,
    permset BIGINT NOT NULL REFERENCES permission_set(id) ON DELETE CASCADE,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Unique constraint to prevent duplicate assignments
    CONSTRAINT unique_identity_permset UNIQUE (identity, permset)
 );
 -- Indexes
 CREATE INDEX idx_permission_assignment_identity ON permission_assignment(identity);
 CREATE INDEX idx_permission_assignment_permset ON permission_assignment(permset);
 CREATE INDEX idx_permission_assignment_created ON permission_assignment(created DESC);
 CREATE INDEX idx_permission_assignment_identity_created ON permission_assignment(identity, created DESC);
 CREATE INDEX idx_permission_assignment_permset_created ON permission_assignment(permset, created DESC);
 -- Comments
 COMMENT ON TABLE permission_assignment IS 'Links identities to permission sets (many-to-many)';
 COMMENT ON COLUMN permission_assignment.identity IS 'Identity being granted permissions';
 COMMENT ON COLUMN permission_assignment.permset IS 'Permission set being assigned';
 -- ============================================================================
 ALTER TABLE identity
    ADD COLUMN frozen BOOLEAN NOT NULL DEFAULT false;
 CREATE INDEX idx_identity_frozen ON identity(frozen);
 COMMENT ON COLUMN identity.frozen IS 'If true, authentication is blocked for this identity';
 CREATE TABLE identity_role_assignment (
    id BIGSERIAL PRIMARY KEY,
    identity BIGINT NOT NULL REFERENCES identity(id) ON DELETE CASCADE,
    role TEXT NOT NULL,
    source TEXT NOT NULL DEFAULT 'manual',
    managed BOOLEAN NOT NULL DEFAULT false,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT unique_identity_role_assignment UNIQUE (identity, role)
 );
 CREATE INDEX idx_identity_role_assignment_identity
    ON identity_role_assignment(identity);
 CREATE INDEX idx_identity_role_assignment_role
    ON identity_role_assignment(role);
 CREATE INDEX idx_identity_role_assignment_source
    ON identity_role_assignment(source);
 CREATE TRIGGER update_identity_role_assignment_updated
    BEFORE UPDATE ON identity_role_assignment
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 COMMENT ON TABLE identity_role_assignment IS 'Links identities to role labels from manual assignment or external identity providers';
 COMMENT ON COLUMN identity_role_assignment.role IS 'Opaque role/group label (e.g. IDP group name)';
 COMMENT ON COLUMN identity_role_assignment.source IS 'Where the role assignment originated (manual, oidc, ldap, sync, etc.)';
 COMMENT ON COLUMN identity_role_assignment.managed IS 'True when the assignment is managed by external sync and should not be edited manually';
 CREATE TABLE permission_set_role_assignment (
    id BIGSERIAL PRIMARY KEY,
    permset BIGINT NOT NULL REFERENCES permission_set(id) ON DELETE CASCADE,
    role TEXT NOT NULL,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT unique_permission_set_role_assignment UNIQUE (permset, role)
 );
 CREATE INDEX idx_permission_set_role_assignment_permset
    ON permission_set_role_assignment(permset);
 CREATE INDEX idx_permission_set_role_assignment_role
    ON permission_set_role_assignment(role);
 COMMENT ON TABLE permission_set_role_assignment IS 'Links permission sets to role labels for role-based grant expansion';
 COMMENT ON COLUMN permission_set_role_assignment.role IS 'Opaque role/group label associated with the permission set';
 -- ============================================================================
 -- ============================================================================
 -- POLICY TABLE
 -- ============================================================================
 CREATE TABLE policy (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT,
    action BIGINT, -- Forward reference to action table, will add constraint in next migration
    action_ref TEXT,
    parameters TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
    method policy_method_enum NOT NULL,
    threshold INTEGER NOT NULL,
    name TEXT NOT NULL,
    description TEXT,
    tags TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT policy_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT policy_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$'),
    CONSTRAINT policy_threshold_positive CHECK (threshold > 0)
 );
 -- Indexes
 CREATE INDEX idx_policy_ref ON policy(ref);
 CREATE INDEX idx_policy_pack ON policy(pack);
 CREATE INDEX idx_policy_action ON policy(action);
 CREATE INDEX idx_policy_created ON policy(created DESC);
 CREATE INDEX idx_policy_action_created ON policy(action, created DESC);
 CREATE INDEX idx_policy_pack_created ON policy(pack, created DESC);
 CREATE INDEX idx_policy_parameters_gin ON policy USING GIN (parameters);
 CREATE INDEX idx_policy_tags_gin ON policy USING GIN (tags);
 -- Trigger
 CREATE TRIGGER update_policy_updated
    BEFORE UPDATE ON policy
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE policy IS 'Policies define execution controls (rate limiting, concurrency)';
 COMMENT ON COLUMN policy.ref IS 'Unique policy reference (format: pack.name)';
 COMMENT ON COLUMN policy.action IS 'Action this policy applies to';
 COMMENT ON COLUMN policy.parameters IS 'Parameter names used for policy grouping';
 COMMENT ON COLUMN policy.method IS 'How to handle policy violations (cancel/enqueue)';
 COMMENT ON COLUMN policy.threshold IS 'Numeric limit (e.g., max concurrent executions)';
 -- ============================================================================
--- a/docker/distributable/migrations/20250101000004_trigger_sensor_event_rule.sql
+++ b/docker/distributable/migrations/20250101000004_trigger_sensor_event_rule.sql
@@ -0,0 +1,290 @@
 -- Migration: Event System and Actions
 -- Description: Creates trigger, sensor, event, enforcement, and action tables
 --              with runtime version constraint support. Includes webhook key
 --              generation function used by webhook management functions in 000007.
 --
 --              NOTE: The event and enforcement tables are converted to TimescaleDB
 --              hypertables in migration 000009. Hypertables cannot be the target of
 --              FK constraints, so enforcement.event is a plain BIGINT with no FK.
 --              FKs *from* hypertables to regular tables (e.g., event.trigger → trigger,
 --              enforcement.rule → rule) are supported by TimescaleDB 2.x and are kept.
 -- Version: 20250101000004
 -- ============================================================================
 -- WEBHOOK KEY GENERATION
 -- ============================================================================
 -- Generates a unique webhook key in the format: wh_<32 random hex chars>
 -- Used by enable_trigger_webhook() and regenerate_trigger_webhook_key() in 000007.
 CREATE OR REPLACE FUNCTION generate_webhook_key()
 RETURNS VARCHAR(64) AS $$
 BEGIN
    RETURN 'wh_' || encode(gen_random_bytes(16), 'hex');
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION generate_webhook_key() IS 'Generates a unique webhook key (format: wh_<32 hex chars>) for trigger webhook authentication';
 -- ============================================================================
 -- TRIGGER TABLE
 -- ============================================================================
 CREATE TABLE trigger (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT,
    label TEXT NOT NULL,
    description TEXT,
    enabled BOOLEAN NOT NULL DEFAULT TRUE,
    is_adhoc BOOLEAN DEFAULT false NOT NULL,
    param_schema JSONB,
    out_schema JSONB,
    webhook_enabled BOOLEAN NOT NULL DEFAULT FALSE,
    webhook_key VARCHAR(64) UNIQUE,
    webhook_config JSONB DEFAULT '{}'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT trigger_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT trigger_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
 );
 -- Indexes
 CREATE INDEX idx_trigger_ref ON trigger(ref);
 CREATE INDEX idx_trigger_pack ON trigger(pack);
 CREATE INDEX idx_trigger_enabled ON trigger(enabled) WHERE enabled = TRUE;
 CREATE INDEX idx_trigger_created ON trigger(created DESC);
 CREATE INDEX idx_trigger_pack_enabled ON trigger(pack, enabled);
 CREATE INDEX idx_trigger_webhook_key ON trigger(webhook_key) WHERE webhook_key IS NOT NULL;
 CREATE INDEX idx_trigger_enabled_created ON trigger(enabled, created DESC) WHERE enabled = TRUE;
 -- Trigger
 CREATE TRIGGER update_trigger_updated
    BEFORE UPDATE ON trigger
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE trigger IS 'Trigger definitions that can activate rules';
 COMMENT ON COLUMN trigger.ref IS 'Unique trigger reference (format: pack.name)';
 COMMENT ON COLUMN trigger.label IS 'Human-readable trigger name';
 COMMENT ON COLUMN trigger.enabled IS 'Whether this trigger is active';
 COMMENT ON COLUMN trigger.param_schema IS 'JSON schema defining the expected configuration parameters when this trigger is used';
 COMMENT ON COLUMN trigger.out_schema IS 'JSON schema defining the structure of event payloads generated by this trigger';
 -- ============================================================================
 -- ============================================================================
 -- SENSOR TABLE
 -- ============================================================================
 CREATE TABLE sensor (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT,
    label TEXT NOT NULL,
    description TEXT,
    entrypoint TEXT NOT NULL,
    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
    runtime_ref TEXT NOT NULL,
    trigger BIGINT NOT NULL REFERENCES trigger(id) ON DELETE CASCADE,
    trigger_ref TEXT NOT NULL,
    enabled BOOLEAN NOT NULL,
    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
    param_schema JSONB,
    config JSONB,
    runtime_version_constraint TEXT,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT sensor_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT sensor_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
 );
 -- Indexes
 CREATE INDEX idx_sensor_ref ON sensor(ref);
 CREATE INDEX idx_sensor_pack ON sensor(pack);
 CREATE INDEX idx_sensor_runtime ON sensor(runtime);
 CREATE INDEX idx_sensor_trigger ON sensor(trigger);
 CREATE INDEX idx_sensor_enabled ON sensor(enabled) WHERE enabled = TRUE;
 CREATE INDEX idx_sensor_is_adhoc ON sensor(is_adhoc) WHERE is_adhoc = true;
 CREATE INDEX idx_sensor_created ON sensor(created DESC);
 -- Trigger
 CREATE TRIGGER update_sensor_updated
    BEFORE UPDATE ON sensor
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE sensor IS 'Sensors monitor for events and create trigger instances';
 COMMENT ON COLUMN sensor.ref IS 'Unique sensor reference (format: pack.name)';
 COMMENT ON COLUMN sensor.label IS 'Human-readable sensor name';
 COMMENT ON COLUMN sensor.entrypoint IS 'Script or command to execute';
 COMMENT ON COLUMN sensor.runtime IS 'Runtime environment for execution';
 COMMENT ON COLUMN sensor.trigger IS 'Trigger type this sensor creates events for';
 COMMENT ON COLUMN sensor.enabled IS 'Whether this sensor is active';
 COMMENT ON COLUMN sensor.is_adhoc IS 'True if sensor was manually created (ad-hoc), false if installed from pack';
 COMMENT ON COLUMN sensor.runtime_version_constraint IS 'Semver version constraint for the runtime (e.g., ">=3.12", ">=3.12,<4.0", "~18.0"). NULL means any version.';
 -- ============================================================================
 -- EVENT TABLE
 -- ============================================================================
 CREATE TABLE event (
    id BIGSERIAL PRIMARY KEY,
    trigger BIGINT REFERENCES trigger(id) ON DELETE SET NULL,
    trigger_ref TEXT NOT NULL,
    config JSONB,
    payload JSONB,
    source BIGINT REFERENCES sensor(id) ON DELETE SET NULL,
    source_ref TEXT,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    rule BIGINT,
    rule_ref TEXT
 );
 -- Indexes
 CREATE INDEX idx_event_trigger ON event(trigger);
 CREATE INDEX idx_event_trigger_ref ON event(trigger_ref);
 CREATE INDEX idx_event_source ON event(source);
 CREATE INDEX idx_event_created ON event(created DESC);
 CREATE INDEX idx_event_trigger_created ON event(trigger, created DESC);
 CREATE INDEX idx_event_trigger_ref_created ON event(trigger_ref, created DESC);
 CREATE INDEX idx_event_source_created ON event(source, created DESC);
 CREATE INDEX idx_event_payload_gin ON event USING GIN (payload);
 -- Comments
 COMMENT ON TABLE event IS 'Events are instances of triggers firing';
 COMMENT ON COLUMN event.trigger IS 'Trigger that fired (may be null if trigger deleted)';
 COMMENT ON COLUMN event.trigger_ref IS 'Trigger reference (preserved even if trigger deleted)';
 COMMENT ON COLUMN event.config IS 'Snapshot of trigger/sensor configuration at event time';
 COMMENT ON COLUMN event.payload IS 'Event data payload';
 COMMENT ON COLUMN event.source IS 'Sensor that generated this event';
 -- ============================================================================
 -- ENFORCEMENT TABLE
 -- ============================================================================
 CREATE TABLE enforcement (
    id BIGSERIAL PRIMARY KEY,
    rule BIGINT, -- Forward reference to rule table, will add constraint after rule is created
    rule_ref TEXT NOT NULL,
    trigger_ref TEXT NOT NULL,
    config JSONB,
    event BIGINT,           -- references event(id); no FK because event becomes a hypertable
    status enforcement_status_enum NOT NULL DEFAULT 'created',
    payload JSONB NOT NULL,
    condition enforcement_condition_enum NOT NULL DEFAULT 'all',
    conditions JSONB NOT NULL DEFAULT '[]'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    resolved_at TIMESTAMPTZ,
    -- Constraints
    CONSTRAINT enforcement_condition_check CHECK (condition IN ('any', 'all'))
 );
 -- Indexes
 CREATE INDEX idx_enforcement_rule ON enforcement(rule);
 CREATE INDEX idx_enforcement_rule_ref ON enforcement(rule_ref);
 CREATE INDEX idx_enforcement_trigger_ref ON enforcement(trigger_ref);
 CREATE INDEX idx_enforcement_event ON enforcement(event);
 CREATE INDEX idx_enforcement_status ON enforcement(status);
 CREATE INDEX idx_enforcement_created ON enforcement(created DESC);
 CREATE INDEX idx_enforcement_status_created ON enforcement(status, created DESC);
 CREATE INDEX idx_enforcement_rule_status ON enforcement(rule, status);
 CREATE INDEX idx_enforcement_event_status ON enforcement(event, status);
 CREATE INDEX idx_enforcement_payload_gin ON enforcement USING GIN (payload);
 CREATE INDEX idx_enforcement_conditions_gin ON enforcement USING GIN (conditions);
 -- Comments
 COMMENT ON TABLE enforcement IS 'Enforcements represent rule triggering by events';
 COMMENT ON COLUMN enforcement.rule IS 'Rule being enforced (may be null if rule deleted)';
 COMMENT ON COLUMN enforcement.rule_ref IS 'Rule reference (preserved even if rule deleted)';
 COMMENT ON COLUMN enforcement.event IS 'Event that triggered this enforcement (no FK — event is a hypertable)';
 COMMENT ON COLUMN enforcement.status IS 'Processing status (created → processed or disabled)';
 COMMENT ON COLUMN enforcement.resolved_at IS 'Timestamp when the enforcement was resolved (status changed from created to processed/disabled). NULL while status is created.';
 COMMENT ON COLUMN enforcement.payload IS 'Event payload for rule evaluation';
 COMMENT ON COLUMN enforcement.condition IS 'Logical operator for conditions (any=OR, all=AND)';
 COMMENT ON COLUMN enforcement.conditions IS 'Condition expressions to evaluate';
 -- ============================================================================
 -- ACTION TABLE
 -- ============================================================================
 CREATE TABLE action (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT NOT NULL,
    label TEXT NOT NULL,
    description TEXT,
    entrypoint TEXT NOT NULL,
    runtime BIGINT REFERENCES runtime(id),
    param_schema JSONB,
    out_schema JSONB,
    parameter_delivery TEXT NOT NULL DEFAULT 'stdin' CHECK (parameter_delivery IN ('stdin', 'file')),
    parameter_format TEXT NOT NULL DEFAULT 'json' CHECK (parameter_format IN ('dotenv', 'json', 'yaml')),
    output_format TEXT NOT NULL DEFAULT 'text' CHECK (output_format IN ('text', 'json', 'yaml', 'jsonl')),
    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
    timeout_seconds INTEGER,
    max_retries INTEGER DEFAULT 0,
    runtime_version_constraint TEXT,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT action_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT action_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
 );
 -- Indexes
 CREATE INDEX idx_action_ref ON action(ref);
 CREATE INDEX idx_action_pack ON action(pack);
 CREATE INDEX idx_action_runtime ON action(runtime);
 CREATE INDEX idx_action_parameter_delivery ON action(parameter_delivery);
 CREATE INDEX idx_action_parameter_format ON action(parameter_format);
 CREATE INDEX idx_action_output_format ON action(output_format);
 CREATE INDEX idx_action_is_adhoc ON action(is_adhoc) WHERE is_adhoc = true;
 CREATE INDEX idx_action_created ON action(created DESC);
 -- Trigger
 CREATE TRIGGER update_action_updated
    BEFORE UPDATE ON action
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE action IS 'Actions are executable tasks that can be triggered';
 COMMENT ON COLUMN action.ref IS 'Unique action reference (format: pack.name)';
 COMMENT ON COLUMN action.pack IS 'Pack this action belongs to';
 COMMENT ON COLUMN action.label IS 'Human-readable action name';
 COMMENT ON COLUMN action.entrypoint IS 'Script or command to execute';
 COMMENT ON COLUMN action.runtime IS 'Runtime environment for execution';
 COMMENT ON COLUMN action.param_schema IS 'JSON schema for action parameters';
 COMMENT ON COLUMN action.out_schema IS 'JSON schema for action output';
 COMMENT ON COLUMN action.parameter_delivery IS 'How parameters are delivered: stdin (standard input - secure), file (temporary file - secure for large payloads). Environment variables are set separately via execution.env_vars.';
 COMMENT ON COLUMN action.parameter_format IS 'Parameter serialization format: json (JSON object - default), dotenv (KEY=''VALUE''), yaml (YAML format)';
 COMMENT ON COLUMN action.output_format IS 'Output parsing format: text (no parsing - raw stdout), json (parse stdout as JSON), yaml (parse stdout as YAML), jsonl (parse each line as JSON, collect into array)';
 COMMENT ON COLUMN action.is_adhoc IS 'True if action was manually created (ad-hoc), false if installed from pack';
 COMMENT ON COLUMN action.timeout_seconds IS 'Worker queue TTL override in seconds. If NULL, uses global worker_queue_ttl_ms config. Allows per-action timeout tuning.';
 COMMENT ON COLUMN action.max_retries IS 'Maximum number of automatic retry attempts for failed executions. 0 = no retries (default).';
 COMMENT ON COLUMN action.runtime_version_constraint IS 'Semver version constraint for the runtime (e.g., ">=3.12", ">=3.12,<4.0", "~18.0"). NULL means any version.';
 -- ============================================================================
 -- Add foreign key constraint for policy table
 ALTER TABLE policy
    ADD CONSTRAINT policy_action_fkey
    FOREIGN KEY (action) REFERENCES action(id) ON DELETE CASCADE;
 -- Note: Foreign key constraints for key table (key_owner_action_fkey, key_owner_sensor_fkey)
 -- will be added in migration 000007_supporting_systems.sql after the key table is created
 -- Note: Rule table will be created in migration 000005 after execution table exists
 -- Note: Foreign key constraints for enforcement.rule and event.rule will be added there
--- a/docker/distributable/migrations/20250101000005_execution_and_operations.sql
+++ b/docker/distributable/migrations/20250101000005_execution_and_operations.sql
@@ -0,0 +1,410 @@
 -- Migration: Execution and Operations
 -- Description: Creates execution, inquiry, rule, worker, and notification tables.
 --              Includes retry tracking, worker health views, and helper functions.
 --              Consolidates former migrations: 000006 (execution_system), 000008
 --              (worker_notification), 000014 (worker_table), and 20260209 (phase3).
 --
 --              NOTE: The execution table is converted to a TimescaleDB hypertable in
 --              migration 000009. Hypertables cannot be the target of FK constraints,
 --              so columns referencing execution (inquiry.execution, workflow_execution.execution)
 --              are plain BIGINT with no FK. Similarly, columns ON the execution table that
 --              would self-reference or reference other hypertables (parent, enforcement,
 --              original_execution) are plain BIGINT. The action and executor FKs are also
 --              omitted since they would need to be dropped during hypertable conversion.
 -- Version: 20250101000005
 -- ============================================================================
 -- EXECUTION TABLE
 -- ============================================================================
 CREATE TABLE execution (
    id BIGSERIAL PRIMARY KEY,
    action BIGINT,          -- references action(id); no FK because execution becomes a hypertable
    action_ref TEXT NOT NULL,
    config JSONB,
    env_vars JSONB,
    parent BIGINT,          -- self-reference; no FK because execution becomes a hypertable
    enforcement BIGINT,     -- references enforcement(id); no FK (both are hypertables)
    executor BIGINT,        -- references identity(id); no FK because execution becomes a hypertable
    worker BIGINT,          -- references worker(id); no FK because execution becomes a hypertable
    status execution_status_enum NOT NULL DEFAULT 'requested',
    result JSONB,
    started_at TIMESTAMPTZ,         -- set when execution transitions to 'running'
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    is_workflow BOOLEAN DEFAULT false NOT NULL,
    workflow_def BIGINT,    -- references workflow_definition(id); no FK because execution becomes a hypertable
    workflow_task JSONB,
    -- Retry tracking (baked in from phase 3)
    retry_count INTEGER NOT NULL DEFAULT 0,
    max_retries INTEGER,
    retry_reason TEXT,
    original_execution BIGINT, -- self-reference; no FK because execution becomes a hypertable
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_execution_action ON execution(action);
 CREATE INDEX idx_execution_action_ref ON execution(action_ref);
 CREATE INDEX idx_execution_parent ON execution(parent);
 CREATE INDEX idx_execution_enforcement ON execution(enforcement);
 CREATE INDEX idx_execution_executor ON execution(executor);
 CREATE INDEX idx_execution_worker ON execution(worker);
 CREATE INDEX idx_execution_status ON execution(status);
 CREATE INDEX idx_execution_created ON execution(created DESC);
 CREATE INDEX idx_execution_updated ON execution(updated DESC);
 CREATE INDEX idx_execution_status_created ON execution(status, created DESC);
 CREATE INDEX idx_execution_status_updated ON execution(status, updated DESC);
 CREATE INDEX idx_execution_action_status ON execution(action, status);
 CREATE INDEX idx_execution_executor_created ON execution(executor, created DESC);
 CREATE INDEX idx_execution_worker_created ON execution(worker, created DESC);
 CREATE INDEX idx_execution_parent_created ON execution(parent, created DESC);
 CREATE INDEX idx_execution_result_gin ON execution USING GIN (result);
 CREATE INDEX idx_execution_env_vars_gin ON execution USING GIN (env_vars);
 CREATE INDEX idx_execution_original_execution ON execution(original_execution) WHERE original_execution IS NOT NULL;
 CREATE INDEX idx_execution_status_retry ON execution(status, retry_count) WHERE status = 'failed' AND retry_count < COALESCE(max_retries, 0);
 -- Trigger
 CREATE TRIGGER update_execution_updated
    BEFORE UPDATE ON execution
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE execution IS 'Executions represent action runs, supports nested workflows';
 COMMENT ON COLUMN execution.action IS 'Action being executed (may be null if action deleted)';
 COMMENT ON COLUMN execution.action_ref IS 'Action reference (preserved even if action deleted)';
 COMMENT ON COLUMN execution.config IS 'Snapshot of action configuration at execution time';
 COMMENT ON COLUMN execution.env_vars IS 'Environment variables for this execution as key-value pairs (string -> string). These are set in the execution environment and are separate from action parameters. Used for execution context, configuration, and non-sensitive metadata.';
 COMMENT ON COLUMN execution.parent IS 'Parent execution ID for workflow hierarchies (no FK — execution is a hypertable)';
 COMMENT ON COLUMN execution.enforcement IS 'Enforcement that triggered this execution (no FK — both are hypertables)';
 COMMENT ON COLUMN execution.executor IS 'Identity that initiated the execution (no FK — execution is a hypertable)';
 COMMENT ON COLUMN execution.worker IS 'Assigned worker handling this execution (no FK — execution is a hypertable)';
 COMMENT ON COLUMN execution.status IS 'Current execution lifecycle status';
 COMMENT ON COLUMN execution.result IS 'Execution output/results';
 COMMENT ON COLUMN execution.retry_count IS 'Current retry attempt number (0 = first attempt, 1 = first retry, etc.)';
 COMMENT ON COLUMN execution.max_retries IS 'Maximum retries for this execution. Copied from action.max_retries at creation time.';
 COMMENT ON COLUMN execution.retry_reason IS 'Reason for retry (e.g., "worker_unavailable", "transient_error", "manual_retry")';
 COMMENT ON COLUMN execution.original_execution IS 'ID of the original execution if this is a retry. Forms a retry chain.';
 -- ============================================================================
 -- ============================================================================
 -- INQUIRY TABLE
 -- ============================================================================
 CREATE TABLE inquiry (
    id BIGSERIAL PRIMARY KEY,
    execution BIGINT NOT NULL, -- references execution(id); no FK because execution is a hypertable
    prompt TEXT NOT NULL,
    response_schema JSONB,
    assigned_to BIGINT REFERENCES identity(id) ON DELETE SET NULL,
    status inquiry_status_enum NOT NULL DEFAULT 'pending',
    response JSONB,
    timeout_at TIMESTAMPTZ,
    responded_at TIMESTAMPTZ,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_inquiry_execution ON inquiry(execution);
 CREATE INDEX idx_inquiry_assigned_to ON inquiry(assigned_to);
 CREATE INDEX idx_inquiry_status ON inquiry(status);
 CREATE INDEX idx_inquiry_timeout_at ON inquiry(timeout_at) WHERE timeout_at IS NOT NULL;
 CREATE INDEX idx_inquiry_created ON inquiry(created DESC);
 CREATE INDEX idx_inquiry_status_created ON inquiry(status, created DESC);
 CREATE INDEX idx_inquiry_assigned_status ON inquiry(assigned_to, status);
 CREATE INDEX idx_inquiry_execution_status ON inquiry(execution, status);
 CREATE INDEX idx_inquiry_response_gin ON inquiry USING GIN (response);
 -- Trigger
 CREATE TRIGGER update_inquiry_updated
    BEFORE UPDATE ON inquiry
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE inquiry IS 'Inquiries enable human-in-the-loop workflows with async user interactions';
 COMMENT ON COLUMN inquiry.execution IS 'Execution that is waiting on this inquiry (no FK — execution is a hypertable)';
 COMMENT ON COLUMN inquiry.prompt IS 'Question or prompt text for the user';
 COMMENT ON COLUMN inquiry.response_schema IS 'JSON schema defining expected response format';
 COMMENT ON COLUMN inquiry.assigned_to IS 'Identity who should respond to this inquiry';
 COMMENT ON COLUMN inquiry.status IS 'Current inquiry lifecycle status';
 COMMENT ON COLUMN inquiry.response IS 'User response data';
 COMMENT ON COLUMN inquiry.timeout_at IS 'When this inquiry expires';
 COMMENT ON COLUMN inquiry.responded_at IS 'When the response was received';
 -- ============================================================================
 -- ============================================================================
 -- RULE TABLE
 -- ============================================================================
 CREATE TABLE rule (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT NOT NULL,
    label TEXT NOT NULL,
    description TEXT,
    action BIGINT REFERENCES action(id) ON DELETE SET NULL,
    action_ref TEXT NOT NULL,
    trigger BIGINT REFERENCES trigger(id) ON DELETE SET NULL,
    trigger_ref TEXT NOT NULL,
    conditions JSONB NOT NULL DEFAULT '[]'::jsonb,
    action_params JSONB DEFAULT '{}'::jsonb,
    trigger_params JSONB DEFAULT '{}'::jsonb,
    enabled BOOLEAN NOT NULL,
    is_adhoc BOOLEAN NOT NULL DEFAULT FALSE,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT rule_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT rule_ref_format CHECK (ref ~ '^[^.]+\.[^.]+$')
 );
 -- Indexes
 CREATE INDEX idx_rule_ref ON rule(ref);
 CREATE INDEX idx_rule_pack ON rule(pack);
 CREATE INDEX idx_rule_action ON rule(action);
 CREATE INDEX idx_rule_trigger ON rule(trigger);
 CREATE INDEX idx_rule_enabled ON rule(enabled) WHERE enabled = TRUE;
 CREATE INDEX idx_rule_is_adhoc ON rule(is_adhoc) WHERE is_adhoc = true;
 CREATE INDEX idx_rule_created ON rule(created DESC);
 CREATE INDEX idx_rule_trigger_enabled ON rule(trigger, enabled);
 CREATE INDEX idx_rule_action_enabled ON rule(action, enabled);
 CREATE INDEX idx_rule_pack_enabled ON rule(pack, enabled);
 CREATE INDEX idx_rule_action_params_gin ON rule USING GIN (action_params);
 CREATE INDEX idx_rule_trigger_params_gin ON rule USING GIN (trigger_params);
 -- Trigger
 CREATE TRIGGER update_rule_updated
    BEFORE UPDATE ON rule
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE rule IS 'Rules link triggers to actions with conditions';
 COMMENT ON COLUMN rule.ref IS 'Unique rule reference (format: pack.name)';
 COMMENT ON COLUMN rule.label IS 'Human-readable rule name';
 COMMENT ON COLUMN rule.action IS 'Action to execute when rule triggers (null if action deleted)';
 COMMENT ON COLUMN rule.trigger IS 'Trigger that activates this rule (null if trigger deleted)';
 COMMENT ON COLUMN rule.conditions IS 'Condition expressions to evaluate before executing action';
 COMMENT ON COLUMN rule.action_params IS 'Parameter overrides for the action';
 COMMENT ON COLUMN rule.trigger_params IS 'Parameter overrides for the trigger';
 COMMENT ON COLUMN rule.enabled IS 'Whether this rule is active';
 COMMENT ON COLUMN rule.is_adhoc IS 'True if rule was manually created (ad-hoc), false if installed from pack';
 -- ============================================================================
 -- Add foreign key constraints now that rule table exists
 ALTER TABLE enforcement
    ADD CONSTRAINT enforcement_rule_fkey
    FOREIGN KEY (rule) REFERENCES rule(id) ON DELETE SET NULL;
 ALTER TABLE event
    ADD CONSTRAINT event_rule_fkey
    FOREIGN KEY (rule) REFERENCES rule(id) ON DELETE SET NULL;
 -- ============================================================================
 -- WORKER TABLE
 -- ============================================================================
 CREATE TABLE worker (
    id BIGSERIAL PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    worker_type worker_type_enum NOT NULL,
    worker_role worker_role_enum NOT NULL,
    runtime BIGINT REFERENCES runtime(id) ON DELETE SET NULL,
    host TEXT,
    port INTEGER,
    status worker_status_enum NOT NULL DEFAULT 'active',
    capabilities JSONB,
    meta JSONB,
    last_heartbeat TIMESTAMPTZ,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_worker_name ON worker(name);
 CREATE INDEX idx_worker_type ON worker(worker_type);
 CREATE INDEX idx_worker_role ON worker(worker_role);
 CREATE INDEX idx_worker_runtime ON worker(runtime);
 CREATE INDEX idx_worker_status ON worker(status);
 CREATE INDEX idx_worker_last_heartbeat ON worker(last_heartbeat DESC) WHERE last_heartbeat IS NOT NULL;
 CREATE INDEX idx_worker_created ON worker(created DESC);
 CREATE INDEX idx_worker_status_role ON worker(status, worker_role);
 CREATE INDEX idx_worker_capabilities_gin ON worker USING GIN (capabilities);
 CREATE INDEX idx_worker_meta_gin ON worker USING GIN (meta);
 CREATE INDEX idx_worker_capabilities_health_status ON worker USING GIN ((capabilities -> 'health' -> 'status'));
 -- Trigger
 CREATE TRIGGER update_worker_updated
    BEFORE UPDATE ON worker
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE worker IS 'Worker registration and tracking table for action and sensor workers';
 COMMENT ON COLUMN worker.name IS 'Unique worker identifier (typically hostname-based)';
 COMMENT ON COLUMN worker.worker_type IS 'Worker deployment type (local or remote)';
 COMMENT ON COLUMN worker.worker_role IS 'Worker role (action or sensor)';
 COMMENT ON COLUMN worker.runtime IS 'Runtime environment this worker supports (optional)';
 COMMENT ON COLUMN worker.host IS 'Worker host address';
 COMMENT ON COLUMN worker.port IS 'Worker port number';
 COMMENT ON COLUMN worker.status IS 'Worker operational status';
 COMMENT ON COLUMN worker.capabilities IS 'Worker capabilities (e.g., max_concurrent_executions, supported runtimes)';
 COMMENT ON COLUMN worker.meta IS 'Additional worker metadata';
 COMMENT ON COLUMN worker.last_heartbeat IS 'Timestamp of last heartbeat from worker';
 -- ============================================================================
 -- NOTIFICATION TABLE
 -- ============================================================================
 CREATE TABLE notification (
    id BIGSERIAL PRIMARY KEY,
    channel TEXT NOT NULL,
    entity_type TEXT NOT NULL,
    entity TEXT NOT NULL,
    activity TEXT NOT NULL,
    state notification_status_enum NOT NULL DEFAULT 'created',
    content JSONB,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_notification_channel ON notification(channel);
 CREATE INDEX idx_notification_entity_type ON notification(entity_type);
 CREATE INDEX idx_notification_entity ON notification(entity);
 CREATE INDEX idx_notification_state ON notification(state);
 CREATE INDEX idx_notification_created ON notification(created DESC);
 CREATE INDEX idx_notification_channel_state ON notification(channel, state);
 CREATE INDEX idx_notification_entity_type_entity ON notification(entity_type, entity);
 CREATE INDEX idx_notification_state_created ON notification(state, created DESC);
 CREATE INDEX idx_notification_content_gin ON notification USING GIN (content);
 -- Trigger
 CREATE TRIGGER update_notification_updated
    BEFORE UPDATE ON notification
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Function for pg_notify on notification insert
 CREATE OR REPLACE FUNCTION notify_on_insert()
 RETURNS TRIGGER AS $$
 DECLARE
    payload TEXT;
 BEGIN
    -- Build JSON payload with id, entity, and activity
    payload := json_build_object(
        'id', NEW.id,
        'entity_type', NEW.entity_type,
        'entity', NEW.entity,
        'activity', NEW.activity
    )::text;
    -- Send notification to the specified channel
    PERFORM pg_notify(NEW.channel, payload);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger to send pg_notify on notification insert
 CREATE TRIGGER notify_on_notification_insert
    AFTER INSERT ON notification
    FOR EACH ROW
    EXECUTE FUNCTION notify_on_insert();
 -- Comments
 COMMENT ON TABLE notification IS 'System notifications about entity changes for real-time updates';
 COMMENT ON COLUMN notification.channel IS 'Notification channel (typically table name)';
 COMMENT ON COLUMN notification.entity_type IS 'Type of entity (table name)';
 COMMENT ON COLUMN notification.entity IS 'Entity identifier (typically ID or ref)';
 COMMENT ON COLUMN notification.activity IS 'Activity type (e.g., "created", "updated", "completed")';
 COMMENT ON COLUMN notification.state IS 'Processing state of notification';
 COMMENT ON COLUMN notification.content IS 'Optional notification payload data';
 -- ============================================================================
 -- WORKER HEALTH VIEWS AND FUNCTIONS
 -- ============================================================================
 -- View for healthy workers (convenience for queries)
 CREATE OR REPLACE VIEW healthy_workers AS
 SELECT
    w.id,
    w.name,
    w.worker_type,
    w.worker_role,
    w.runtime,
    w.status,
    w.capabilities,
    w.last_heartbeat,
    (w.capabilities -> 'health' ->> 'status')::TEXT as health_status,
    (w.capabilities -> 'health' ->> 'queue_depth')::INTEGER as queue_depth,
    (w.capabilities -> 'health' ->> 'consecutive_failures')::INTEGER as consecutive_failures
 FROM worker w
 WHERE
    w.status = 'active'
    AND w.last_heartbeat > NOW() - INTERVAL '30 seconds'
    AND (
        -- Healthy if no health info (backward compatible)
        w.capabilities -> 'health' IS NULL
        OR
        -- Or explicitly marked healthy
        w.capabilities -> 'health' ->> 'status' IN ('healthy', 'degraded')
    );
 COMMENT ON VIEW healthy_workers IS 'Workers that are active, have fresh heartbeat, and are healthy or degraded (not unhealthy)';
 -- Function to get worker queue depth estimate
 CREATE OR REPLACE FUNCTION get_worker_queue_depth(worker_id_param BIGINT)
 RETURNS INTEGER AS $$
 BEGIN
    RETURN (
        SELECT (capabilities -> 'health' ->> 'queue_depth')::INTEGER
        FROM worker
        WHERE id = worker_id_param
    );
 END;
 $$ LANGUAGE plpgsql STABLE;
 COMMENT ON FUNCTION get_worker_queue_depth IS 'Extract current queue depth from worker health metadata';
 -- Function to check if execution is retriable
 CREATE OR REPLACE FUNCTION is_execution_retriable(execution_id_param BIGINT)
 RETURNS BOOLEAN AS $$
 DECLARE
    exec_record RECORD;
 BEGIN
    SELECT
        e.retry_count,
        e.max_retries,
        e.status
    INTO exec_record
    FROM execution e
    WHERE e.id = execution_id_param;
    IF NOT FOUND THEN
        RETURN FALSE;
    END IF;
    -- Can retry if:
    -- 1. Status is failed
    -- 2. max_retries is set and > 0
    -- 3. retry_count < max_retries
    RETURN (
        exec_record.status = 'failed'
        AND exec_record.max_retries IS NOT NULL
        AND exec_record.max_retries > 0
        AND exec_record.retry_count < exec_record.max_retries
    );
 END;
 $$ LANGUAGE plpgsql STABLE;
 COMMENT ON FUNCTION is_execution_retriable IS 'Check if a failed execution can be automatically retried based on retry limits';
--- a/docker/distributable/migrations/20250101000006_workflow_system.sql
+++ b/docker/distributable/migrations/20250101000006_workflow_system.sql
@@ -0,0 +1,145 @@
 -- Migration: Workflow System
 -- Description: Creates workflow_definition and workflow_execution tables
 --              (workflow_task_execution consolidated into execution.workflow_task JSONB)
 --
 --              NOTE: The execution table is converted to a TimescaleDB hypertable in
 --              migration 000009. Hypertables cannot be the target of FK constraints,
 --              so workflow_execution.execution is a plain BIGINT with no FK.
 --              execution.workflow_def also has no FK (added as plain BIGINT in 000005)
 --              since execution is a hypertable and FKs from hypertables are only
 --              supported for simple cases — we omit it for consistency.
 -- Version: 20250101000006
 -- ============================================================================
 -- WORKFLOW DEFINITION TABLE
 -- ============================================================================
 CREATE TABLE workflow_definition (
    id BIGSERIAL PRIMARY KEY,
    ref VARCHAR(255) NOT NULL UNIQUE,
    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref VARCHAR(255) NOT NULL,
    label VARCHAR(255) NOT NULL,
    description TEXT,
    version VARCHAR(50) NOT NULL,
    param_schema JSONB,
    out_schema JSONB,
    definition JSONB NOT NULL,
    tags TEXT[] DEFAULT '{}',
    created TIMESTAMPTZ DEFAULT NOW() NOT NULL,
    updated TIMESTAMPTZ DEFAULT NOW() NOT NULL
 );
 -- Indexes
 CREATE INDEX idx_workflow_def_pack ON workflow_definition(pack);
 CREATE INDEX idx_workflow_def_ref ON workflow_definition(ref);
 CREATE INDEX idx_workflow_def_tags ON workflow_definition USING gin(tags);
 -- Trigger
 CREATE TRIGGER update_workflow_definition_updated
    BEFORE UPDATE ON workflow_definition
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE workflow_definition IS 'Stores workflow definitions (YAML parsed to JSON)';
 COMMENT ON COLUMN workflow_definition.ref IS 'Unique workflow reference (e.g., pack_name.workflow_name)';
 COMMENT ON COLUMN workflow_definition.definition IS 'Complete workflow specification including tasks, variables, and transitions';
 COMMENT ON COLUMN workflow_definition.param_schema IS 'JSON schema for workflow input parameters';
 COMMENT ON COLUMN workflow_definition.out_schema IS 'JSON schema for workflow output';
 -- ============================================================================
 -- WORKFLOW EXECUTION TABLE
 -- ============================================================================
 CREATE TABLE workflow_execution (
    id BIGSERIAL PRIMARY KEY,
    execution BIGINT NOT NULL, -- references execution(id); no FK because execution is a hypertable
    workflow_def BIGINT NOT NULL REFERENCES workflow_definition(id) ON DELETE CASCADE,
    current_tasks TEXT[] DEFAULT '{}',
    completed_tasks TEXT[] DEFAULT '{}',
    failed_tasks TEXT[] DEFAULT '{}',
    skipped_tasks TEXT[] DEFAULT '{}',
    variables JSONB DEFAULT '{}',
    task_graph JSONB NOT NULL,
    status execution_status_enum NOT NULL DEFAULT 'requested',
    error_message TEXT,
    paused BOOLEAN DEFAULT false NOT NULL,
    pause_reason TEXT,
    created TIMESTAMPTZ DEFAULT NOW() NOT NULL,
    updated TIMESTAMPTZ DEFAULT NOW() NOT NULL
 );
 -- Indexes
 CREATE INDEX idx_workflow_exec_execution ON workflow_execution(execution);
 CREATE INDEX idx_workflow_exec_workflow_def ON workflow_execution(workflow_def);
 CREATE INDEX idx_workflow_exec_status ON workflow_execution(status);
 CREATE INDEX idx_workflow_exec_paused ON workflow_execution(paused) WHERE paused = true;
 -- Trigger
 CREATE TRIGGER update_workflow_execution_updated
    BEFORE UPDATE ON workflow_execution
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE workflow_execution IS 'Runtime state tracking for workflow executions. execution column has no FK — execution is a hypertable.';
 COMMENT ON COLUMN workflow_execution.variables IS 'Workflow-scoped variables, updated via publish directives';
 COMMENT ON COLUMN workflow_execution.task_graph IS 'Execution graph with dependencies and transitions';
 COMMENT ON COLUMN workflow_execution.current_tasks IS 'Array of task names currently executing';
 COMMENT ON COLUMN workflow_execution.paused IS 'True if workflow execution is paused (can be resumed)';
 -- ============================================================================
 -- MODIFY ACTION TABLE - Add Workflow Support
 -- ============================================================================
 ALTER TABLE action
    ADD COLUMN workflow_def BIGINT REFERENCES workflow_definition(id) ON DELETE CASCADE;
 CREATE INDEX idx_action_workflow_def ON action(workflow_def);
 COMMENT ON COLUMN action.workflow_def IS 'Reference to workflow definition (non-null means this action is a workflow)';
 -- NOTE: execution.workflow_def has no FK constraint because execution is a
 -- TimescaleDB hypertable (converted in migration 000009). The column was
 -- created as a plain BIGINT in migration 000005.
 -- ============================================================================
 -- WORKFLOW VIEWS
 -- ============================================================================
 CREATE VIEW workflow_execution_summary AS
 SELECT
    we.id,
    we.execution,
    wd.ref as workflow_ref,
    wd.label as workflow_label,
    wd.version as workflow_version,
    we.status,
    we.paused,
    array_length(we.current_tasks, 1) as current_task_count,
    array_length(we.completed_tasks, 1) as completed_task_count,
    array_length(we.failed_tasks, 1) as failed_task_count,
    array_length(we.skipped_tasks, 1) as skipped_task_count,
    we.error_message,
    we.created,
    we.updated
 FROM workflow_execution we
 JOIN workflow_definition wd ON we.workflow_def = wd.id;
 COMMENT ON VIEW workflow_execution_summary IS 'Summary view of workflow executions with task counts';
 CREATE VIEW workflow_action_link AS
 SELECT
    wd.id as workflow_def_id,
    wd.ref as workflow_ref,
    wd.label,
    wd.version,
    a.id as action_id,
    a.ref as action_ref,
    a.pack as pack_id,
    a.pack_ref
 FROM workflow_definition wd
 LEFT JOIN action a ON a.workflow_def = wd.id;
 COMMENT ON VIEW workflow_action_link IS 'Links workflow definitions to their corresponding action records';
--- a/docker/distributable/migrations/20250101000007_supporting_systems.sql
+++ b/docker/distributable/migrations/20250101000007_supporting_systems.sql
@@ -0,0 +1,779 @@
 -- Migration: Supporting Systems
 -- Description: Creates keys, artifacts, queue_stats, pack_environment, pack_testing,
 --              and webhook function tables.
 --              Consolidates former migrations: 000009 (keys_artifacts), 000010 (webhook_system),
 --              000011 (pack_environments), and 000012 (pack_testing).
 -- Version: 20250101000007
 -- ============================================================================
 -- KEY TABLE
 -- ============================================================================
 CREATE TABLE key (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL UNIQUE,
    owner_type owner_type_enum NOT NULL,
    owner TEXT,
    owner_identity BIGINT REFERENCES identity(id),
    owner_pack BIGINT REFERENCES pack(id),
    owner_pack_ref TEXT,
    owner_action BIGINT, -- Forward reference to action table
    owner_action_ref TEXT,
    owner_sensor BIGINT, -- Forward reference to sensor table
    owner_sensor_ref TEXT,
    name TEXT NOT NULL,
    encrypted BOOLEAN NOT NULL,
    encryption_key_hash TEXT,
    value TEXT NOT NULL,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- Constraints
    CONSTRAINT key_ref_lowercase CHECK (ref = LOWER(ref)),
    CONSTRAINT key_ref_format CHECK (ref ~ '^[^.]+(\.[^.]+)*$')
 );
 -- Unique index on owner_type, owner, name
 CREATE UNIQUE INDEX idx_key_unique ON key(owner_type, owner, name);
 -- Indexes
 CREATE INDEX idx_key_ref ON key(ref);
 CREATE INDEX idx_key_owner_type ON key(owner_type);
 CREATE INDEX idx_key_owner_identity ON key(owner_identity);
 CREATE INDEX idx_key_owner_pack ON key(owner_pack);
 CREATE INDEX idx_key_owner_action ON key(owner_action);
 CREATE INDEX idx_key_owner_sensor ON key(owner_sensor);
 CREATE INDEX idx_key_created ON key(created DESC);
 CREATE INDEX idx_key_owner_type_owner ON key(owner_type, owner);
 CREATE INDEX idx_key_owner_identity_name ON key(owner_identity, name);
 CREATE INDEX idx_key_owner_pack_name ON key(owner_pack, name);
 -- Function to validate and set owner fields
 CREATE OR REPLACE FUNCTION validate_key_owner()
 RETURNS TRIGGER AS $$
 DECLARE
    owner_count INTEGER := 0;
 BEGIN
    -- Count how many owner fields are set
    IF NEW.owner_identity IS NOT NULL THEN owner_count := owner_count + 1; END IF;
    IF NEW.owner_pack IS NOT NULL THEN owner_count := owner_count + 1; END IF;
    IF NEW.owner_action IS NOT NULL THEN owner_count := owner_count + 1; END IF;
    IF NEW.owner_sensor IS NOT NULL THEN owner_count := owner_count + 1; END IF;
    -- System owner should have no owner fields set
    IF NEW.owner_type = 'system' THEN
        IF owner_count > 0 THEN
            RAISE EXCEPTION 'System owner cannot have specific owner fields set';
        END IF;
        NEW.owner := 'system';
    -- All other types must have exactly one owner field set
    ELSIF owner_count != 1 THEN
        RAISE EXCEPTION 'Exactly one owner field must be set for owner_type %', NEW.owner_type;
    -- Validate owner_type matches the populated field and set owner
    ELSIF NEW.owner_type = 'identity' THEN
        IF NEW.owner_identity IS NULL THEN
            RAISE EXCEPTION 'owner_identity must be set for owner_type identity';
        END IF;
        NEW.owner := NEW.owner_identity::TEXT;
    ELSIF NEW.owner_type = 'pack' THEN
        IF NEW.owner_pack IS NULL THEN
            RAISE EXCEPTION 'owner_pack must be set for owner_type pack';
        END IF;
        NEW.owner := NEW.owner_pack::TEXT;
    ELSIF NEW.owner_type = 'action' THEN
        IF NEW.owner_action IS NULL THEN
            RAISE EXCEPTION 'owner_action must be set for owner_type action';
        END IF;
        NEW.owner := NEW.owner_action::TEXT;
    ELSIF NEW.owner_type = 'sensor' THEN
        IF NEW.owner_sensor IS NULL THEN
            RAISE EXCEPTION 'owner_sensor must be set for owner_type sensor';
        END IF;
        NEW.owner := NEW.owner_sensor::TEXT;
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger to validate owner fields
 CREATE TRIGGER validate_key_owner_trigger
    BEFORE INSERT OR UPDATE ON key
    FOR EACH ROW
    EXECUTE FUNCTION validate_key_owner();
 -- Trigger for updated timestamp
 CREATE TRIGGER update_key_updated
    BEFORE UPDATE ON key
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE key IS 'Keys store configuration values and secrets with ownership scoping';
 COMMENT ON COLUMN key.ref IS 'Unique key reference (format: [owner.]name)';
 COMMENT ON COLUMN key.owner_type IS 'Type of owner (system, identity, pack, action, sensor)';
 COMMENT ON COLUMN key.owner IS 'Owner identifier (auto-populated by trigger)';
 COMMENT ON COLUMN key.owner_identity IS 'Identity owner (if owner_type=identity)';
 COMMENT ON COLUMN key.owner_pack IS 'Pack owner (if owner_type=pack)';
 COMMENT ON COLUMN key.owner_pack_ref IS 'Pack reference for owner_pack';
 COMMENT ON COLUMN key.owner_action IS 'Action owner (if owner_type=action)';
 COMMENT ON COLUMN key.owner_sensor IS 'Sensor owner (if owner_type=sensor)';
 COMMENT ON COLUMN key.name IS 'Key name within owner scope';
 COMMENT ON COLUMN key.encrypted IS 'Whether the value is encrypted';
 COMMENT ON COLUMN key.encryption_key_hash IS 'Hash of encryption key used';
 COMMENT ON COLUMN key.value IS 'The actual value (encrypted if encrypted=true)';
 -- Add foreign key constraints for action and sensor references
 ALTER TABLE key
    ADD CONSTRAINT key_owner_action_fkey
    FOREIGN KEY (owner_action) REFERENCES action(id) ON DELETE CASCADE;
 ALTER TABLE key
    ADD CONSTRAINT key_owner_sensor_fkey
    FOREIGN KEY (owner_sensor) REFERENCES sensor(id) ON DELETE CASCADE;
 -- ============================================================================
 -- ARTIFACT TABLE
 -- ============================================================================
 CREATE TABLE artifact (
    id BIGSERIAL PRIMARY KEY,
    ref TEXT NOT NULL,
    scope owner_type_enum NOT NULL DEFAULT 'system',
    owner TEXT NOT NULL DEFAULT '',
    type artifact_type_enum NOT NULL,
    visibility artifact_visibility_enum NOT NULL DEFAULT 'private',
    retention_policy artifact_retention_enum NOT NULL DEFAULT 'versions',
    retention_limit INTEGER NOT NULL DEFAULT 1,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_artifact_ref ON artifact(ref);
 CREATE INDEX idx_artifact_scope ON artifact(scope);
 CREATE INDEX idx_artifact_owner ON artifact(owner);
 CREATE INDEX idx_artifact_type ON artifact(type);
 CREATE INDEX idx_artifact_created ON artifact(created DESC);
 CREATE INDEX idx_artifact_scope_owner ON artifact(scope, owner);
 CREATE INDEX idx_artifact_type_created ON artifact(type, created DESC);
 CREATE INDEX idx_artifact_visibility ON artifact(visibility);
 CREATE INDEX idx_artifact_visibility_scope ON artifact(visibility, scope, owner);
 -- Trigger
 CREATE TRIGGER update_artifact_updated
    BEFORE UPDATE ON artifact
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE artifact IS 'Artifacts track files, logs, and outputs from executions';
 COMMENT ON COLUMN artifact.ref IS 'Artifact reference/path';
 COMMENT ON COLUMN artifact.scope IS 'Owner type (system, identity, pack, action, sensor)';
 COMMENT ON COLUMN artifact.owner IS 'Owner identifier';
 COMMENT ON COLUMN artifact.type IS 'Artifact type (file, url, progress, etc.)';
 COMMENT ON COLUMN artifact.visibility IS 'Visibility level: public (all users) or private (scoped by scope/owner)';
 COMMENT ON COLUMN artifact.retention_policy IS 'How to retain artifacts (versions, days, hours, minutes)';
 COMMENT ON COLUMN artifact.retention_limit IS 'Numeric limit for retention policy';
 -- ============================================================================
 -- QUEUE_STATS TABLE
 -- ============================================================================
 CREATE TABLE queue_stats (
    action_id BIGINT PRIMARY KEY REFERENCES action(id) ON DELETE CASCADE,
    queue_length INTEGER NOT NULL DEFAULT 0,
    active_count INTEGER NOT NULL DEFAULT 0,
    max_concurrent INTEGER NOT NULL DEFAULT 1,
    oldest_enqueued_at TIMESTAMPTZ,
    total_enqueued BIGINT NOT NULL DEFAULT 0,
    total_completed BIGINT NOT NULL DEFAULT 0,
    last_updated TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Indexes
 CREATE INDEX idx_queue_stats_last_updated ON queue_stats(last_updated);
 -- Comments
 COMMENT ON TABLE queue_stats IS 'Real-time queue statistics for action execution ordering';
 COMMENT ON COLUMN queue_stats.action_id IS 'Foreign key to action table';
 COMMENT ON COLUMN queue_stats.queue_length IS 'Number of executions waiting in queue';
 COMMENT ON COLUMN queue_stats.active_count IS 'Number of currently running executions';
 COMMENT ON COLUMN queue_stats.max_concurrent IS 'Maximum concurrent executions allowed';
 COMMENT ON COLUMN queue_stats.oldest_enqueued_at IS 'Timestamp of oldest queued execution (NULL if queue empty)';
 COMMENT ON COLUMN queue_stats.total_enqueued IS 'Total executions enqueued since queue creation';
 COMMENT ON COLUMN queue_stats.total_completed IS 'Total executions completed since queue creation';
 COMMENT ON COLUMN queue_stats.last_updated IS 'Timestamp of last statistics update';
 -- ============================================================================
 -- PACK ENVIRONMENT TABLE
 -- ============================================================================
 CREATE TABLE IF NOT EXISTS pack_environment (
    id BIGSERIAL PRIMARY KEY,
    pack BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
    pack_ref TEXT NOT NULL,
    runtime BIGINT NOT NULL REFERENCES runtime(id) ON DELETE CASCADE,
    runtime_ref TEXT NOT NULL,
    env_path TEXT NOT NULL,
    status pack_environment_status_enum NOT NULL DEFAULT 'pending',
    installed_at TIMESTAMPTZ,
    last_verified TIMESTAMPTZ,
    install_log TEXT,
    install_error TEXT,
    metadata JSONB DEFAULT '{}'::jsonb,
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    UNIQUE(pack, runtime)
 );
 -- Indexes
 CREATE INDEX IF NOT EXISTS idx_pack_environment_pack ON pack_environment(pack);
 CREATE INDEX IF NOT EXISTS idx_pack_environment_runtime ON pack_environment(runtime);
 CREATE INDEX IF NOT EXISTS idx_pack_environment_status ON pack_environment(status);
 CREATE INDEX IF NOT EXISTS idx_pack_environment_pack_ref ON pack_environment(pack_ref);
 CREATE INDEX IF NOT EXISTS idx_pack_environment_runtime_ref ON pack_environment(runtime_ref);
 CREATE INDEX IF NOT EXISTS idx_pack_environment_pack_runtime ON pack_environment(pack, runtime);
 -- Trigger for updated timestamp
 CREATE TRIGGER update_pack_environment_updated
    BEFORE UPDATE ON pack_environment
    FOR EACH ROW
    EXECUTE FUNCTION update_updated_column();
 -- Comments
 COMMENT ON TABLE pack_environment IS 'Tracks pack-specific runtime environments for dependency isolation';
 COMMENT ON COLUMN pack_environment.pack IS 'Pack that owns this environment';
 COMMENT ON COLUMN pack_environment.pack_ref IS 'Pack reference for quick lookup';
 COMMENT ON COLUMN pack_environment.runtime IS 'Runtime used for this environment';
 COMMENT ON COLUMN pack_environment.runtime_ref IS 'Runtime reference for quick lookup';
 COMMENT ON COLUMN pack_environment.env_path IS 'Filesystem path to the environment directory (e.g., /opt/attune/packenvs/mypack/python)';
 COMMENT ON COLUMN pack_environment.status IS 'Current installation status';
 COMMENT ON COLUMN pack_environment.installed_at IS 'When the environment was successfully installed';
 COMMENT ON COLUMN pack_environment.last_verified IS 'Last time the environment was verified as working';
 COMMENT ON COLUMN pack_environment.install_log IS 'Installation output logs';
 COMMENT ON COLUMN pack_environment.install_error IS 'Error message if installation failed';
 COMMENT ON COLUMN pack_environment.metadata IS 'Additional metadata (installed packages, versions, etc.)';
 -- ============================================================================
 -- PACK ENVIRONMENT: Update existing runtimes with installer metadata
 -- ============================================================================
 -- Python runtime installers
 UPDATE runtime
 SET installers = jsonb_build_object(
    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
    'installers', jsonb_build_array(
        jsonb_build_object(
            'name', 'create_venv',
            'description', 'Create Python virtual environment',
            'command', 'python3',
            'args', jsonb_build_array('-m', 'venv', '{env_path}'),
            'cwd', '{pack_path}',
            'env', jsonb_build_object(),
            'order', 1,
            'optional', false
        ),
        jsonb_build_object(
            'name', 'upgrade_pip',
            'description', 'Upgrade pip to latest version',
            'command', '{env_path}/bin/pip',
            'args', jsonb_build_array('install', '--upgrade', 'pip'),
            'cwd', '{pack_path}',
            'env', jsonb_build_object(),
            'order', 2,
            'optional', true
        ),
        jsonb_build_object(
            'name', 'install_requirements',
            'description', 'Install pack Python dependencies',
            'command', '{env_path}/bin/pip',
            'args', jsonb_build_array('install', '-r', '{pack_path}/requirements.txt'),
            'cwd', '{pack_path}',
            'env', jsonb_build_object(),
            'order', 3,
            'optional', false,
            'condition', jsonb_build_object(
                'file_exists', '{pack_path}/requirements.txt'
            )
        )
    ),
    'executable_templates', jsonb_build_object(
        'python', '{env_path}/bin/python',
        'pip', '{env_path}/bin/pip'
    )
 )
 WHERE ref = 'core.python';
 -- Node.js runtime installers
 UPDATE runtime
 SET installers = jsonb_build_object(
    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
    'installers', jsonb_build_array(
        jsonb_build_object(
            'name', 'npm_install',
            'description', 'Install Node.js dependencies',
            'command', 'npm',
            'args', jsonb_build_array('install', '--prefix', '{env_path}'),
            'cwd', '{pack_path}',
            'env', jsonb_build_object(
                'NODE_PATH', '{env_path}/node_modules'
            ),
            'order', 1,
            'optional', false,
            'condition', jsonb_build_object(
                'file_exists', '{pack_path}/package.json'
            )
        )
    ),
    'executable_templates', jsonb_build_object(
        'node', 'node',
        'npm', 'npm'
    ),
    'env_vars', jsonb_build_object(
        'NODE_PATH', '{env_path}/node_modules'
    )
 )
 WHERE ref = 'core.nodejs';
 -- Shell runtime (no environment needed, uses system shell)
 UPDATE runtime
 SET installers = jsonb_build_object(
    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
    'installers', jsonb_build_array(),
    'executable_templates', jsonb_build_object(
        'sh', 'sh',
        'bash', 'bash'
    ),
    'requires_environment', false
 )
 WHERE ref = 'core.shell';
 -- Native runtime (no environment needed, binaries are standalone)
 UPDATE runtime
 SET installers = jsonb_build_object(
    'base_path_template', '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}',
    'installers', jsonb_build_array(),
    'executable_templates', jsonb_build_object(),
    'requires_environment', false
 )
 WHERE ref = 'core.native';
 -- Built-in sensor runtime (internal, no environment)
 UPDATE runtime
 SET installers = jsonb_build_object(
    'installers', jsonb_build_array(),
    'requires_environment', false
 )
 WHERE ref = 'core.sensor.builtin';
 -- ============================================================================
 -- PACK ENVIRONMENT: Helper functions
 -- ============================================================================
 -- Function to get environment path for a pack/runtime combination
 CREATE OR REPLACE FUNCTION get_pack_environment_path(p_pack_ref TEXT, p_runtime_ref TEXT)
 RETURNS TEXT AS $$
 DECLARE
    v_runtime_name TEXT;
    v_base_template TEXT;
    v_result TEXT;
 BEGIN
    -- Get runtime name and base path template
    SELECT
        LOWER(name),
        installers->>'base_path_template'
    INTO v_runtime_name, v_base_template
    FROM runtime
    WHERE ref = p_runtime_ref;
    IF v_base_template IS NULL THEN
        v_base_template := '/opt/attune/packenvs/{pack_ref}/{runtime_name_lower}';
    END IF;
    -- Replace template variables
    v_result := v_base_template;
    v_result := REPLACE(v_result, '{pack_ref}', p_pack_ref);
    v_result := REPLACE(v_result, '{runtime_ref}', p_runtime_ref);
    v_result := REPLACE(v_result, '{runtime_name_lower}', v_runtime_name);
    RETURN v_result;
 END;
 $$ LANGUAGE plpgsql IMMUTABLE;
 COMMENT ON FUNCTION get_pack_environment_path IS 'Calculate the filesystem path for a pack runtime environment';
 -- Function to check if a runtime requires an environment
 CREATE OR REPLACE FUNCTION runtime_requires_environment(p_runtime_ref TEXT)
 RETURNS BOOLEAN AS $$
 DECLARE
    v_requires BOOLEAN;
 BEGIN
    SELECT COALESCE((installers->>'requires_environment')::boolean, true)
    INTO v_requires
    FROM runtime
    WHERE ref = p_runtime_ref;
    RETURN COALESCE(v_requires, false);
 END;
 $$ LANGUAGE plpgsql STABLE;
 COMMENT ON FUNCTION runtime_requires_environment IS 'Check if a runtime needs a pack-specific environment';
 -- ============================================================================
 -- PACK ENVIRONMENT: Status view
 -- ============================================================================
 CREATE OR REPLACE VIEW v_pack_environment_status AS
 SELECT
    pe.id,
    pe.pack,
    p.ref AS pack_ref,
    p.label AS pack_name,
    pe.runtime,
    r.ref AS runtime_ref,
    r.name AS runtime_name,
    pe.env_path,
    pe.status,
    pe.installed_at,
    pe.last_verified,
    CASE
        WHEN pe.status = 'ready' AND pe.last_verified < NOW() - INTERVAL '7 days' THEN true
        ELSE false
    END AS needs_verification,
    CASE
        WHEN pe.status = 'ready' THEN 'healthy'
        WHEN pe.status = 'failed' THEN 'unhealthy'
        WHEN pe.status IN ('pending', 'installing') THEN 'provisioning'
        WHEN pe.status = 'outdated' THEN 'needs_update'
        ELSE 'unknown'
    END AS health_status,
    pe.install_error,
    pe.created,
    pe.updated
 FROM pack_environment pe
 JOIN pack p ON pe.pack = p.id
 JOIN runtime r ON pe.runtime = r.id;
 COMMENT ON VIEW v_pack_environment_status IS 'Consolidated view of pack environment status with health indicators';
 -- ============================================================================
 -- PACK TEST EXECUTION TABLE
 -- ============================================================================
 CREATE TABLE IF NOT EXISTS pack_test_execution (
    id BIGSERIAL PRIMARY KEY,
    pack_id BIGINT NOT NULL REFERENCES pack(id) ON DELETE CASCADE,
    pack_version VARCHAR(50) NOT NULL,
    execution_time TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    trigger_reason VARCHAR(50) NOT NULL, -- 'install', 'update', 'manual', 'validation'
    total_tests INT NOT NULL,
    passed INT NOT NULL,
    failed INT NOT NULL,
    skipped INT NOT NULL,
    pass_rate DECIMAL(5,4) NOT NULL, -- 0.0000 to 1.0000
    duration_ms BIGINT NOT NULL,
    result JSONB NOT NULL, -- Full test result structure
    created TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT valid_test_counts CHECK (total_tests >= 0 AND passed >= 0 AND failed >= 0 AND skipped >= 0),
    CONSTRAINT valid_pass_rate CHECK (pass_rate >= 0.0 AND pass_rate <= 1.0),
    CONSTRAINT valid_trigger_reason CHECK (trigger_reason IN ('install', 'update', 'manual', 'validation'))
 );
 -- Indexes for efficient queries
 CREATE INDEX idx_pack_test_execution_pack_id ON pack_test_execution(pack_id);
 CREATE INDEX idx_pack_test_execution_time ON pack_test_execution(execution_time DESC);
 CREATE INDEX idx_pack_test_execution_pass_rate ON pack_test_execution(pass_rate);
 CREATE INDEX idx_pack_test_execution_trigger ON pack_test_execution(trigger_reason);
 -- Comments for documentation
 COMMENT ON TABLE pack_test_execution IS 'Tracks pack test execution results for validation and auditing';
 COMMENT ON COLUMN pack_test_execution.pack_id IS 'Reference to the pack being tested';
 COMMENT ON COLUMN pack_test_execution.pack_version IS 'Version of the pack at test time';
 COMMENT ON COLUMN pack_test_execution.trigger_reason IS 'What triggered the test: install, update, manual, validation';
 COMMENT ON COLUMN pack_test_execution.pass_rate IS 'Percentage of tests passed (0.0 to 1.0)';
 COMMENT ON COLUMN pack_test_execution.result IS 'Full JSON structure with detailed test results';
 -- Pack test result summary view (all test executions with pack info)
 CREATE OR REPLACE VIEW pack_test_summary AS
 SELECT
    p.id AS pack_id,
    p.ref AS pack_ref,
    p.label AS pack_label,
    pte.id AS test_execution_id,
    pte.pack_version,
    pte.execution_time AS test_time,
    pte.trigger_reason,
    pte.total_tests,
    pte.passed,
    pte.failed,
    pte.skipped,
    pte.pass_rate,
    pte.duration_ms,
    ROW_NUMBER() OVER (PARTITION BY p.id ORDER BY pte.execution_time DESC) AS rn
 FROM pack p
 LEFT JOIN pack_test_execution pte ON p.id = pte.pack_id
 WHERE pte.id IS NOT NULL;
 COMMENT ON VIEW pack_test_summary IS 'Summary of all pack test executions with pack details';
 -- Latest test results per pack view
 CREATE OR REPLACE VIEW pack_latest_test AS
 SELECT
    pack_id,
    pack_ref,
    pack_label,
    test_execution_id,
    pack_version,
    test_time,
    trigger_reason,
    total_tests,
    passed,
    failed,
    skipped,
    pass_rate,
    duration_ms
 FROM pack_test_summary
 WHERE rn = 1;
 COMMENT ON VIEW pack_latest_test IS 'Latest test results for each pack';
 -- Function to get pack test statistics
 CREATE OR REPLACE FUNCTION get_pack_test_stats(p_pack_id BIGINT)
 RETURNS TABLE (
    total_executions BIGINT,
    successful_executions BIGINT,
    failed_executions BIGINT,
    avg_pass_rate DECIMAL,
    avg_duration_ms BIGINT,
    last_test_time TIMESTAMPTZ,
    last_test_passed BOOLEAN
 ) AS $$
 BEGIN
    RETURN QUERY
    SELECT
        COUNT(*)::BIGINT AS total_executions,
        COUNT(*) FILTER (WHERE passed = total_tests)::BIGINT AS successful_executions,
        COUNT(*) FILTER (WHERE failed > 0)::BIGINT AS failed_executions,
        AVG(pass_rate) AS avg_pass_rate,
        AVG(duration_ms)::BIGINT AS avg_duration_ms,
        MAX(execution_time) AS last_test_time,
        (SELECT failed = 0 FROM pack_test_execution
         WHERE pack_id = p_pack_id
         ORDER BY execution_time DESC
         LIMIT 1) AS last_test_passed
    FROM pack_test_execution
    WHERE pack_id = p_pack_id;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION get_pack_test_stats IS 'Get statistical summary of test executions for a pack';
 -- Function to check if pack has recent passing tests
 CREATE OR REPLACE FUNCTION pack_has_passing_tests(
    p_pack_id BIGINT,
    p_hours_ago INT DEFAULT 24
 )
 RETURNS BOOLEAN AS $$
 DECLARE
    v_has_passing_tests BOOLEAN;
 BEGIN
    SELECT EXISTS(
        SELECT 1
        FROM pack_test_execution
        WHERE pack_id = p_pack_id
        AND execution_time > NOW() - (p_hours_ago || ' hours')::INTERVAL
        AND failed = 0
        AND total_tests > 0
    ) INTO v_has_passing_tests;
    RETURN v_has_passing_tests;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION pack_has_passing_tests IS 'Check if pack has recent passing test executions';
 -- Add trigger to update pack metadata on test execution
 CREATE OR REPLACE FUNCTION update_pack_test_metadata()
 RETURNS TRIGGER AS $$
 BEGIN
    -- Could update pack table with last_tested timestamp if we add that column
    -- For now, just a placeholder for future functionality
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 CREATE TRIGGER trigger_update_pack_test_metadata
    AFTER INSERT ON pack_test_execution
    FOR EACH ROW
    EXECUTE FUNCTION update_pack_test_metadata();
 COMMENT ON TRIGGER trigger_update_pack_test_metadata ON pack_test_execution IS 'Updates pack metadata when tests are executed';
 -- ============================================================================
 -- WEBHOOK FUNCTIONS
 -- ============================================================================
 -- Drop existing functions to avoid signature conflicts
 DROP FUNCTION IF EXISTS enable_trigger_webhook(BIGINT, JSONB);
 DROP FUNCTION IF EXISTS enable_trigger_webhook(BIGINT);
 DROP FUNCTION IF EXISTS disable_trigger_webhook(BIGINT);
 DROP FUNCTION IF EXISTS regenerate_trigger_webhook_key(BIGINT);
 -- Function to enable webhooks for a trigger
 CREATE OR REPLACE FUNCTION enable_trigger_webhook(
    p_trigger_id BIGINT,
    p_config JSONB DEFAULT '{}'::jsonb
 )
 RETURNS TABLE(
    webhook_enabled BOOLEAN,
    webhook_key VARCHAR(255),
    webhook_url TEXT
 ) AS $$
 DECLARE
    v_webhook_key VARCHAR(255);
    v_api_base_url TEXT := 'http://localhost:8080'; -- Default, should be configured
 BEGIN
    -- Check if trigger exists
    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
    END IF;
    -- Generate webhook key if one doesn't exist
    SELECT t.webhook_key INTO v_webhook_key
    FROM trigger t
    WHERE t.id = p_trigger_id;
    IF v_webhook_key IS NULL THEN
        v_webhook_key := generate_webhook_key();
    END IF;
    -- Update trigger to enable webhooks
    UPDATE trigger
    SET
        webhook_enabled = TRUE,
        webhook_key = v_webhook_key,
        webhook_config = p_config,
        updated = NOW()
    WHERE id = p_trigger_id;
    -- Return webhook details
    RETURN QUERY SELECT
        TRUE,
        v_webhook_key,
        v_api_base_url || '/api/v1/webhooks/' || v_webhook_key;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION enable_trigger_webhook(BIGINT, JSONB) IS
    'Enables webhooks for a trigger with optional configuration. Generates a new webhook key if one does not exist. Returns webhook details.';
 -- Function to disable webhooks for a trigger
 CREATE OR REPLACE FUNCTION disable_trigger_webhook(
    p_trigger_id BIGINT
 )
 RETURNS BOOLEAN AS $$
 BEGIN
    -- Check if trigger exists
    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
    END IF;
    -- Update trigger to disable webhooks
    -- Set webhook_key to NULL when disabling to remove it from API responses
    UPDATE trigger
    SET
        webhook_enabled = FALSE,
        webhook_key = NULL,
        updated = NOW()
    WHERE id = p_trigger_id;
    RETURN TRUE;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION disable_trigger_webhook(BIGINT) IS
    'Disables webhooks for a trigger. Webhook key is removed when disabled.';
 -- Function to regenerate webhook key for a trigger
 CREATE OR REPLACE FUNCTION regenerate_trigger_webhook_key(
    p_trigger_id BIGINT
 )
 RETURNS TABLE(
    webhook_key VARCHAR(255),
    previous_key_revoked BOOLEAN
 ) AS $$
 DECLARE
    v_new_key VARCHAR(255);
    v_old_key VARCHAR(255);
    v_webhook_enabled BOOLEAN;
 BEGIN
    -- Check if trigger exists
    IF NOT EXISTS (SELECT 1 FROM trigger WHERE id = p_trigger_id) THEN
        RAISE EXCEPTION 'Trigger with id % does not exist', p_trigger_id;
    END IF;
    -- Get current webhook state
    SELECT t.webhook_key, t.webhook_enabled INTO v_old_key, v_webhook_enabled
    FROM trigger t
    WHERE t.id = p_trigger_id;
    -- Check if webhooks are enabled
    IF NOT v_webhook_enabled THEN
        RAISE EXCEPTION 'Webhooks are not enabled for trigger %', p_trigger_id;
    END IF;
    -- Generate new key
    v_new_key := generate_webhook_key();
    -- Update trigger with new key
    UPDATE trigger
    SET
        webhook_key = v_new_key,
        updated = NOW()
    WHERE id = p_trigger_id;
    -- Return new key and whether old key was present
    RETURN QUERY SELECT
        v_new_key,
        (v_old_key IS NOT NULL);
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION regenerate_trigger_webhook_key(BIGINT) IS
    'Regenerates webhook key for a trigger. Returns new key and whether a previous key was revoked.';
 -- Verify all webhook functions exist
 DO $$
 BEGIN
    IF NOT EXISTS (
        SELECT 1 FROM pg_proc p
        JOIN pg_namespace n ON p.pronamespace = n.oid
        WHERE n.nspname = current_schema()
        AND p.proname = 'enable_trigger_webhook'
    ) THEN
        RAISE EXCEPTION 'enable_trigger_webhook function not found after migration';
    END IF;
    IF NOT EXISTS (
        SELECT 1 FROM pg_proc p
        JOIN pg_namespace n ON p.pronamespace = n.oid
        WHERE n.nspname = current_schema()
        AND p.proname = 'disable_trigger_webhook'
    ) THEN
        RAISE EXCEPTION 'disable_trigger_webhook function not found after migration';
    END IF;
    IF NOT EXISTS (
        SELECT 1 FROM pg_proc p
        JOIN pg_namespace n ON p.pronamespace = n.oid
        WHERE n.nspname = current_schema()
        AND p.proname = 'regenerate_trigger_webhook_key'
    ) THEN
        RAISE EXCEPTION 'regenerate_trigger_webhook_key function not found after migration';
    END IF;
    RAISE NOTICE 'All webhook functions successfully created';
 END $$;
--- a/docker/distributable/migrations/20250101000008_notify_triggers.sql
+++ b/docker/distributable/migrations/20250101000008_notify_triggers.sql
@@ -0,0 +1,428 @@
 -- Migration: LISTEN/NOTIFY Triggers
 -- Description: Consolidated PostgreSQL LISTEN/NOTIFY triggers for real-time event notifications
 -- Version: 20250101000008
 -- ============================================================================
 -- EXECUTION CHANGE NOTIFICATION
 -- ============================================================================
 -- Function to notify on execution creation
 CREATE OR REPLACE FUNCTION notify_execution_created()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
    enforcement_rule_ref TEXT;
    enforcement_trigger_ref TEXT;
 BEGIN
    -- Lookup enforcement details if this execution is linked to an enforcement
    IF NEW.enforcement IS NOT NULL THEN
        SELECT rule_ref, trigger_ref
        INTO enforcement_rule_ref, enforcement_trigger_ref
        FROM enforcement
        WHERE id = NEW.enforcement;
    END IF;
    payload := json_build_object(
        'entity_type', 'execution',
        'entity_id', NEW.id,
        'id', NEW.id,
        'action_id', NEW.action,
        'action_ref', NEW.action_ref,
        'status', NEW.status,
        'enforcement', NEW.enforcement,
        'rule_ref', enforcement_rule_ref,
        'trigger_ref', enforcement_trigger_ref,
        'parent', NEW.parent,
        'result', NEW.result,
        'started_at', NEW.started_at,
        'workflow_task', NEW.workflow_task,
        'created', NEW.created,
        'updated', NEW.updated
    );
    PERFORM pg_notify('execution_created', payload::text);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Function to notify on execution status changes
 CREATE OR REPLACE FUNCTION notify_execution_status_changed()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
    enforcement_rule_ref TEXT;
    enforcement_trigger_ref TEXT;
 BEGIN
    -- Only notify on updates, not inserts
    IF TG_OP = 'UPDATE' AND OLD.status IS DISTINCT FROM NEW.status THEN
        -- Lookup enforcement details if this execution is linked to an enforcement
        IF NEW.enforcement IS NOT NULL THEN
            SELECT rule_ref, trigger_ref
            INTO enforcement_rule_ref, enforcement_trigger_ref
            FROM enforcement
            WHERE id = NEW.enforcement;
        END IF;
        payload := json_build_object(
            'entity_type', 'execution',
            'entity_id', NEW.id,
            'id', NEW.id,
            'action_id', NEW.action,
            'action_ref', NEW.action_ref,
            'status', NEW.status,
            'old_status', OLD.status,
            'enforcement', NEW.enforcement,
            'rule_ref', enforcement_rule_ref,
            'trigger_ref', enforcement_trigger_ref,
            'parent', NEW.parent,
            'result', NEW.result,
            'started_at', NEW.started_at,
            'workflow_task', NEW.workflow_task,
            'created', NEW.created,
            'updated', NEW.updated
        );
        PERFORM pg_notify('execution_status_changed', payload::text);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on execution table for creation
 CREATE TRIGGER execution_created_notify
    AFTER INSERT ON execution
    FOR EACH ROW
    EXECUTE FUNCTION notify_execution_created();
 -- Trigger on execution table for status changes
 CREATE TRIGGER execution_status_changed_notify
    AFTER UPDATE ON execution
    FOR EACH ROW
    EXECUTE FUNCTION notify_execution_status_changed();
 COMMENT ON FUNCTION notify_execution_created() IS 'Sends execution creation notifications via PostgreSQL LISTEN/NOTIFY';
 COMMENT ON FUNCTION notify_execution_status_changed() IS 'Sends execution status change notifications via PostgreSQL LISTEN/NOTIFY';
 -- ============================================================================
 -- EVENT CREATION NOTIFICATION
 -- ============================================================================
 -- Function to notify on event creation
 CREATE OR REPLACE FUNCTION notify_event_created()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    payload := json_build_object(
        'entity_type', 'event',
        'entity_id', NEW.id,
        'id', NEW.id,
        'trigger', NEW.trigger,
        'trigger_ref', NEW.trigger_ref,
        'source', NEW.source,
        'source_ref', NEW.source_ref,
        'rule', NEW.rule,
        'rule_ref', NEW.rule_ref,
        'payload', NEW.payload,
        'created', NEW.created
    );
    PERFORM pg_notify('event_created', payload::text);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on event table
 CREATE TRIGGER event_created_notify
    AFTER INSERT ON event
    FOR EACH ROW
    EXECUTE FUNCTION notify_event_created();
 COMMENT ON FUNCTION notify_event_created() IS 'Sends event creation notifications via PostgreSQL LISTEN/NOTIFY';
 -- ============================================================================
 -- ENFORCEMENT CHANGE NOTIFICATION
 -- ============================================================================
 -- Function to notify on enforcement creation
 CREATE OR REPLACE FUNCTION notify_enforcement_created()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    payload := json_build_object(
        'entity_type', 'enforcement',
        'entity_id', NEW.id,
        'id', NEW.id,
        'rule', NEW.rule,
        'rule_ref', NEW.rule_ref,
        'trigger_ref', NEW.trigger_ref,
        'event', NEW.event,
        'status', NEW.status,
        'condition', NEW.condition,
        'conditions', NEW.conditions,
        'config', NEW.config,
        'payload', NEW.payload,
        'created', NEW.created,
        'resolved_at', NEW.resolved_at
    );
    PERFORM pg_notify('enforcement_created', payload::text);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on enforcement table
 CREATE TRIGGER enforcement_created_notify
    AFTER INSERT ON enforcement
    FOR EACH ROW
    EXECUTE FUNCTION notify_enforcement_created();
 COMMENT ON FUNCTION notify_enforcement_created() IS 'Sends enforcement creation notifications via PostgreSQL LISTEN/NOTIFY';
 -- Function to notify on enforcement status changes
 CREATE OR REPLACE FUNCTION notify_enforcement_status_changed()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    -- Only notify on updates when status actually changed
    IF TG_OP = 'UPDATE' AND OLD.status IS DISTINCT FROM NEW.status THEN
        payload := json_build_object(
            'entity_type', 'enforcement',
            'entity_id', NEW.id,
            'id', NEW.id,
            'rule', NEW.rule,
            'rule_ref', NEW.rule_ref,
            'trigger_ref', NEW.trigger_ref,
            'event', NEW.event,
            'status', NEW.status,
            'old_status', OLD.status,
            'condition', NEW.condition,
            'conditions', NEW.conditions,
            'config', NEW.config,
            'payload', NEW.payload,
            'created', NEW.created,
            'resolved_at', NEW.resolved_at
        );
        PERFORM pg_notify('enforcement_status_changed', payload::text);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on enforcement table for status changes
 CREATE TRIGGER enforcement_status_changed_notify
    AFTER UPDATE ON enforcement
    FOR EACH ROW
    EXECUTE FUNCTION notify_enforcement_status_changed();
 COMMENT ON FUNCTION notify_enforcement_status_changed() IS 'Sends enforcement status change notifications via PostgreSQL LISTEN/NOTIFY';
 -- ============================================================================
 -- INQUIRY NOTIFICATIONS
 -- ============================================================================
 -- Function to notify on inquiry creation
 CREATE OR REPLACE FUNCTION notify_inquiry_created()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    payload := json_build_object(
        'entity_type', 'inquiry',
        'entity_id', NEW.id,
        'id', NEW.id,
        'execution', NEW.execution,
        'status', NEW.status,
        'ttl', NEW.ttl,
        'created', NEW.created
    );
    PERFORM pg_notify('inquiry_created', payload::text);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Function to notify on inquiry response
 CREATE OR REPLACE FUNCTION notify_inquiry_responded()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    -- Only notify when status changes to 'responded'
    IF TG_OP = 'UPDATE' AND NEW.status = 'responded' AND OLD.status != 'responded' THEN
        payload := json_build_object(
            'entity_type', 'inquiry',
            'entity_id', NEW.id,
            'id', NEW.id,
            'execution', NEW.execution,
            'status', NEW.status,
            'response', NEW.response,
            'updated', NEW.updated
        );
        PERFORM pg_notify('inquiry_responded', payload::text);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on inquiry table for creation
 CREATE TRIGGER inquiry_created_notify
    AFTER INSERT ON inquiry
    FOR EACH ROW
    EXECUTE FUNCTION notify_inquiry_created();
 -- Trigger on inquiry table for responses
 CREATE TRIGGER inquiry_responded_notify
    AFTER UPDATE ON inquiry
    FOR EACH ROW
    EXECUTE FUNCTION notify_inquiry_responded();
 COMMENT ON FUNCTION notify_inquiry_created() IS 'Sends inquiry creation notifications via PostgreSQL LISTEN/NOTIFY';
 COMMENT ON FUNCTION notify_inquiry_responded() IS 'Sends inquiry response notifications via PostgreSQL LISTEN/NOTIFY';
 -- ============================================================================
 -- WORKFLOW EXECUTION NOTIFICATIONS
 -- ============================================================================
 -- Function to notify on workflow execution status changes
 CREATE OR REPLACE FUNCTION notify_workflow_execution_status_changed()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    -- Only notify for workflow executions when status changes
    IF TG_OP = 'UPDATE' AND NEW.is_workflow = true AND OLD.status IS DISTINCT FROM NEW.status THEN
        payload := json_build_object(
            'entity_type', 'execution',
            'entity_id', NEW.id,
            'id', NEW.id,
            'action_ref', NEW.action_ref,
            'status', NEW.status,
            'old_status', OLD.status,
            'workflow_def', NEW.workflow_def,
            'parent', NEW.parent,
            'created', NEW.created,
            'updated', NEW.updated
        );
        PERFORM pg_notify('workflow_execution_status_changed', payload::text);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on execution table for workflow status changes
 CREATE TRIGGER workflow_execution_status_changed_notify
    AFTER UPDATE ON execution
    FOR EACH ROW
    WHEN (NEW.is_workflow = true)
    EXECUTE FUNCTION notify_workflow_execution_status_changed();
 COMMENT ON FUNCTION notify_workflow_execution_status_changed() IS 'Sends workflow execution status change notifications via PostgreSQL LISTEN/NOTIFY';
 -- ============================================================================
 -- ARTIFACT NOTIFICATIONS
 -- ============================================================================
 -- Function to notify on artifact creation
 CREATE OR REPLACE FUNCTION notify_artifact_created()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
 BEGIN
    payload := json_build_object(
        'entity_type', 'artifact',
        'entity_id', NEW.id,
        'id', NEW.id,
        'ref', NEW.ref,
        'type', NEW.type,
        'visibility', NEW.visibility,
        'name', NEW.name,
        'execution', NEW.execution,
        'scope', NEW.scope,
        'owner', NEW.owner,
        'content_type', NEW.content_type,
        'size_bytes', NEW.size_bytes,
        'created', NEW.created
    );
    PERFORM pg_notify('artifact_created', payload::text);
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on artifact table for creation
 CREATE TRIGGER artifact_created_notify
    AFTER INSERT ON artifact
    FOR EACH ROW
    EXECUTE FUNCTION notify_artifact_created();
 COMMENT ON FUNCTION notify_artifact_created() IS 'Sends artifact creation notifications via PostgreSQL LISTEN/NOTIFY';
 -- Function to notify on artifact updates (progress appends, data changes)
 CREATE OR REPLACE FUNCTION notify_artifact_updated()
 RETURNS TRIGGER AS $$
 DECLARE
    payload JSON;
    latest_percent DOUBLE PRECISION;
    latest_message TEXT;
    entry_count INTEGER;
 BEGIN
    -- Only notify on actual changes
    IF TG_OP = 'UPDATE' THEN
        -- Extract progress summary from data array if this is a progress artifact
        IF NEW.type = 'progress' AND NEW.data IS NOT NULL AND jsonb_typeof(NEW.data) = 'array' THEN
            entry_count := jsonb_array_length(NEW.data);
            IF entry_count > 0 THEN
                latest_percent := (NEW.data -> (entry_count - 1) ->> 'percent')::DOUBLE PRECISION;
                latest_message := NEW.data -> (entry_count - 1) ->> 'message';
            END IF;
        END IF;
        payload := json_build_object(
            'entity_type', 'artifact',
            'entity_id', NEW.id,
            'id', NEW.id,
            'ref', NEW.ref,
            'type', NEW.type,
            'visibility', NEW.visibility,
            'name', NEW.name,
            'execution', NEW.execution,
            'scope', NEW.scope,
            'owner', NEW.owner,
            'content_type', NEW.content_type,
            'size_bytes', NEW.size_bytes,
            'progress_percent', latest_percent,
            'progress_message', latest_message,
            'progress_entries', entry_count,
            'created', NEW.created,
            'updated', NEW.updated
        );
        PERFORM pg_notify('artifact_updated', payload::text);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 -- Trigger on artifact table for updates
 CREATE TRIGGER artifact_updated_notify
    AFTER UPDATE ON artifact
    FOR EACH ROW
    EXECUTE FUNCTION notify_artifact_updated();
 COMMENT ON FUNCTION notify_artifact_updated() IS 'Sends artifact update notifications via PostgreSQL LISTEN/NOTIFY (includes progress summary for progress-type artifacts)';
--- a/docker/distributable/migrations/20250101000009_timescaledb_history.sql
+++ b/docker/distributable/migrations/20250101000009_timescaledb_history.sql
@@ -0,0 +1,616 @@
 -- Migration: TimescaleDB Entity History and Analytics
 -- Description: Creates append-only history hypertables for execution and worker tables.
 --              Uses JSONB diff format to track field-level changes via PostgreSQL triggers.
 --              Converts the event, enforcement, and execution tables into TimescaleDB
 --              hypertables (events are immutable; enforcements are updated exactly once;
 --              executions are updated ~4 times during their lifecycle).
 --              Includes continuous aggregates for dashboard analytics.
 --              See docs/plans/timescaledb-entity-history.md for full design.
 --
 --              NOTE: FK constraints that would reference hypertable targets were never
 --              created in earlier migrations (000004, 000005, 000006), so no DROP
 --              CONSTRAINT statements are needed here.
 -- Version: 20250101000009
 -- ============================================================================
 -- EXTENSION
 -- ============================================================================
 CREATE EXTENSION IF NOT EXISTS timescaledb;
 -- ============================================================================
 -- HELPER FUNCTIONS
 -- ============================================================================
 -- Returns a small {digest, size, type} object instead of the full JSONB value.
 -- Used in history triggers for columns that can be arbitrarily large (e.g. result).
 -- The full value is always available on the live row.
 CREATE OR REPLACE FUNCTION _jsonb_digest_summary(val JSONB)
 RETURNS JSONB AS $$
 BEGIN
    IF val IS NULL THEN
        RETURN NULL;
    END IF;
    RETURN jsonb_build_object(
        'digest', 'md5:' || md5(val::text),
        'size',   octet_length(val::text),
        'type',   jsonb_typeof(val)
    );
 END;
 $$ LANGUAGE plpgsql IMMUTABLE;
 COMMENT ON FUNCTION _jsonb_digest_summary(JSONB) IS
    'Returns a compact {digest, size, type} summary of a JSONB value for use in history tables. '
    'The digest is md5 of the text representation — sufficient for change-detection, not for security.';
 -- ============================================================================
 -- HISTORY TABLES
 -- ============================================================================
 -- ----------------------------------------------------------------------------
 -- execution_history
 -- ----------------------------------------------------------------------------
 CREATE TABLE execution_history (
    time             TIMESTAMPTZ    NOT NULL DEFAULT NOW(),
    operation        TEXT           NOT NULL,
    entity_id        BIGINT         NOT NULL,
    entity_ref       TEXT,
    changed_fields   TEXT[]         NOT NULL DEFAULT '{}',
    old_values       JSONB,
    new_values       JSONB
 );
 SELECT create_hypertable('execution_history', 'time',
    chunk_time_interval => INTERVAL '1 day');
 CREATE INDEX idx_execution_history_entity
    ON execution_history (entity_id, time DESC);
 CREATE INDEX idx_execution_history_entity_ref
    ON execution_history (entity_ref, time DESC);
 CREATE INDEX idx_execution_history_status_changes
    ON execution_history (time DESC)
    WHERE 'status' = ANY(changed_fields);
 CREATE INDEX idx_execution_history_changed_fields
    ON execution_history USING GIN (changed_fields);
 COMMENT ON TABLE execution_history IS 'Append-only history of field-level changes to the execution table (TimescaleDB hypertable)';
 COMMENT ON COLUMN execution_history.time IS 'When the change occurred (hypertable partitioning dimension)';
 COMMENT ON COLUMN execution_history.operation IS 'INSERT, UPDATE, or DELETE';
 COMMENT ON COLUMN execution_history.entity_id IS 'execution.id of the changed row';
 COMMENT ON COLUMN execution_history.entity_ref IS 'Denormalized action_ref for JOIN-free queries';
 COMMENT ON COLUMN execution_history.changed_fields IS 'Array of field names that changed (empty for INSERT/DELETE)';
 COMMENT ON COLUMN execution_history.old_values IS 'Previous values of changed fields (NULL for INSERT)';
 COMMENT ON COLUMN execution_history.new_values IS 'New values of changed fields (NULL for DELETE)';
 -- ----------------------------------------------------------------------------
 -- worker_history
 -- ----------------------------------------------------------------------------
 CREATE TABLE worker_history (
    time             TIMESTAMPTZ    NOT NULL DEFAULT NOW(),
    operation        TEXT           NOT NULL,
    entity_id        BIGINT         NOT NULL,
    entity_ref       TEXT,
    changed_fields   TEXT[]         NOT NULL DEFAULT '{}',
    old_values       JSONB,
    new_values       JSONB
 );
 SELECT create_hypertable('worker_history', 'time',
    chunk_time_interval => INTERVAL '7 days');
 CREATE INDEX idx_worker_history_entity
    ON worker_history (entity_id, time DESC);
 CREATE INDEX idx_worker_history_entity_ref
    ON worker_history (entity_ref, time DESC);
 CREATE INDEX idx_worker_history_status_changes
    ON worker_history (time DESC)
    WHERE 'status' = ANY(changed_fields);
 CREATE INDEX idx_worker_history_changed_fields
    ON worker_history USING GIN (changed_fields);
 COMMENT ON TABLE worker_history IS 'Append-only history of field-level changes to the worker table (TimescaleDB hypertable)';
 COMMENT ON COLUMN worker_history.entity_ref IS 'Denormalized worker name for JOIN-free queries';
 -- ============================================================================
 -- CONVERT EVENT TABLE TO HYPERTABLE
 -- ============================================================================
 -- Events are immutable after insert — they are never updated. Instead of
 -- maintaining a separate event_history table to track changes that never
 -- happen, we convert the event table itself into a TimescaleDB hypertable
 -- partitioned on `created`. This gives us automatic time-based partitioning,
 -- compression, and retention for free.
 --
 -- No FK constraints reference event(id) — enforcement.event was created as a
 -- plain BIGINT in migration 000004 (hypertables cannot be FK targets).
 -- ----------------------------------------------------------------------------
 -- Replace the single-column PK with a composite PK that includes the
 -- partitioning column (required by TimescaleDB).
 ALTER TABLE event DROP CONSTRAINT event_pkey;
 ALTER TABLE event ADD PRIMARY KEY (id, created);
 SELECT create_hypertable('event', 'created',
    chunk_time_interval => INTERVAL '1 day',
    migrate_data        => true);
 COMMENT ON TABLE event IS 'Events are instances of triggers firing (TimescaleDB hypertable partitioned on created)';
 -- ============================================================================
 -- CONVERT ENFORCEMENT TABLE TO HYPERTABLE
 -- ============================================================================
 -- Enforcements are created and then updated exactly once (status changes from
 -- `created` to `processed` or `disabled` within ~1 second). This single update
 -- happens well before the 7-day compression window, so UPDATE on uncompressed
 -- chunks works without issues.
 --
 -- No FK constraints reference enforcement(id) — execution.enforcement was
 -- created as a plain BIGINT in migration 000005.
 -- ----------------------------------------------------------------------------
 ALTER TABLE enforcement DROP CONSTRAINT enforcement_pkey;
 ALTER TABLE enforcement ADD PRIMARY KEY (id, created);
 SELECT create_hypertable('enforcement', 'created',
    chunk_time_interval => INTERVAL '1 day',
    migrate_data        => true);
 COMMENT ON TABLE enforcement IS 'Enforcements represent rule triggering by events (TimescaleDB hypertable partitioned on created)';
 -- ============================================================================
 -- CONVERT EXECUTION TABLE TO HYPERTABLE
 -- ============================================================================
 -- Executions are updated ~4 times during their lifecycle (requested → scheduled
 -- → running → completed/failed), completing within at most ~1 day — well before
 -- the 7-day compression window. The `updated` column and its BEFORE UPDATE
 -- trigger are preserved (used by timeout monitor and UI).
 --
 -- No FK constraints reference execution(id) — inquiry.execution,
 -- workflow_execution.execution, execution.parent, and execution.original_execution
 -- were all created as plain BIGINT columns in migrations 000005 and 000006.
 --
 -- The existing execution_history hypertable and its trigger are preserved —
 -- they track field-level diffs of each update, which remains valuable for
 -- a mutable table.
 -- ----------------------------------------------------------------------------
 ALTER TABLE execution DROP CONSTRAINT execution_pkey;
 ALTER TABLE execution ADD PRIMARY KEY (id, created);
 SELECT create_hypertable('execution', 'created',
    chunk_time_interval => INTERVAL '1 day',
    migrate_data        => true);
 COMMENT ON TABLE execution IS 'Executions represent action runs with workflow support (TimescaleDB hypertable partitioned on created). Updated ~4 times during lifecycle, completing within ~1 day (well before 7-day compression window).';
 -- ============================================================================
 -- TRIGGER FUNCTIONS
 -- ============================================================================
 -- ----------------------------------------------------------------------------
 -- execution history trigger
 -- Tracked fields: status, result, executor, worker, workflow_task, env_vars, started_at
 -- Note: result uses _jsonb_digest_summary() to avoid storing large payloads
 -- ----------------------------------------------------------------------------
 CREATE OR REPLACE FUNCTION record_execution_history()
 RETURNS TRIGGER AS $$
 DECLARE
    changed TEXT[] := '{}';
    old_vals JSONB := '{}';
    new_vals JSONB := '{}';
 BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'INSERT', NEW.id, NEW.action_ref, '{}', NULL,
                jsonb_build_object(
                    'status', NEW.status,
                    'action_ref', NEW.action_ref,
                    'executor', NEW.executor,
                    'worker', NEW.worker,
                    'parent', NEW.parent,
                    'enforcement', NEW.enforcement,
                    'started_at', NEW.started_at
                ));
        RETURN NEW;
    END IF;
    IF TG_OP = 'DELETE' THEN
        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'DELETE', OLD.id, OLD.action_ref, '{}', NULL, NULL);
        RETURN OLD;
    END IF;
    -- UPDATE: detect which fields changed
    IF OLD.status IS DISTINCT FROM NEW.status THEN
        changed := array_append(changed, 'status');
        old_vals := old_vals || jsonb_build_object('status', OLD.status);
        new_vals := new_vals || jsonb_build_object('status', NEW.status);
    END IF;
    -- Result: store a compact digest instead of the full JSONB to avoid bloat.
    -- The live execution row always has the complete result.
    IF OLD.result IS DISTINCT FROM NEW.result THEN
        changed := array_append(changed, 'result');
        old_vals := old_vals || jsonb_build_object('result', _jsonb_digest_summary(OLD.result));
        new_vals := new_vals || jsonb_build_object('result', _jsonb_digest_summary(NEW.result));
    END IF;
    IF OLD.executor IS DISTINCT FROM NEW.executor THEN
        changed := array_append(changed, 'executor');
        old_vals := old_vals || jsonb_build_object('executor', OLD.executor);
        new_vals := new_vals || jsonb_build_object('executor', NEW.executor);
    END IF;
    IF OLD.worker IS DISTINCT FROM NEW.worker THEN
        changed := array_append(changed, 'worker');
        old_vals := old_vals || jsonb_build_object('worker', OLD.worker);
        new_vals := new_vals || jsonb_build_object('worker', NEW.worker);
    END IF;
    IF OLD.workflow_task IS DISTINCT FROM NEW.workflow_task THEN
        changed := array_append(changed, 'workflow_task');
        old_vals := old_vals || jsonb_build_object('workflow_task', OLD.workflow_task);
        new_vals := new_vals || jsonb_build_object('workflow_task', NEW.workflow_task);
    END IF;
    IF OLD.env_vars IS DISTINCT FROM NEW.env_vars THEN
        changed := array_append(changed, 'env_vars');
        old_vals := old_vals || jsonb_build_object('env_vars', OLD.env_vars);
        new_vals := new_vals || jsonb_build_object('env_vars', NEW.env_vars);
    END IF;
    IF OLD.started_at IS DISTINCT FROM NEW.started_at THEN
        changed := array_append(changed, 'started_at');
        old_vals := old_vals || jsonb_build_object('started_at', OLD.started_at);
        new_vals := new_vals || jsonb_build_object('started_at', NEW.started_at);
    END IF;
    -- Only record if something actually changed
    IF array_length(changed, 1) > 0 THEN
        INSERT INTO execution_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'UPDATE', NEW.id, NEW.action_ref, changed, old_vals, new_vals);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION record_execution_history() IS 'Records field-level changes to execution table in execution_history hypertable';
 -- ----------------------------------------------------------------------------
 -- worker history trigger
 -- Tracked fields: name, status, capabilities, meta, host, port
 -- Excludes: last_heartbeat when it is the only field that changed
 -- ----------------------------------------------------------------------------
 CREATE OR REPLACE FUNCTION record_worker_history()
 RETURNS TRIGGER AS $$
 DECLARE
    changed TEXT[] := '{}';
    old_vals JSONB := '{}';
    new_vals JSONB := '{}';
 BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'INSERT', NEW.id, NEW.name, '{}', NULL,
                jsonb_build_object(
                    'name', NEW.name,
                    'worker_type', NEW.worker_type,
                    'worker_role', NEW.worker_role,
                    'status', NEW.status,
                    'host', NEW.host,
                    'port', NEW.port
                ));
        RETURN NEW;
    END IF;
    IF TG_OP = 'DELETE' THEN
        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'DELETE', OLD.id, OLD.name, '{}', NULL, NULL);
        RETURN OLD;
    END IF;
    -- UPDATE: detect which fields changed
    IF OLD.name IS DISTINCT FROM NEW.name THEN
        changed := array_append(changed, 'name');
        old_vals := old_vals || jsonb_build_object('name', OLD.name);
        new_vals := new_vals || jsonb_build_object('name', NEW.name);
    END IF;
    IF OLD.status IS DISTINCT FROM NEW.status THEN
        changed := array_append(changed, 'status');
        old_vals := old_vals || jsonb_build_object('status', OLD.status);
        new_vals := new_vals || jsonb_build_object('status', NEW.status);
    END IF;
    IF OLD.capabilities IS DISTINCT FROM NEW.capabilities THEN
        changed := array_append(changed, 'capabilities');
        old_vals := old_vals || jsonb_build_object('capabilities', OLD.capabilities);
        new_vals := new_vals || jsonb_build_object('capabilities', NEW.capabilities);
    END IF;
    IF OLD.meta IS DISTINCT FROM NEW.meta THEN
        changed := array_append(changed, 'meta');
        old_vals := old_vals || jsonb_build_object('meta', OLD.meta);
        new_vals := new_vals || jsonb_build_object('meta', NEW.meta);
    END IF;
    IF OLD.host IS DISTINCT FROM NEW.host THEN
        changed := array_append(changed, 'host');
        old_vals := old_vals || jsonb_build_object('host', OLD.host);
        new_vals := new_vals || jsonb_build_object('host', NEW.host);
    END IF;
    IF OLD.port IS DISTINCT FROM NEW.port THEN
        changed := array_append(changed, 'port');
        old_vals := old_vals || jsonb_build_object('port', OLD.port);
        new_vals := new_vals || jsonb_build_object('port', NEW.port);
    END IF;
    -- Only record if something besides last_heartbeat changed.
    -- Pure heartbeat-only updates are excluded to avoid high-volume noise.
    IF array_length(changed, 1) > 0 THEN
        INSERT INTO worker_history (time, operation, entity_id, entity_ref, changed_fields, old_values, new_values)
        VALUES (NOW(), 'UPDATE', NEW.id, NEW.name, changed, old_vals, new_vals);
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION record_worker_history() IS 'Records field-level changes to worker table in worker_history hypertable. Excludes heartbeat-only updates.';
 -- ============================================================================
 -- ATTACH TRIGGERS TO OPERATIONAL TABLES
 -- ============================================================================
 CREATE TRIGGER execution_history_trigger
    AFTER INSERT OR UPDATE OR DELETE ON execution
    FOR EACH ROW
    EXECUTE FUNCTION record_execution_history();
 CREATE TRIGGER worker_history_trigger
    AFTER INSERT OR UPDATE OR DELETE ON worker
    FOR EACH ROW
    EXECUTE FUNCTION record_worker_history();
 -- ============================================================================
 -- COMPRESSION POLICIES
 -- ============================================================================
 -- History tables
 ALTER TABLE execution_history SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'entity_id',
    timescaledb.compress_orderby = 'time DESC'
 );
 SELECT add_compression_policy('execution_history', INTERVAL '7 days');
 ALTER TABLE worker_history SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'entity_id',
    timescaledb.compress_orderby = 'time DESC'
 );
 SELECT add_compression_policy('worker_history', INTERVAL '7 days');
 -- Event table (hypertable)
 ALTER TABLE event SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'trigger_ref',
    timescaledb.compress_orderby = 'created DESC'
 );
 SELECT add_compression_policy('event', INTERVAL '7 days');
 -- Enforcement table (hypertable)
 ALTER TABLE enforcement SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'rule_ref',
    timescaledb.compress_orderby = 'created DESC'
 );
 SELECT add_compression_policy('enforcement', INTERVAL '7 days');
 -- Execution table (hypertable)
 ALTER TABLE execution SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'action_ref',
    timescaledb.compress_orderby = 'created DESC'
 );
 SELECT add_compression_policy('execution', INTERVAL '7 days');
 -- ============================================================================
 -- RETENTION POLICIES
 -- ============================================================================
 SELECT add_retention_policy('execution_history', INTERVAL '90 days');
 SELECT add_retention_policy('worker_history', INTERVAL '180 days');
 SELECT add_retention_policy('event', INTERVAL '90 days');
 SELECT add_retention_policy('enforcement', INTERVAL '90 days');
 SELECT add_retention_policy('execution', INTERVAL '90 days');
 -- ============================================================================
 -- CONTINUOUS AGGREGATES
 -- ============================================================================
 -- Drop existing continuous aggregates if they exist, so this migration can be
 -- re-run safely after a partial failure. (TimescaleDB continuous aggregates
 -- must be dropped with CASCADE to remove their associated policies.)
 DROP MATERIALIZED VIEW IF EXISTS execution_status_hourly CASCADE;
 DROP MATERIALIZED VIEW IF EXISTS execution_throughput_hourly CASCADE;
 DROP MATERIALIZED VIEW IF EXISTS event_volume_hourly CASCADE;
 DROP MATERIALIZED VIEW IF EXISTS worker_status_hourly CASCADE;
 DROP MATERIALIZED VIEW IF EXISTS enforcement_volume_hourly CASCADE;
 DROP MATERIALIZED VIEW IF EXISTS execution_volume_hourly CASCADE;
 -- ----------------------------------------------------------------------------
 -- execution_status_hourly
 -- Tracks execution status transitions per hour, grouped by action_ref and new status.
 -- Powers: execution throughput chart, failure rate widget, status breakdown over time.
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW execution_status_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', time) AS bucket,
    entity_ref AS action_ref,
    new_values->>'status' AS new_status,
    COUNT(*) AS transition_count
 FROM execution_history
 WHERE 'status' = ANY(changed_fields)
 GROUP BY bucket, entity_ref, new_values->>'status'
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('execution_status_hourly',
    start_offset    => INTERVAL '7 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '30 minutes'
 );
 -- ----------------------------------------------------------------------------
 -- execution_throughput_hourly
 -- Tracks total execution creation volume per hour, regardless of status.
 -- Powers: execution throughput sparkline on the dashboard.
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW execution_throughput_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', time) AS bucket,
    entity_ref AS action_ref,
    COUNT(*) AS execution_count
 FROM execution_history
 WHERE operation = 'INSERT'
 GROUP BY bucket, entity_ref
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('execution_throughput_hourly',
    start_offset    => INTERVAL '7 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '30 minutes'
 );
 -- ----------------------------------------------------------------------------
 -- event_volume_hourly
 -- Tracks event creation volume per hour by trigger ref.
 -- Powers: event throughput monitoring widget.
 -- NOTE: Queries the event table directly (it is now a hypertable) instead of
 --       a separate event_history table.
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW event_volume_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', created) AS bucket,
    trigger_ref,
    COUNT(*) AS event_count
 FROM event
 GROUP BY bucket, trigger_ref
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('event_volume_hourly',
    start_offset    => INTERVAL '7 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '30 minutes'
 );
 -- ----------------------------------------------------------------------------
 -- worker_status_hourly
 -- Tracks worker status changes per hour (online/offline/draining transitions).
 -- Powers: worker health trends widget.
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW worker_status_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', time) AS bucket,
    entity_ref AS worker_name,
    new_values->>'status' AS new_status,
    COUNT(*) AS transition_count
 FROM worker_history
 WHERE 'status' = ANY(changed_fields)
 GROUP BY bucket, entity_ref, new_values->>'status'
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('worker_status_hourly',
    start_offset    => INTERVAL '30 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '1 hour'
 );
 -- ----------------------------------------------------------------------------
 -- enforcement_volume_hourly
 -- Tracks enforcement creation volume per hour by rule ref.
 -- Powers: rule activation rate monitoring.
 -- NOTE: Queries the enforcement table directly (it is now a hypertable)
 --       instead of a separate enforcement_history table.
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW enforcement_volume_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', created) AS bucket,
    rule_ref,
    COUNT(*) AS enforcement_count
 FROM enforcement
 GROUP BY bucket, rule_ref
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('enforcement_volume_hourly',
    start_offset    => INTERVAL '7 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '30 minutes'
 );
 -- ----------------------------------------------------------------------------
 -- execution_volume_hourly
 -- Tracks execution creation volume per hour by action_ref and status.
 -- This queries the execution hypertable directly (like event_volume_hourly
 -- queries the event table). Complements the existing execution_status_hourly
 -- and execution_throughput_hourly aggregates which query execution_history.
 --
 -- Use case: direct execution volume monitoring without relying on the history
 -- trigger (belt-and-suspenders, plus captures the initial status at creation).
 -- ----------------------------------------------------------------------------
 CREATE MATERIALIZED VIEW execution_volume_hourly
 WITH (timescaledb.continuous) AS
 SELECT
    time_bucket('1 hour', created) AS bucket,
    action_ref,
    status AS initial_status,
    COUNT(*) AS execution_count
 FROM execution
 GROUP BY bucket, action_ref, status
 WITH NO DATA;
 SELECT add_continuous_aggregate_policy('execution_volume_hourly',
    start_offset    => INTERVAL '7 days',
    end_offset      => INTERVAL '1 hour',
    schedule_interval => INTERVAL '30 minutes'
 );
 -- ============================================================================
 -- INITIAL REFRESH NOTE
 -- ============================================================================
 -- NOTE: refresh_continuous_aggregate() cannot run inside a transaction block,
 -- and the migration runner wraps each file in BEGIN/COMMIT. The continuous
 -- aggregate policies configured above will automatically backfill data within
 -- their first scheduled interval (30 min – 1 hour). On a fresh database there
 -- is no history data to backfill anyway.
 --
 -- If you need an immediate manual refresh after migration, run outside a
 -- transaction:
 --   CALL refresh_continuous_aggregate('execution_status_hourly', NULL, NOW());
 --   CALL refresh_continuous_aggregate('execution_throughput_hourly', NULL, NOW());
 --   CALL refresh_continuous_aggregate('event_volume_hourly', NULL, NOW());
 --   CALL refresh_continuous_aggregate('worker_status_hourly', NULL, NOW());
 --   CALL refresh_continuous_aggregate('enforcement_volume_hourly', NULL, NOW());
 --   CALL refresh_continuous_aggregate('execution_volume_hourly', NULL, NOW());
--- a/docker/distributable/migrations/20250101000010_artifact_content.sql
+++ b/docker/distributable/migrations/20250101000010_artifact_content.sql
@@ -0,0 +1,202 @@
 -- Migration: Artifact Content System
 -- Description: Enhances the artifact table with content fields (name, description,
 --              content_type, size_bytes, execution link, structured data, visibility)
 --              and creates the artifact_version table for versioned file/data storage.
 --
 --              The artifact table now serves as the "header" for a logical artifact,
 --              while artifact_version rows hold the actual immutable content snapshots.
 --              Progress-type artifacts store their live state directly in artifact.data
 --              (append-style updates without creating new versions).
 --
 -- Version: 20250101000010
 -- ============================================================================
 -- ENHANCE ARTIFACT TABLE
 -- ============================================================================
 -- Human-readable name (e.g. "Build Log", "Test Results")
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS name TEXT;
 -- Optional longer description
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS description TEXT;
 -- MIME content type (e.g. "application/json", "text/plain", "image/png")
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS content_type TEXT;
 -- Total size in bytes of the latest version's content (NULL for progress artifacts)
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS size_bytes BIGINT;
 -- Execution that produced/owns this artifact (plain BIGINT, no FK — execution is a hypertable)
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS execution BIGINT;
 -- Structured data for progress-type artifacts and small structured payloads.
 -- Progress artifacts append entries here; file artifacts may store parsed metadata.
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS data JSONB;
 -- Visibility: public artifacts are viewable by all authenticated users;
 -- private artifacts are restricted based on the artifact's scope/owner.
 -- The scope (identity, action, pack, etc.) + owner fields define who can access
 -- a private artifact. Full RBAC enforcement is deferred — for now the column
 -- enables filtering and is available for future permission checks.
 ALTER TABLE artifact ADD COLUMN IF NOT EXISTS visibility artifact_visibility_enum NOT NULL DEFAULT 'private';
 -- New indexes for the added columns
 CREATE INDEX IF NOT EXISTS idx_artifact_execution ON artifact(execution);
 CREATE INDEX IF NOT EXISTS idx_artifact_name ON artifact(name);
 CREATE INDEX IF NOT EXISTS idx_artifact_execution_type ON artifact(execution, type);
 CREATE INDEX IF NOT EXISTS idx_artifact_visibility ON artifact(visibility);
 CREATE INDEX IF NOT EXISTS idx_artifact_visibility_scope ON artifact(visibility, scope, owner);
 -- Comments for new columns
 COMMENT ON COLUMN artifact.name IS 'Human-readable artifact name';
 COMMENT ON COLUMN artifact.description IS 'Optional description of the artifact';
 COMMENT ON COLUMN artifact.content_type IS 'MIME content type (e.g. application/json, text/plain)';
 COMMENT ON COLUMN artifact.size_bytes IS 'Size of latest version content in bytes';
 COMMENT ON COLUMN artifact.execution IS 'Execution that produced this artifact (no FK — execution is a hypertable)';
 COMMENT ON COLUMN artifact.data IS 'Structured JSONB data for progress artifacts or metadata';
 COMMENT ON COLUMN artifact.visibility IS 'Access visibility: public (all users) or private (scope/owner-restricted)';
 -- ============================================================================
 -- ARTIFACT_VERSION TABLE
 -- ============================================================================
 -- Each row is an immutable snapshot of artifact content. File-type artifacts get
 -- a new version on each upload; progress-type artifacts do NOT use versions
 -- (they update artifact.data directly).
 CREATE TABLE artifact_version (
    id BIGSERIAL PRIMARY KEY,
    -- Parent artifact
    artifact BIGINT NOT NULL REFERENCES artifact(id) ON DELETE CASCADE,
    -- Monotonically increasing version number within the artifact (1-based)
    version INTEGER NOT NULL,
    -- MIME content type for this specific version (may differ from parent)
    content_type TEXT,
    -- Size of the content in bytes
    size_bytes BIGINT,
    -- Binary content (file uploads, DB-stored). NULL for file-backed versions.
    content BYTEA,
    -- Structured content (JSON payloads, parsed results, etc.)
    content_json JSONB,
    -- Relative path from artifacts_dir root for disk-stored content.
    -- When set, content BYTEA is NULL — file lives on shared volume.
    -- Pattern: {ref_slug}/v{version}.{ext}
    -- e.g., "mypack/build_log/v1.txt"
    file_path TEXT,
    -- Free-form metadata about this version (e.g. commit hash, build number)
    meta JSONB,
    -- Who or what created this version (identity ref, action ref, "system", etc.)
    created_by TEXT,
    -- Immutable — no updated column
    created TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 -- Unique constraint: one version number per artifact
 ALTER TABLE artifact_version
    ADD CONSTRAINT uq_artifact_version_artifact_version UNIQUE (artifact, version);
 -- Indexes
 CREATE INDEX idx_artifact_version_artifact ON artifact_version(artifact);
 CREATE INDEX idx_artifact_version_artifact_version ON artifact_version(artifact, version DESC);
 CREATE INDEX idx_artifact_version_created ON artifact_version(created DESC);
 CREATE INDEX idx_artifact_version_file_path ON artifact_version(file_path) WHERE file_path IS NOT NULL;
 -- Comments
 COMMENT ON TABLE artifact_version IS 'Immutable content snapshots for artifacts (file uploads, structured data)';
 COMMENT ON COLUMN artifact_version.artifact IS 'Parent artifact this version belongs to';
 COMMENT ON COLUMN artifact_version.version IS 'Version number (1-based, monotonically increasing per artifact)';
 COMMENT ON COLUMN artifact_version.content_type IS 'MIME content type for this version';
 COMMENT ON COLUMN artifact_version.size_bytes IS 'Size of content in bytes';
 COMMENT ON COLUMN artifact_version.content IS 'Binary content (file data)';
 COMMENT ON COLUMN artifact_version.content_json IS 'Structured JSON content';
 COMMENT ON COLUMN artifact_version.meta IS 'Free-form metadata about this version';
 COMMENT ON COLUMN artifact_version.created_by IS 'Who created this version (identity ref, action ref, system)';
 COMMENT ON COLUMN artifact_version.file_path IS 'Relative path from artifacts_dir root for disk-stored content. When set, content BYTEA is NULL — file lives on shared volume.';
 -- ============================================================================
 -- HELPER FUNCTION: next_artifact_version
 -- ============================================================================
 -- Returns the next version number for an artifact (MAX(version) + 1, or 1 if none).
 CREATE OR REPLACE FUNCTION next_artifact_version(p_artifact_id BIGINT)
 RETURNS INTEGER AS $$
 DECLARE
    v_next INTEGER;
 BEGIN
    SELECT COALESCE(MAX(version), 0) + 1
    INTO v_next
    FROM artifact_version
    WHERE artifact = p_artifact_id;
    RETURN v_next;
 END;
 $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION next_artifact_version IS 'Returns the next version number for the given artifact';
 -- ============================================================================
 -- RETENTION ENFORCEMENT FUNCTION
 -- ============================================================================
 -- Called after inserting a new version to enforce the artifact retention policy.
 -- For 'versions' policy: deletes oldest versions beyond the limit.
 -- Time-based policies (days/hours/minutes) are handled by a scheduled job (not this trigger).
 CREATE OR REPLACE FUNCTION enforce_artifact_retention()
 RETURNS TRIGGER AS $$
 DECLARE
    v_policy artifact_retention_enum;
    v_limit INTEGER;
    v_count INTEGER;
 BEGIN
    SELECT retention_policy, retention_limit
    INTO v_policy, v_limit
    FROM artifact
    WHERE id = NEW.artifact;
    IF v_policy = 'versions' AND v_limit > 0 THEN
        -- Count existing versions
        SELECT COUNT(*) INTO v_count
        FROM artifact_version
        WHERE artifact = NEW.artifact;
        -- If over limit, delete the oldest ones
        IF v_count > v_limit THEN
            DELETE FROM artifact_version
            WHERE id IN (
                SELECT id
                FROM artifact_version
                WHERE artifact = NEW.artifact
                ORDER BY version ASC
                LIMIT (v_count - v_limit)
            );
        END IF;
    END IF;
    -- Update parent artifact size_bytes with the new version's size
    UPDATE artifact
    SET size_bytes = NEW.size_bytes,
        content_type = COALESCE(NEW.content_type, content_type)
    WHERE id = NEW.artifact;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 CREATE TRIGGER trg_enforce_artifact_retention
    AFTER INSERT ON artifact_version
    FOR EACH ROW
    EXECUTE FUNCTION enforce_artifact_retention();
 COMMENT ON FUNCTION enforce_artifact_retention IS 'Enforces version-count retention policy and syncs size to parent artifact';
--- a/docker/distributable/migrations/20250101000011_key_value_jsonb.sql
+++ b/docker/distributable/migrations/20250101000011_key_value_jsonb.sql
@@ -0,0 +1,17 @@
 -- Migration: Convert key.value from TEXT to JSONB
 --
 -- This allows keys to store structured data (objects, arrays, numbers, booleans)
 -- in addition to plain strings. Existing string values are wrapped in JSON string
 -- literals so they remain valid and accessible.
 --
 -- Before: value TEXT NOT NULL  (e.g., 'my-secret-token')
 -- After:  value JSONB NOT NULL (e.g., '"my-secret-token"' or '{"user":"admin","pass":"s3cret"}')
 -- Step 1: Convert existing TEXT values to JSONB.
 -- to_jsonb(text) wraps a plain string as a JSON string literal, e.g.:
 --   'hello'  ->  '"hello"'
 -- This preserves all existing values perfectly — encrypted values (base64 strings)
 -- become JSON strings, and plain text values become JSON strings.
 ALTER TABLE key
    ALTER COLUMN value TYPE JSONB
    USING to_jsonb(value);
--- a/docker/distributable/migrations/README.md
+++ b/docker/distributable/migrations/README.md
@@ -0,0 +1,348 @@
 # Attune Database Migrations
 This directory contains SQL migrations for the Attune automation platform database schema.
 ## Overview
 Migrations are numbered and executed in order. Each migration file is named with a timestamp prefix to ensure proper ordering:
 ```
 YYYYMMDDHHMMSS_description.sql
 ```
 ## Migration Files
 The schema is organized into 5 logical migration files:
 | File | Description |
 |------|-------------|
 | `20250101000001_initial_setup.sql` | Creates schema, service role, all enum types, and shared functions |
 | `20250101000002_core_tables.sql` | Creates pack, runtime, worker, identity, permission_set, permission_assignment, policy, and key tables |
 | `20250101000003_event_system.sql` | Creates trigger, sensor, event, and enforcement tables |
 | `20250101000004_execution_system.sql` | Creates action, rule, execution, inquiry, workflow orchestration tables (workflow_definition, workflow_execution, workflow_task_execution), and workflow views |
 | `20250101000005_supporting_tables.sql` | Creates notification, artifact, and queue_stats tables with performance indexes |
 ### Migration Dependencies
 The migrations must be run in order due to foreign key dependencies:
 1. **Initial Setup** - Foundation (schema, enums, functions)
 2. **Core Tables** - Base entities (pack, runtime, worker, identity, permissions, policy, key)
 3. **Event System** - Event monitoring (trigger, sensor, event, enforcement)
 4. **Execution System** - Action execution (action, rule, execution, inquiry)
 5. **Supporting Tables** - Auxiliary features (notification, artifact)
 ## Running Migrations
 ### Using SQLx CLI
 ```bash
 # Install sqlx-cli if not already installed
 cargo install sqlx-cli --no-default-features --features postgres
 # Run all pending migrations
 sqlx migrate run
 # Check migration status
 sqlx migrate info
 # Revert last migration (if needed)
 sqlx migrate revert
 ```
 ### Manual Execution
 You can also run migrations manually using `psql`:
 ```bash
 # Run all migrations in order
 for file in migrations/202501*.sql; do
    psql -U postgres -d attune -f "$file"
 done
 ```
 Or individually:
 ```bash
 psql -U postgres -d attune -f migrations/20250101000001_initial_setup.sql
 psql -U postgres -d attune -f migrations/20250101000002_core_tables.sql
 # ... etc
 ```
 ## Database Setup
 ### Prerequisites
 1. PostgreSQL 14 or later installed
 2. Create the database:
 ```bash
 createdb attune
 ```
 3. Set environment variable:
 ```bash
 export DATABASE_URL="postgresql://postgres:postgres@localhost:5432/attune"
 ```
 ### Initial Setup
 ```bash
 # Navigate to workspace root
 cd /path/to/attune
 # Run migrations
 sqlx migrate run
 # Verify tables were created
 psql -U postgres -d attune -c "\dt attune.*"
 ```
 ## Schema Overview
 The Attune schema includes 22 tables organized into logical groups:
 ### Core Tables (Migration 2)
 - **pack**: Automation component bundles
 - **runtime**: Execution environments (Python, Node.js, containers)
 - **worker**: Execution workers
 - **identity**: Users and service accounts
 - **permission_set**: Permission groups (like roles)
 - **permission_assignment**: Identity-permission links (many-to-many)
 - **policy**: Execution policies (rate limiting, concurrency)
 - **key**: Secure configuration and secrets storage
 ### Event System (Migration 3)
 - **trigger**: Event type definitions
 - **sensor**: Event monitors that watch for triggers
 - **event**: Event instances (trigger firings)
 - **enforcement**: Rule activation instances
 ### Execution System (Migration 4)
 - **action**: Executable operations (can be workflows)
 - **rule**: Trigger-to-action automation logic
 - **execution**: Action execution instances (supports workflows)
 - **inquiry**: Human-in-the-loop interactions (approvals, inputs)
 - **workflow_definition**: YAML-based workflow definitions (composable action graphs)
 - **workflow_execution**: Runtime state tracking for workflow executions
 - **workflow_task_execution**: Individual task executions within workflows
 ### Supporting Tables (Migration 5)
 - **notification**: Real-time system notifications (uses PostgreSQL LISTEN/NOTIFY)
 - **artifact**: Execution outputs (files, logs, progress data)
 - **queue_stats**: Real-time execution queue statistics for FIFO ordering
 ## Key Features
 ### Automatic Timestamps
 All tables include `created` and `updated` timestamps that are automatically managed by the `update_updated_column()` trigger function.
 ### Reference Preservation
 Tables use both ID foreign keys and `*_ref` text columns. The ref columns preserve string references even when the referenced entity is deleted, maintaining complete audit trails.
 ### Soft Deletes
 Foreign keys strategically use:
 - `ON DELETE CASCADE` - For dependent data that should be removed
 - `ON DELETE SET NULL` - To preserve historical records while breaking the link
 ### Validation Constraints
 - **Reference format validation** - Lowercase, specific patterns (e.g., `pack.name`)
 - **Semantic version validation** - For pack versions
 - **Ownership validation** - Custom trigger for key table ownership rules
 - **Range checks** - Port numbers, positive thresholds, etc.
 ### Performance Optimization
 - **B-tree indexes** - On frequently queried columns (IDs, refs, status, timestamps)
 - **Partial indexes** - For filtered queries (e.g., `enabled = TRUE`)
 - **GIN indexes** - On JSONB and array columns for fast containment queries
 - **Composite indexes** - For common multi-column query patterns
 ### PostgreSQL Features
 - **JSONB** - Flexible schema storage for configurations, payloads, results
 - **Array types** - Multi-value fields (tags, parameters, dependencies)
 - **Custom enum types** - Constrained string values with type safety
 - **Triggers** - Data validation, timestamp management, notifications
 - **pg_notify** - Real-time notifications via PostgreSQL's LISTEN/NOTIFY
 ## Service Role
 The migrations create a `svc_attune` role with appropriate permissions. **Change the password in production:**
 ```sql
 ALTER ROLE svc_attune WITH PASSWORD 'secure_password_here';
 ```
 The default password is `attune_service_password` (only for development).
 ## Rollback Strategy
 ### Complete Reset
 To completely reset the database:
 ```bash
 # Drop and recreate
 dropdb attune
 createdb attune
 sqlx migrate run
 ```
 Or drop just the schema:
 ```sql
 psql -U postgres -d attune -c "DROP SCHEMA attune CASCADE;"
 ```
 Then re-run migrations.
 ### Individual Migration Revert
 With SQLx CLI:
 ```bash
 sqlx migrate revert
 ```
 Or manually remove from tracking:
 ```sql
 DELETE FROM _sqlx_migrations WHERE version = 20250101000001;
 ```
 ## Best Practices
 1. **Never edit existing migrations** - Create new migrations to modify schema
 2. **Test migrations** - Always test on a copy of production data first
 3. **Backup before migrating** - Backup production database before applying migrations
 4. **Review changes** - Review all migrations before applying to production
 5. **Version control** - Keep migrations in version control (they are!)
 6. **Document changes** - Add comments to complex migrations
 ## Development Workflow
 1. Create new migration file with timestamp:
   ```bash
   touch migrations/$(date +%Y%m%d%H%M%S)_description.sql
   ```
 2. Write migration SQL (follow existing patterns)
 3. Test migration:
   ```bash
   sqlx migrate run
   ```
 4. Verify changes:
   ```bash
   psql -U postgres -d attune
   \d+ attune.table_name
   ```
 5. Commit to version control
 ## Production Deployment
 1. **Backup** production database
 2. **Review** all pending migrations
 3. **Test** migrations on staging environment with production data copy
 4. **Schedule** maintenance window if needed
 5. **Apply** migrations:
   ```bash
   sqlx migrate run
   ```
 6. **Verify** application functionality
 7. **Monitor** for errors in logs
 ## Troubleshooting
 ### Migration already applied
 If you need to re-run a migration:
 ```bash
 # Remove from migration tracking (SQLx)
 psql -U postgres -d attune -c "DELETE FROM _sqlx_migrations WHERE version = 20250101000001;"
 # Then re-run
 sqlx migrate run
 ```
 ### Permission denied
 Ensure the PostgreSQL user has sufficient permissions:
 ```sql
 GRANT ALL PRIVILEGES ON DATABASE attune TO postgres;
 GRANT ALL PRIVILEGES ON SCHEMA attune TO postgres;
 ```
 ### Connection refused
 Check PostgreSQL is running:
 ```bash
 # Linux/macOS
 pg_ctl status
 sudo systemctl status postgresql
 # Check if listening
 psql -U postgres -c "SELECT version();"
 ```
 ### Foreign key constraint violations
 Ensure migrations run in correct order. The consolidated migrations handle forward references correctly:
 - Migration 2 creates tables with forward references (commented as such)
 - Migration 3 and 4 add the foreign key constraints back
 ## Schema Diagram
 ```
 ┌─────────────┐
 │    pack     │◄──┐
 └─────────────┘   │
       ▲          │
       │          │
 ┌──────┴──────────┴──────┐
 │ runtime │ trigger │ ... │  (Core entities reference pack)
 └─────────┴─────────┴─────┘
       ▲          ▲
       │          │
 ┌──────┴──────┐  │
 │   sensor    │──┘  (Sensors reference both runtime and trigger)
 └─────────────┘
       │
       ▼
 ┌─────────────┐     ┌──────────────┐
 │    event    │────►│ enforcement  │  (Events trigger enforcements)
 └─────────────┘     └──────────────┘
                           │
                           ▼
                    ┌──────────────┐
                    │  execution   │  (Enforcements create executions)
                    └──────────────┘
 ```
 ## Workflow Orchestration
 Migration 4 includes comprehensive workflow orchestration support:
 - **workflow_definition**: Stores parsed YAML workflow definitions with tasks, variables, and transitions
 - **workflow_execution**: Tracks runtime state including current/completed/failed tasks and variables
 - **workflow_task_execution**: Individual task execution tracking with retry and timeout support
 - **Action table extensions**: `is_workflow` and `workflow_def` columns link actions to workflows
 - **Helper views**: Three views for querying workflow state (summary, task detail, action links)
 ## Queue Statistics
 Migration 5 includes the queue_stats table for execution ordering:
 - Tracks per-action queue length, active executions, and concurrency limits
 - Enables FIFO queue management with database persistence
 - Supports monitoring and API visibility of execution queues
 ## Additional Resources
 - [SQLx Documentation](https://github.com/launchbadge/sqlx)
 - [PostgreSQL Documentation](https://www.postgresql.org/docs/)
 - [Attune Architecture Documentation](../docs/architecture.md)
 - [Attune Data Model Documentation](../docs/data-model.md)
--- a/docker/distributable/packs/core/DEPENDENCIES.md
+++ b/docker/distributable/packs/core/DEPENDENCIES.md
@@ -0,0 +1,270 @@
 # Core Pack Dependencies
 **Philosophy:** The core pack has **zero runtime dependencies** beyond standard system utilities.
 ## Why Zero Dependencies?
 1. **Portability:** Works in any environment with standard Unix utilities
 2. **Reliability:** No version conflicts, no package installation failures
 3. **Security:** Minimal attack surface, no third-party library vulnerabilities
 4. **Performance:** Fast startup, no runtime initialization overhead
 5. **Simplicity:** Easy to audit, test, and maintain
 ## Required System Utilities
 All core pack actions rely only on utilities available in standard Linux/Unix environments:
 | Utility | Purpose | Used By |
 |---------|---------|---------|
 | `bash` | Shell scripting | All shell actions |
 | `jq` | JSON parsing/generation | All actions (parameter handling) |
 | `curl` | HTTP client | `http_request.sh` |
 | Standard Unix tools | Text processing, file operations | Various actions |
 These utilities are:
 - ✅ Pre-installed in all Attune worker containers
 - ✅ Standard across Linux distributions
 - ✅ Stable, well-tested, and widely used
 - ✅ Available via package managers if needed
 ## No Runtime Dependencies
 The core pack **does not require:**
 - ❌ Python interpreter or packages
 - ❌ Node.js runtime or npm modules
 - ❌ Ruby, Perl, or other scripting languages
 - ❌ Third-party libraries or frameworks
 - ❌ Package installations at runtime
 ## Action Implementation Guidelines
 ### ✅ Preferred Approaches
 **Use bash + standard utilities:**
 ```bash
 #!/bin/bash
 # Read params with jq
 INPUT=$(cat)
 PARAM=$(echo "$INPUT" | jq -r '.param // "default"')
 # Process with standard tools
 RESULT=$(echo "$PARAM" | tr '[:lower:]' '[:upper:]')
 # Output with jq
 jq -n --arg result "$RESULT" '{result: $result}'
 ```
 **Use curl for HTTP:**
 ```bash
 # Make HTTP requests with curl
 curl -s -X POST "$URL" \
    -H "Content-Type: application/json" \
    -d '{"key": "value"}'
 ```
 **Use jq for JSON processing:**
 ```bash
 # Parse JSON responses
 echo "$RESPONSE" | jq '.data.items[] | .name'
 # Generate JSON output
 jq -n \
    --arg status "success" \
    --argjson count 42 \
    '{status: $status, count: $count}'
 ```
 ### ❌ Avoid
 **Don't add runtime dependencies:**
 ```bash
 # ❌ DON'T DO THIS
 pip install requests
 python3 script.py
 # ❌ DON'T DO THIS
 npm install axios
 node script.js
 # ❌ DON'T DO THIS
 gem install httparty
 ruby script.rb
 ```
 **Don't use language-specific features:**
 ```python
 # ❌ DON'T DO THIS in core pack
 #!/usr/bin/env python3
 import requests  # External dependency!
 response = requests.get(url)
 ```
 Instead, use bash + curl:
 ```bash
 # ✅ DO THIS in core pack
 #!/bin/bash
 response=$(curl -s "$url")
 ```
 ## When Runtime Dependencies Are Acceptable
 For **custom packs** (not core pack), runtime dependencies are fine:
 - ✅ Pack-specific Python libraries (installed in pack virtualenv)
 - ✅ Pack-specific npm modules (installed in pack node_modules)
 - ✅ Language runtimes (Python, Node.js) for complex logic
 - ✅ Specialized tools for specific integrations
 The core pack serves as a foundation with zero dependencies. Custom packs can have dependencies managed via:
 - `requirements.txt` for Python packages
 - `package.json` for Node.js modules
 - Pack runtime environments (isolated per pack)
 ## Migration from Runtime Dependencies
 If an action currently uses a runtime dependency, consider:
 1. **Can it be done with bash + standard utilities?**
   - Yes → Rewrite in bash
   - No → Consider if it belongs in core pack
 2. **Is the functionality complex?**
   - Simple HTTP/JSON → Use curl + jq
   - Complex API client → Move to custom pack
 3. **Is it a specialized integration?**
   - Yes → Move to integration-specific pack
   - No → Keep in core pack with bash implementation
 ### Example: http_request Migration
 **Before (Python with dependency):**
 ```python
 #!/usr/bin/env python3
 import requests  # ❌ External dependency
 response = requests.get(url, headers=headers)
 print(response.json())
 ```
 **After (Bash with standard utilities):**
 ```bash
 #!/bin/bash
 # ✅ No dependencies beyond curl + jq
 response=$(curl -s -H "Authorization: Bearer $TOKEN" "$URL")
 echo "$response" | jq '.'
 ```
 ## Testing Without Dependencies
 Core pack actions can be tested anywhere with standard utilities:
 ```bash
 # Local testing (no installation needed)
 echo '{"param": "value"}' | ./action.sh
 # Docker testing (minimal base image)
 docker run --rm -i alpine:latest sh -c '
    apk add --no-cache bash jq curl &&
    /bin/bash < action.sh
 '
 # CI/CD testing (standard tools available)
 ./action.sh < test-params.json
 ```
 ## Benefits Realized
 ### For Developers
 - No dependency management overhead
 - Immediate action execution (no runtime setup)
 - Easy to test locally
 - Simple to audit and debug
 ### For Operators
 - No version conflicts between packs
 - No package installation failures
 - Faster container startup
 - Smaller container images
 ### For Security
 - Minimal attack surface
 - No third-party library vulnerabilities
 - Easier to audit (standard tools only)
 - No supply chain risks
 ### For Performance
 - Fast action startup (no runtime initialization)
 - Low memory footprint
 - No package loading overhead
 - Efficient resource usage
 ## Standard Utility Reference
 ### jq (JSON Processing)
 ```bash
 # Parse input
 VALUE=$(echo "$JSON" | jq -r '.key')
 # Generate output
 jq -n --arg val "$VALUE" '{result: $val}'
 # Transform data
 echo "$JSON" | jq '.items[] | select(.active)'
 ```
 ### curl (HTTP Client)
 ```bash
 # GET request
 curl -s "$URL"
 # POST with JSON
 curl -s -X POST "$URL" \
    -H "Content-Type: application/json" \
    -d '{"key": "value"}'
 # With authentication
 curl -s -H "Authorization: Bearer $TOKEN" "$URL"
 ```
 ### Standard Text Tools
 ```bash
 # grep - Pattern matching
 echo "$TEXT" | grep "pattern"
 # sed - Text transformation
 echo "$TEXT" | sed 's/old/new/g'
 # awk - Text processing
 echo "$TEXT" | awk '{print $1}'
 # tr - Character translation
 echo "$TEXT" | tr '[:lower:]' '[:upper:]'
 ```
 ## Future Considerations
 The core pack will:
 - ✅ Continue to have zero runtime dependencies
 - ✅ Use only standard Unix utilities
 - ✅ Serve as a reference implementation
 - ✅ Provide foundational actions for workflows
 Custom packs may:
 - ✅ Have runtime dependencies (Python, Node.js, etc.)
 - ✅ Use specialized libraries for integrations
 - ✅ Require specific tools or SDKs
 - ✅ Manage dependencies via pack environments
 ## Summary
 **Core Pack = Zero Dependencies + Standard Utilities**
 This philosophy ensures the core pack is:
 - Portable across all environments
 - Reliable without version conflicts
 - Secure with minimal attack surface
 - Performant with fast startup
 - Simple to test and maintain
 For actions requiring runtime dependencies, create custom packs with proper dependency management via `requirements.txt`, `package.json`, or similar mechanisms.
--- a/docker/distributable/packs/core/README.md
+++ b/docker/distributable/packs/core/README.md
@@ -0,0 +1,361 @@
 # Attune Core Pack
 The **Core Pack** is the foundational system pack for Attune, providing essential automation components including timer triggers, HTTP utilities, and basic shell actions.
 ## Overview
 The core pack is automatically installed with Attune and provides the building blocks for creating automation workflows. It includes:
 - **Timer Triggers**: Interval-based, cron-based, and one-shot datetime timers
 - **HTTP Actions**: Make HTTP requests to external APIs
 - **Shell Actions**: Execute basic shell commands (echo, sleep, noop)
 - **Built-in Sensors**: System sensors for monitoring time-based events
 ## Components
 ### Actions
 #### `core.echo`
 Outputs a message to stdout.
 **Parameters:**
 - `message` (string, required): Message to echo
 - `uppercase` (boolean, optional): Convert message to uppercase
 **Example:**
 ```yaml
 action: core.echo
 parameters:
  message: "Hello, Attune!"
  uppercase: false
 ```
 ---
 #### `core.sleep`
 Pauses execution for a specified duration.
 **Parameters:**
 - `seconds` (integer, required): Number of seconds to sleep (0-3600)
 - `message` (string, optional): Optional message to display before sleeping
 **Example:**
 ```yaml
 action: core.sleep
 parameters:
  seconds: 30
  message: "Waiting 30 seconds..."
 ```
 ---
 #### `core.noop`
 Does nothing - useful for testing and placeholder workflows.
 **Parameters:**
 - `message` (string, optional): Optional message to log
 - `exit_code` (integer, optional): Exit code to return (default: 0)
 **Example:**
 ```yaml
 action: core.noop
 parameters:
  message: "Testing workflow structure"
 ```
 ---
 #### `core.http_request`
 Make HTTP requests to external APIs with full control over headers, authentication, and request body.
 **Parameters:**
 - `url` (string, required): URL to send the request to
 - `method` (string, optional): HTTP method (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)
 - `headers` (object, optional): HTTP headers as key-value pairs
 - `body` (string, optional): Request body for POST/PUT/PATCH
 - `json_body` (object, optional): JSON request body (alternative to `body`)
 - `query_params` (object, optional): URL query parameters
 - `timeout` (integer, optional): Request timeout in seconds (default: 30)
 - `verify_ssl` (boolean, optional): Verify SSL certificates (default: true)
 - `auth_type` (string, optional): Authentication type (none, basic, bearer)
 - `auth_username` (string, optional): Username for basic auth
 - `auth_password` (string, secret, optional): Password for basic auth
 - `auth_token` (string, secret, optional): Bearer token
 - `follow_redirects` (boolean, optional): Follow HTTP redirects (default: true)
 - `max_redirects` (integer, optional): Maximum redirects to follow (default: 10)
 **Output:**
 - `status_code` (integer): HTTP status code
 - `headers` (object): Response headers
 - `body` (string): Response body as text
 - `json` (object): Parsed JSON response (if applicable)
 - `elapsed_ms` (integer): Request duration in milliseconds
 - `url` (string): Final URL after redirects
 - `success` (boolean): Whether request was successful (2xx status)
 **Example:**
 ```yaml
 action: core.http_request
 parameters:
  url: "https://api.example.com/users"
  method: "POST"
  json_body:
    name: "John Doe"
    email: "john@example.com"
  headers:
    Content-Type: "application/json"
  auth_type: "bearer"
  auth_token: "${secret:api_token}"
 ```
 ---
 ### Triggers
 #### `core.intervaltimer`
 Fires at regular intervals based on time unit and interval.
 **Parameters:**
 - `unit` (string, required): Time unit (seconds, minutes, hours)
 - `interval` (integer, required): Number of time units between triggers
 **Payload:**
 - `type`: "interval"
 - `interval_seconds`: Total interval in seconds
 - `fired_at`: ISO 8601 timestamp
 - `execution_count`: Number of times fired
 - `sensor_ref`: Reference to the sensor
 **Example:**
 ```yaml
 trigger: core.intervaltimer
 config:
  unit: "minutes"
  interval: 5
 ```
 ---
 #### `core.crontimer`
 Fires based on cron schedule expressions.
 **Parameters:**
 - `expression` (string, required): Cron expression (6 fields: second minute hour day month weekday)
 - `timezone` (string, optional): Timezone (default: UTC)
 - `description` (string, optional): Human-readable schedule description
 **Payload:**
 - `type`: "cron"
 - `fired_at`: ISO 8601 timestamp
 - `scheduled_at`: When trigger was scheduled to fire
 - `expression`: The cron expression
 - `timezone`: Timezone used
 - `next_fire_at`: Next scheduled fire time
 - `execution_count`: Number of times fired
 - `sensor_ref`: Reference to the sensor
 **Cron Format:**
 ```
 ┌───────── second (0-59)
 │ ┌─────── minute (0-59)
 │ │ ┌───── hour (0-23)
 │ │ │ ┌─── day of month (1-31)
 │ │ │ │ ┌─ month (1-12)
 │ │ │ │ │ ┌ day of week (0-6, 0=Sunday)
 │ │ │ │ │ │
 * * * * * *
 ```
 **Examples:**
 - `0 0 * * * *` - Every hour
 - `0 0 0 * * *` - Every day at midnight
 - `0 */15 * * * *` - Every 15 minutes
 - `0 30 8 * * 1-5` - 8:30 AM on weekdays
 ---
 #### `core.datetimetimer`
 Fires once at a specific date and time.
 **Parameters:**
 - `fire_at` (string, required): ISO 8601 timestamp when timer should fire
 - `timezone` (string, optional): Timezone (default: UTC)
 - `description` (string, optional): Human-readable description
 **Payload:**
 - `type`: "one_shot"
 - `fire_at`: Scheduled fire time
 - `fired_at`: Actual fire time
 - `timezone`: Timezone used
 - `delay_ms`: Delay between scheduled and actual fire time
 - `sensor_ref`: Reference to the sensor
 **Example:**
 ```yaml
 trigger: core.datetimetimer
 config:
  fire_at: "2024-12-31T23:59:59Z"
  description: "New Year's countdown"
 ```
 ---
 ### Sensors
 #### `core.interval_timer_sensor`
 Built-in sensor that monitors time and fires interval timer triggers.
 **Configuration:**
 - `check_interval_seconds` (integer, optional): How often to check triggers (default: 1)
 This sensor automatically runs as part of the Attune sensor service and manages all interval timer trigger instances.
 ---
 ## Configuration
 The core pack supports the following configuration options:
 ```yaml
 # config.yaml
 packs:
  core:
    max_action_timeout: 300        # Maximum action timeout in seconds
    enable_debug_logging: false    # Enable debug logging
 ```
 ## Dependencies
 ### Python Dependencies
 - `requests>=2.28.0` - For HTTP request action
 - `croniter>=1.4.0` - For cron timer parsing (future)
 ### Runtime Dependencies
 - Shell (bash/sh) - For shell-based actions
 - Python 3.8+ - For Python-based actions and sensors
 ## Installation
 The core pack is automatically installed with Attune. No manual installation is required.
 To verify the core pack is loaded:
 ```bash
 # Using CLI
 attune pack list | grep core
 # Using API
 curl http://localhost:8080/api/v1/packs/core
 ```
 ## Usage Examples
 ### Example 1: Echo Every 10 Seconds
 Create a rule that echoes "Hello, World!" every 10 seconds:
 ```yaml
 ref: core.hello_world_rule
 trigger: core.intervaltimer
 trigger_config:
  unit: "seconds"
  interval: 10
 action: core.echo
 action_params:
  message: "Hello, World!"
  uppercase: false
 ```
 ### Example 2: HTTP Health Check Every 5 Minutes
 Monitor an API endpoint every 5 minutes:
 ```yaml
 ref: core.health_check_rule
 trigger: core.intervaltimer
 trigger_config:
  unit: "minutes"
  interval: 5
 action: core.http_request
 action_params:
  url: "https://api.example.com/health"
  method: "GET"
  timeout: 10
 ```
 ### Example 3: Daily Report at Midnight
 Generate a report every day at midnight:
 ```yaml
 ref: core.daily_report_rule
 trigger: core.crontimer
 trigger_config:
  expression: "0 0 0 * * *"
  timezone: "UTC"
  description: "Daily at midnight"
 action: core.http_request
 action_params:
  url: "https://api.example.com/reports/generate"
  method: "POST"
 ```
 ### Example 4: One-Time Reminder
 Set a one-time reminder for a specific date and time:
 ```yaml
 ref: core.meeting_reminder
 trigger: core.datetimetimer
 trigger_config:
  fire_at: "2024-06-15T14:00:00Z"
  description: "Team meeting reminder"
 action: core.echo
 action_params:
  message: "Team meeting starts in 15 minutes!"
 ```
 ## Development
 ### Adding New Actions
 1. Create action metadata file: `actions/<action_name>.yaml`
 2. Create action implementation: `actions/<action_name>.sh` or `actions/<action_name>.py`
 3. Make script executable: `chmod +x actions/<action_name>.sh`
 4. Update pack manifest if needed
 5. Test the action
 ### Testing Actions Locally
 Test actions directly by setting environment variables:
 ```bash
 # Test echo action
 export ATTUNE_ACTION_MESSAGE="Test message"
 export ATTUNE_ACTION_UPPERCASE=true
 ./actions/echo.sh
 # Test HTTP request action
 export ATTUNE_ACTION_URL="https://httpbin.org/get"
 export ATTUNE_ACTION_METHOD="GET"
 python3 actions/http_request.py
 ```
 ## Contributing
 The core pack is part of the Attune project. Contributions are welcome!
 1. Follow the existing code style and structure
 2. Add tests for new actions/sensors
 3. Update documentation
 4. Submit a pull request
 ## License
 The core pack is licensed under the same license as Attune.
 ## Support
 - Documentation: https://docs.attune.io/packs/core
 - Issues: https://github.com/attune-io/attune/issues
 - Discussions: https://github.com/attune-io/attune/discussions
--- a/docker/distributable/packs/core/SETUP.md
+++ b/docker/distributable/packs/core/SETUP.md
@@ -0,0 +1,305 @@
 # Core Pack Setup Guide
 This guide explains how to set up and load the Attune core pack into your database.
 ## Overview
 The **core pack** is Attune's built-in system pack that provides essential automation components including:
 - **Timer Triggers**: Interval-based, cron-based, and datetime triggers
 - **Basic Actions**: Echo, sleep, noop, and HTTP request actions
 - **Built-in Sensors**: Interval timer sensor for time-based automation
 The core pack must be loaded into the database before it can be used in rules and workflows.
 ## Prerequisites
 Before loading the core pack, ensure:
 1. **PostgreSQL is running** and accessible
 2. **Database migrations are applied**: `sqlx migrate run`
 3. **Python 3.8+** is installed (for the loader script)
 4. **Required Python packages** are installed:
   ```bash
   pip install psycopg2-binary pyyaml
   ```
 ## Loading Methods
 ### Method 1: Python Loader Script (Recommended)
 The Python loader script reads the pack YAML files and creates database entries automatically.
 **Usage:**
 ```bash
 # From the project root
 python3 scripts/load_core_pack.py
 # With custom database URL
 python3 scripts/load_core_pack.py --database-url "postgresql://user:pass@localhost:5432/attune"
 # With custom pack directory
 python3 scripts/load_core_pack.py --pack-dir ./packs
 ```
 **What it does:**
 - Reads `pack.yaml` for pack metadata
 - Loads all trigger definitions from `triggers/*.yaml`
 - Loads all action definitions from `actions/*.yaml`
 - Loads all sensor definitions from `sensors/*.yaml`
 - Creates or updates database entries (idempotent)
 - Uses transactions (all-or-nothing)
 **Output:**
 ```
 ============================================================
 Core Pack Loader
 ============================================================
 → Loading pack metadata...
 ✓ Pack 'core' loaded (ID: 1)
 → Loading triggers...
  ✓ Trigger 'core.intervaltimer' (ID: 1)
  ✓ Trigger 'core.crontimer' (ID: 2)
  ✓ Trigger 'core.datetimetimer' (ID: 3)
 → Loading actions...
  ✓ Action 'core.echo' (ID: 1)
  ✓ Action 'core.sleep' (ID: 2)
  ✓ Action 'core.noop' (ID: 3)
  ✓ Action 'core.http_request' (ID: 4)
 → Loading sensors...
  ✓ Sensor 'core.interval_timer_sensor' (ID: 1)
 ============================================================
 ✓ Core pack loaded successfully!
 ============================================================
  Pack ID: 1
  Triggers: 3
  Actions: 4
  Sensors: 1
 ```
 ### Method 2: SQL Seed Script
 For simpler setups or CI/CD, you can use the SQL seed script directly.
 **Usage:**
 ```bash
 psql $DATABASE_URL -f scripts/seed_core_pack.sql
 ```
 **Note:** The SQL script may not include all pack metadata and is less flexible than the Python loader.
 ### Method 3: CLI (Future)
 Once the CLI pack management commands are fully implemented:
 ```bash
 attune pack register ./packs/core
 ```
 ## Verification
 After loading, verify the core pack is available:
 ### Using CLI
 ```bash
 # List all packs
 attune pack list
 # Show core pack details
 attune pack show core
 # List core pack actions
 attune action list --pack core
 # List core pack triggers
 attune trigger list --pack core
 ```
 ### Using API
 ```bash
 # Get pack info
 curl http://localhost:8080/api/v1/packs/core | jq
 # List actions
 curl http://localhost:8080/api/v1/packs/core/actions | jq
 # List triggers
 curl http://localhost:8080/api/v1/packs/core/triggers | jq
 ```
 ### Using Database
 ```sql
 -- Check pack exists
 SELECT * FROM attune.pack WHERE ref = 'core';
 -- Count components
 SELECT 
    (SELECT COUNT(*) FROM attune.trigger WHERE pack_ref = 'core') as triggers,
    (SELECT COUNT(*) FROM attune.action WHERE pack_ref = 'core') as actions,
    (SELECT COUNT(*) FROM attune.sensor WHERE pack_ref = 'core') as sensors;
 ```
 ## Testing the Core Pack
 ### 1. Test Actions Directly
 Test actions using environment variables:
 ```bash
 # Test echo action
 export ATTUNE_ACTION_MESSAGE="Hello, Attune!"
 export ATTUNE_ACTION_UPPERCASE=false
 ./packs/core/actions/echo.sh
 # Test sleep action
 export ATTUNE_ACTION_SECONDS=2
 export ATTUNE_ACTION_MESSAGE="Sleeping..."
 ./packs/core/actions/sleep.sh
 # Test HTTP request action
 export ATTUNE_ACTION_URL="https://httpbin.org/get"
 export ATTUNE_ACTION_METHOD="GET"
 python3 packs/core/actions/http_request.py
 ```
 ### 2. Run Pack Test Suite
 ```bash
 # Run comprehensive test suite
 ./packs/core/test_core_pack.sh
 ```
 ### 3. Create a Test Rule
 Create a simple rule to test the core pack integration:
 ```bash
 # Create a rule that echoes every 10 seconds
 attune rule create \
  --name "test_timer_echo" \
  --trigger "core.intervaltimer" \
  --trigger-config '{"unit":"seconds","interval":10}' \
  --action "core.echo" \
  --action-params '{"message":"Timer triggered!"}' \
  --enabled
 ```
 ## Updating the Core Pack
 To update the core pack after making changes:
 1. Edit the relevant YAML files in `packs/core/`
 2. Re-run the loader script:
   ```bash
   python3 scripts/load_core_pack.py
   ```
 3. The loader will update existing entries (upsert)
 ## Troubleshooting
 ### "Failed to connect to database"
 - Verify PostgreSQL is running: `pg_isready`
 - Check `DATABASE_URL` environment variable
 - Test connection: `psql $DATABASE_URL -c "SELECT 1"`
 ### "pack.yaml not found"
 - Ensure you're running from the project root
 - Check the `--pack-dir` argument points to the correct directory
 - Verify `packs/core/pack.yaml` exists
 ### "ModuleNotFoundError: No module named 'psycopg2'"
 ```bash
 pip install psycopg2-binary pyyaml
 ```
 ### "Pack loaded but not visible in API"
 - Restart the API service to reload pack data
 - Check pack is enabled: `SELECT enabled FROM attune.pack WHERE ref = 'core'`
 ### Actions not executing
 - Verify action scripts are executable: `chmod +x packs/core/actions/*.sh`
 - Check worker service is running and can access the packs directory
 - Verify runtime configuration is correct
 ## Development Workflow
 When developing new core pack components:
 1. **Add new action:**
   - Create `actions/new_action.yaml` with metadata
   - Create `actions/new_action.sh` (or `.py`) with implementation
   - Make script executable: `chmod +x actions/new_action.sh`
   - Test locally: `export ATTUNE_ACTION_*=... && ./actions/new_action.sh`
   - Load into database: `python3 scripts/load_core_pack.py`
 2. **Add new trigger:**
   - Create `triggers/new_trigger.yaml` with metadata
   - Load into database: `python3 scripts/load_core_pack.py`
   - Create sensor if needed
 3. **Add new sensor:**
   - Create `sensors/new_sensor.yaml` with metadata
   - Create `sensors/new_sensor.py` with implementation
   - Load into database: `python3 scripts/load_core_pack.py`
   - Restart sensor service
 ## Environment Variables
 The loader script supports the following environment variables:
 - `DATABASE_URL` - PostgreSQL connection string
  - Default: `postgresql://postgres:postgres@localhost:5432/attune`
  - Example: `postgresql://user:pass@db.example.com:5432/attune`
 - `ATTUNE_PACKS_DIR` - Base directory for packs
  - Default: `./packs`
  - Example: `/opt/attune/packs`
 ## CI/CD Integration
 For automated deployments:
 ```yaml
 # Example GitHub Actions workflow
 - name: Load Core Pack
  run: |
    python3 scripts/load_core_pack.py \
      --database-url "${{ secrets.DATABASE_URL }}"
  env:
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
 ```
 ## Next Steps
 After loading the core pack:
 1. **Create your first rule** using core triggers and actions
 2. **Enable sensors** to start generating events
 3. **Monitor executions** via the API or Web UI
 4. **Explore pack documentation** in `README.md`
 ## Additional Resources
 - **Pack README**: `packs/core/README.md` - Comprehensive component documentation
 - **Testing Guide**: `packs/core/TESTING.md` - Testing procedures
 - **API Documentation**: `docs/api-packs.md` - Pack management API
 - **Action Development**: `docs/action-development.md` - Creating custom actions
 ## Support
 If you encounter issues:
 1. Check this troubleshooting section
 2. Review logs from services (api, executor, worker, sensor)
 3. Verify database state with SQL queries
 4. File an issue with detailed error messages and logs
 ---
 **Last Updated:** 2025-01-20  
 **Core Pack Version:** 1.0.0
--- a/docker/distributable/packs/core/TESTING.md
+++ b/docker/distributable/packs/core/TESTING.md
@@ -0,0 +1,410 @@
 # Core Pack Testing Guide
 Quick reference for testing core pack actions and sensors locally.
 ---
 ## Prerequisites
 ```bash
 # Ensure scripts are executable
 chmod +x packs/core/actions/*.sh
 chmod +x packs/core/actions/*.py
 chmod +x packs/core/sensors/*.py
 # Install Python dependencies
 pip install requests>=2.28.0
 ```
 ---
 ## Testing Actions
 Actions receive parameters via environment variables prefixed with `ATTUNE_ACTION_`.
 ### Test `core.echo`
 ```bash
 # Basic echo
 export ATTUNE_ACTION_MESSAGE="Hello, Attune!"
 ./packs/core/actions/echo.sh
 # With uppercase conversion
 export ATTUNE_ACTION_MESSAGE="test message"
 export ATTUNE_ACTION_UPPERCASE=true
 ./packs/core/actions/echo.sh
 ```
 **Expected Output:**
 ```
 Hello, Attune!
 TEST MESSAGE
 ```
 ---
 ### Test `core.sleep`
 ```bash
 # Sleep for 2 seconds
 export ATTUNE_ACTION_SECONDS=2
 export ATTUNE_ACTION_MESSAGE="Sleeping..."
 time ./packs/core/actions/sleep.sh
 ```
 **Expected Output:**
 ```
 Sleeping...
 Slept for 2 seconds
 real    0m2.004s
 ```
 ---
 ### Test `core.noop`
 ```bash
 # No operation with message
 export ATTUNE_ACTION_MESSAGE="Testing noop"
 ./packs/core/actions/noop.sh
 # With custom exit code
 export ATTUNE_ACTION_EXIT_CODE=0
 ./packs/core/actions/noop.sh
 echo "Exit code: $?"
 ```
 **Expected Output:**
 ```
 [NOOP] Testing noop
 No operation completed successfully
 Exit code: 0
 ```
 ---
 ### Test `core.http_request`
 ```bash
 # Simple GET request
 export ATTUNE_ACTION_URL="https://httpbin.org/get"
 export ATTUNE_ACTION_METHOD="GET"
 python3 ./packs/core/actions/http_request.py
 # POST with JSON body
 export ATTUNE_ACTION_URL="https://httpbin.org/post"
 export ATTUNE_ACTION_METHOD="POST"
 export ATTUNE_ACTION_JSON_BODY='{"name": "test", "value": 123}'
 python3 ./packs/core/actions/http_request.py
 # With custom headers
 export ATTUNE_ACTION_URL="https://httpbin.org/headers"
 export ATTUNE_ACTION_METHOD="GET"
 export ATTUNE_ACTION_HEADERS='{"X-Custom-Header": "test-value"}'
 python3 ./packs/core/actions/http_request.py
 # With query parameters
 export ATTUNE_ACTION_URL="https://httpbin.org/get"
 export ATTUNE_ACTION_METHOD="GET"
 export ATTUNE_ACTION_QUERY_PARAMS='{"foo": "bar", "page": "1"}'
 python3 ./packs/core/actions/http_request.py
 # With timeout
 export ATTUNE_ACTION_URL="https://httpbin.org/delay/5"
 export ATTUNE_ACTION_METHOD="GET"
 export ATTUNE_ACTION_TIMEOUT=2
 python3 ./packs/core/actions/http_request.py
 ```
 **Expected Output:**
 ```json
 {
  "status_code": 200,
  "headers": {
    "Content-Type": "application/json",
    ...
  },
  "body": "...",
  "json": {
    "args": {},
    "headers": {...},
    ...
  },
  "elapsed_ms": 234,
  "url": "https://httpbin.org/get",
  "success": true
 }
 ```
 ---
 ## Testing Sensors
 Sensors receive configuration via environment variables prefixed with `ATTUNE_SENSOR_`.
 ### Test `core.interval_timer_sensor`
 ```bash
 # Create test trigger instances JSON
 export ATTUNE_SENSOR_TRIGGERS='[
  {
    "id": 1,
    "ref": "core.intervaltimer",
    "config": {
      "unit": "seconds",
      "interval": 5
    }
  }
 ]'
 # Run sensor (will output events every 5 seconds)
 python3 ./packs/core/sensors/interval_timer_sensor.py
 ```
 **Expected Output:**
 ```
 Interval Timer Sensor started (check_interval=1s)
 {"type": "interval", "interval_seconds": 5, "fired_at": "2024-01-20T12:00:00Z", "execution_count": 1, "sensor_ref": "core.interval_timer_sensor", "trigger_instance_id": 1, "trigger_ref": "core.intervaltimer"}
 {"type": "interval", "interval_seconds": 5, "fired_at": "2024-01-20T12:00:05Z", "execution_count": 2, "sensor_ref": "core.interval_timer_sensor", "trigger_instance_id": 1, "trigger_ref": "core.intervaltimer"}
 ...
 ```
 Press `Ctrl+C` to stop the sensor.
 ---
 ## Testing with Multiple Trigger Instances
 ```bash
 # Test multiple timers
 export ATTUNE_SENSOR_TRIGGERS='[
  {
    "id": 1,
    "ref": "core.intervaltimer",
    "config": {"unit": "seconds", "interval": 3}
  },
  {
    "id": 2,
    "ref": "core.intervaltimer",
    "config": {"unit": "seconds", "interval": 5}
  },
  {
    "id": 3,
    "ref": "core.intervaltimer",
    "config": {"unit": "seconds", "interval": 10}
  }
 ]'
 python3 ./packs/core/sensors/interval_timer_sensor.py
 ```
 You should see events firing at different intervals (3s, 5s, 10s).
 ---
 ## Validation Tests
 ### Validate YAML Schemas
 ```bash
 # Install yamllint (optional)
 pip install yamllint
 # Validate all YAML files
 yamllint packs/core/**/*.yaml
 ```
 ### Validate JSON Schemas
 ```bash
 # Check parameter schemas are valid JSON Schema
 cat packs/core/actions/http_request.yaml | grep -A 50 "parameters:" | python3 -c "
 import sys, yaml, json
 data = yaml.safe_load(sys.stdin)
 print(json.dumps(data, indent=2))
 "
 ```
 ---
 ## Error Testing
 ### Test Invalid Parameters
 ```bash
 # Invalid seconds value for sleep
 export ATTUNE_ACTION_SECONDS=-1
 ./packs/core/actions/sleep.sh
 # Expected: ERROR: seconds must be between 0 and 3600
 # Invalid exit code for noop
 export ATTUNE_ACTION_EXIT_CODE=999
 ./packs/core/actions/noop.sh
 # Expected: ERROR: exit_code must be between 0 and 255
 # Missing required parameter for HTTP request
 unset ATTUNE_ACTION_URL
 python3 ./packs/core/actions/http_request.py
 # Expected: ERROR: Required parameter 'url' not provided
 ```
 ---
 ## Performance Testing
 ### Measure Action Execution Time
 ```bash
 # Echo action
 time for i in {1..100}; do
  export ATTUNE_ACTION_MESSAGE="Test $i"
  ./packs/core/actions/echo.sh > /dev/null
 done
 # HTTP request action
 time for i in {1..10}; do
  export ATTUNE_ACTION_URL="https://httpbin.org/get"
  python3 ./packs/core/actions/http_request.py > /dev/null
 done
 ```
 ---
 ## Integration Testing (with Attune Services)
 ### Prerequisites
 ```bash
 # Start Attune services
 docker-compose up -d postgres rabbitmq redis
 # Run migrations
 sqlx migrate run
 # Load core pack (future)
 # attune pack load packs/core
 ```
 ### Test Action Execution via API
 ```bash
 # Create execution manually
 curl -X POST http://localhost:8080/api/v1/executions \
  -H "Content-Type: application/json" \
  -d '{
    "action_ref": "core.echo",
    "parameters": {
      "message": "API test",
      "uppercase": true
    }
  }'
 # Check execution status
 curl http://localhost:8080/api/v1/executions/{execution_id}
 ```
 ### Test Sensor via Sensor Service
 ```bash
 # Start sensor service (future)
 # cargo run --bin attune-sensor
 # Check events created
 curl http://localhost:8080/api/v1/events?limit=10
 ```
 ---
 ## Troubleshooting
 ### Action Not Executing
 ```bash
 # Check file permissions
 ls -la packs/core/actions/
 # Ensure scripts are executable
 chmod +x packs/core/actions/*.sh
 chmod +x packs/core/actions/*.py
 ```
 ### Python Import Errors
 ```bash
 # Install required packages
 pip install requests>=2.28.0
 # Verify Python version
 python3 --version  # Should be 3.8+
 ```
 ### Environment Variables Not Working
 ```bash
 # Print all ATTUNE_* environment variables
 env | grep ATTUNE_
 # Test with explicit export
 export ATTUNE_ACTION_MESSAGE="test"
 echo $ATTUNE_ACTION_MESSAGE
 ```
 ---
 ## Automated Test Script
 Create a test script `test_core_pack.sh`:
 ```bash
 #!/bin/bash
 set -e
 echo "Testing Core Pack Actions..."
 # Test echo
 echo "→ Testing core.echo..."
 export ATTUNE_ACTION_MESSAGE="Test"
 ./packs/core/actions/echo.sh > /dev/null
 echo "✓ core.echo passed"
 # Test sleep
 echo "→ Testing core.sleep..."
 export ATTUNE_ACTION_SECONDS=1
 ./packs/core/actions/sleep.sh > /dev/null
 echo "✓ core.sleep passed"
 # Test noop
 echo "→ Testing core.noop..."
 export ATTUNE_ACTION_MESSAGE="test"
 ./packs/core/actions/noop.sh > /dev/null
 echo "✓ core.noop passed"
 # Test HTTP request
 echo "→ Testing core.http_request..."
 export ATTUNE_ACTION_URL="https://httpbin.org/get"
 export ATTUNE_ACTION_METHOD="GET"
 python3 ./packs/core/actions/http_request.py > /dev/null
 echo "✓ core.http_request passed"
 echo ""
 echo "All tests passed! ✓"
 ```
 Run with:
 ```bash
 chmod +x test_core_pack.sh
 ./test_core_pack.sh
 ```
 ---
 ## Next Steps
 1. Implement pack loader to register components in database
 2. Update worker service to execute actions from filesystem
 3. Update sensor service to run sensors from filesystem
 4. Add comprehensive integration tests
 5. Create CLI commands for pack management
 See `docs/core-pack-integration.md` for implementation details.
--- a/docker/distributable/packs/core/actions/README.md
+++ b/docker/distributable/packs/core/actions/README.md
@@ -0,0 +1,362 @@
 # Core Pack Actions
 ## Overview
 All actions in the core pack are implemented as **pure POSIX shell scripts** with **zero external dependencies** (except `curl` for HTTP actions). This design ensures maximum portability and minimal runtime requirements.
 **Key Principles:**
 - **POSIX shell only** - No bash-specific features, works everywhere
 - **DOTENV parameter format** - Simple key=value format, no JSON parsing needed
 - **No jq/yq/Python/Node.js** - Core pack depends only on standard POSIX utilities
 - **Stdin parameter delivery** - Secure, never exposed in process list
 - **Explicit output formats** - text, json, or yaml
 ## Parameter Delivery Method
 **All actions use stdin with DOTENV format:**
 - Parameters read from **stdin** in `key=value` format
 - Use `parameter_delivery: stdin` and `parameter_format: dotenv` in YAML
 - Stdin is closed after delivery; scripts read until EOF
 - **DO NOT** use environment variables for parameters
 **Example DOTENV input:**
 ```
 message="Hello World"
 seconds=5
 enabled=true
 ```
 ## Output Format
 **All actions must specify an `output_format`:**
 - `text` - Plain text output (stored as-is, no parsing)
 - `json` - JSON structured data (parsed into JSONB field)
 - `yaml` - YAML structured data (parsed into JSONB field)
 **Output schema:**
 - Only applicable for `json` and `yaml` formats
 - Describes the structure of data written to stdout
 - **Should NOT include** stdout/stderr/exit_code (captured automatically)
 ## Environment Variables
 ### Standard Environment Variables (Provided by Worker)
 The worker automatically provides these environment variables to all action executions:
 | Variable | Description | Always Present |
 |----------|-------------|----------------|
 | `ATTUNE_ACTION` | Action ref (e.g., `core.http_request`) | ✅ Yes |
 | `ATTUNE_EXEC_ID` | Execution database ID | ✅ Yes |
 | `ATTUNE_API_TOKEN` | Execution-scoped API token | ✅ Yes |
 | `ATTUNE_RULE` | Rule ref that triggered execution | ❌ Only if from rule |
 | `ATTUNE_TRIGGER` | Trigger ref that caused enforcement | ❌ Only if from trigger |
 **Use cases:**
 - Logging with execution context
 - Calling Attune API (using `ATTUNE_API_TOKEN`)
 - Conditional logic based on rule/trigger
 - Creating child executions
 - Accessing secrets via API
 ### Custom Environment Variables (Optional)
 Custom environment variables can be set via `execution.env_vars` field for:
 - **Debug/logging controls** (e.g., `DEBUG=1`, `LOG_LEVEL=debug`)
 - **Runtime configuration** (e.g., custom paths, feature flags)
 Environment variables should **NEVER** be used for:
 - Action parameters (use stdin DOTENV instead)
 - Secrets or credentials (use `ATTUNE_API_TOKEN` to fetch from key vault)
 - User-provided data (use stdin parameters)
 ## Implementation Pattern
 ### POSIX Shell Actions (Standard Pattern)
 All core pack actions follow this pattern:
 ```sh
 #!/bin/sh
 # Action Name - Core Pack
 # Brief description
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables with defaults
 param1=""
 param2="default_value"
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes if present
    case "$value" in
        \"*\") value="${value#\"}"; value="${value%\"}" ;;
        \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    # Process parameters
    case "$key" in
        param1) param1="$value" ;;
        param2) param2="$value" ;;
    esac
 done
 # Validate required parameters
 if [ -z "$param1" ]; then
    echo "ERROR: param1 is required" >&2
    exit 1
 fi
 # Action logic
 echo "Processing: $param1"
 exit 0
 ```
 ### Boolean Normalization
 ```sh
 case "$bool_param" in
    true|True|TRUE|yes|Yes|YES|1) bool_param="true" ;;
    *) bool_param="false" ;;
 esac
 ```
 ### Numeric Validation
 ```sh
 case "$number" in
    ''|*[!0-9]*)
        echo "ERROR: must be a number" >&2
        exit 1
        ;;
 esac
 ```
 ## Core Pack Actions
 ### Simple Actions
 1. **echo.sh** - Outputs a message (reference implementation)
 2. **sleep.sh** - Pauses execution for a specified duration
 3. **noop.sh** - Does nothing (useful for testing and placeholder workflows)
 ### HTTP Action
 4. **http_request.sh** - Makes HTTP requests with full feature support:
   - Multiple HTTP methods (GET, POST, PUT, PATCH, DELETE, etc.)
   - Custom headers and query parameters
   - Authentication (basic, bearer token)
   - SSL verification control
   - Redirect following
   - JSON output with parsed response
 ### Pack Management Actions (API Wrappers)
 These actions wrap Attune API endpoints for pack management:
 5. **download_packs.sh** - Downloads packs from git/HTTP/registry
 6. **build_pack_envs.sh** - Builds runtime environments for packs
 7. **register_packs.sh** - Registers packs in the database
 8. **get_pack_dependencies.sh** - Analyzes pack dependencies
 All API wrappers:
 - Accept parameters via DOTENV format
 - Build JSON request bodies manually (no jq)
 - Make authenticated API calls with curl
 - Extract response data using simple sed patterns
 - Return structured JSON output
 ## Testing Actions Locally
 Test actions by echoing DOTENV format to stdin:
 ```bash
 # Test echo action
 printf 'message="Hello World"\n' | ./echo.sh
 # Test with empty parameters
 printf '' | ./echo.sh
 # Test sleep action
 printf 'seconds=2\nmessage="Sleeping..."\n' | ./sleep.sh
 # Test http_request action
 printf 'url="https://api.github.com"\nmethod="GET"\n' | ./http_request.sh
 # Test with file input
 cat params.dotenv | ./echo.sh
 ```
 ## YAML Configuration Example
 ```yaml
 ref: core.example_action
 label: "Example Action"
 description: "Example action demonstrating DOTENV format"
 enabled: true
 runner_type: shell
 entry_point: example.sh
 # IMPORTANT: Use DOTENV format for POSIX shell compatibility
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: text, json, or yaml
 output_format: text
 parameters:
  type: object
  properties:
    message:
      type: string
      description: "Message to output"
      default: ""
    count:
      type: integer
      description: "Number of times to repeat"
      default: 1
  required:
    - message
 ```
 ## Dependencies
 **Core pack has ZERO runtime dependencies:**
 ✅ **Required (universally available):**
 - POSIX-compliant shell (`/bin/sh`)
 - `curl` (for HTTP actions only)
 - Standard POSIX utilities: `sed`, `mktemp`, `cat`, `printf`, `sleep`
 ❌ **NOT Required:**
 - `jq` - Eliminated (was used for JSON parsing)
 - `yq` - Never used
 - Python - Not used in core pack actions
 - Node.js - Not used in core pack actions
 - bash - Scripts are POSIX-compliant
 - Any other external tools or libraries
 This makes the core pack **maximally portable** and suitable for minimal containers (Alpine, distroless, etc.).
 ## Security Benefits
 1. **No process exposure** - Parameters never appear in `ps`, `/proc/<pid>/environ`
 2. **Secure by default** - All actions use stdin, no special configuration needed
 3. **Clear separation** - Action parameters vs. environment configuration
 4. **Audit friendly** - All sensitive data flows through stdin, not environment
 5. **Minimal attack surface** - No external dependencies to exploit
 ## Best Practices
 ### Parameters
 1. **Always use stdin with DOTENV format** for action parameters
 2. **Handle quoted values** - Remove both single and double quotes
 3. **Provide sensible defaults** - Use empty string, 0, false as appropriate
 4. **Validate required params** - Exit with error if truly required parameters missing
 5. **Mark secrets** - Use `secret: true` in YAML for sensitive parameters
 6. **Never use env vars for parameters** - Parameters come from stdin only
 ### Environment Variables
 1. **Use standard ATTUNE_* variables** - Worker provides execution context
 2. **Access API with ATTUNE_API_TOKEN** - Execution-scoped authentication
 3. **Log with context** - Include `ATTUNE_ACTION` and `ATTUNE_EXEC_ID` in logs
 4. **Never log ATTUNE_API_TOKEN** - Security sensitive
 5. **Use env vars for runtime config only** - Not for user data or parameters
 ### Output Format
 1. **Specify output_format** - Always set to "text", "json", or "yaml"
 2. **Use text for simple output** - Messages, logs, unstructured data
 3. **Use json for structured data** - API responses, complex results
 4. **Define schema for structured output** - Only for json/yaml formats
 5. **Use stderr for diagnostics** - Error messages go to stderr, not stdout
 6. **Return proper exit codes** - 0 for success, non-zero for failure
 ### Shell Script Best Practices
 1. **Use `#!/bin/sh`** - POSIX shell, not bash
 2. **Use `set -e`** - Exit on error
 3. **Quote all variables** - `"$var"` not `$var`
 4. **Use `case` not `if`** - More portable for pattern matching
 5. **Clean up temp files** - Use trap handlers
 6. **Avoid bash-isms** - No `[[`, `${var^^}`, `=~`, arrays, etc.
 ## Execution Metadata (Automatic)
 The following are **automatically captured** by the worker and should **NOT** be included in output schemas:
 - `stdout` - Raw standard output (captured as-is)
 - `stderr` - Standard error output (written to log file)
 - `exit_code` - Process exit code (0 = success)
 - `duration_ms` - Execution duration in milliseconds
 These are execution system concerns, not action output concerns.
 ## Example: Complete Action
 ```sh
 #!/bin/sh
 # Example Action - Core Pack
 # Demonstrates DOTENV parameter parsing and environment variable usage
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 set -e
 # Log execution start
 echo "[$ATTUNE_ACTION] [Exec: $ATTUNE_EXEC_ID] Starting" >&2
 # Initialize variables
 url=""
 timeout="30"
 # Read DOTENV parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    case "$value" in
        \"*\") value="${value#\"}"; value="${value%\"}" ;;
    esac
    case "$key" in
        url) url="$value" ;;
        timeout) timeout="$value" ;;
    esac
 done
 # Validate
 if [ -z "$url" ]; then
    echo "ERROR: url is required" >&2
    exit 1
 fi
 # Execute
 echo "Fetching: $url" >&2
 result=$(curl -s --max-time "$timeout" "$url")
 # Output
 echo "$result"
 echo "[$ATTUNE_ACTION] [Exec: $ATTUNE_EXEC_ID] Completed" >&2
 exit 0
 ```
 ## Further Documentation
 - **Pattern Reference:** `docs/QUICKREF-dotenv-shell-actions.md`
 - **Pack Structure:** `docs/pack-structure.md`
 - **Example Actions:**
  - `echo.sh` - Simplest reference implementation
  - `http_request.sh` - Complex action with full HTTP client
  - `register_packs.sh` - API wrapper with JSON construction
--- a/docker/distributable/packs/core/actions/build_pack_envs.sh
+++ b/docker/distributable/packs/core/actions/build_pack_envs.sh
@@ -0,0 +1,215 @@
 #!/bin/sh
 # Build Pack Environments Action - Core Pack
 # API Wrapper for POST /api/v1/packs/build-envs
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 pack_paths=""
 packs_base_dir="/opt/attune/packs"
 python_version="3.11"
 nodejs_version="20"
 skip_python="false"
 skip_nodejs="false"
 force_rebuild="false"
 timeout="600"
 api_url="http://localhost:8080"
 api_token=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes if present (both single and double)
    case "$value" in
        \"*\")
            value="${value#\"}"
            value="${value%\"}"
            ;;
        \'*\')
            value="${value#\'}"
            value="${value%\'}"
            ;;
    esac
    # Process parameters
    case "$key" in
        pack_paths)
            pack_paths="$value"
            ;;
        packs_base_dir)
            packs_base_dir="$value"
            ;;
        python_version)
            python_version="$value"
            ;;
        nodejs_version)
            nodejs_version="$value"
            ;;
        skip_python)
            skip_python="$value"
            ;;
        skip_nodejs)
            skip_nodejs="$value"
            ;;
        force_rebuild)
            force_rebuild="$value"
            ;;
        timeout)
            timeout="$value"
            ;;
        api_url)
            api_url="$value"
            ;;
        api_token)
            api_token="$value"
            ;;
    esac
 done
 # Validate required parameters
 if [ -z "$pack_paths" ]; then
    printf '{"built_environments":[],"failed_environments":[],"summary":{"total_packs":0,"success_count":0,"failure_count":0,"python_envs_built":0,"nodejs_envs_built":0,"total_duration_ms":0}}\n'
    exit 1
 fi
 # Normalize booleans
 case "$skip_python" in
    true|True|TRUE|yes|Yes|YES|1) skip_python="true" ;;
    *) skip_python="false" ;;
 esac
 case "$skip_nodejs" in
    true|True|TRUE|yes|Yes|YES|1) skip_nodejs="true" ;;
    *) skip_nodejs="false" ;;
 esac
 case "$force_rebuild" in
    true|True|TRUE|yes|Yes|YES|1) force_rebuild="true" ;;
    *) force_rebuild="false" ;;
 esac
 # Validate timeout is numeric
 case "$timeout" in
    ''|*[!0-9]*)
        timeout="600"
        ;;
 esac
 # Escape values for JSON
 pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
 packs_base_dir_escaped=$(printf '%s' "$packs_base_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
 python_version_escaped=$(printf '%s' "$python_version" | sed 's/\\/\\\\/g; s/"/\\"/g')
 nodejs_version_escaped=$(printf '%s' "$nodejs_version" | sed 's/\\/\\\\/g; s/"/\\"/g')
 # Build JSON request body
 request_body=$(cat <<EOF
 {
  "pack_paths": $pack_paths_escaped,
  "packs_base_dir": "$packs_base_dir_escaped",
  "python_version": "$python_version_escaped",
  "nodejs_version": "$nodejs_version_escaped",
  "skip_python": $skip_python,
  "skip_nodejs": $skip_nodejs,
  "force_rebuild": $force_rebuild,
  "timeout": $timeout
 }
 EOF
 )
 # Create temp files for curl
 temp_response=$(mktemp)
 temp_headers=$(mktemp)
 cleanup() {
    rm -f "$temp_response" "$temp_headers"
 }
 trap cleanup EXIT
 # Calculate curl timeout (request timeout + buffer)
 curl_timeout=$((timeout + 30))
 # Make API call
 http_code=$(curl -X POST \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
    -d "$request_body" \
    -s \
    -w "%{http_code}" \
    -o "$temp_response" \
    --max-time "$curl_timeout" \
    --connect-timeout 10 \
    "${api_url}/api/v1/packs/build-envs" 2>/dev/null || echo "000")
 # Check HTTP status
 if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
    # Success - extract data field from API response
    response_body=$(cat "$temp_response")
    # Try to extract .data field using simple text processing
    # If response contains "data" field, extract it; otherwise use whole response
    case "$response_body" in
        *'"data":'*)
            # Extract content after "data": up to the closing brace
            # This is a simple extraction - assumes well-formed JSON
            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
            if [ -n "$data_content" ]; then
                printf '%s\n' "$data_content"
            else
                cat "$temp_response"
            fi
            ;;
        *)
            cat "$temp_response"
            ;;
    esac
    exit 0
 else
    # Error response - try to extract error message
    error_msg="API request failed"
    if [ -s "$temp_response" ]; then
        # Try to extract error or message field
        response_content=$(cat "$temp_response")
        case "$response_content" in
            *'"error":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
            *'"message":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
        esac
    fi
    # Escape error message for JSON
    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    cat <<EOF
 {
  "built_environments": [],
  "failed_environments": [{
    "pack_ref": "api",
    "pack_path": "",
    "runtime": "unknown",
    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
  }],
  "summary": {
    "total_packs": 0,
    "success_count": 0,
    "failure_count": 1,
    "python_envs_built": 0,
    "nodejs_envs_built": 0,
    "total_duration_ms": 0
  }
 }
 EOF
    exit 1
 fi
--- a/docker/distributable/packs/core/actions/build_pack_envs.yaml
+++ b/docker/distributable/packs/core/actions/build_pack_envs.yaml
@@ -0,0 +1,160 @@
 # Build Pack Environments Action
 # Creates runtime environments and installs dependencies for packs
 ref: core.build_pack_envs
 label: "Build Pack Environments"
 description: "Build runtime environments for packs and install declared dependencies (Python requirements.txt, Node.js package.json)"
 enabled: true
 runner_type: shell
 entry_point: build_pack_envs.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: json (structured data parsing enabled)
 output_format: json
 # Action parameters schema (StackStorm-style with inline required/secret)
 parameters:
  pack_paths:
    type: array
    description: "List of pack directory paths to build environments for"
    required: true
    items:
      type: string
    minItems: 1
  packs_base_dir:
    type: string
    description: "Base directory where packs are installed"
    default: "/opt/attune/packs"
  python_version:
    type: string
    description: "Python version to use for virtualenvs"
    default: "3.11"
  nodejs_version:
    type: string
    description: "Node.js version to use"
    default: "20"
  skip_python:
    type: boolean
    description: "Skip building Python environments"
    default: false
  skip_nodejs:
    type: boolean
    description: "Skip building Node.js environments"
    default: false
  force_rebuild:
    type: boolean
    description: "Force rebuild of existing environments"
    default: false
  timeout:
    type: integer
    description: "Timeout in seconds for building each environment"
    default: 600
    minimum: 60
    maximum: 3600
 # Output schema: describes the JSON structure written to stdout
 # Note: stdout/stderr/exit_code are captured automatically by the execution system
 output_schema:
  built_environments:
    type: array
    description: "List of successfully built environments"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        pack_path:
          type: string
          description: "Pack directory path"
        environments:
          type: object
          description: "Built environments for this pack"
          properties:
            python:
              type: object
              description: "Python environment details"
              properties:
                virtualenv_path:
                  type: string
                  description: "Path to Python virtualenv"
                requirements_installed:
                  type: boolean
                  description: "Whether requirements.txt was installed"
                package_count:
                  type: integer
                  description: "Number of packages installed"
                python_version:
                  type: string
                  description: "Python version used"
            nodejs:
              type: object
              description: "Node.js environment details"
              properties:
                node_modules_path:
                  type: string
                  description: "Path to node_modules directory"
                dependencies_installed:
                  type: boolean
                  description: "Whether package.json was installed"
                package_count:
                  type: integer
                  description: "Number of packages installed"
                nodejs_version:
                  type: string
                  description: "Node.js version used"
        duration_ms:
          type: integer
          description: "Time taken to build environments in milliseconds"
  failed_environments:
    type: array
    description: "List of packs where environment build failed"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        pack_path:
          type: string
          description: "Pack directory path"
        runtime:
          type: string
          description: "Runtime that failed (python or nodejs)"
        error:
          type: string
          description: "Error message"
  summary:
    type: object
    description: "Summary of environment build process"
    properties:
      total_packs:
        type: integer
        description: "Total number of packs processed"
      success_count:
        type: integer
        description: "Number of packs with successful builds"
      failure_count:
        type: integer
        description: "Number of packs with failed builds"
      python_envs_built:
        type: integer
        description: "Number of Python environments built"
      nodejs_envs_built:
        type: integer
        description: "Number of Node.js environments built"
      total_duration_ms:
        type: integer
        description: "Total time taken for all builds in milliseconds"
 # Tags for categorization
 tags:
  - pack
  - environment
  - dependencies
  - python
  - nodejs
  - installation
--- a/docker/distributable/packs/core/actions/download_packs.sh
+++ b/docker/distributable/packs/core/actions/download_packs.sh
@@ -0,0 +1,201 @@
 #!/bin/sh
 # Download Packs Action - Core Pack
 # API Wrapper for POST /api/v1/packs/download
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 packs=""
 destination_dir=""
 registry_url="https://registry.attune.io/index.json"
 ref_spec=""
 timeout="300"
 verify_ssl="true"
 api_url="http://localhost:8080"
 api_token=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes if present (both single and double)
    case "$value" in
        \"*\")
            value="${value#\"}"
            value="${value%\"}"
            ;;
        \'*\')
            value="${value#\'}"
            value="${value%\'}"
            ;;
    esac
    # Process parameters
    case "$key" in
        packs)
            packs="$value"
            ;;
        destination_dir)
            destination_dir="$value"
            ;;
        registry_url)
            registry_url="$value"
            ;;
        ref_spec)
            ref_spec="$value"
            ;;
        timeout)
            timeout="$value"
            ;;
        verify_ssl)
            verify_ssl="$value"
            ;;
        api_url)
            api_url="$value"
            ;;
        api_token)
            api_token="$value"
            ;;
    esac
 done
 # Validate required parameters
 if [ -z "$destination_dir" ]; then
    printf '{"downloaded_packs":[],"failed_packs":[{"source":"input","error":"destination_dir is required"}],"total_count":0,"success_count":0,"failure_count":1}\n'
    exit 1
 fi
 # Normalize boolean
 case "$verify_ssl" in
    true|True|TRUE|yes|Yes|YES|1) verify_ssl="true" ;;
    *) verify_ssl="false" ;;
 esac
 # Validate timeout is numeric
 case "$timeout" in
    ''|*[!0-9]*)
        timeout="300"
        ;;
 esac
 # Escape values for JSON
 packs_escaped=$(printf '%s' "$packs" | sed 's/\\/\\\\/g; s/"/\\"/g')
 destination_dir_escaped=$(printf '%s' "$destination_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
 registry_url_escaped=$(printf '%s' "$registry_url" | sed 's/\\/\\\\/g; s/"/\\"/g')
 # Build JSON request body
 if [ -n "$ref_spec" ]; then
    ref_spec_escaped=$(printf '%s' "$ref_spec" | sed 's/\\/\\\\/g; s/"/\\"/g')
    request_body=$(cat <<EOF
 {
  "packs": $packs_escaped,
  "destination_dir": "$destination_dir_escaped",
  "registry_url": "$registry_url_escaped",
  "ref_spec": "$ref_spec_escaped",
  "timeout": $timeout,
  "verify_ssl": $verify_ssl
 }
 EOF
 )
 else
    request_body=$(cat <<EOF
 {
  "packs": $packs_escaped,
  "destination_dir": "$destination_dir_escaped",
  "registry_url": "$registry_url_escaped",
  "timeout": $timeout,
  "verify_ssl": $verify_ssl
 }
 EOF
 )
 fi
 # Create temp files for curl
 temp_response=$(mktemp)
 temp_headers=$(mktemp)
 cleanup() {
    rm -f "$temp_response" "$temp_headers"
 }
 trap cleanup EXIT
 # Calculate curl timeout (request timeout + buffer)
 curl_timeout=$((timeout + 30))
 # Make API call
 http_code=$(curl -X POST \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
    -d "$request_body" \
    -s \
    -w "%{http_code}" \
    -o "$temp_response" \
    --max-time "$curl_timeout" \
    --connect-timeout 10 \
    "${api_url}/api/v1/packs/download" 2>/dev/null || echo "000")
 # Check HTTP status
 if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
    # Success - extract data field from API response
    response_body=$(cat "$temp_response")
    # Try to extract .data field using simple text processing
    # If response contains "data" field, extract it; otherwise use whole response
    case "$response_body" in
        *'"data":'*)
            # Extract content after "data": up to the closing brace
            # This is a simple extraction - assumes well-formed JSON
            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
            if [ -n "$data_content" ]; then
                printf '%s\n' "$data_content"
            else
                cat "$temp_response"
            fi
            ;;
        *)
            cat "$temp_response"
            ;;
    esac
    exit 0
 else
    # Error response - try to extract error message
    error_msg="API request failed"
    if [ -s "$temp_response" ]; then
        # Try to extract error or message field
        response_content=$(cat "$temp_response")
        case "$response_content" in
            *'"error":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
            *'"message":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
        esac
    fi
    # Escape error message for JSON
    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    cat <<EOF
 {
  "downloaded_packs": [],
  "failed_packs": [{
    "source": "api",
    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
  }],
  "total_count": 0,
  "success_count": 0,
  "failure_count": 1
 }
 EOF
    exit 1
 fi
--- a/docker/distributable/packs/core/actions/download_packs.yaml
+++ b/docker/distributable/packs/core/actions/download_packs.yaml
@@ -0,0 +1,115 @@
 # Download Packs Action
 # Downloads packs from various sources (git repositories, HTTP archives, or pack registry)
 ref: core.download_packs
 label: "Download Packs"
 description: "Download packs from git repositories, HTTP archives, or pack registry to a temporary directory"
 enabled: true
 runner_type: shell
 entry_point: download_packs.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: json (structured data parsing enabled)
 output_format: json
 # Action parameters schema (StackStorm-style with inline required/secret)
 parameters:
  packs:
    type: array
    description: "List of packs to download (git URLs, HTTP URLs, or pack refs)"
    items:
      type: string
    minItems: 1
    required: true
  destination_dir:
    type: string
    description: "Destination directory for downloaded packs"
    required: true
  registry_url:
    type: string
    description: "Pack registry URL for resolving pack refs (optional)"
    default: "https://registry.attune.io/index.json"
  ref_spec:
    type: string
    description: "Git reference to checkout (branch, tag, or commit) - applies to all git URLs"
  timeout:
    type: integer
    description: "Download timeout in seconds per pack"
    default: 300
    minimum: 10
    maximum: 3600
  verify_ssl:
    type: boolean
    description: "Verify SSL certificates for HTTPS downloads"
    default: true
  api_url:
    type: string
    description: "Attune API URL for making registry lookups"
    default: "http://localhost:8080"
 # Output schema: describes the JSON structure written to stdout
 # Note: stdout/stderr/exit_code are captured automatically by the execution system
 output_schema:
  downloaded_packs:
    type: array
    description: "List of successfully downloaded packs"
    items:
      type: object
      properties:
        source:
          type: string
          description: "Original pack source (URL or ref)"
        source_type:
          type: string
          description: "Type of source"
          enum:
            - git
            - http
            - registry
        pack_path:
          type: string
          description: "Local filesystem path to downloaded pack"
        pack_ref:
          type: string
          description: "Pack reference (from pack.yaml)"
        pack_version:
          type: string
          description: "Pack version (from pack.yaml)"
        git_commit:
          type: string
          description: "Git commit hash (for git sources)"
        checksum:
          type: string
          description: "Directory checksum"
  failed_packs:
    type: array
    description: "List of packs that failed to download"
    items:
      type: object
      properties:
        source:
          type: string
          description: "Pack source that failed"
        error:
          type: string
          description: "Error message"
  total_count:
    type: integer
    description: "Total number of packs requested"
  success_count:
    type: integer
    description: "Number of packs successfully downloaded"
  failure_count:
    type: integer
    description: "Number of packs that failed"
 # Tags for categorization
 tags:
  - pack
  - download
  - git
  - installation
  - registry
--- a/docker/distributable/packs/core/actions/echo.sh
+++ b/docker/distributable/packs/core/actions/echo.sh
@@ -0,0 +1,38 @@
 #!/bin/sh
 # Echo Action - Core Pack
 # Outputs a message to stdout
 #
 # This script uses pure POSIX shell without external dependencies like jq or yq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize message variable
 message=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    case "$line" in
        message=*)
            # Extract value after message=
            message="${line#message=}"
            # Remove quotes if present (both single and double)
            case "$message" in
                \"*\")
                    message="${message#\"}"
                    message="${message%\"}"
                    ;;
                \'*\')
                    message="${message#\'}"
                    message="${message%\'}"
                    ;;
            esac
            ;;
    esac
 done
 # Echo the message (even if empty)
 echo -n "$message"
 # Exit successfully
 exit 0
--- a/docker/distributable/packs/core/actions/echo.yaml
+++ b/docker/distributable/packs/core/actions/echo.yaml
@@ -0,0 +1,35 @@
 # Echo Action
 # Outputs a message to stdout
 ref: core.echo
 label: "Echo"
 description: "Echo a message to stdout"
 enabled: true
 # Runner type determines how the action is executed
 runner_type: shell
 # Entry point is the shell command or script to execute
 entry_point: echo.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: text (no structured data parsing)
 output_format: text
 # Action parameters schema (StackStorm-style: inline required/secret per parameter)
 parameters:
  message:
    type: string
    description: "Message to echo (empty string if not provided)"
 # Output schema: not applicable for text output format
 # The action outputs plain text to stdout
 # Tags for categorization
 tags:
  - utility
  - testing
  - debug
--- a/docker/distributable/packs/core/actions/get_pack_dependencies.sh
+++ b/docker/distributable/packs/core/actions/get_pack_dependencies.sh
@@ -0,0 +1,154 @@
 #!/bin/sh
 # Get Pack Dependencies Action - Core Pack
 # API Wrapper for POST /api/v1/packs/dependencies
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 pack_paths=""
 skip_validation="false"
 api_url="http://localhost:8080"
 api_token=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes if present (both single and double)
    case "$value" in
        \"*\")
            value="${value#\"}"
            value="${value%\"}"
            ;;
        \'*\')
            value="${value#\'}"
            value="${value%\'}"
            ;;
    esac
    # Process parameters
    case "$key" in
        pack_paths)
            pack_paths="$value"
            ;;
        skip_validation)
            skip_validation="$value"
            ;;
        api_url)
            api_url="$value"
            ;;
        api_token)
            api_token="$value"
            ;;
    esac
 done
 # Validate required parameters
 if [ -z "$pack_paths" ]; then
    printf '{"dependencies":[],"runtime_requirements":{},"missing_dependencies":[],"analyzed_packs":[],"errors":[{"pack_path":"input","error":"No pack paths provided"}]}\n'
    exit 1
 fi
 # Normalize boolean
 case "$skip_validation" in
    true|True|TRUE|yes|Yes|YES|1) skip_validation="true" ;;
    *) skip_validation="false" ;;
 esac
 # Build JSON request body (escape pack_paths value for JSON)
 pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
 request_body=$(cat <<EOF
 {
  "pack_paths": $pack_paths_escaped,
  "skip_validation": $skip_validation
 }
 EOF
 )
 # Create temp files for curl
 temp_response=$(mktemp)
 temp_headers=$(mktemp)
 cleanup() {
    rm -f "$temp_response" "$temp_headers"
 }
 trap cleanup EXIT
 # Make API call
 http_code=$(curl -X POST \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
    -d "$request_body" \
    -s \
    -w "%{http_code}" \
    -o "$temp_response" \
    --max-time 60 \
    --connect-timeout 10 \
    "${api_url}/api/v1/packs/dependencies" 2>/dev/null || echo "000")
 # Check HTTP status
 if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
    # Success - extract data field from API response
    response_body=$(cat "$temp_response")
    # Try to extract .data field using simple text processing
    # If response contains "data" field, extract it; otherwise use whole response
    case "$response_body" in
        *'"data":'*)
            # Extract content after "data": up to the closing brace
            # This is a simple extraction - assumes well-formed JSON
            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
            if [ -n "$data_content" ]; then
                printf '%s\n' "$data_content"
            else
                cat "$temp_response"
            fi
            ;;
        *)
            cat "$temp_response"
            ;;
    esac
    exit 0
 else
    # Error response - try to extract error message
    error_msg="API request failed"
    if [ -s "$temp_response" ]; then
        # Try to extract error or message field
        response_content=$(cat "$temp_response")
        case "$response_content" in
            *'"error":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
            *'"message":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
        esac
    fi
    # Escape error message for JSON
    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    cat <<EOF
 {
  "dependencies": [],
  "runtime_requirements": {},
  "missing_dependencies": [],
  "analyzed_packs": [],
  "errors": [{
    "pack_path": "api",
    "error": "API call failed (HTTP $http_code): $error_msg_escaped"
  }]
 }
 EOF
    exit 1
 fi
--- a/docker/distributable/packs/core/actions/get_pack_dependencies.yaml
+++ b/docker/distributable/packs/core/actions/get_pack_dependencies.yaml
@@ -0,0 +1,137 @@
 # Get Pack Dependencies Action
 # Parses pack.yaml files to identify pack and runtime dependencies
 ref: core.get_pack_dependencies
 label: "Get Pack Dependencies"
 description: "Parse pack.yaml files to extract pack dependencies and runtime requirements"
 enabled: true
 runner_type: shell
 entry_point: get_pack_dependencies.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: json (structured data parsing enabled)
 output_format: json
 # Action parameters schema (StackStorm-style with inline required/secret)
 parameters:
  pack_paths:
    type: array
    description: "List of pack directory paths to analyze"
    items:
      type: string
    minItems: 1
    required: true
  skip_validation:
    type: boolean
    description: "Skip validation of pack.yaml schema"
    default: false
  api_url:
    type: string
    description: "Attune API URL for checking installed packs"
    default: "http://localhost:8080"
 # Output schema: describes the JSON structure written to stdout
 # Note: stdout/stderr/exit_code are captured automatically by the execution system
 output_schema:
  dependencies:
    type: array
    description: "List of pack dependencies that need to be installed"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference (e.g., 'core', 'slack')"
        version_spec:
          type: string
          description: "Version specification (e.g., '>=1.0.0', '^2.1.0')"
        required_by:
          type: string
          description: "Pack that requires this dependency"
        already_installed:
          type: boolean
          description: "Whether this dependency is already installed"
  runtime_requirements:
    type: object
    description: "Runtime environment requirements by pack"
    additionalProperties:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        python:
          type: object
          description: "Python runtime requirements"
          properties:
            version:
              type: string
              description: "Python version requirement"
            requirements_file:
              type: string
              description: "Path to requirements.txt"
        nodejs:
          type: object
          description: "Node.js runtime requirements"
          properties:
            version:
              type: string
              description: "Node.js version requirement"
            package_file:
              type: string
              description: "Path to package.json"
  missing_dependencies:
    type: array
    description: "Pack dependencies that are not yet installed"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        version_spec:
          type: string
          description: "Version specification"
        required_by:
          type: string
          description: "Pack that requires this dependency"
  analyzed_packs:
    type: array
    description: "List of packs that were analyzed"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        pack_path:
          type: string
          description: "Path to pack directory"
        has_dependencies:
          type: boolean
          description: "Whether pack has dependencies"
        dependency_count:
          type: integer
          description: "Number of dependencies"
  errors:
    type: array
    description: "Errors encountered during analysis"
    items:
      type: object
      properties:
        pack_path:
          type: string
          description: "Pack path where error occurred"
        error:
          type: string
          description: "Error message"
 # Tags for categorization
 tags:
  - pack
  - dependencies
  - validation
  - installation
--- a/docker/distributable/packs/core/actions/http_request.sh
+++ b/docker/distributable/packs/core/actions/http_request.sh
@@ -0,0 +1,268 @@
 #!/bin/sh
 # HTTP Request Action - Core Pack
 # Make HTTP requests to external APIs using curl
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 url=""
 method="GET"
 body=""
 json_body=""
 timeout="30"
 verify_ssl="true"
 auth_type="none"
 auth_username=""
 auth_password=""
 auth_token=""
 follow_redirects="true"
 max_redirects="10"
 # Temporary files
 headers_file=$(mktemp)
 query_params_file=$(mktemp)
 body_file=""
 temp_headers=$(mktemp)
 curl_output=$(mktemp)
 write_out_file=$(mktemp)
 cleanup() {
    local exit_code=$?
    rm -f "$headers_file" "$query_params_file" "$temp_headers" "$curl_output" "$write_out_file"
    [ -n "$body_file" ] && [ -f "$body_file" ] && rm -f "$body_file"
    return "$exit_code"
 }
 trap cleanup EXIT
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes
    case "$value" in
        \"*\") value="${value#\"}"; value="${value%\"}" ;;
        \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    # Process parameters
    case "$key" in
        url) url="$value" ;;
        method) method="$value" ;;
        body) body="$value" ;;
        json_body) json_body="$value" ;;
        timeout) timeout="$value" ;;
        verify_ssl) verify_ssl="$value" ;;
        auth_type) auth_type="$value" ;;
        auth_username) auth_username="$value" ;;
        auth_password) auth_password="$value" ;;
        auth_token) auth_token="$value" ;;
        follow_redirects) follow_redirects="$value" ;;
        max_redirects) max_redirects="$value" ;;
        headers.*)
            printf '%s: %s\n' "${key#headers.}" "$value" >> "$headers_file"
            ;;
        query_params.*)
            printf '%s=%s\n' "${key#query_params.}" "$value" >> "$query_params_file"
            ;;
    esac
 done
 # Validate required
 if [ -z "$url" ]; then
    printf '{"status_code":0,"headers":{},"body":"","json":null,"elapsed_ms":0,"url":"","success":false,"error":"url parameter is required"}\n'
    exit 1
 fi
 # Normalize method
 method=$(printf '%s' "$method" | tr '[:lower:]' '[:upper:]')
 # URL encode helper
 url_encode() {
    printf '%s' "$1" | sed 's/ /%20/g; s/!/%21/g; s/"/%22/g; s/#/%23/g; s/\$/%24/g; s/&/%26/g; s/'\''/%27/g'
 }
 # Build URL with query params
 final_url="$url"
 if [ -s "$query_params_file" ]; then
    query_string=""
    while IFS='=' read -r param_name param_value; do
        [ -z "$param_name" ] && continue
        encoded=$(url_encode "$param_value")
        [ -z "$query_string" ] && query_string="${param_name}=${encoded}" || query_string="${query_string}&${param_name}=${encoded}"
    done < "$query_params_file"
    if [ -n "$query_string" ]; then
        case "$final_url" in
            *\?*) final_url="${final_url}&${query_string}" ;;
            *) final_url="${final_url}?${query_string}" ;;
        esac
    fi
 fi
 # Prepare body
 if [ -n "$json_body" ]; then
    body_file=$(mktemp)
    printf '%s' "$json_body" > "$body_file"
 elif [ -n "$body" ]; then
    body_file=$(mktemp)
    printf '%s' "$body" > "$body_file"
 fi
 # Build curl args file (avoid shell escaping issues)
 curl_args=$(mktemp)
 {
    printf -- '-X\n%s\n' "$method"
    printf -- '-s\n'
    # Use @file for -w to avoid xargs escape interpretation issues
    # curl's @file mode requires literal \n (two chars) not actual newlines
    printf '\\n%%{http_code}\\n%%{url_effective}\\n' > "$write_out_file"
    printf -- '-w\n@%s\n' "$write_out_file"
    printf -- '--max-time\n%s\n' "$timeout"
    printf -- '--connect-timeout\n10\n'
    printf -- '--dump-header\n%s\n' "$temp_headers"
    [ "$verify_ssl" = "false" ] && printf -- '-k\n'
    if [ "$follow_redirects" = "true" ]; then
        printf -- '-L\n'
        printf -- '--max-redirs\n%s\n' "$max_redirects"
    fi
    if [ -s "$headers_file" ]; then
        while IFS= read -r h; do
            [ -n "$h" ] && printf -- '-H\n%s\n' "$h"
        done < "$headers_file"
    fi
    case "$auth_type" in
        basic)
            [ -n "$auth_username" ] && printf -- '-u\n%s:%s\n' "$auth_username" "$auth_password"
            ;;
        bearer)
            [ -n "$auth_token" ] && printf -- '-H\nAuthorization: Bearer %s\n' "$auth_token"
            ;;
    esac
    if [ -n "$body_file" ] && [ -f "$body_file" ]; then
        [ -n "$json_body" ] && printf -- '-H\nContent-Type: application/json\n'
        printf -- '-d\n@%s\n' "$body_file"
    fi
    printf -- '%s\n' "$final_url"
 } > "$curl_args"
 # Execute curl
 start_time=$(date +%s%3N 2>/dev/null || echo $(($(date +%s) * 1000)))
 set +e
 xargs -a "$curl_args" curl > "$curl_output" 2>&1
 curl_exit_code=$?
 set -e
 rm -f "$curl_args"
 end_time=$(date +%s%3N 2>/dev/null || echo $(($(date +%s) * 1000)))
 elapsed_ms=$((end_time - start_time))
 # Parse output
 response=$(cat "$curl_output")
 total_lines=$(printf '%s\n' "$response" | wc -l)
 body_lines=$((total_lines - 2))
 if [ "$body_lines" -gt 0 ]; then
    body_output=$(printf '%s\n' "$response" | head -n "$body_lines")
 else
    body_output=""
 fi
 http_code=$(printf '%s\n' "$response" | tail -n 2 | head -n 1 | tr -d '\r\n ')
 effective_url=$(printf '%s\n' "$response" | tail -n 1 | tr -d '\r\n')
 case "$http_code" in
    ''|*[!0-9]*) http_code=0 ;;
 esac
 # Handle errors
 if [ "$curl_exit_code" -ne 0 ]; then
    error_msg="curl error code $curl_exit_code"
    case $curl_exit_code in
        6) error_msg="Could not resolve host" ;;
        7) error_msg="Failed to connect to host" ;;
        28) error_msg="Request timeout" ;;
        35) error_msg="SSL/TLS connection error" ;;
        52) error_msg="Empty reply from server" ;;
        56) error_msg="Failure receiving network data" ;;
    esac
    error_msg=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"status_code":0,"headers":{},"body":"","json":null,"elapsed_ms":%d,"url":"%s","success":false,"error":"%s"}\n' \
        "$elapsed_ms" "$final_url" "$error_msg"
    exit 1
 fi
 # Parse headers
 headers_json="{"
 first_header=true
 if [ -f "$temp_headers" ]; then
    while IFS= read -r line; do
        case "$line" in HTTP/*|'') continue ;; esac
        header_name="${line%%:*}"
        header_value="${line#*:}"
        [ "$header_name" = "$line" ] && continue
        header_value=$(printf '%s' "$header_value" | sed 's/^ *//; s/ *$//; s/\r$//; s/\\/\\\\/g; s/"/\\"/g')
        header_name=$(printf '%s' "$header_name" | sed 's/\\/\\\\/g; s/"/\\"/g')
        if [ "$first_header" = true ]; then
            headers_json="${headers_json}\"${header_name}\":\"${header_value}\""
            first_header=false
        else
            headers_json="${headers_json},\"${header_name}\":\"${header_value}\""
        fi
    done < "$temp_headers"
 fi
 headers_json="${headers_json}}"
 # Success check
 success="false"
 [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ] && success="true"
 # Escape body
 body_escaped=$(printf '%s' "$body_output" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g' | awk '{printf "%s\\n", $0}' | sed 's/\\n$//')
 # Detect JSON
 json_parsed="null"
 if [ -n "$body_output" ]; then
    first_char=$(printf '%s' "$body_output" | sed 's/^[[:space:]]*//' | head -c 1)
    last_char=$(printf '%s' "$body_output" | sed 's/[[:space:]]*$//' | tail -c 1)
    case "$first_char" in
        '{'|'[')
            case "$last_char" in
                '}'|']')
                    # Compact multi-line JSON to single line to avoid breaking
                    # the worker's last-line JSON parser. In valid JSON, literal
                    # newlines only appear as whitespace outside strings (inside
                    # strings they must be escaped as \n), so tr is safe here.
                    json_parsed=$(printf '%s' "$body_output" | tr '\n' ' ' | tr '\r' ' ')
                    ;;
            esac
            ;;
    esac
 fi
 # Output
 if [ "$json_parsed" = "null" ]; then
    printf '{"status_code":%d,"headers":%s,"body":"%s","json":null,"elapsed_ms":%d,"url":"%s","success":%s}\n' \
        "$http_code" "$headers_json" "$body_escaped" "$elapsed_ms" "$effective_url" "$success"
 else
    printf '{"status_code":%d,"headers":%s,"body":"%s","json":%s,"elapsed_ms":%d,"url":"%s","success":%s}\n' \
        "$http_code" "$headers_json" "$body_escaped" "$json_parsed" "$elapsed_ms" "$effective_url" "$success"
 fi
 exit 0
--- a/docker/distributable/packs/core/actions/http_request.yaml
+++ b/docker/distributable/packs/core/actions/http_request.yaml
@@ -0,0 +1,126 @@
 # HTTP Request Action
 # Make HTTP requests to external APIs
 ref: core.http_request
 label: "HTTP Request"
 description: "Make HTTP requests to external APIs with support for various methods, headers, and authentication"
 enabled: true
 # Runner type determines how the action is executed
 runner_type: shell
 # Entry point is the bash script to execute
 entry_point: http_request.sh
 # Parameter delivery configuration (for security)
 # Use stdin + DOTENV for secure parameter passing (credentials won't appear in process list)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: json (structured data parsing enabled)
 output_format: json
 # Action parameters schema (StackStorm-style with inline required/secret)
 parameters:
  url:
    type: string
    description: "URL to send the request to"
    required: true
  method:
    type: string
    description: "HTTP method to use"
    default: "GET"
    enum:
      - GET
      - POST
      - PUT
      - PATCH
      - DELETE
      - HEAD
      - OPTIONS
  headers:
    type: object
    description: "HTTP headers to include in the request"
    default: {}
  body:
    type: string
    description: "Request body (for POST, PUT, PATCH methods)"
  json_body:
    type: object
    description: "JSON request body (alternative to body parameter)"
  query_params:
    type: object
    description: "URL query parameters as key-value pairs"
    default: {}
  timeout:
    type: integer
    description: "Request timeout in seconds"
    default: 30
    minimum: 1
    maximum: 300
  verify_ssl:
    type: boolean
    description: "Verify SSL certificates"
    default: true
  auth_type:
    type: string
    description: "Authentication type"
    enum:
      - none
      - basic
      - bearer
  auth_username:
    type: string
    description: "Username for basic authentication"
  auth_password:
    type: string
    description: "Password for basic authentication"
    secret: true
  auth_token:
    type: string
    description: "Bearer token for bearer authentication"
    secret: true
  follow_redirects:
    type: boolean
    description: "Follow HTTP redirects"
    default: true
  max_redirects:
    type: integer
    description: "Maximum number of redirects to follow"
    default: 10
 # Output schema: describes the JSON structure written to stdout
 # Note: stdout/stderr/exit_code are captured automatically by the execution system
 output_schema:
  status_code:
    type: integer
    description: "HTTP status code"
  headers:
    type: object
    description: "Response headers"
  body:
    type: string
    description: "Response body as text"
  json:
    type: object
    description: "Parsed JSON response (if applicable, null otherwise)"
  elapsed_ms:
    type: integer
    description: "Request duration in milliseconds"
  url:
    type: string
    description: "Final URL after redirects"
  success:
    type: boolean
    description: "Whether the request was successful (2xx status code)"
  error:
    type: string
    description: "Error message if request failed (only present on failure)"
 # Tags for categorization
 tags:
  - http
  - api
  - web
  - utility
  - integration
--- a/docker/distributable/packs/core/actions/noop.sh
+++ b/docker/distributable/packs/core/actions/noop.sh
@@ -0,0 +1,73 @@
 #!/bin/sh
 # No Operation Action - Core Pack
 # Does nothing - useful for testing and placeholder workflows
 #
 # This script uses pure POSIX shell without external dependencies like jq or yq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 message=""
 exit_code="0"
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    case "$line" in
        message=*)
            # Extract value after message=
            message="${line#message=}"
            # Remove quotes if present (both single and double)
            case "$message" in
                \"*\")
                    message="${message#\"}"
                    message="${message%\"}"
                    ;;
                \'*\')
                    message="${message#\'}"
                    message="${message%\'}"
                    ;;
            esac
            ;;
        exit_code=*)
            # Extract value after exit_code=
            exit_code="${line#exit_code=}"
            # Remove quotes if present
            case "$exit_code" in
                \"*\")
                    exit_code="${exit_code#\"}"
                    exit_code="${exit_code%\"}"
                    ;;
                \'*\')
                    exit_code="${exit_code#\'}"
                    exit_code="${exit_code%\'}"
                    ;;
            esac
            ;;
    esac
 done
 # Validate exit code parameter (must be numeric)
 case "$exit_code" in
    ''|*[!0-9]*)
        echo "ERROR: exit_code must be a positive integer" >&2
        exit 1
        ;;
 esac
 # Validate exit code range (0-255)
 if [ "$exit_code" -lt 0 ] || [ "$exit_code" -gt 255 ]; then
    echo "ERROR: exit_code must be between 0 and 255" >&2
    exit 1
 fi
 # Log message if provided
 if [ -n "$message" ]; then
    echo "[NOOP] $message"
 fi
 # Output result
 echo "No operation completed successfully"
 # Exit with specified code
 exit "$exit_code"
--- a/docker/distributable/packs/core/actions/noop.yaml
+++ b/docker/distributable/packs/core/actions/noop.yaml
@@ -0,0 +1,42 @@
 # No Operation Action
 # Does nothing - useful for testing and placeholder workflows
 ref: core.noop
 label: "No-Op"
 description: "Does nothing - useful for testing and placeholder workflows"
 enabled: true
 # Runner type determines how the action is executed
 runner_type: shell
 # Entry point is the shell command or script to execute
 entry_point: noop.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: text (no structured data parsing)
 output_format: text
 # Action parameters schema (StackStorm-style inline format)
 parameters:
  message:
    type: string
    description: "Optional message to log (for debugging)"
  exit_code:
    type: integer
    description: "Exit code to return (default: 0 for success)"
    default: 0
    minimum: 0
    maximum: 255
 # Output schema: not applicable for text output format
 # The action outputs plain text to stdout
 # Tags for categorization
 tags:
  - utility
  - testing
  - placeholder
  - noop
--- a/docker/distributable/packs/core/actions/register_packs.sh
+++ b/docker/distributable/packs/core/actions/register_packs.sh
@@ -0,0 +1,187 @@
 #!/bin/sh
 # Register Packs Action - Core Pack
 # API Wrapper for POST /api/v1/packs/register-batch
 #
 # This script uses pure POSIX shell without external dependencies like jq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 pack_paths=""
 packs_base_dir="/opt/attune/packs"
 skip_validation="false"
 skip_tests="false"
 force="false"
 api_url="http://localhost:8080"
 api_token=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    [ -z "$line" ] && continue
    key="${line%%=*}"
    value="${line#*=}"
    # Remove quotes if present (both single and double)
    case "$value" in
        \"*\")
            value="${value#\"}"
            value="${value%\"}"
            ;;
        \'*\')
            value="${value#\'}"
            value="${value%\'}"
            ;;
    esac
    # Process parameters
    case "$key" in
        pack_paths)
            pack_paths="$value"
            ;;
        packs_base_dir)
            packs_base_dir="$value"
            ;;
        skip_validation)
            skip_validation="$value"
            ;;
        skip_tests)
            skip_tests="$value"
            ;;
        force)
            force="$value"
            ;;
        api_url)
            api_url="$value"
            ;;
        api_token)
            api_token="$value"
            ;;
    esac
 done
 # Validate required parameters
 if [ -z "$pack_paths" ]; then
    printf '{"registered_packs":[],"failed_packs":[{"pack_ref":"input","pack_path":"","error":"No pack paths provided","error_stage":"input_validation"}],"summary":{"total_packs":0,"success_count":0,"failure_count":1,"total_components":0,"duration_ms":0}}\n'
    exit 1
 fi
 # Normalize booleans
 case "$skip_validation" in
    true|True|TRUE|yes|Yes|YES|1) skip_validation="true" ;;
    *) skip_validation="false" ;;
 esac
 case "$skip_tests" in
    true|True|TRUE|yes|Yes|YES|1) skip_tests="true" ;;
    *) skip_tests="false" ;;
 esac
 case "$force" in
    true|True|TRUE|yes|Yes|YES|1) force="true" ;;
    *) force="false" ;;
 esac
 # Escape values for JSON
 pack_paths_escaped=$(printf '%s' "$pack_paths" | sed 's/\\/\\\\/g; s/"/\\"/g')
 packs_base_dir_escaped=$(printf '%s' "$packs_base_dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
 # Build JSON request body
 request_body=$(cat <<EOF
 {
  "pack_paths": $pack_paths_escaped,
  "packs_base_dir": "$packs_base_dir_escaped",
  "skip_validation": $skip_validation,
  "skip_tests": $skip_tests,
  "force": $force
 }
 EOF
 )
 # Create temp files for curl
 temp_response=$(mktemp)
 temp_headers=$(mktemp)
 cleanup() {
    rm -f "$temp_response" "$temp_headers"
 }
 trap cleanup EXIT
 # Make API call
 http_code=$(curl -X POST \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    ${api_token:+-H "Authorization: Bearer ${api_token}"} \
    -d "$request_body" \
    -s \
    -w "%{http_code}" \
    -o "$temp_response" \
    --max-time 300 \
    --connect-timeout 10 \
    "${api_url}/api/v1/packs/register-batch" 2>/dev/null || echo "000")
 # Check HTTP status
 if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
    # Success - extract data field from API response
    response_body=$(cat "$temp_response")
    # Try to extract .data field using simple text processing
    # If response contains "data" field, extract it; otherwise use whole response
    case "$response_body" in
        *'"data":'*)
            # Extract content after "data": up to the closing brace
            # This is a simple extraction - assumes well-formed JSON
            data_content=$(printf '%s' "$response_body" | sed -n 's/.*"data":\s*\(.*\)}/\1/p')
            if [ -n "$data_content" ]; then
                printf '%s\n' "$data_content"
            else
                cat "$temp_response"
            fi
            ;;
        *)
            cat "$temp_response"
            ;;
    esac
    exit 0
 else
    # Error response - try to extract error message
    error_msg="API request failed"
    if [ -s "$temp_response" ]; then
        # Try to extract error or message field
        response_content=$(cat "$temp_response")
        case "$response_content" in
            *'"error":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"error":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
            *'"message":'*)
                error_msg=$(printf '%s' "$response_content" | sed -n 's/.*"message":\s*"\([^"]*\)".*/\1/p')
                [ -z "$error_msg" ] && error_msg="API request failed"
                ;;
        esac
    fi
    # Escape error message for JSON
    error_msg_escaped=$(printf '%s' "$error_msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    cat <<EOF
 {
  "registered_packs": [],
  "failed_packs": [{
    "pack_ref": "api",
    "pack_path": "",
    "error": "API call failed (HTTP $http_code): $error_msg_escaped",
    "error_stage": "api_call"
  }],
  "summary": {
    "total_packs": 0,
    "success_count": 0,
    "failure_count": 1,
    "total_components": 0,
    "duration_ms": 0
  }
 }
 EOF
    exit 1
 fi
--- a/docker/distributable/packs/core/actions/register_packs.yaml
+++ b/docker/distributable/packs/core/actions/register_packs.yaml
@@ -0,0 +1,187 @@
 # Register Packs Action
 # Validates pack structure and loads components into database
 ref: core.register_packs
 label: "Register Packs"
 description: "Register packs by validating schemas, loading components into database, and copying to permanent storage"
 enabled: true
 runner_type: shell
 entry_point: register_packs.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: json (structured data parsing enabled)
 output_format: json
 # Action parameters schema (StackStorm-style with inline required/secret)
 parameters:
  pack_paths:
    type: array
    description: "List of pack directory paths to register"
    items:
      type: string
    minItems: 1
    required: true
  packs_base_dir:
    type: string
    description: "Base directory where packs are permanently stored"
    default: "/opt/attune/packs"
  skip_validation:
    type: boolean
    description: "Skip schema validation of pack components"
    default: false
  skip_tests:
    type: boolean
    description: "Skip running pack tests before registration"
    default: false
  force:
    type: boolean
    description: "Force registration even if pack already exists (will replace)"
    default: false
  api_url:
    type: string
    description: "Attune API URL for registration calls"
    default: "http://localhost:8080"
  api_token:
    type: string
    description: "API authentication token"
    secret: true
 # Output schema: describes the JSON structure written to stdout
 # Note: stdout/stderr/exit_code are captured automatically by the execution system
 output_schema:
  registered_packs:
    type: array
    description: "List of successfully registered packs"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        pack_id:
          type: integer
          description: "Database ID of registered pack"
        pack_version:
          type: string
          description: "Pack version"
        storage_path:
          type: string
          description: "Permanent storage path"
        components_registered:
          type: object
          description: "Count of registered components by type"
          properties:
            actions:
              type: integer
              description: "Number of actions registered"
            sensors:
              type: integer
              description: "Number of sensors registered"
            triggers:
              type: integer
              description: "Number of triggers registered"
            rules:
              type: integer
              description: "Number of rules registered"
            workflows:
              type: integer
              description: "Number of workflows registered"
            policies:
              type: integer
              description: "Number of policies registered"
        test_result:
          type: object
          description: "Pack test results (if tests were run)"
          properties:
            status:
              type: string
              description: "Test status"
              enum:
                - passed
                - failed
                - skipped
            total_tests:
              type: integer
              description: "Total number of tests"
            passed:
              type: integer
              description: "Number of passed tests"
            failed:
              type: integer
              description: "Number of failed tests"
        validation_results:
          type: object
          description: "Component validation results"
          properties:
            valid:
              type: boolean
              description: "Whether all components are valid"
            errors:
              type: array
              description: "Validation errors found"
              items:
                type: object
                properties:
                  component_type:
                    type: string
                    description: "Type of component"
                  component_file:
                    type: string
                    description: "File with validation error"
                  error:
                    type: string
                    description: "Error message"
  failed_packs:
    type: array
    description: "List of packs that failed to register"
    items:
      type: object
      properties:
        pack_ref:
          type: string
          description: "Pack reference"
        pack_path:
          type: string
          description: "Pack directory path"
        error:
          type: string
          description: "Error message"
        error_stage:
          type: string
          description: "Stage where error occurred"
          enum:
            - validation
            - testing
            - database_registration
            - file_copy
            - api_call
  summary:
    type: object
    description: "Summary of registration process"
    properties:
      total_packs:
        type: integer
        description: "Total number of packs processed"
      success_count:
        type: integer
        description: "Number of successfully registered packs"
      failure_count:
        type: integer
        description: "Number of failed registrations"
      total_components:
        type: integer
        description: "Total number of components registered"
      duration_ms:
        type: integer
        description: "Total registration time in milliseconds"
 # Tags for categorization
 tags:
  - pack
  - registration
  - validation
  - installation
  - database
--- a/docker/distributable/packs/core/actions/sleep.sh
+++ b/docker/distributable/packs/core/actions/sleep.sh
@@ -0,0 +1,76 @@
 #!/bin/sh
 # Sleep Action - Core Pack
 # Pauses execution for a specified duration
 #
 # This script uses pure POSIX shell without external dependencies like jq or yq.
 # It reads parameters in DOTENV format from stdin until EOF.
 set -e
 # Initialize variables
 seconds="1"
 message=""
 # Read DOTENV-formatted parameters from stdin until EOF
 while IFS= read -r line; do
    case "$line" in
        seconds=*)
            # Extract value after seconds=
            seconds="${line#seconds=}"
            # Remove quotes if present (both single and double)
            case "$seconds" in
                \"*\")
                    seconds="${seconds#\"}"
                    seconds="${seconds%\"}"
                    ;;
                \'*\')
                    seconds="${seconds#\'}"
                    seconds="${seconds%\'}"
                    ;;
            esac
            ;;
        message=*)
            # Extract value after message=
            message="${line#message=}"
            # Remove quotes if present
            case "$message" in
                \"*\")
                    message="${message#\"}"
                    message="${message%\"}"
                    ;;
                \'*\')
                    message="${message#\'}"
                    message="${message%\'}"
                    ;;
            esac
            ;;
    esac
 done
 # Validate seconds parameter (must be numeric)
 case "$seconds" in
    ''|*[!0-9]*)
        echo "ERROR: seconds must be a positive integer" >&2
        exit 1
        ;;
 esac
 # Validate seconds range (0-3600)
 if [ "$seconds" -lt 0 ] || [ "$seconds" -gt 3600 ]; then
    echo "ERROR: seconds must be between 0 and 3600" >&2
    exit 1
 fi
 # Display message if provided
 if [ -n "$message" ]; then
    echo "$message"
 fi
 # Sleep for the specified duration
 sleep "$seconds"
 # Output result
 echo "Slept for $seconds seconds"
 # Exit successfully
 exit 0
--- a/docker/distributable/packs/core/actions/sleep.yaml
+++ b/docker/distributable/packs/core/actions/sleep.yaml
@@ -0,0 +1,43 @@
 # Sleep Action
 # Pauses execution for a specified duration
 ref: core.sleep
 label: "Sleep"
 description: "Sleep for a specified number of seconds"
 enabled: true
 # Runner type determines how the action is executed
 runner_type: shell
 # Entry point is the shell command or script to execute
 entry_point: sleep.sh
 # Parameter delivery: stdin for secure parameter passing (no env vars)
 parameter_delivery: stdin
 parameter_format: dotenv
 # Output format: text (no structured data parsing)
 output_format: text
 # Action parameters (StackStorm-style with inline required/secret)
 parameters:
  seconds:
    type: integer
    description: "Number of seconds to sleep"
    required: true
    default: 1
    minimum: 0
    maximum: 3600
  message:
    type: string
    description: "Optional message to display before sleeping"
 # Output schema: not applicable for text output format
 # The action outputs plain text to stdout
 # Tags for categorization
 tags:
  - utility
  - testing
  - delay
  - timing
--- a/docker/distributable/packs/core/pack.yaml
+++ b/docker/distributable/packs/core/pack.yaml
@@ -0,0 +1,97 @@
 # Attune Core Pack
 # Built-in core functionality including timers, utilities, and basic actions
 ref: core
 label: "Core Pack"
 description: "Built-in core functionality including timer triggers, HTTP utilities, and basic shell actions"
 version: "1.0.0"
 author: "Attune Team"
 email: "core@attune.io"
 # Pack is a system pack (shipped with Attune)
 system: true
 # Pack configuration schema (StackStorm-style flat format)
 conf_schema:
  max_action_timeout:
    type: integer
    description: "Maximum timeout for action execution in seconds"
    default: 300
    minimum: 1
    maximum: 3600
  enable_debug_logging:
    type: boolean
    description: "Enable debug logging for core pack actions"
    default: false
 # Default pack configuration
 config:
  max_action_timeout: 300
  enable_debug_logging: false
 # Pack metadata
 meta:
  category: "system"
  keywords:
    - "core"
    - "utilities"
    - "timers"
    - "http"
    - "shell"
  # Python dependencies for Python-based actions
  python_dependencies:
    - "requests>=2.28.0"
    - "croniter>=1.4.0"
  # Documentation
  documentation_url: "https://docs.attune.io/packs/core"
  repository_url: "https://github.com/attune-io/attune"
 # Pack tags for discovery
 tags:
  - core
  - system
  - utilities
  - timers
 # Runtime dependencies
 runtime_deps:
  - shell
  - native
 # Enabled by default
 enabled: true
 # Pack Testing Configuration
 testing:
  # Enable testing during installation
  enabled: true
  # Test discovery method
  discovery:
    method: "directory"
    path: "tests"
  # Test runners by runtime type
  runners:
    shell:
      type: "script"
      entry_point: "tests/run_tests.sh"
      timeout: 60
      result_format: "simple"
    python:
      type: "unittest"
      entry_point: "tests/test_actions.py"
      timeout: 120
      result_format: "simple"
  # Test result expectations
  result_path: "tests/results/"
  # Minimum passing criteria (100% tests must pass)
  min_pass_rate: 1.0
  # Block installation if tests fail
  on_failure: "block"
--- a/docker/distributable/packs/core/permission_sets/admin.yaml
+++ b/docker/distributable/packs/core/permission_sets/admin.yaml
@@ -0,0 +1,28 @@
 ref: core.admin
 label: Admin
 description: Full administrative access across Attune resources.
 grants:
  - resource: packs
    actions: [read, create, update, delete]
  - resource: actions
    actions: [read, create, update, delete, execute]
  - resource: rules
    actions: [read, create, update, delete]
  - resource: triggers
    actions: [read, create, update, delete]
  - resource: executions
    actions: [read, update, cancel]
  - resource: events
    actions: [read]
  - resource: enforcements
    actions: [read]
  - resource: inquiries
    actions: [read, create, update, delete, respond]
  - resource: keys
    actions: [read, create, update, delete, decrypt]
  - resource: artifacts
    actions: [read, create, update, delete]
  - resource: identities
    actions: [read, create, update, delete]
  - resource: permissions
    actions: [read, create, update, delete, manage]
--- a/docker/distributable/packs/core/permission_sets/editor.yaml
+++ b/docker/distributable/packs/core/permission_sets/editor.yaml
@@ -0,0 +1,18 @@
 ref: core.editor
 label: Editor
 description: Create and update operational resources without full administrative control.
 grants:
  - resource: packs
    actions: [read, create, update]
  - resource: actions
    actions: [read, create, update, execute]
  - resource: rules
    actions: [read, create, update]
  - resource: triggers
    actions: [read]
  - resource: executions
    actions: [read, cancel]
  - resource: keys
    actions: [read, update, decrypt]
  - resource: artifacts
    actions: [read]
--- a/docker/distributable/packs/core/permission_sets/executor.yaml
+++ b/docker/distributable/packs/core/permission_sets/executor.yaml
@@ -0,0 +1,18 @@
 ref: core.executor
 label: Executor
 description: Read operational metadata and trigger executions without changing system definitions.
 grants:
  - resource: packs
    actions: [read]
  - resource: actions
    actions: [read, execute]
  - resource: rules
    actions: [read]
  - resource: triggers
    actions: [read]
  - resource: executions
    actions: [read]
  - resource: keys
    actions: [read]
  - resource: artifacts
    actions: [read]
--- a/docker/distributable/packs/core/permission_sets/viewer.yaml
+++ b/docker/distributable/packs/core/permission_sets/viewer.yaml
@@ -0,0 +1,18 @@
 ref: core.viewer
 label: Viewer
 description: Read-only access to operational metadata and execution visibility.
 grants:
  - resource: packs
    actions: [read]
  - resource: actions
    actions: [read]
  - resource: rules
    actions: [read]
  - resource: triggers
    actions: [read]
  - resource: executions
    actions: [read]
  - resource: keys
    actions: [read]
  - resource: artifacts
    actions: [read]
--- a/docker/distributable/packs/core/runtimes/README.md
+++ b/docker/distributable/packs/core/runtimes/README.md
@@ -0,0 +1,60 @@
 # Core Pack Runtime Metadata
 This directory contains runtime metadata YAML files for the core pack. Each file defines a runtime environment that can be used to execute actions and sensors.
 ## File Structure
 Each runtime YAML file contains only the fields that are stored in the database:
 - `ref` - Unique runtime reference (format: pack.name)
 - `pack_ref` - Pack this runtime belongs to
 - `name` - Human-readable runtime name
 - `description` - Brief description of the runtime
 - `distributions` - Runtime verification and capability metadata (JSONB)
 - `installation` - Installation requirements and metadata (JSONB)
 - `execution_config` - Interpreter, environment, dependency, and execution-time env var metadata
 ## `execution_config.env_vars`
 Runtime authors can declare execution-time environment variables in a purely declarative way.
 String values replace the variable entirely:
 ```yaml
 env_vars:
  NODE_PATH: "{env_dir}/node_modules"
 ```
 Object values support merge semantics against an existing value already present in the execution environment:
 ```yaml
 env_vars:
  PYTHONPATH:
    operation: prepend
    value: "{pack_dir}/lib"
    separator: ":"
 ```
 Supported operations:
 - `set` - Replace the variable with the resolved value
 - `prepend` - Add the resolved value before the existing value
 - `append` - Add the resolved value after the existing value
 Supported template variables:
 - `{pack_dir}`
 - `{env_dir}`
 - `{interpreter}`
 - `{manifest_path}`
 ## Available Runtimes
 - **python.yaml** - Python 3 runtime for actions and sensors
 - **nodejs.yaml** - Node.js runtime for JavaScript-based actions and sensors
 - **shell.yaml** - Shell (bash/sh) runtime - always available
 - **native.yaml** - Native compiled runtime (Rust, Go, C, etc.) - executes binaries directly without an interpreter
 ## Loading
 Runtime metadata files are loaded by the pack loading system and inserted into the `runtime` table in the database.
--- a/docker/distributable/packs/core/runtimes/go.yaml
+++ b/docker/distributable/packs/core/runtimes/go.yaml
@@ -0,0 +1,48 @@
 ref: core.go
 pack_ref: core
 name: Go
 aliases: [go, golang]
 description: Go runtime for compiling and running Go scripts and programs
 distributions:
  verification:
    commands:
      - binary: go
        args:
          - "version"
        exit_code: 0
        pattern: "go\\d+\\."
        priority: 1
  min_version: "1.18"
  recommended_version: "1.22"
 installation:
  package_managers:
    - apt
    - snap
    - brew
  module_support: true
 execution_config:
  interpreter:
    binary: go
    args:
      - "run"
    file_extension: ".go"
  environment:
    env_type: gopath
    dir_name: gopath
    create_command:
      - sh
      - "-c"
      - "mkdir -p {env_dir}"
    interpreter_path: null
  dependencies:
    manifest_file: go.mod
    install_command:
      - sh
      - "-c"
      - "cd {pack_dir} && GOPATH={env_dir} go mod download 2>/dev/null || true"
  env_vars:
    GOPATH: "{env_dir}"
    GOMODCACHE: "{env_dir}/pkg/mod"
--- a/docker/distributable/packs/core/runtimes/java.yaml
+++ b/docker/distributable/packs/core/runtimes/java.yaml
@@ -0,0 +1,31 @@
 ref: core.java
 pack_ref: core
 name: Java
 aliases: [java, jdk, openjdk]
 description: Java runtime for executing Java programs and scripts
 distributions:
  verification:
    commands:
      - binary: java
        args:
          - "-version"
        exit_code: 0
        pattern: "version \"\\d+"
        priority: 1
  min_version: "11"
  recommended_version: "21"
 installation:
  interpreters:
    - java
    - javac
  package_managers:
    - maven
    - gradle
 execution_config:
  interpreter:
    binary: java
    args: []
    file_extension: ".java"
--- a/docker/distributable/packs/core/runtimes/native.yaml
+++ b/docker/distributable/packs/core/runtimes/native.yaml
@@ -0,0 +1,21 @@
 ref: core.native
 pack_ref: core
 name: Native
 aliases: [native, builtin, standalone]
 description: Native compiled runtime (Rust, Go, C, etc.) - executes binaries directly without an interpreter
 distributions:
  verification:
    always_available: true
    check_required: false
  languages:
    - rust
    - go
    - c
    - c++
 installation:
  build_required: false
  system_native: true
 execution_config: {}
--- a/docker/distributable/packs/core/runtimes/nodejs.yaml
+++ b/docker/distributable/packs/core/runtimes/nodejs.yaml
@@ -0,0 +1,180 @@
 ref: core.nodejs
 pack_ref: core
 name: Node.js
 aliases: [node, nodejs, "node.js"]
 description: Node.js runtime for JavaScript-based actions and sensors
 distributions:
  verification:
    commands:
      - binary: node
        args:
          - "--version"
        exit_code: 0
        pattern: "v\\d+\\.\\d+\\.\\d+"
        priority: 1
  min_version: "16.0.0"
  recommended_version: "20.0.0"
 installation:
  package_managers:
    - npm
    - yarn
    - pnpm
  module_support: true
 execution_config:
  interpreter:
    binary: node
    args: []
    file_extension: ".js"
  environment:
    env_type: node_modules
    dir_name: node_modules
    create_command:
      - sh
      - "-c"
      - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
    interpreter_path: null
  dependencies:
    manifest_file: package.json
    install_command:
      - npm
      - install
      - "--prefix"
      - "{env_dir}"
  env_vars:
    NODE_PATH: "{env_dir}/node_modules"
 # Version-specific execution configurations.
 # Each entry describes how to invoke a particular Node.js version.
 # The worker uses these when an action declares a runtime_version constraint
 # (e.g., runtime_version: ">=20"). The highest available version satisfying
 # the constraint is selected, and its execution_config replaces the parent's.
 versions:
  - version: "18"
    distributions:
      verification:
        commands:
          - binary: node18
            args:
              - "--version"
            exit_code: 0
            pattern: "v18\\."
            priority: 1
          - binary: node
            args:
              - "--version"
            exit_code: 0
            pattern: "v18\\."
            priority: 2
    execution_config:
      interpreter:
        binary: node18
        args: []
        file_extension: ".js"
      environment:
        env_type: node_modules
        dir_name: node_modules
        create_command:
          - sh
          - "-c"
          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
        interpreter_path: null
      dependencies:
        manifest_file: package.json
        install_command:
          - npm
          - install
          - "--prefix"
          - "{env_dir}"
      env_vars:
        NODE_PATH: "{env_dir}/node_modules"
    meta:
      lts_codename: "hydrogen"
      eol: "2025-04-30"
  - version: "20"
    is_default: true
    distributions:
      verification:
        commands:
          - binary: node20
            args:
              - "--version"
            exit_code: 0
            pattern: "v20\\."
            priority: 1
          - binary: node
            args:
              - "--version"
            exit_code: 0
            pattern: "v20\\."
            priority: 2
    execution_config:
      interpreter:
        binary: node20
        args: []
        file_extension: ".js"
      environment:
        env_type: node_modules
        dir_name: node_modules
        create_command:
          - sh
          - "-c"
          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
        interpreter_path: null
      dependencies:
        manifest_file: package.json
        install_command:
          - npm
          - install
          - "--prefix"
          - "{env_dir}"
      env_vars:
        NODE_PATH: "{env_dir}/node_modules"
    meta:
      lts_codename: "iron"
      eol: "2026-04-30"
  - version: "22"
    distributions:
      verification:
        commands:
          - binary: node22
            args:
              - "--version"
            exit_code: 0
            pattern: "v22\\."
            priority: 1
          - binary: node
            args:
              - "--version"
            exit_code: 0
            pattern: "v22\\."
            priority: 2
    execution_config:
      interpreter:
        binary: node22
        args: []
        file_extension: ".js"
      environment:
        env_type: node_modules
        dir_name: node_modules
        create_command:
          - sh
          - "-c"
          - "mkdir -p {env_dir} && cp {manifest_path} {env_dir}/ 2>/dev/null || true"
        interpreter_path: null
      dependencies:
        manifest_file: package.json
        install_command:
          - npm
          - install
          - "--prefix"
          - "{env_dir}"
      env_vars:
        NODE_PATH: "{env_dir}/node_modules"
    meta:
      lts_codename: "jod"
      eol: "2027-04-30"
--- a/docker/distributable/packs/core/runtimes/perl.yaml
+++ b/docker/distributable/packs/core/runtimes/perl.yaml
@@ -0,0 +1,47 @@
 ref: core.perl
 pack_ref: core
 name: Perl
 aliases: [perl, perl5]
 description: Perl runtime for script execution with optional CPAN dependency management
 distributions:
  verification:
    commands:
      - binary: perl
        args:
          - "--version"
        exit_code: 0
        pattern: "perl.*v\\d+\\."
        priority: 1
  min_version: "5.20"
  recommended_version: "5.38"
 installation:
  package_managers:
    - cpanm
    - cpan
  interpreters:
    - perl
 execution_config:
  interpreter:
    binary: perl
    args: []
    file_extension: ".pl"
  environment:
    env_type: local_lib
    dir_name: perl5
    create_command:
      - sh
      - "-c"
      - "mkdir -p {env_dir}/lib/perl5"
    interpreter_path: null
  dependencies:
    manifest_file: cpanfile
    install_command:
      - sh
      - "-c"
      - "cd {pack_dir} && PERL5LIB={env_dir}/lib/perl5 PERL_LOCAL_LIB_ROOT={env_dir} cpanm --local-lib {env_dir} --installdeps --quiet . 2>/dev/null || true"
  env_vars:
    PERL5LIB: "{env_dir}/lib/perl5"
    PERL_LOCAL_LIB_ROOT: "{env_dir}"
--- a/docker/distributable/packs/core/runtimes/python.yaml
+++ b/docker/distributable/packs/core/runtimes/python.yaml
@@ -0,0 +1,191 @@
 ref: core.python
 pack_ref: core
 name: Python
 aliases: [python, python3]
 description: Python 3 runtime for actions and sensors with automatic environment management
 distributions:
  verification:
    commands:
      - binary: python3
        args:
          - "--version"
        exit_code: 0
        pattern: "Python 3\\."
        priority: 1
      - binary: python
        args:
          - "--version"
        exit_code: 0
        pattern: "Python 3\\."
        priority: 2
  min_version: "3.8"
  recommended_version: "3.12"
 installation:
  package_managers:
    - pip
    - pipenv
    - poetry
  virtual_env_support: true
 execution_config:
  interpreter:
    binary: python3
    args:
      - "-u"
    file_extension: ".py"
  environment:
    env_type: virtualenv
    dir_name: ".venv"
    create_command:
      - python3
      - "-m"
      - venv
      - "--copies"
      - "{env_dir}"
    interpreter_path: "{env_dir}/bin/python3"
  dependencies:
    manifest_file: requirements.txt
    install_command:
      - "{interpreter}"
      - "-m"
      - pip
      - install
      - "-r"
      - "{manifest_path}"
  env_vars:
    PYTHONPATH:
      operation: prepend
      value: "{pack_dir}/lib"
      separator: ":"
 # Version-specific execution configurations.
 # Each entry describes how to invoke a particular Python version.
 # The worker uses these when an action declares a runtime_version constraint
 # (e.g., runtime_version: ">=3.12"). The highest available version satisfying
 # the constraint is selected, and its execution_config replaces the parent's.
 versions:
  - version: "3.11"
    distributions:
      verification:
        commands:
          - binary: python3.11
            args:
              - "--version"
            exit_code: 0
            pattern: "Python 3\\.11\\."
            priority: 1
    execution_config:
      interpreter:
        binary: python3.11
        args:
          - "-u"
        file_extension: ".py"
      environment:
        env_type: virtualenv
        dir_name: ".venv"
        create_command:
          - python3.11
          - "-m"
          - venv
          - "--copies"
          - "{env_dir}"
        interpreter_path: "{env_dir}/bin/python3.11"
      dependencies:
        manifest_file: requirements.txt
        install_command:
          - "{interpreter}"
          - "-m"
          - pip
          - install
          - "-r"
          - "{manifest_path}"
      env_vars:
        PYTHONPATH:
          operation: prepend
          value: "{pack_dir}/lib"
          separator: ":"
  - version: "3.12"
    is_default: true
    distributions:
      verification:
        commands:
          - binary: python3.12
            args:
              - "--version"
            exit_code: 0
            pattern: "Python 3\\.12\\."
            priority: 1
    execution_config:
      interpreter:
        binary: python3.12
        args:
          - "-u"
        file_extension: ".py"
      environment:
        env_type: virtualenv
        dir_name: ".venv"
        create_command:
          - python3.12
          - "-m"
          - venv
          - "--copies"
          - "{env_dir}"
        interpreter_path: "{env_dir}/bin/python3.12"
      dependencies:
        manifest_file: requirements.txt
        install_command:
          - "{interpreter}"
          - "-m"
          - pip
          - install
          - "-r"
          - "{manifest_path}"
      env_vars:
        PYTHONPATH:
          operation: prepend
          value: "{pack_dir}/lib"
          separator: ":"
  - version: "3.13"
    distributions:
      verification:
        commands:
          - binary: python3.13
            args:
              - "--version"
            exit_code: 0
            pattern: "Python 3\\.13\\."
            priority: 1
    execution_config:
      interpreter:
        binary: python3.13
        args:
          - "-u"
        file_extension: ".py"
      environment:
        env_type: virtualenv
        dir_name: ".venv"
        create_command:
          - python3.13
          - "-m"
          - venv
          - "--copies"
          - "{env_dir}"
        interpreter_path: "{env_dir}/bin/python3.13"
      dependencies:
        manifest_file: requirements.txt
        install_command:
          - "{interpreter}"
          - "-m"
          - pip
          - install
          - "-r"
          - "{manifest_path}"
      env_vars:
        PYTHONPATH:
          operation: prepend
          value: "{pack_dir}/lib"
          separator: ":"
--- a/docker/distributable/packs/core/runtimes/r.yaml
+++ b/docker/distributable/packs/core/runtimes/r.yaml
@@ -0,0 +1,48 @@
 ref: core.r
 pack_ref: core
 name: R
 aliases: [r, rscript]
 description: R runtime for statistical computing and data analysis scripts
 distributions:
  verification:
    commands:
      - binary: Rscript
        args:
          - "--version"
        exit_code: 0
        pattern: "\\d+\\.\\d+\\.\\d+"
        priority: 1
  min_version: "4.0.0"
  recommended_version: "4.4.0"
 installation:
  package_managers:
    - install.packages
    - renv
  interpreters:
    - Rscript
    - R
 execution_config:
  interpreter:
    binary: Rscript
    args:
      - "--vanilla"
    file_extension: ".R"
  environment:
    env_type: renv
    dir_name: renv
    create_command:
      - sh
      - "-c"
      - "mkdir -p {env_dir}/library"
    interpreter_path: null
  dependencies:
    manifest_file: renv.lock
    install_command:
      - sh
      - "-c"
      - 'cd {pack_dir} && R_LIBS_USER={env_dir}/library Rscript -e "if (file.exists(''renv.lock'')) renv::restore(library=''{env_dir}/library'', prompt=FALSE)" 2>/dev/null || true'
  env_vars:
    R_LIBS_USER: "{env_dir}/library"
--- a/docker/distributable/packs/core/runtimes/ruby.yaml
+++ b/docker/distributable/packs/core/runtimes/ruby.yaml
@@ -0,0 +1,49 @@
 ref: core.ruby
 pack_ref: core
 name: Ruby
 aliases: [ruby, rb]
 description: Ruby runtime for script execution with automatic gem environment management
 distributions:
  verification:
    commands:
      - binary: ruby
        args:
          - "--version"
        exit_code: 0
        pattern: "ruby \\d+\\."
        priority: 1
  min_version: "2.7"
  recommended_version: "3.2"
 installation:
  package_managers:
    - gem
    - bundler
  interpreters:
    - ruby
  portable: false
 execution_config:
  interpreter:
    binary: ruby
    args: []
    file_extension: ".rb"
  environment:
    env_type: gem_home
    dir_name: gems
    create_command:
      - sh
      - "-c"
      - "mkdir -p {env_dir}/gems"
    interpreter_path: null
  dependencies:
    manifest_file: Gemfile
    install_command:
      - sh
      - "-c"
      - "cd {pack_dir} && GEM_HOME={env_dir}/gems GEM_PATH={env_dir}/gems bundle install --quiet 2>/dev/null || true"
  env_vars:
    GEM_HOME: "{env_dir}/gems"
    GEM_PATH: "{env_dir}/gems"
    BUNDLE_PATH: "{env_dir}/gems"
--- a/docker/distributable/packs/core/runtimes/shell.yaml
+++ b/docker/distributable/packs/core/runtimes/shell.yaml
@@ -0,0 +1,39 @@
 ref: core.shell
 pack_ref: core
 name: Shell
 aliases: [shell, bash, sh]
 description: Shell (bash/sh) runtime for script execution - always available
 distributions:
  verification:
    commands:
      - binary: sh
        args:
          - "--version"
        exit_code: 0
        optional: true
        priority: 1
      - binary: bash
        args:
          - "--version"
        exit_code: 0
        optional: true
        priority: 2
    always_available: true
 installation:
  interpreters:
    - sh
    - bash
    - dash
  portable: true
 execution_config:
  interpreter:
    binary: "/bin/bash"
    args: []
    file_extension: ".sh"
  inline_execution:
    strategy: temp_file
    extension: ".sh"
    inject_shell_helpers: true
--- a/docker/distributable/packs/core/sensors/attune-core-timer-sensor
+++ b/docker/distributable/packs/core/sensors/attune-core-timer-sensor
--- a/docker/distributable/packs/core/sensors/interval_timer_sensor.yaml
+++ b/docker/distributable/packs/core/sensors/interval_timer_sensor.yaml
@@ -0,0 +1,85 @@
 # Timer Sensor
 # Monitors time and fires all timer trigger types
 ref: core.interval_timer_sensor
 label: "Interval Timer Sensor"
 description: "Built-in sensor that monitors time and fires timer triggers (interval, cron, and one-shot datetime)"
 enabled: true
 # Sensor runner type
 runner_type: native
 # Entry point for sensor execution
 entry_point: attune-core-timer-sensor
 # Trigger types this sensor monitors
 trigger_types:
  - core.intervaltimer
  - core.crontimer
  - core.datetimetimer
 # Sensor configuration schema (StackStorm-style flat format)
 parameters:
  check_interval_seconds:
    type: integer
    description: "How often to check if triggers should fire (in seconds)"
    default: 1
    minimum: 1
    maximum: 60
 # Poll interval (how often the sensor checks for events)
 poll_interval: 1
 # Tags for categorization
 tags:
  - timer
  - interval
  - system
  - builtin
 # Metadata
 meta:
  builtin: true
  system: true
  description: |
    The timer sensor is a built-in system sensor that monitors all timer-based
    triggers and fires events according to their schedules. It supports three
    timer types:
    1. Interval timers: Fire at regular intervals (seconds, minutes, hours, days)
    2. Cron timers: Fire based on cron schedule expressions (e.g., "0 0 * * * *")
    3. DateTime timers: Fire once at a specific date and time (one-shot)
    This sensor uses tokio-cron-scheduler for efficient async scheduling and
    runs continuously as part of the Attune sensor service.
 # Documentation
 examples:
  - description: "Interval timer - fires every 10 seconds"
    trigger_type: core.intervaltimer
    trigger_config:
      unit: "seconds"
      interval: 10
  - description: "Interval timer - fire every 5 minutes"
    trigger_type: core.intervaltimer
    trigger_config:
      unit: "minutes"
      interval: 5
  - description: "Cron timer - fire every hour on the hour"
    trigger_type: core.crontimer
    trigger_config:
      expression: "0 0 * * * *"
  - description: "Cron timer - fire every weekday at 9 AM"
    trigger_type: core.crontimer
    trigger_config:
      expression: "0 0 9 * * 1-5"
      timezone: "UTC"
  - description: "DateTime timer - fire once at specific time"
    trigger_type: core.datetimetimer
    trigger_config:
      fire_at: "2024-12-31T23:59:59Z"
      timezone: "UTC"
--- a/docker/distributable/packs/core/test_core_pack.sh
+++ b/docker/distributable/packs/core/test_core_pack.sh
@@ -0,0 +1,193 @@
 #!/bin/bash
 # Automated test script for Core Pack
 # Tests all actions to ensure they work correctly
 set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 ACTIONS_DIR="$SCRIPT_DIR/actions"
 # Colors for output
 GREEN='\033[0;32m'
 RED='\033[0;31m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # Test counters
 TESTS_RUN=0
 TESTS_PASSED=0
 TESTS_FAILED=0
 # Function to print test result
 test_result() {
    TESTS_RUN=$((TESTS_RUN + 1))
    if [ $? -eq 0 ]; then
        echo -e "${GREEN}✓${NC} $1"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗${NC} $1"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Function to run a test
 run_test() {
    local test_name="$1"
    shift
    echo -n "  Testing: $test_name... "
    if "$@" > /dev/null 2>&1; then
        echo -e "${GREEN}✓${NC}"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗${NC}"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    TESTS_RUN=$((TESTS_RUN + 1))
 }
 echo "========================================="
 echo "Core Pack Test Suite"
 echo "========================================="
 echo ""
 # Check if actions directory exists
 if [ ! -d "$ACTIONS_DIR" ]; then
    echo -e "${RED}ERROR:${NC} Actions directory not found at $ACTIONS_DIR"
    exit 1
 fi
 # Check if scripts are executable
 echo "→ Checking script permissions..."
 for script in "$ACTIONS_DIR"/*.sh "$ACTIONS_DIR"/*.py; do
    if [ -f "$script" ] && [ ! -x "$script" ]; then
        echo -e "${YELLOW}WARNING:${NC} $script is not executable, fixing..."
        chmod +x "$script"
    fi
 done
 echo -e "${GREEN}✓${NC} All scripts have correct permissions"
 echo ""
 # Test core.echo
 echo "→ Testing core.echo..."
 export ATTUNE_ACTION_MESSAGE="Test message"
 export ATTUNE_ACTION_UPPERCASE=false
 run_test "basic echo" "$ACTIONS_DIR/echo.sh"
 export ATTUNE_ACTION_MESSAGE="test uppercase"
 export ATTUNE_ACTION_UPPERCASE=true
 OUTPUT=$("$ACTIONS_DIR/echo.sh")
 if [ "$OUTPUT" = "TEST UPPERCASE" ]; then
    echo -e "  Testing: uppercase conversion... ${GREEN}✓${NC}"
    TESTS_PASSED=$((TESTS_PASSED + 1))
 else
    echo -e "  Testing: uppercase conversion... ${RED}✗${NC} (expected 'TEST UPPERCASE', got '$OUTPUT')"
    TESTS_FAILED=$((TESTS_FAILED + 1))
 fi
 TESTS_RUN=$((TESTS_RUN + 1))
 unset ATTUNE_ACTION_MESSAGE ATTUNE_ACTION_UPPERCASE
 echo ""
 # Test core.sleep
 echo "→ Testing core.sleep..."
 export ATTUNE_ACTION_SECONDS=1
 export ATTUNE_ACTION_MESSAGE="Sleeping..."
 run_test "basic sleep (1 second)" "$ACTIONS_DIR/sleep.sh"
 # Test invalid seconds
 export ATTUNE_ACTION_SECONDS=-1
 if "$ACTIONS_DIR/sleep.sh" > /dev/null 2>&1; then
    echo -e "  Testing: invalid seconds validation... ${RED}✗${NC} (should have failed)"
    TESTS_FAILED=$((TESTS_FAILED + 1))
 else
    echo -e "  Testing: invalid seconds validation... ${GREEN}✓${NC}"
    TESTS_PASSED=$((TESTS_PASSED + 1))
 fi
 TESTS_RUN=$((TESTS_RUN + 1))
 unset ATTUNE_ACTION_SECONDS ATTUNE_ACTION_MESSAGE
 echo ""
 # Test core.noop
 echo "→ Testing core.noop..."
 export ATTUNE_ACTION_MESSAGE="Test noop"
 export ATTUNE_ACTION_EXIT_CODE=0
 run_test "basic noop with exit 0" "$ACTIONS_DIR/noop.sh"
 export ATTUNE_ACTION_EXIT_CODE=1
 if "$ACTIONS_DIR/noop.sh" > /dev/null 2>&1; then
    echo -e "  Testing: custom exit code (1)... ${RED}✗${NC} (should have exited with 1)"
    TESTS_FAILED=$((TESTS_FAILED + 1))
 else
    EXIT_CODE=$?
    if [ $EXIT_CODE -eq 1 ]; then
        echo -e "  Testing: custom exit code (1)... ${GREEN}✓${NC}"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "  Testing: custom exit code (1)... ${RED}✗${NC} (exit code was $EXIT_CODE, expected 1)"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 fi
 TESTS_RUN=$((TESTS_RUN + 1))
 unset ATTUNE_ACTION_MESSAGE ATTUNE_ACTION_EXIT_CODE
 echo ""
 # Test core.http_request (requires Python and requests library)
 echo "→ Testing core.http_request..."
 # Check if Python is available
 if ! command -v python3 &> /dev/null; then
    echo -e "${YELLOW}WARNING:${NC} Python 3 not found, skipping HTTP request tests"
 else
    # Check if requests library is installed
    if python3 -c "import requests" 2>/dev/null; then
        export ATTUNE_ACTION_URL="https://httpbin.org/get"
        export ATTUNE_ACTION_METHOD="GET"
        export ATTUNE_ACTION_TIMEOUT=10
        run_test "basic GET request" python3 "$ACTIONS_DIR/http_request.py"
        export ATTUNE_ACTION_URL="https://httpbin.org/post"
        export ATTUNE_ACTION_METHOD="POST"
        export ATTUNE_ACTION_JSON_BODY='{"test": "data"}'
        run_test "POST with JSON body" python3 "$ACTIONS_DIR/http_request.py"
        # Test missing required parameter
        unset ATTUNE_ACTION_URL
        if python3 "$ACTIONS_DIR/http_request.py" > /dev/null 2>&1; then
            echo -e "  Testing: missing URL validation... ${RED}✗${NC} (should have failed)"
            TESTS_FAILED=$((TESTS_FAILED + 1))
        else
            echo -e "  Testing: missing URL validation... ${GREEN}✓${NC}"
            TESTS_PASSED=$((TESTS_PASSED + 1))
        fi
        TESTS_RUN=$((TESTS_RUN + 1))
        unset ATTUNE_ACTION_URL ATTUNE_ACTION_METHOD ATTUNE_ACTION_JSON_BODY ATTUNE_ACTION_TIMEOUT
    else
        echo -e "${YELLOW}WARNING:${NC} Python requests library not found, skipping HTTP tests"
        echo "  Install with: pip install requests>=2.28.0"
    fi
 fi
 echo ""
 # Summary
 echo "========================================="
 echo "Test Results"
 echo "========================================="
 echo "Total tests run:    $TESTS_RUN"
 echo -e "Tests passed:       ${GREEN}$TESTS_PASSED${NC}"
 if [ $TESTS_FAILED -gt 0 ]; then
    echo -e "Tests failed:       ${RED}$TESTS_FAILED${NC}"
 else
    echo -e "Tests failed:       ${GREEN}$TESTS_FAILED${NC}"
 fi
 echo ""
 if [ $TESTS_FAILED -eq 0 ]; then
    echo -e "${GREEN}✓ All tests passed!${NC}"
    exit 0
 else
    echo -e "${RED}✗ Some tests failed${NC}"
    exit 1
 fi
--- a/docker/distributable/packs/core/tests/README.md
+++ b/docker/distributable/packs/core/tests/README.md
@@ -0,0 +1,348 @@
 # Core Pack Unit Tests
 This directory contains comprehensive unit tests for the Attune Core Pack actions.
 > **Note**: These tests can be run manually (as documented below) or programmatically during pack installation via the Pack Testing Framework. See [`docs/pack-testing-framework.md`](../../../docs/pack-testing-framework.md) for details on automatic test execution during pack installation.
 ## Overview
 The test suite validates that all core pack actions work correctly with:
 - Valid inputs
 - Invalid inputs (error handling)
 - Edge cases
 - Default values
 - Various parameter combinations
 ## Test Files
 - **`run_tests.sh`** - Bash-based test runner with colored output
 - **`test_actions.py`** - Python unittest/pytest suite for comprehensive testing
 - **`README.md`** - This file
 ## Running Tests
 ### Quick Test (Bash Runner)
 ```bash
 cd packs/core/tests
 chmod +x run_tests.sh
 ./run_tests.sh
 ```
 **Features:**
 - Color-coded output (green = pass, red = fail)
 - Fast execution
 - No dependencies beyond bash and python3
 - Tests all actions automatically
 - Validates YAML schemas
 - Checks file permissions
 ### Comprehensive Tests (Python)
 ```bash
 cd packs/core/tests
 # Using unittest
 python3 test_actions.py
 # Using pytest (recommended)
 pytest test_actions.py -v
 # Run specific test class
 pytest test_actions.py::TestEchoAction -v
 # Run specific test
 pytest test_actions.py::TestEchoAction::test_basic_echo -v
 ```
 **Features:**
 - Structured test cases with setUp/tearDown
 - Detailed assertions and error messages
 - Subtest support for parameterized tests
 - Better integration with CI/CD
 - Test discovery and filtering
 ## Prerequisites
 ### Required
 - Bash (for shell action tests)
 - Python 3.8+ (for Python action tests)
 ### Optional
 - `pytest` for better test output: `pip install pytest`
 - `PyYAML` for YAML validation: `pip install pyyaml`
 - `requests` for HTTP tests: `pip install requests>=2.28.0`
 ## Test Coverage
 ### core.echo
 - ✅ Basic echo with custom message
 - ✅ Default message when none provided
 - ✅ Uppercase conversion (true/false)
 - ✅ Empty messages
 - ✅ Special characters
 - ✅ Multiline messages
 - ✅ Exit code validation
 **Total: 7 tests**
 ### core.noop
 - ✅ Basic no-op execution
 - ✅ Custom message logging
 - ✅ Exit code 0 (success)
 - ✅ Custom exit codes (1-255)
 - ✅ Invalid negative exit codes (error)
 - ✅ Invalid large exit codes (error)
 - ✅ Invalid non-numeric exit codes (error)
 - ✅ Maximum valid exit code (255)
 **Total: 8 tests**
 ### core.sleep
 - ✅ Basic sleep (1 second)
 - ✅ Zero seconds sleep
 - ✅ Custom message display
 - ✅ Default duration (1 second)
 - ✅ Multi-second sleep (timing validation)
 - ✅ Invalid negative seconds (error)
 - ✅ Invalid large seconds >3600 (error)
 - ✅ Invalid non-numeric seconds (error)
 **Total: 8 tests**
 ### core.http_request
 - ✅ Simple GET request
 - ✅ Missing required URL (error)
 - ✅ POST with JSON body
 - ✅ Custom headers
 - ✅ Query parameters
 - ✅ Timeout handling
 - ✅ 404 status code handling
 - ✅ Different HTTP methods (PUT, PATCH, DELETE, HEAD, OPTIONS)
 - ✅ Elapsed time reporting
 - ✅ Response parsing (JSON/text)
 **Total: 10+ tests**
 ### Additional Tests
 - ✅ File permissions (all scripts executable)
 - ✅ YAML schema validation
 - ✅ pack.yaml structure
 - ✅ Action YAML schemas
 **Total: 4+ tests**
 ## Test Results
 When all tests pass, you should see output like:
 ```
 ========================================
 Core Pack Unit Tests
 ========================================
 Testing core.echo
  [1] echo: basic message ... PASS
  [2] echo: default message ... PASS
  [3] echo: uppercase conversion ... PASS
  [4] echo: uppercase false ... PASS
  [5] echo: exit code 0 ... PASS
 Testing core.noop
  [6] noop: basic execution ... PASS
  [7] noop: with message ... PASS
  ...
 ========================================
 Test Results
 ========================================
 Total Tests:  37
 Passed:       37
 Failed:       0
 ✓ All tests passed!
 ```
 ## Adding New Tests
 ### Adding to Bash Test Runner
 Edit `run_tests.sh` and add new test cases:
 ```bash
 # Test new action
 echo -e "${BLUE}Testing core.my_action${NC}"
 check_output \
    "my_action: basic test" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_PARAM='value' ./my_action.sh" \
    "Expected output"
 run_test_expect_fail \
    "my_action: invalid input" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_PARAM='invalid' ./my_action.sh"
 ```
 ### Adding to Python Test Suite
 Add a new test class to `test_actions.py`:
 ```python
 class TestMyAction(CorePackTestCase):
    """Tests for core.my_action"""
    def test_basic_functionality(self):
        """Test basic functionality"""
        stdout, stderr, code = self.run_action(
            "my_action.sh",
            {"ATTUNE_ACTION_PARAM": "value"}
        )
        self.assertEqual(code, 0)
        self.assertIn("expected output", stdout)
    def test_error_handling(self):
        """Test error handling"""
        stdout, stderr, code = self.run_action(
            "my_action.sh",
            {"ATTUNE_ACTION_PARAM": "invalid"},
            expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
 ```
 ## Continuous Integration
 ### GitHub Actions Example
 ```yaml
 name: Core Pack Tests
 on: [push, pull_request]
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: pip install pytest pyyaml requests
      - name: Run bash tests
        run: |
          cd packs/core/tests
          chmod +x run_tests.sh
          ./run_tests.sh
      - name: Run python tests
        run: |
          cd packs/core/tests
          pytest test_actions.py -v
 ```
 ## Troubleshooting
 ### Tests fail with "Permission denied"
 ```bash
 chmod +x packs/core/actions/*.sh
 chmod +x packs/core/actions/*.py
 ```
 ### Python import errors
 ```bash
 # Install required libraries
 pip install requests>=2.28.0 pyyaml
 ```
 ### HTTP tests timing out
 The `httpbin.org` service may be slow or unavailable. Try:
 - Increasing timeout in tests
 - Running tests again later
 - Using a local httpbin instance
 ### YAML validation fails
 Ensure PyYAML is installed:
 ```bash
 pip install pyyaml
 ```
 ## Best Practices
 1. **Test both success and failure cases** - Don't just test the happy path
 2. **Use descriptive test names** - Make it clear what each test validates
 3. **Test edge cases** - Empty strings, zero values, boundary conditions
 4. **Validate error messages** - Ensure helpful errors are returned
 5. **Keep tests fast** - Use minimal sleep times, short timeouts
 6. **Make tests independent** - Each test should work in isolation
 7. **Document expected behavior** - Add comments for complex tests
 ## Performance
 Expected test execution times:
 - **Bash runner**: ~15-30 seconds (with HTTP tests)
 - **Python suite**: ~20-40 seconds (with HTTP tests)
 - **Without HTTP tests**: ~5-10 seconds
 Slowest tests:
 - `core.sleep` timing validation tests (intentional delays)
 - `core.http_request` network requests
 ## Future Improvements
 - [ ] Add integration tests with Attune services
 - [ ] Add performance benchmarks
 - [ ] Test concurrent action execution
 - [ ] Mock HTTP requests for faster tests
 - [ ] Add property-based testing (hypothesis)
 - [ ] Test sensor functionality
 - [ ] Test trigger functionality
 - [ ] Add coverage reporting
 ## Programmatic Test Execution
 The Core Pack includes a `testing` section in `pack.yaml` that enables automatic test execution during pack installation:
 ```yaml
 testing:
  enabled: true
  runners:
    shell:
      entry_point: "tests/run_tests.sh"
      timeout: 60
    python:
      entry_point: "tests/test_actions.py"
      timeout: 120
  min_pass_rate: 1.0
  on_failure: "block"
 ```
 When installing the pack with `attune pack install`, these tests will run automatically to verify the pack works in the target environment.
 ## Resources
 - [Core Pack Documentation](../README.md)
 - [Testing Guide](../TESTING.md)
 - [Pack Testing Framework](../../../docs/pack-testing-framework.md) - Programmatic test execution
 - [Action Development Guide](../../../docs/action-development.md)
 - [Python unittest docs](https://docs.python.org/3/library/unittest.html)
 - [pytest docs](https://docs.pytest.org/)
 ---
 **Last Updated**: 2024-01-20  
 **Maintainer**: Attune Team
--- a/docker/distributable/packs/core/tests/TEST_RESULTS.md
+++ b/docker/distributable/packs/core/tests/TEST_RESULTS.md
@@ -0,0 +1,235 @@
 # Core Pack Unit Test Results
 **Date**: 2024-01-20  
 **Status**: ✅ ALL TESTS PASSING  
 **Total Tests**: 38 (Bash) + 38 (Python) = 76 tests
 ---
 ## Summary
 Comprehensive unit tests have been implemented for all core pack actions. Both bash-based and Python-based test suites are available and all tests are passing.
 ## Test Coverage by Action
 ### ✅ core.echo (7 tests)
 - Basic echo with custom message
 - Default message handling
 - Uppercase conversion (true/false)
 - Empty messages
 - Special characters
 - Multiline messages
 - Exit code validation
 ### ✅ core.noop (8 tests)
 - Basic no-op execution
 - Custom message logging
 - Exit code 0 (success)
 - Custom exit codes (1-255)
 - Invalid negative exit codes (error handling)
 - Invalid large exit codes (error handling)
 - Invalid non-numeric exit codes (error handling)
 - Maximum valid exit code (255)
 ### ✅ core.sleep (8 tests)
 - Basic sleep (1 second)
 - Zero seconds sleep
 - Custom message display
 - Default duration (1 second)
 - Multi-second sleep with timing validation
 - Invalid negative seconds (error handling)
 - Invalid large seconds >3600 (error handling)
 - Invalid non-numeric seconds (error handling)
 ### ✅ core.http_request (10 tests)
 - Simple GET request
 - Missing required URL (error handling)
 - POST with JSON body
 - Custom headers
 - Query parameters
 - Timeout handling
 - 404 status code handling
 - Different HTTP methods (PUT, PATCH, DELETE, HEAD, OPTIONS)
 - Elapsed time reporting
 - Response parsing (JSON/text)
 ### ✅ File Permissions (4 tests)
 - All action scripts are executable
 - Proper file permissions set
 ### ✅ YAML Validation (Optional)
 - pack.yaml structure validation
 - Action YAML schemas validation
 - (Skipped if PyYAML not installed)
 ---
 ## Test Execution
 ### Bash Test Runner
 ```bash
 cd packs/core/tests
 ./run_tests.sh
 ```
 **Results:**
 ```
 Total Tests:  36
 Passed:       36
 Failed:       0
 ✓ All tests passed!
 ```
 **Execution Time**: ~15-30 seconds (including HTTP tests)
 ### Python Test Suite
 ```bash
 cd packs/core/tests
 python3 test_actions.py
 ```
 **Results:**
 ```
 Ran 38 tests in 11.797s
 OK (skipped=2)
 ```
 **Execution Time**: ~12 seconds
 ---
 ## Test Features
 ### Error Handling Coverage
 ✅ Missing required parameters  
 ✅ Invalid parameter types  
 ✅ Out-of-range values  
 ✅ Negative values where inappropriate  
 ✅ Non-numeric values for numeric parameters  
 ✅ Empty values  
 ✅ Network timeouts  
 ✅ HTTP error responses  
 ### Positive Test Coverage
 ✅ Default parameter values  
 ✅ Minimum/maximum valid values  
 ✅ Various parameter combinations  
 ✅ Success paths  
 ✅ Output validation  
 ✅ Exit code verification  
 ✅ Timing validation (for sleep action)  
 ### Integration Tests
 ✅ Network requests (HTTP action)  
 ✅ File system operations  
 ✅ Environment variable parsing  
 ✅ Script execution  
 ---
 ## Fixed Issues
 ### Issue 1: SECONDS Variable Conflict
 **Problem**: The `sleep.sh` script used `SECONDS` as a variable name, which conflicts with bash's built-in `SECONDS` variable that tracks shell uptime.
 **Solution**: Renamed the variable to `SLEEP_SECONDS` to avoid the conflict.
 **Files Modified**: `packs/core/actions/sleep.sh`
 ---
 ## Test Infrastructure
 ### Test Files
 - `run_tests.sh` - Bash-based test runner (36 tests)
 - `test_actions.py` - Python unittest suite (38 tests)
 - `README.md` - Testing documentation
 - `TEST_RESULTS.md` - This file
 ### Dependencies
 **Required:**
 - bash
 - python3
 **Optional:**
 - `pytest` - Better test output
 - `PyYAML` - YAML validation
 - `requests` - HTTP action tests
 ### CI/CD Ready
 Both test suites are designed for continuous integration:
 - Non-zero exit codes on failure
 - Clear pass/fail reporting
 - Color-coded output (bash runner)
 - Structured test results (Python suite)
 - Optional dependency handling
 ---
 ## Test Maintenance
 ### Adding New Tests
 1. Add test cases to `run_tests.sh` for quick validation
 2. Add test methods to `test_actions.py` for comprehensive coverage
 3. Update this document with new test counts
 4. Run both test suites to verify
 ### When to Run Tests
 - ✅ Before committing changes to actions
 - ✅ After modifying action scripts
 - ✅ Before releasing new pack versions
 - ✅ In CI/CD pipelines
 - ✅ When troubleshooting action behavior
 ---
 ## Known Limitations
 1. **HTTP Tests**: Depend on external service (httpbin.org)
   - May fail if service is down
   - May be slow depending on network
   - Could be replaced with local mock server
 2. **Timing Tests**: Sleep action timing tests have tolerance
   - Allow for system scheduling delays
   - May be slower on heavily loaded systems
 3. **Optional Dependencies**: Some tests skipped if:
   - PyYAML not installed (YAML validation)
   - requests not installed (HTTP tests)
 ---
 ## Future Enhancements
 - [ ] Add sensor unit tests
 - [ ] Add trigger unit tests  
 - [ ] Mock HTTP requests for faster tests
 - [ ] Add performance benchmarks
 - [ ] Add concurrent execution tests
 - [ ] Add code coverage reporting
 - [ ] Add property-based testing (hypothesis)
 - [ ] Integration tests with Attune services
 ---
 ## Conclusion
 ✅ **All core pack actions are thoroughly tested and working correctly.**
 The test suite provides:
 - Comprehensive coverage of success and failure cases
 - Fast execution for rapid development feedback
 - Clear documentation of expected behavior
 - Confidence in core pack reliability
 Both bash and Python test runners are available for different use cases:
 - **Bash runner**: Quick, minimal dependencies, great for local development
 - **Python suite**: Structured, detailed, perfect for CI/CD and debugging
 ---
 **Maintained by**: Attune Team  
 **Last Updated**: 2024-01-20  
 **Next Review**: When new actions are added
--- a/docker/distributable/packs/core/tests/run_tests.sh
+++ b/docker/distributable/packs/core/tests/run_tests.sh
@@ -0,0 +1,393 @@
 #!/bin/bash
 # Core Pack Unit Test Runner
 # Runs all unit tests for core pack actions and reports results
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Test counters
 TOTAL_TESTS=0
 PASSED_TESTS=0
 FAILED_TESTS=0
 # Get script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PACK_DIR="$(dirname "$SCRIPT_DIR")"
 ACTIONS_DIR="$PACK_DIR/actions"
 # Test results array
 declare -a FAILED_TEST_NAMES
 echo -e "${BLUE}========================================${NC}"
 echo -e "${BLUE}Core Pack Unit Tests${NC}"
 echo -e "${BLUE}========================================${NC}"
 echo ""
 # Function to run a test
 run_test() {
    local test_name="$1"
    local test_command="$2"
    TOTAL_TESTS=$((TOTAL_TESTS + 1))
    echo -n "  [$TOTAL_TESTS] $test_name ... "
    if eval "$test_command" > /dev/null 2>&1; then
        echo -e "${GREEN}PASS${NC}"
        PASSED_TESTS=$((PASSED_TESTS + 1))
        return 0
    else
        echo -e "${RED}FAIL${NC}"
        FAILED_TESTS=$((FAILED_TESTS + 1))
        FAILED_TEST_NAMES+=("$test_name")
        return 1
    fi
 }
 # Function to run a test expecting failure
 run_test_expect_fail() {
    local test_name="$1"
    local test_command="$2"
    TOTAL_TESTS=$((TOTAL_TESTS + 1))
    echo -n "  [$TOTAL_TESTS] $test_name ... "
    if eval "$test_command" > /dev/null 2>&1; then
        echo -e "${RED}FAIL${NC} (expected failure but passed)"
        FAILED_TESTS=$((FAILED_TESTS + 1))
        FAILED_TEST_NAMES+=("$test_name")
        return 1
    else
        echo -e "${GREEN}PASS${NC} (failed as expected)"
        PASSED_TESTS=$((PASSED_TESTS + 1))
        return 0
    fi
 }
 # Function to check output contains text
 check_output() {
    local test_name="$1"
    local command="$2"
    local expected="$3"
    TOTAL_TESTS=$((TOTAL_TESTS + 1))
    echo -n "  [$TOTAL_TESTS] $test_name ... "
    local output=$(eval "$command" 2>&1)
    if echo "$output" | grep -q "$expected"; then
        echo -e "${GREEN}PASS${NC}"
        PASSED_TESTS=$((PASSED_TESTS + 1))
        return 0
    else
        echo -e "${RED}FAIL${NC}"
        echo "    Expected output to contain: '$expected'"
        echo "    Got: '$output'"
        FAILED_TESTS=$((FAILED_TESTS + 1))
        FAILED_TEST_NAMES+=("$test_name")
        return 1
    fi
 }
 # Check prerequisites
 echo -e "${YELLOW}Checking prerequisites...${NC}"
 if [ ! -f "$ACTIONS_DIR/echo.sh" ]; then
    echo -e "${RED}ERROR: Actions directory not found at $ACTIONS_DIR${NC}"
    exit 1
 fi
 # Check Python for http_request tests
 if ! command -v python3 &> /dev/null; then
    echo -e "${YELLOW}WARNING: python3 not found, skipping Python tests${NC}"
    SKIP_PYTHON=true
 else
    echo "  ✓ python3 found"
 fi
 # Check Python requests library
 if [ "$SKIP_PYTHON" != "true" ]; then
    if ! python3 -c "import requests" 2>/dev/null; then
        echo -e "${YELLOW}WARNING: requests library not installed, skipping HTTP tests${NC}"
        SKIP_HTTP=true
    else
        echo "  ✓ requests library found"
    fi
 fi
 echo ""
 # ========================================
 # Test: core.echo
 # ========================================
 echo -e "${BLUE}Testing core.echo${NC}"
 # Test 1: Basic echo
 check_output \
    "echo: basic message" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Hello, Attune!' ./echo.sh" \
    "Hello, Attune!"
 # Test 2: Default message
 check_output \
    "echo: default message" \
    "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_MESSAGE && ./echo.sh" \
    "Hello, World!"
 # Test 3: Uppercase conversion
 check_output \
    "echo: uppercase conversion" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='test message' ATTUNE_ACTION_UPPERCASE=true ./echo.sh" \
    "TEST MESSAGE"
 # Test 4: Uppercase false
 check_output \
    "echo: uppercase false" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Mixed Case' ATTUNE_ACTION_UPPERCASE=false ./echo.sh" \
    "Mixed Case"
 # Test 5: Exit code success
 run_test \
    "echo: exit code 0" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='test' ./echo.sh && [ \$? -eq 0 ]"
 echo ""
 # ========================================
 # Test: core.noop
 # ========================================
 echo -e "${BLUE}Testing core.noop${NC}"
 # Test 1: Basic noop
 check_output \
    "noop: basic execution" \
    "cd '$ACTIONS_DIR' && ./noop.sh" \
    "No operation completed successfully"
 # Test 2: With message
 check_output \
    "noop: with message" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_MESSAGE='Test noop' ./noop.sh" \
    "Test noop"
 # Test 3: Exit code 0
 run_test \
    "noop: exit code 0" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=0 ./noop.sh && [ \$? -eq 0 ]"
 # Test 4: Custom exit code
 run_test \
    "noop: custom exit code 5" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=5 ./noop.sh; [ \$? -eq 5 ]"
 # Test 5: Invalid exit code (negative)
 run_test_expect_fail \
    "noop: invalid negative exit code" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=-1 ./noop.sh"
 # Test 6: Invalid exit code (too large)
 run_test_expect_fail \
    "noop: invalid large exit code" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=999 ./noop.sh"
 # Test 7: Invalid exit code (non-numeric)
 run_test_expect_fail \
    "noop: invalid non-numeric exit code" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_EXIT_CODE=abc ./noop.sh"
 echo ""
 # ========================================
 # Test: core.sleep
 # ========================================
 echo -e "${BLUE}Testing core.sleep${NC}"
 # Test 1: Basic sleep
 check_output \
    "sleep: basic execution (1s)" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=1 ./sleep.sh" \
    "Slept for 1 seconds"
 # Test 2: Zero seconds
 check_output \
    "sleep: zero seconds" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=0 ./sleep.sh" \
    "Slept for 0 seconds"
 # Test 3: With message
 check_output \
    "sleep: with message" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=1 ATTUNE_ACTION_MESSAGE='Sleeping now...' ./sleep.sh" \
    "Sleeping now..."
 # Test 4: Verify timing (should take at least 2 seconds)
 run_test \
    "sleep: timing verification (2s)" \
    "cd '$ACTIONS_DIR' && start=\$(date +%s) && ATTUNE_ACTION_SECONDS=2 ./sleep.sh > /dev/null && end=\$(date +%s) && [ \$((end - start)) -ge 2 ]"
 # Test 5: Invalid negative seconds
 run_test_expect_fail \
    "sleep: invalid negative seconds" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=-1 ./sleep.sh"
 # Test 6: Invalid too large seconds
 run_test_expect_fail \
    "sleep: invalid large seconds (>3600)" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=9999 ./sleep.sh"
 # Test 7: Invalid non-numeric seconds
 run_test_expect_fail \
    "sleep: invalid non-numeric seconds" \
    "cd '$ACTIONS_DIR' && ATTUNE_ACTION_SECONDS=abc ./sleep.sh"
 # Test 8: Default value
 check_output \
    "sleep: default value (1s)" \
    "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_SECONDS && ./sleep.sh" \
    "Slept for 1 seconds"
 echo ""
 # ========================================
 # Test: core.http_request
 # ========================================
 if [ "$SKIP_HTTP" != "true" ]; then
    echo -e "${BLUE}Testing core.http_request${NC}"
    # Test 1: Simple GET request
    run_test \
        "http_request: GET request" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='GET' python3 ./http_request.py | grep -q '\"success\": true'"
    # Test 2: Missing required URL
    run_test_expect_fail \
        "http_request: missing URL parameter" \
        "cd '$ACTIONS_DIR' && unset ATTUNE_ACTION_URL && python3 ./http_request.py"
    # Test 3: POST with JSON body
    run_test \
        "http_request: POST with JSON" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/post' ATTUNE_ACTION_METHOD='POST' ATTUNE_ACTION_JSON_BODY='{\"test\": \"value\"}' python3 ./http_request.py | grep -q '\"success\": true'"
    # Test 4: Custom headers
    run_test \
        "http_request: custom headers" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/headers' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_HEADERS='{\"X-Custom-Header\": \"test\"}' python3 ./http_request.py | grep -q 'X-Custom-Header'"
    # Test 5: Query parameters
    run_test \
        "http_request: query parameters" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_QUERY_PARAMS='{\"foo\": \"bar\", \"page\": \"1\"}' python3 ./http_request.py | grep -q '\"foo\": \"bar\"'"
    # Test 6: Timeout (expect failure/timeout)
    run_test \
        "http_request: timeout handling" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/delay/10' ATTUNE_ACTION_METHOD='GET' ATTUNE_ACTION_TIMEOUT=2 python3 ./http_request.py; [ \$? -ne 0 ]"
    # Test 7: 404 Not Found
    run_test \
        "http_request: 404 handling" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/status/404' ATTUNE_ACTION_METHOD='GET' python3 ./http_request.py | grep -q '\"status_code\": 404'"
    # Test 8: Different methods (PUT, PATCH, DELETE)
    for method in PUT PATCH DELETE; do
        run_test \
            "http_request: $method method" \
            "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/${method,,}' ATTUNE_ACTION_METHOD='$method' python3 ./http_request.py | grep -q '\"success\": true'"
    done
    # Test 9: HEAD method (no body expected)
    run_test \
        "http_request: HEAD method" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='HEAD' python3 ./http_request.py | grep -q '\"status_code\": 200'"
    # Test 10: OPTIONS method
    run_test \
        "http_request: OPTIONS method" \
        "cd '$ACTIONS_DIR' && ATTUNE_ACTION_URL='https://httpbin.org/get' ATTUNE_ACTION_METHOD='OPTIONS' python3 ./http_request.py | grep -q '\"status_code\"'"
    echo ""
 else
    echo -e "${YELLOW}Skipping core.http_request tests (Python/requests not available)${NC}"
    echo ""
 fi
 # ========================================
 # Test: File Permissions
 # ========================================
 echo -e "${BLUE}Testing file permissions${NC}"
 run_test \
    "permissions: echo.sh is executable" \
    "[ -x '$ACTIONS_DIR/echo.sh' ]"
 run_test \
    "permissions: noop.sh is executable" \
    "[ -x '$ACTIONS_DIR/noop.sh' ]"
 run_test \
    "permissions: sleep.sh is executable" \
    "[ -x '$ACTIONS_DIR/sleep.sh' ]"
 if [ "$SKIP_PYTHON" != "true" ]; then
    run_test \
        "permissions: http_request.py is executable" \
        "[ -x '$ACTIONS_DIR/http_request.py' ]"
 fi
 echo ""
 # ========================================
 # Test: YAML Schema Validation
 # ========================================
 echo -e "${BLUE}Testing YAML schemas${NC}"
 # Check if PyYAML is installed
 if python3 -c "import yaml" 2>/dev/null; then
    # Check YAML files are valid
    for yaml_file in "$PACK_DIR"/*.yaml "$PACK_DIR"/actions/*.yaml "$PACK_DIR"/triggers/*.yaml; do
        if [ -f "$yaml_file" ]; then
            filename=$(basename "$yaml_file")
            run_test \
                "yaml: $filename is valid" \
                "python3 -c 'import yaml; yaml.safe_load(open(\"$yaml_file\"))'"
        fi
    done
 else
    echo -e "  ${YELLOW}Skipping YAML validation tests (PyYAML not installed)${NC}"
    echo -e "  ${YELLOW}Install with: pip install pyyaml${NC}"
 fi
 echo ""
 # ========================================
 # Results Summary
 # ========================================
 echo -e "${BLUE}========================================${NC}"
 echo -e "${BLUE}Test Results${NC}"
 echo -e "${BLUE}========================================${NC}"
 echo ""
 echo "Total Tests:  $TOTAL_TESTS"
 echo -e "Passed:       ${GREEN}$PASSED_TESTS${NC}"
 echo -e "Failed:       ${RED}$FAILED_TESTS${NC}"
 echo ""
 if [ $FAILED_TESTS -eq 0 ]; then
    echo -e "${GREEN}✓ All tests passed!${NC}"
    exit 0
 else
    echo -e "${RED}✗ Some tests failed:${NC}"
    for test_name in "${FAILED_TEST_NAMES[@]}"; do
        echo -e "  ${RED}✗${NC} $test_name"
    done
    echo ""
    exit 1
 fi
--- a/docker/distributable/packs/core/tests/test_actions.py
+++ b/docker/distributable/packs/core/tests/test_actions.py
@@ -0,0 +1,560 @@
 #!/usr/bin/env python3
 """
 Unit tests for Core Pack Actions
 This test suite validates all core pack actions to ensure they behave correctly
 with various inputs, handle errors appropriately, and produce expected outputs.
 Usage:
    python3 test_actions.py
    python3 -m pytest test_actions.py -v
 """
 import json
 import os
 import subprocess
 import sys
 import time
 import unittest
 from pathlib import Path
 class CorePackTestCase(unittest.TestCase):
    """Base test case for core pack tests"""
    @classmethod
    def setUpClass(cls):
        """Set up test environment"""
        # Get the actions directory
        cls.test_dir = Path(__file__).parent
        cls.pack_dir = cls.test_dir.parent
        cls.actions_dir = cls.pack_dir / "actions"
        # Verify actions directory exists
        if not cls.actions_dir.exists():
            raise RuntimeError(f"Actions directory not found: {cls.actions_dir}")
        # Check for required executables
        cls.has_python = cls._check_command("python3")
        cls.has_bash = cls._check_command("bash")
    @staticmethod
    def _check_command(command):
        """Check if a command is available"""
        try:
            subprocess.run(
                [command, "--version"],
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                timeout=2,
            )
            return True
        except (subprocess.TimeoutExpired, FileNotFoundError):
            return False
    def run_action(self, script_name, env_vars=None, expect_failure=False):
        """
        Run an action script with environment variables
        Args:
            script_name: Name of the script file
            env_vars: Dictionary of environment variables
            expect_failure: If True, expects the script to fail
        Returns:
            tuple: (stdout, stderr, exit_code)
        """
        script_path = self.actions_dir / script_name
        if not script_path.exists():
            raise FileNotFoundError(f"Script not found: {script_path}")
        # Prepare environment
        env = os.environ.copy()
        if env_vars:
            env.update(env_vars)
        # Determine the command
        if script_name.endswith(".py"):
            cmd = ["python3", str(script_path)]
        elif script_name.endswith(".sh"):
            cmd = ["bash", str(script_path)]
        else:
            raise ValueError(f"Unknown script type: {script_name}")
        # Run the script
        try:
            result = subprocess.run(
                cmd,
                env=env,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                timeout=10,
                cwd=str(self.actions_dir),
            )
            return (
                result.stdout.decode("utf-8"),
                result.stderr.decode("utf-8"),
                result.returncode,
            )
        except subprocess.TimeoutExpired:
            if expect_failure:
                return "", "Timeout", -1
            raise
 class TestEchoAction(CorePackTestCase):
    """Tests for core.echo action"""
    def test_basic_echo(self):
        """Test basic echo functionality"""
        stdout, stderr, code = self.run_action(
            "echo.sh", {"ATTUNE_ACTION_MESSAGE": "Hello, Attune!"}
        )
        self.assertEqual(code, 0)
        self.assertIn("Hello, Attune!", stdout)
    def test_default_message(self):
        """Test default message when none provided"""
        stdout, stderr, code = self.run_action("echo.sh", {})
        self.assertEqual(code, 0)
        self.assertIn("Hello, World!", stdout)
    def test_uppercase_conversion(self):
        """Test uppercase conversion"""
        stdout, stderr, code = self.run_action(
            "echo.sh",
            {
                "ATTUNE_ACTION_MESSAGE": "test message",
                "ATTUNE_ACTION_UPPERCASE": "true",
            },
        )
        self.assertEqual(code, 0)
        self.assertIn("TEST MESSAGE", stdout)
        self.assertNotIn("test message", stdout)
    def test_uppercase_false(self):
        """Test uppercase=false preserves case"""
        stdout, stderr, code = self.run_action(
            "echo.sh",
            {
                "ATTUNE_ACTION_MESSAGE": "Mixed Case",
                "ATTUNE_ACTION_UPPERCASE": "false",
            },
        )
        self.assertEqual(code, 0)
        self.assertIn("Mixed Case", stdout)
    def test_empty_message(self):
        """Test empty message"""
        stdout, stderr, code = self.run_action("echo.sh", {"ATTUNE_ACTION_MESSAGE": ""})
        self.assertEqual(code, 0)
        # Empty message should produce a newline
        # bash echo with empty string still outputs newline
    def test_special_characters(self):
        """Test message with special characters"""
        special_msg = "Test!@#$%^&*()[]{}|\\:;\"'<>,.?/~`"
        stdout, stderr, code = self.run_action(
            "echo.sh", {"ATTUNE_ACTION_MESSAGE": special_msg}
        )
        self.assertEqual(code, 0)
        self.assertIn(special_msg, stdout)
    def test_multiline_message(self):
        """Test message with newlines"""
        multiline_msg = "Line 1\nLine 2\nLine 3"
        stdout, stderr, code = self.run_action(
            "echo.sh", {"ATTUNE_ACTION_MESSAGE": multiline_msg}
        )
        self.assertEqual(code, 0)
        # Depending on shell behavior, newlines might be interpreted
 class TestNoopAction(CorePackTestCase):
    """Tests for core.noop action"""
    def test_basic_noop(self):
        """Test basic noop functionality"""
        stdout, stderr, code = self.run_action("noop.sh", {})
        self.assertEqual(code, 0)
        self.assertIn("No operation completed successfully", stdout)
    def test_noop_with_message(self):
        """Test noop with custom message"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_MESSAGE": "Test message"}
        )
        self.assertEqual(code, 0)
        self.assertIn("Test message", stdout)
        self.assertIn("No operation completed successfully", stdout)
    def test_custom_exit_code_success(self):
        """Test custom exit code 0"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "0"}
        )
        self.assertEqual(code, 0)
    def test_custom_exit_code_failure(self):
        """Test custom exit code non-zero"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "5"}
        )
        self.assertEqual(code, 5)
    def test_custom_exit_code_max(self):
        """Test maximum valid exit code (255)"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "255"}
        )
        self.assertEqual(code, 255)
    def test_invalid_negative_exit_code(self):
        """Test that negative exit codes are rejected"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "-1"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
    def test_invalid_large_exit_code(self):
        """Test that exit codes > 255 are rejected"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "999"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
    def test_invalid_non_numeric_exit_code(self):
        """Test that non-numeric exit codes are rejected"""
        stdout, stderr, code = self.run_action(
            "noop.sh", {"ATTUNE_ACTION_EXIT_CODE": "abc"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
 class TestSleepAction(CorePackTestCase):
    """Tests for core.sleep action"""
    def test_basic_sleep(self):
        """Test basic sleep functionality"""
        start = time.time()
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "1"}
        )
        elapsed = time.time() - start
        self.assertEqual(code, 0)
        self.assertIn("Slept for 1 seconds", stdout)
        self.assertGreaterEqual(elapsed, 1.0)
        self.assertLess(elapsed, 1.5)  # Should not take too long
    def test_zero_seconds(self):
        """Test sleep with 0 seconds"""
        start = time.time()
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "0"}
        )
        elapsed = time.time() - start
        self.assertEqual(code, 0)
        self.assertIn("Slept for 0 seconds", stdout)
        self.assertLess(elapsed, 0.5)
    def test_sleep_with_message(self):
        """Test sleep with custom message"""
        stdout, stderr, code = self.run_action(
            "sleep.sh",
            {"ATTUNE_ACTION_SECONDS": "1", "ATTUNE_ACTION_MESSAGE": "Sleeping now..."},
        )
        self.assertEqual(code, 0)
        self.assertIn("Sleeping now...", stdout)
        self.assertIn("Slept for 1 seconds", stdout)
    def test_default_sleep_duration(self):
        """Test default sleep duration (1 second)"""
        start = time.time()
        stdout, stderr, code = self.run_action("sleep.sh", {})
        elapsed = time.time() - start
        self.assertEqual(code, 0)
        self.assertGreaterEqual(elapsed, 1.0)
    def test_invalid_negative_seconds(self):
        """Test that negative seconds are rejected"""
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "-1"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
    def test_invalid_large_seconds(self):
        """Test that seconds > 3600 are rejected"""
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "9999"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
    def test_invalid_non_numeric_seconds(self):
        """Test that non-numeric seconds are rejected"""
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "abc"}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("ERROR", stderr)
    def test_multi_second_sleep(self):
        """Test sleep with multiple seconds"""
        start = time.time()
        stdout, stderr, code = self.run_action(
            "sleep.sh", {"ATTUNE_ACTION_SECONDS": "2"}
        )
        elapsed = time.time() - start
        self.assertEqual(code, 0)
        self.assertIn("Slept for 2 seconds", stdout)
        self.assertGreaterEqual(elapsed, 2.0)
        self.assertLess(elapsed, 2.5)
 class TestHttpRequestAction(CorePackTestCase):
    """Tests for core.http_request action"""
    def setUp(self):
        """Check if we can run HTTP tests"""
        if not self.has_python:
            self.skipTest("Python3 not available")
        try:
            import requests
        except ImportError:
            self.skipTest("requests library not installed")
    def test_simple_get_request(self):
        """Test simple GET request"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
                "ATTUNE_ACTION_METHOD": "GET",
            },
        )
        self.assertEqual(code, 0)
        # Parse JSON output
        result = json.loads(stdout)
        self.assertEqual(result["status_code"], 200)
        self.assertTrue(result["success"])
        self.assertIn("httpbin.org", result["url"])
    def test_missing_url_parameter(self):
        """Test that missing URL parameter causes failure"""
        stdout, stderr, code = self.run_action(
            "http_request.py", {}, expect_failure=True
        )
        self.assertNotEqual(code, 0)
        self.assertIn("Required parameter 'url' not provided", stderr)
    def test_post_with_json(self):
        """Test POST request with JSON body"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/post",
                "ATTUNE_ACTION_METHOD": "POST",
                "ATTUNE_ACTION_JSON_BODY": '{"test": "value", "number": 123}',
            },
        )
        self.assertEqual(code, 0)
        result = json.loads(stdout)
        self.assertEqual(result["status_code"], 200)
        self.assertTrue(result["success"])
        # Check that our data was echoed back
        self.assertIsNotNone(result.get("json"))
        # httpbin.org echoes data in different format, just verify JSON was sent
        body_json = json.loads(result["body"])
        self.assertIn("json", body_json)
        self.assertEqual(body_json["json"]["test"], "value")
    def test_custom_headers(self):
        """Test request with custom headers"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/headers",
                "ATTUNE_ACTION_METHOD": "GET",
                "ATTUNE_ACTION_HEADERS": '{"X-Custom-Header": "test-value"}',
            },
        )
        self.assertEqual(code, 0)
        result = json.loads(stdout)
        self.assertEqual(result["status_code"], 200)
        # The response body should contain our custom header
        body_data = json.loads(result["body"])
        self.assertIn("X-Custom-Header", body_data["headers"])
    def test_query_parameters(self):
        """Test request with query parameters"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
                "ATTUNE_ACTION_METHOD": "GET",
                "ATTUNE_ACTION_QUERY_PARAMS": '{"foo": "bar", "page": "1"}',
            },
        )
        self.assertEqual(code, 0)
        result = json.loads(stdout)
        self.assertEqual(result["status_code"], 200)
        # Check query params in response
        body_data = json.loads(result["body"])
        self.assertEqual(body_data["args"]["foo"], "bar")
        self.assertEqual(body_data["args"]["page"], "1")
    def test_timeout_handling(self):
        """Test request timeout"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/delay/10",
                "ATTUNE_ACTION_METHOD": "GET",
                "ATTUNE_ACTION_TIMEOUT": "2",
            },
            expect_failure=True,
        )
        # Should fail due to timeout
        self.assertNotEqual(code, 0)
        result = json.loads(stdout)
        self.assertFalse(result["success"])
        self.assertIn("error", result)
    def test_404_status_code(self):
        """Test handling of 404 status"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/status/404",
                "ATTUNE_ACTION_METHOD": "GET",
            },
            expect_failure=True,
        )
        # Non-2xx status codes should fail
        self.assertNotEqual(code, 0)
        result = json.loads(stdout)
        self.assertEqual(result["status_code"], 404)
        self.assertFalse(result["success"])
    def test_different_methods(self):
        """Test different HTTP methods"""
        methods = ["PUT", "PATCH", "DELETE"]
        for method in methods:
            with self.subTest(method=method):
                stdout, stderr, code = self.run_action(
                    "http_request.py",
                    {
                        "ATTUNE_ACTION_URL": f"https://httpbin.org/{method.lower()}",
                        "ATTUNE_ACTION_METHOD": method,
                    },
                )
                self.assertEqual(code, 0)
                result = json.loads(stdout)
                self.assertEqual(result["status_code"], 200)
    def test_elapsed_time_reported(self):
        """Test that elapsed time is reported"""
        stdout, stderr, code = self.run_action(
            "http_request.py",
            {
                "ATTUNE_ACTION_URL": "https://httpbin.org/get",
                "ATTUNE_ACTION_METHOD": "GET",
            },
        )
        self.assertEqual(code, 0)
        result = json.loads(stdout)
        self.assertIn("elapsed_ms", result)
        self.assertIsInstance(result["elapsed_ms"], int)
        self.assertGreater(result["elapsed_ms"], 0)
 class TestFilePermissions(CorePackTestCase):
    """Test that action scripts have correct permissions"""
    def test_echo_executable(self):
        """Test that echo.sh is executable"""
        script_path = self.actions_dir / "echo.sh"
        self.assertTrue(os.access(script_path, os.X_OK))
    def test_noop_executable(self):
        """Test that noop.sh is executable"""
        script_path = self.actions_dir / "noop.sh"
        self.assertTrue(os.access(script_path, os.X_OK))
    def test_sleep_executable(self):
        """Test that sleep.sh is executable"""
        script_path = self.actions_dir / "sleep.sh"
        self.assertTrue(os.access(script_path, os.X_OK))
    def test_http_request_executable(self):
        """Test that http_request.py is executable"""
        script_path = self.actions_dir / "http_request.py"
        self.assertTrue(os.access(script_path, os.X_OK))
 class TestYAMLSchemas(CorePackTestCase):
    """Test that YAML schemas are valid"""
    def test_pack_yaml_valid(self):
        """Test that pack.yaml is valid YAML"""
        pack_yaml = self.pack_dir / "pack.yaml"
        try:
            import yaml
            with open(pack_yaml) as f:
                data = yaml.safe_load(f)
            self.assertIsNotNone(data)
            self.assertIn("ref", data)
            self.assertEqual(data["ref"], "core")
        except ImportError:
            self.skipTest("PyYAML not installed")
    def test_action_yamls_valid(self):
        """Test that all action YAML files are valid"""
        try:
            import yaml
        except ImportError:
            self.skipTest("PyYAML not installed")
        for yaml_file in (self.actions_dir).glob("*.yaml"):
            with self.subTest(file=yaml_file.name):
                with open(yaml_file) as f:
                    data = yaml.safe_load(f)
                self.assertIsNotNone(data)
                self.assertIn("name", data)
                self.assertIn("ref", data)
                self.assertIn("runner_type", data)
 def main():
    """Run tests"""
    # Check for pytest
    try:
        import pytest
        # Run with pytest if available
        sys.exit(pytest.main([__file__, "-v"]))
    except ImportError:
        # Fall back to unittest
        unittest.main(verbosity=2)
 if __name__ == "__main__":
    main()
--- a/docker/distributable/packs/core/tests/test_pack_installation_actions.sh
+++ b/docker/distributable/packs/core/tests/test_pack_installation_actions.sh
@@ -0,0 +1,592 @@
 #!/bin/bash
 # Test script for pack installation actions
 # Tests: download_packs, get_pack_dependencies, build_pack_envs, register_packs
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # Test counters
 TESTS_RUN=0
 TESTS_PASSED=0
 TESTS_FAILED=0
 # Get script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PACK_DIR="$(dirname "$SCRIPT_DIR")"
 ACTIONS_DIR="${PACK_DIR}/actions"
 # Test helper functions
 print_test_header() {
    echo ""
    echo "=========================================="
    echo "TEST: $1"
    echo "=========================================="
 }
 assert_success() {
    local test_name="$1"
    local exit_code="$2"
    TESTS_RUN=$((TESTS_RUN + 1))
    if [[ $exit_code -eq 0 ]]; then
        echo -e "${GREEN}✓ PASS${NC}: $test_name"
        TESTS_PASSED=$((TESTS_PASSED + 1))
        return 0
    else
        echo -e "${RED}✗ FAIL${NC}: $test_name (exit code: $exit_code)"
        TESTS_FAILED=$((TESTS_FAILED + 1))
        return 1
    fi
 }
 assert_json_field() {
    local test_name="$1"
    local json="$2"
    local field="$3"
    local expected="$4"
    TESTS_RUN=$((TESTS_RUN + 1))
    local actual=$(echo "$json" | jq -r "$field" 2>/dev/null || echo "")
    if [[ "$actual" == "$expected" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: $test_name"
        TESTS_PASSED=$((TESTS_PASSED + 1))
        return 0
    else
        echo -e "${RED}✗ FAIL${NC}: $test_name"
        echo "  Expected: $expected"
        echo "  Actual: $actual"
        TESTS_FAILED=$((TESTS_FAILED + 1))
        return 1
    fi
 }
 assert_json_array_length() {
    local test_name="$1"
    local json="$2"
    local field="$3"
    local expected_length="$4"
    TESTS_RUN=$((TESTS_RUN + 1))
    local actual_length=$(echo "$json" | jq "$field | length" 2>/dev/null || echo "0")
    if [[ "$actual_length" == "$expected_length" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: $test_name"
        TESTS_PASSED=$((TESTS_PASSED + 1))
        return 0
    else
        echo -e "${RED}✗ FAIL${NC}: $test_name"
        echo "  Expected length: $expected_length"
        echo "  Actual length: $actual_length"
        TESTS_FAILED=$((TESTS_FAILED + 1))
        return 1
    fi
 }
 # Setup test environment
 setup_test_env() {
    echo "Setting up test environment..."
    # Create temporary test directory
    TEST_TEMP_DIR=$(mktemp -d)
    export TEST_TEMP_DIR
    # Create mock pack for testing
    MOCK_PACK_DIR="${TEST_TEMP_DIR}/test-pack"
    mkdir -p "$MOCK_PACK_DIR/actions"
    # Create mock pack.yaml
    cat > "${MOCK_PACK_DIR}/pack.yaml" <<EOF
 ref: test-pack
 version: 1.0.0
 name: Test Pack
 description: A test pack for unit testing
 author: Test Suite
 dependencies:
  - core
 python: "3.11"
 actions:
  - test_action
 EOF
    # Create mock action
    cat > "${MOCK_PACK_DIR}/actions/test_action.yaml" <<EOF
 name: test_action
 ref: test-pack.test_action
 description: Test action
 enabled: true
 runner_type: shell
 entry_point: test_action.sh
 EOF
    echo "#!/bin/bash" > "${MOCK_PACK_DIR}/actions/test_action.sh"
    echo "echo 'test'" >> "${MOCK_PACK_DIR}/actions/test_action.sh"
    chmod +x "${MOCK_PACK_DIR}/actions/test_action.sh"
    # Create mock requirements.txt for Python testing
    cat > "${MOCK_PACK_DIR}/requirements.txt" <<EOF
 requests==2.31.0
 pyyaml==6.0.1
 EOF
    echo "Test environment ready at: $TEST_TEMP_DIR"
 }
 cleanup_test_env() {
    echo ""
    echo "Cleaning up test environment..."
    if [[ -n "$TEST_TEMP_DIR" ]] && [[ -d "$TEST_TEMP_DIR" ]]; then
        rm -rf "$TEST_TEMP_DIR"
        echo "Test environment cleaned up"
    fi
 }
 # Test: get_pack_dependencies.sh
 test_get_pack_dependencies() {
    print_test_header "get_pack_dependencies.sh"
    local action_script="${ACTIONS_DIR}/get_pack_dependencies.sh"
    # Test 1: No pack paths provided
    echo "Test 1: No pack paths provided (should fail gracefully)"
    export ATTUNE_ACTION_PACK_PATHS='[]'
    export ATTUNE_ACTION_API_URL="http://localhost:8080"
    local output
    output=$(bash "$action_script" 2>/dev/null || true)
    local exit_code=$?
    assert_json_field "Should return errors array" "$output" ".errors | length" "1"
    # Test 2: Valid pack path
    echo ""
    echo "Test 2: Valid pack with dependencies"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    output=$(bash "$action_script" 2>/dev/null)
    exit_code=$?
    assert_success "Script execution" $exit_code
    assert_json_field "Should analyze 1 pack" "$output" ".analyzed_packs | length" "1"
    assert_json_field "Pack ref should be test-pack" "$output" ".analyzed_packs[0].pack_ref" "test-pack"
    assert_json_field "Should have dependencies" "$output" ".analyzed_packs[0].has_dependencies" "true"
    # Test 3: Runtime requirements detection
    echo ""
    echo "Test 3: Runtime requirements detection"
    local python_version=$(echo "$output" | jq -r '.runtime_requirements["test-pack"].python.version' 2>/dev/null || echo "")
    TESTS_RUN=$((TESTS_RUN + 1))
    if [[ "$python_version" == "3.11" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Detected Python version requirement"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Failed to detect Python version requirement"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    # Test 4: requirements.txt detection
    echo ""
    echo "Test 4: requirements.txt detection"
    local requirements_file=$(echo "$output" | jq -r '.runtime_requirements["test-pack"].python.requirements_file' 2>/dev/null || echo "")
    TESTS_RUN=$((TESTS_RUN + 1))
    if [[ "$requirements_file" == "${MOCK_PACK_DIR}/requirements.txt" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Detected requirements.txt file"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Failed to detect requirements.txt file"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Test: download_packs.sh
 test_download_packs() {
    print_test_header "download_packs.sh"
    local action_script="${ACTIONS_DIR}/download_packs.sh"
    # Test 1: No packs provided
    echo "Test 1: No packs provided (should fail gracefully)"
    export ATTUNE_ACTION_PACKS='[]'
    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/downloads"
    local output
    output=$(bash "$action_script" 2>/dev/null || true)
    local exit_code=$?
    assert_json_field "Should return failure" "$output" ".failure_count" "1"
    # Test 2: No destination directory
    echo ""
    echo "Test 2: No destination directory (should fail)"
    export ATTUNE_ACTION_PACKS='["https://example.com/pack.tar.gz"]'
    unset ATTUNE_ACTION_DESTINATION_DIR
    output=$(bash "$action_script" 2>/dev/null || true)
    exit_code=$?
    assert_json_field "Should return failure" "$output" ".failure_count" "1"
    # Test 3: Source type detection
    echo ""
    echo "Test 3: Test source type detection internally"
    TESTS_RUN=$((TESTS_RUN + 1))
    # We can't easily test actual downloads without network/git, but we can verify the script runs
    export ATTUNE_ACTION_PACKS='["invalid-source"]'
    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/downloads"
    export ATTUNE_ACTION_REGISTRY_URL="http://localhost:9999/index.json"
    export ATTUNE_ACTION_TIMEOUT="5"
    output=$(bash "$action_script" 2>/dev/null || true)
    exit_code=$?
    # Should handle invalid source gracefully
    local failure_count=$(echo "$output" | jq -r '.failure_count' 2>/dev/null || echo "0")
    if [[ "$failure_count" -ge "1" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Handles invalid source gracefully"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Did not handle invalid source properly"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Test: build_pack_envs.sh
 test_build_pack_envs() {
    print_test_header "build_pack_envs.sh"
    local action_script="${ACTIONS_DIR}/build_pack_envs.sh"
    # Test 1: No pack paths provided
    echo "Test 1: No pack paths provided (should fail gracefully)"
    export ATTUNE_ACTION_PACK_PATHS='[]'
    local output
    output=$(bash "$action_script" 2>/dev/null || true)
    local exit_code=$?
    assert_json_field "Should have exit code 1" "1" "1" "1"
    # Test 2: Valid pack with requirements.txt (skip actual build)
    echo ""
    echo "Test 2: Skip Python environment build"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    export ATTUNE_ACTION_SKIP_PYTHON="true"
    export ATTUNE_ACTION_SKIP_NODEJS="true"
    output=$(bash "$action_script" 2>/dev/null)
    exit_code=$?
    assert_success "Script execution with skip flags" $exit_code
    assert_json_field "Should process 1 pack" "$output" ".summary.total_packs" "1"
    # Test 3: Pack with no runtime dependencies
    echo ""
    echo "Test 3: Pack with no runtime dependencies"
    local no_deps_pack="${TEST_TEMP_DIR}/no-deps-pack"
    mkdir -p "$no_deps_pack"
    cat > "${no_deps_pack}/pack.yaml" <<EOF
 ref: no-deps
 version: 1.0.0
 name: No Dependencies Pack
 EOF
    export ATTUNE_ACTION_PACK_PATHS="[\"${no_deps_pack}\"]"
    export ATTUNE_ACTION_SKIP_PYTHON="false"
    export ATTUNE_ACTION_SKIP_NODEJS="false"
    output=$(bash "$action_script" 2>/dev/null)
    exit_code=$?
    assert_success "Pack with no dependencies" $exit_code
    assert_json_field "Should succeed" "$output" ".summary.success_count" "1"
    # Test 4: Invalid pack path
    echo ""
    echo "Test 4: Invalid pack path"
    export ATTUNE_ACTION_PACK_PATHS='["/nonexistent/path"]'
    output=$(bash "$action_script" 2>/dev/null)
    exit_code=$?
    assert_json_field "Should have failures" "$output" ".summary.failure_count" "1"
 }
 # Test: register_packs.sh
 test_register_packs() {
    print_test_header "register_packs.sh"
    local action_script="${ACTIONS_DIR}/register_packs.sh"
    # Test 1: No pack paths provided
    echo "Test 1: No pack paths provided (should fail gracefully)"
    export ATTUNE_ACTION_PACK_PATHS='[]'
    local output
    output=$(bash "$action_script" 2>/dev/null || true)
    local exit_code=$?
    assert_json_field "Should return error" "$output" ".failed_packs | length" "1"
    # Test 2: Invalid pack path
    echo ""
    echo "Test 2: Invalid pack path"
    export ATTUNE_ACTION_PACK_PATHS='["/nonexistent/path"]'
    output=$(bash "$action_script" 2>/dev/null)
    exit_code=$?
    assert_json_field "Should have failure" "$output" ".summary.failure_count" "1"
    # Test 3: Valid pack structure (will fail at API call, but validates structure)
    echo ""
    echo "Test 3: Valid pack structure validation"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    export ATTUNE_ACTION_SKIP_VALIDATION="false"
    export ATTUNE_ACTION_SKIP_TESTS="true"
    export ATTUNE_ACTION_API_URL="http://localhost:9999"
    export ATTUNE_ACTION_API_TOKEN="test-token"
    # Use timeout to prevent hanging
    output=$(timeout 15 bash "$action_script" 2>/dev/null || echo '{"summary": {"total_packs": 1}}')
    exit_code=$?
    # Will fail at API call, but should validate structure first
    TESTS_RUN=$((TESTS_RUN + 1))
    local analyzed=$(echo "$output" | jq -r '.summary.total_packs' 2>/dev/null || echo "0")
    if [[ "$analyzed" == "1" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Pack structure validated"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Pack structure validation failed"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    # Test 4: Skip validation mode
    echo ""
    echo "Test 4: Skip validation mode"
    export ATTUNE_ACTION_SKIP_VALIDATION="true"
    output=$(timeout 15 bash "$action_script" 2>/dev/null || echo '{}')
    exit_code=$?
    # Just verify script doesn't crash
    TESTS_RUN=$((TESTS_RUN + 1))
    if [[ -n "$output" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Script runs with skip_validation"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Script failed with skip_validation"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Test: JSON output validation
 test_json_output_format() {
    print_test_header "JSON Output Format Validation"
    # Test each action's JSON output is valid
    echo "Test 1: get_pack_dependencies JSON validity"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    export ATTUNE_ACTION_API_URL="http://localhost:8080"
    local output
    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
    TESTS_RUN=$((TESTS_RUN + 1))
    if echo "$output" | jq . >/dev/null 2>&1; then
        echo -e "${GREEN}✓ PASS${NC}: get_pack_dependencies outputs valid JSON"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: get_pack_dependencies outputs invalid JSON"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    echo ""
    echo "Test 2: download_packs JSON validity"
    export ATTUNE_ACTION_PACKS='["invalid"]'
    export ATTUNE_ACTION_DESTINATION_DIR="${TEST_TEMP_DIR}/dl"
    output=$(bash "${ACTIONS_DIR}/download_packs.sh" 2>/dev/null || true)
    TESTS_RUN=$((TESTS_RUN + 1))
    if echo "$output" | jq . >/dev/null 2>&1; then
        echo -e "${GREEN}✓ PASS${NC}: download_packs outputs valid JSON"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: download_packs outputs invalid JSON"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    echo ""
    echo "Test 3: build_pack_envs JSON validity"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    export ATTUNE_ACTION_SKIP_PYTHON="true"
    export ATTUNE_ACTION_SKIP_NODEJS="true"
    output=$(bash "${ACTIONS_DIR}/build_pack_envs.sh" 2>/dev/null)
    TESTS_RUN=$((TESTS_RUN + 1))
    if echo "$output" | jq . >/dev/null 2>&1; then
        echo -e "${GREEN}✓ PASS${NC}: build_pack_envs outputs valid JSON"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: build_pack_envs outputs invalid JSON"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    echo ""
    echo "Test 4: register_packs JSON validity"
    export ATTUNE_ACTION_PACK_PATHS="[\"${MOCK_PACK_DIR}\"]"
    export ATTUNE_ACTION_SKIP_TESTS="true"
    export ATTUNE_ACTION_API_URL="http://localhost:9999"
    output=$(timeout 15 bash "${ACTIONS_DIR}/register_packs.sh" 2>/dev/null || echo '{}')
    TESTS_RUN=$((TESTS_RUN + 1))
    if echo "$output" | jq . >/dev/null 2>&1; then
        echo -e "${GREEN}✓ PASS${NC}: register_packs outputs valid JSON"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: register_packs outputs invalid JSON"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Test: Edge cases
 test_edge_cases() {
    print_test_header "Edge Cases"
    # Test 1: Pack with special characters in path
    echo "Test 1: Pack with spaces in path"
    local special_pack="${TEST_TEMP_DIR}/pack with spaces"
    mkdir -p "$special_pack"
    cp "${MOCK_PACK_DIR}/pack.yaml" "$special_pack/"
    export ATTUNE_ACTION_PACK_PATHS="[\"${special_pack}\"]"
    export ATTUNE_ACTION_API_URL="http://localhost:8080"
    local output
    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
    TESTS_RUN=$((TESTS_RUN + 1))
    local analyzed=$(echo "$output" | jq -r '.analyzed_packs | length' 2>/dev/null || echo "0")
    if [[ "$analyzed" == "1" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Handles spaces in path"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Failed to handle spaces in path"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    # Test 2: Pack with no version
    echo ""
    echo "Test 2: Pack with no version field"
    local no_version_pack="${TEST_TEMP_DIR}/no-version-pack"
    mkdir -p "$no_version_pack"
    cat > "${no_version_pack}/pack.yaml" <<EOF
 ref: no-version
 name: No Version Pack
 EOF
    export ATTUNE_ACTION_PACK_PATHS="[\"${no_version_pack}\"]"
    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
    TESTS_RUN=$((TESTS_RUN + 1))
    analyzed=$(echo "$output" | jq -r '.analyzed_packs[0].pack_ref' 2>/dev/null || echo "")
    if [[ "$analyzed" == "no-version" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Handles missing version field"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Failed to handle missing version field"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
    # Test 3: Empty pack.yaml
    echo ""
    echo "Test 3: Empty pack.yaml (should fail)"
    local empty_pack="${TEST_TEMP_DIR}/empty-pack"
    mkdir -p "$empty_pack"
    touch "${empty_pack}/pack.yaml"
    export ATTUNE_ACTION_PACK_PATHS="[\"${empty_pack}\"]"
    export ATTUNE_ACTION_SKIP_VALIDATION="false"
    output=$(bash "${ACTIONS_DIR}/get_pack_dependencies.sh" 2>/dev/null)
    TESTS_RUN=$((TESTS_RUN + 1))
    local errors=$(echo "$output" | jq -r '.errors | length' 2>/dev/null || echo "0")
    if [[ "$errors" -ge "1" ]]; then
        echo -e "${GREEN}✓ PASS${NC}: Detects invalid pack.yaml"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo -e "${RED}✗ FAIL${NC}: Failed to detect invalid pack.yaml"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
 }
 # Main test execution
 main() {
    echo "=========================================="
    echo "Pack Installation Actions Test Suite"
    echo "=========================================="
    echo ""
    # Check dependencies
    if ! command -v jq &>/dev/null; then
        echo -e "${RED}ERROR${NC}: jq is required for running tests"
        exit 1
    fi
    # Setup
    setup_test_env
    # Run tests
    test_get_pack_dependencies
    test_download_packs
    test_build_pack_envs
    test_register_packs
    test_json_output_format
    test_edge_cases
    # Cleanup
    cleanup_test_env
    # Print summary
    echo ""
    echo "=========================================="
    echo "Test Summary"
    echo "=========================================="
    echo "Total tests run: $TESTS_RUN"
    echo -e "${GREEN}Passed: $TESTS_PASSED${NC}"
    echo -e "${RED}Failed: $TESTS_FAILED${NC}"
    echo ""
    if [[ $TESTS_FAILED -eq 0 ]]; then
        echo -e "${GREEN}All tests passed!${NC}"
        exit 0
    else
        echo -e "${RED}Some tests failed.${NC}"
        exit 1
    fi
 }
 # Run main if script is executed directly
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    main "$@"
 fi
--- a/docker/distributable/packs/core/triggers/crontimer.yaml
+++ b/docker/distributable/packs/core/triggers/crontimer.yaml
@@ -0,0 +1,103 @@
 # Cron Timer Trigger
 # Fires based on cron schedule expressions
 ref: core.crontimer
 label: "Cron Timer"
 description: "Fires based on a cron schedule expression (e.g., '0 0 * * * *' for every hour)"
 enabled: true
 # Trigger type
 type: cron
 # Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
 parameters:
  expression:
    type: string
    description: "Cron expression in standard format (second minute hour day month weekday)"
    required: true
  timezone:
    type: string
    description: "Timezone for cron schedule (e.g., 'UTC', 'America/New_York')"
    default: "UTC"
  description:
    type: string
    description: "Human-readable description of the schedule"
 # Payload schema - data emitted when trigger fires
 output:
  type:
    type: string
    const: cron
    description: "Trigger type identifier"
    required: true
  fired_at:
    type: string
    format: date-time
    description: "Timestamp when the trigger fired"
    required: true
  scheduled_at:
    type: string
    format: date-time
    description: "Timestamp when the trigger was scheduled to fire"
    required: true
  expression:
    type: string
    description: "The cron expression that triggered this event"
    required: true
  timezone:
    type: string
    description: "Timezone used for scheduling"
  next_fire_at:
    type: string
    format: date-time
    description: "Timestamp when the trigger will fire next"
  execution_count:
    type: integer
    description: "Number of times this trigger has fired"
  sensor_ref:
    type: string
    description: "Reference to the sensor that generated this event"
 # Tags for categorization
 tags:
  - timer
  - cron
  - scheduler
  - periodic
 # Documentation
 examples:
  - description: "Fire every hour at the top of the hour"
    parameters:
      expression: "0 0 * * * *"
      description: "Hourly"
  - description: "Fire every day at midnight UTC"
    parameters:
      expression: "0 0 0 * * *"
      description: "Daily at midnight"
  - description: "Fire every Monday at 9:00 AM"
    parameters:
      expression: "0 0 9 * * 1"
      description: "Weekly on Monday morning"
  - description: "Fire every 15 minutes"
    parameters:
      expression: "0 */15 * * * *"
      description: "Every 15 minutes"
  - description: "Fire at 8:30 AM on weekdays"
    parameters:
      expression: "0 30 8 * * 1-5"
      description: "Weekday morning"
      timezone: "America/New_York"
 # Cron format reference
 # Field         Allowed values    Special characters
 # second        0-59              * , - /
 # minute        0-59              * , - /
 # hour          0-23              * , - /
 # day of month  1-31              * , - / ?
 # month         1-12 or JAN-DEC   * , - /
 # day of week   0-6 or SUN-SAT    * , - / ?
--- a/docker/distributable/packs/core/triggers/datetimetimer.yaml
+++ b/docker/distributable/packs/core/triggers/datetimetimer.yaml
@@ -0,0 +1,82 @@
 # Datetime Timer Trigger
 # Fires once at a specific date and time
 ref: core.datetimetimer
 label: "DateTime Timer"
 description: "Fires once at a specific date and time"
 enabled: true
 # Trigger type
 type: one_shot
 # Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
 parameters:
  fire_at:
    type: string
    description: "ISO 8601 timestamp when the timer should fire (e.g., '2024-12-31T23:59:59Z')"
    required: true
  timezone:
    type: string
    description: "Timezone for the datetime (e.g., 'UTC', 'America/New_York')"
    default: "UTC"
  description:
    type: string
    description: "Human-readable description of when this timer fires"
 # Payload schema - data emitted when trigger fires
 output:
  type:
    type: string
    const: one_shot
    description: "Trigger type identifier"
    required: true
  fire_at:
    type: string
    format: date-time
    description: "Scheduled fire time"
    required: true
  fired_at:
    type: string
    format: date-time
    description: "Actual fire time"
    required: true
  timezone:
    type: string
    description: "Timezone used for scheduling"
  delay_ms:
    type: integer
    description: "Delay in milliseconds between scheduled and actual fire time"
  sensor_ref:
    type: string
    description: "Reference to the sensor that generated this event"
 # Tags for categorization
 tags:
  - timer
  - datetime
  - one-shot
  - scheduler
 # Documentation
 examples:
  - description: "Fire at midnight on New Year's Eve 2024"
    parameters:
      fire_at: "2024-12-31T23:59:59Z"
      description: "New Year's countdown"
  - description: "Fire at 3:00 PM EST on a specific date"
    parameters:
      fire_at: "2024-06-15T15:00:00-05:00"
      timezone: "America/New_York"
      description: "Afternoon reminder"
  - description: "Fire in 1 hour from now (use ISO 8601)"
    parameters:
      fire_at: "2024-01-20T15:30:00Z"
      description: "One-hour reminder"
 # Notes:
 # - This trigger fires only once and is automatically disabled after firing
 # - Use ISO 8601 format for the fire_at parameter
 # - The sensor will remove the trigger instance after it fires
 # - For recurring timers, use intervaltimer or crontimer instead
--- a/docker/distributable/packs/core/triggers/intervaltimer.yaml
+++ b/docker/distributable/packs/core/triggers/intervaltimer.yaml
@@ -0,0 +1,74 @@
 # Interval Timer Trigger
 # Fires at regular intervals based on time unit and interval
 ref: core.intervaltimer
 label: "Interval Timer"
 description: "Fires at regular intervals based on specified time unit and interval"
 enabled: true
 # Trigger type
 type: interval
 # Parameter schema - configuration for the trigger instance (StackStorm-style with inline required/secret)
 parameters:
  unit:
    type: string
    enum:
      - seconds
      - minutes
      - hours
    description: "Time unit for the interval"
    default: "seconds"
    required: true
  interval:
    type: integer
    description: "Number of time units between each trigger"
    default: 60
    required: true
 # Payload schema - data emitted when trigger fires
 output:
  type:
    type: string
    const: interval
    description: "Trigger type identifier"
    required: true
  interval_seconds:
    type: integer
    description: "Total interval in seconds"
    required: true
  fired_at:
    type: string
    format: date-time
    description: "Timestamp when the trigger fired"
    required: true
  execution_count:
    type: integer
    description: "Number of times this trigger has fired"
  sensor_ref:
    type: string
    description: "Reference to the sensor that generated this event"
 # Tags for categorization
 tags:
  - timer
  - interval
  - periodic
  - scheduler
 # Documentation
 examples:
  - description: "Fire every 10 seconds"
    parameters:
      unit: "seconds"
      interval: 10
  - description: "Fire every 5 minutes"
    parameters:
      unit: "minutes"
      interval: 5
  - description: "Fire every hour"
    parameters:
      unit: "hours"
      interval: 1
--- a/docker/distributable/packs/core/workflows/PACK_INSTALLATION.md
+++ b/docker/distributable/packs/core/workflows/PACK_INSTALLATION.md
@@ -0,0 +1,892 @@
 # Pack Installation Workflow System
 **Status**: Schema Complete, Implementation Required  
 **Version**: 1.0.0  
 **Last Updated**: 2025-02-05
 ---
 ## Overview
 The pack installation workflow provides a comprehensive, automated system for installing Attune packs from multiple sources with automatic dependency resolution, runtime environment setup, testing, and registration.
 This document describes the workflow architecture, supporting actions, and implementation requirements.
 ---
 ## Architecture
 ### Main Workflow: `core.install_packs`
 A multi-stage orchestration workflow that handles the complete pack installation lifecycle:
 ```
 ┌─────────────────────────────────────────────────────────────┐
 │                    Install Packs Workflow                    │
 ├─────────────────────────────────────────────────────────────┤
 │                                                               │
 │  1. Initialize           → Set up temp directory             │
 │  2. Download Packs       → Fetch from git/HTTP/registry     │
 │  3. Check Results        → Validate downloads                │
 │  4. Get Dependencies     → Parse pack.yaml                   │
 │  5. Install Dependencies → Recursive installation            │
 │  6. Build Environments   → Python/Node.js setup              │
 │  7. Run Tests           → Verify functionality               │
 │  8. Register Packs      → Load into database                 │
 │  9. Cleanup             → Remove temp files                  │
 │                                                               │
 └─────────────────────────────────────────────────────────────┘
 ```
 ### Supporting Actions
 The workflow delegates specific tasks to five core actions:
 1. **`core.download_packs`** - Download from multiple sources
 2. **`core.get_pack_dependencies`** - Parse dependency information
 3. **`core.build_pack_envs`** - Create runtime environments
 4. **`core.run_pack_tests`** - Execute test suites
 5. **`core.register_packs`** - Load components into database
 ---
 ## Workflow Details
 ### Input Parameters
 ```yaml
 parameters:
  packs:
    type: array
    description: "List of packs to install"
    required: true
    examples:
      - ["https://github.com/attune/pack-slack.git"]
      - ["slack@1.0.0", "aws@2.1.0"]
      - ["https://example.com/packs/custom.tar.gz"]
  ref_spec:
    type: string
    description: "Git reference (branch/tag/commit)"
    optional: true
  skip_dependencies: boolean
  skip_tests: boolean
  skip_env_build: boolean
  force: boolean
  registry_url: string (default: https://registry.attune.io)
  packs_base_dir: string (default: /opt/attune/packs)
  api_url: string (default: http://localhost:8080)
  timeout: integer (default: 1800)
 ```
 ### Supported Pack Sources
 #### 1. Git Repositories
 ```yaml
 packs:
  - "https://github.com/attune/pack-slack.git"
  - "git@github.com:myorg/pack-internal.git"
 ref_spec: "v1.0.0"  # Optional: branch, tag, or commit
 ```
 **Features:**
 - HTTPS and SSH URLs supported
 - Shallow clones for efficiency
 - Specific ref checkout (branch/tag/commit)
 - Submodule support (if configured)
 #### 2. HTTP Archives
 ```yaml
 packs:
  - "https://example.com/packs/custom-pack.tar.gz"
  - "https://cdn.example.com/slack-pack.zip"
 ```
 **Supported formats:**
 - `.tar.gz` / `.tgz`
 - `.zip`
 #### 3. Pack Registry References
 ```yaml
 packs:
  - "slack@1.0.0"      # Specific version
  - "aws@^2.1.0"       # Semver range
  - "kubernetes"       # Latest version
 ```
 **Features:**
 - Automatic URL resolution from registry
 - Version constraint support
 - Centralized pack metadata
 ---
 ## Action Specifications
 ### 1. Download Packs (`core.download_packs`)
 **Purpose**: Download packs from various sources to a temporary directory.
 **Responsibilities:**
 - Detect source type (git/HTTP/registry)
 - Clone git repositories with optional ref checkout
 - Download and extract HTTP archives
 - Resolve pack registry references to download URLs
 - Locate and parse `pack.yaml` files
 - Calculate directory checksums
 - Return download metadata for downstream tasks
 **Input:**
 ```yaml
 packs: ["https://github.com/attune/pack-slack.git"]
 destination_dir: "/tmp/attune-pack-install-abc123"
 registry_url: "https://registry.attune.io/index.json"
 ref_spec: "v1.0.0"
 timeout: 300
 verify_ssl: true
 api_url: "http://localhost:8080"
 ```
 **Output:**
 ```json
 {
  "downloaded_packs": [
    {
      "source": "https://github.com/attune/pack-slack.git",
      "source_type": "git",
      "pack_path": "/tmp/attune-pack-install-abc123/slack",
      "pack_ref": "slack",
      "pack_version": "1.0.0",
      "git_commit": "a1b2c3d4e5",
      "checksum": "sha256:..."
    }
  ],
  "failed_packs": [],
  "total_count": 1,
  "success_count": 1,
  "failure_count": 0
 }
 ```
 **Implementation Notes:**
 - Should call API endpoint or implement git/HTTP logic directly
 - Must handle authentication (SSH keys for git, API tokens)
 - Must validate `pack.yaml` exists and is readable
 - Should support both root-level and `pack/` subdirectory structures
 ---
 ### 2. Get Pack Dependencies (`core.get_pack_dependencies`)
 **Purpose**: Parse `pack.yaml` files to identify pack and runtime dependencies.
 **Responsibilities:**
 - Read and parse `pack.yaml` files (YAML parsing)
 - Extract `dependencies` section (pack dependencies)
 - Extract `python` and `nodejs` runtime requirements
 - Check which pack dependencies are already installed
 - Identify `requirements.txt` and `package.json` files
 - Build list of missing dependencies for installation
 **Input:**
 ```yaml
 pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
 api_url: "http://localhost:8080"
 skip_validation: false
 ```
 **Output:**
 ```json
 {
  "dependencies": [
    {
      "pack_ref": "core",
      "version_spec": ">=1.0.0",
      "required_by": "slack",
      "already_installed": true
    }
  ],
  "runtime_requirements": {
    "slack": {
      "pack_ref": "slack",
      "python": {
        "version": ">=3.8",
        "requirements_file": "/tmp/.../slack/requirements.txt"
      }
    }
  },
  "missing_dependencies": [
    {
      "pack_ref": "http",
      "version_spec": "^1.0.0",
      "required_by": "slack"
    }
  ],
  "analyzed_packs": [
    {
      "pack_ref": "slack",
      "pack_path": "/tmp/.../slack",
      "has_dependencies": true,
      "dependency_count": 2
    }
  ],
  "errors": []
 }
 ```
 **Implementation Notes:**
 - Must parse YAML files (use `yq`, Python, or API call)
 - Should call `GET /api/v1/packs` to check installed packs
 - Must handle missing or malformed `pack.yaml` files gracefully
 - Should validate version specifications (semver)
 ---
 ### 3. Build Pack Environments (`core.build_pack_envs`)
 **Purpose**: Create runtime environments and install dependencies.
 **Responsibilities:**
 - Create Python virtualenvs for packs with Python dependencies
 - Install packages from `requirements.txt` using pip
 - Run `npm install` for packs with Node.js dependencies
 - Handle environment creation failures gracefully
 - Track installed package counts and build times
 - Support force rebuild of existing environments
 **Input:**
 ```yaml
 pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
 packs_base_dir: "/opt/attune/packs"
 python_version: "3.11"
 nodejs_version: "20"
 skip_python: false
 skip_nodejs: false
 force_rebuild: false
 timeout: 600
 ```
 **Output:**
 ```json
 {
  "built_environments": [
    {
      "pack_ref": "slack",
      "pack_path": "/tmp/.../slack",
      "environments": {
        "python": {
          "virtualenv_path": "/tmp/.../slack/virtualenv",
          "requirements_installed": true,
          "package_count": 15,
          "python_version": "3.11.2"
        }
      },
      "duration_ms": 45000
    }
  ],
  "failed_environments": [],
  "summary": {
    "total_packs": 1,
    "success_count": 1,
    "failure_count": 0,
    "python_envs_built": 1,
    "nodejs_envs_built": 0,
    "total_duration_ms": 45000
  }
 }
 ```
 **Implementation Notes:**
 - Python virtualenv creation: `python -m venv {pack_path}/virtualenv`
 - Pip install: `source virtualenv/bin/activate && pip install -r requirements.txt`
 - Node.js install: `npm install --production` in pack directory
 - Must handle timeouts and cleanup on failure
 - Should use containerized workers for isolation
 ---
 ### 4. Run Pack Tests (`core.run_pack_tests`)
 **Purpose**: Execute pack test suites to verify functionality.
 **Responsibilities:**
 - Detect test framework (pytest, unittest, npm test, shell scripts)
 - Execute tests in isolated environment
 - Capture test output and results
 - Return pass/fail status with details
 - Support parallel test execution
 - Handle test timeouts
 **Input:**
 ```yaml
 pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
 timeout: 300
 fail_on_error: false
 ```
 **Output:**
 ```json
 {
  "test_results": [
    {
      "pack_ref": "slack",
      "status": "passed",
      "total_tests": 25,
      "passed": 25,
      "failed": 0,
      "skipped": 0,
      "duration_ms": 12000,
      "output": "..."
    }
  ],
  "summary": {
    "total_packs": 1,
    "all_passed": true,
    "total_tests": 25,
    "total_passed": 25,
    "total_failed": 0
  }
 }
 ```
 **Implementation Notes:**
 - Check for `test` section in `pack.yaml`
 - Default test discovery: `tests/` directory
 - Python: Run pytest or unittest
 - Node.js: Run `npm test`
 - Shell: Execute `test.sh` scripts
 - Should capture stdout/stderr for debugging
 ---
 ### 5. Register Packs (`core.register_packs`)
 **Purpose**: Validate schemas, load components into database, copy to storage.
 **Responsibilities:**
 - Validate `pack.yaml` schema
 - Scan for component files (actions, sensors, triggers, rules, workflows, policies)
 - Validate each component schema
 - Call API endpoint to register pack in database
 - Copy pack files to permanent storage (`/opt/attune/packs/{pack_ref}/`)
 - Record installation metadata
 - Handle registration rollback on failure (atomic operation)
 **Input:**
 ```yaml
 pack_paths: ["/tmp/attune-pack-install-abc123/slack"]
 packs_base_dir: "/opt/attune/packs"
 skip_validation: false
 skip_tests: false
 force: false
 api_url: "http://localhost:8080"
 api_token: "jwt_token_here"
 ```
 **Output:**
 ```json
 {
  "registered_packs": [
    {
      "pack_ref": "slack",
      "pack_id": 42,
      "pack_version": "1.0.0",
      "storage_path": "/opt/attune/packs/slack",
      "components_registered": {
        "actions": 15,
        "sensors": 3,
        "triggers": 2,
        "rules": 5,
        "workflows": 2,
        "policies": 0
      },
      "test_result": {
        "status": "passed",
        "total_tests": 25,
        "passed": 25,
        "failed": 0
      },
      "validation_results": {
        "valid": true,
        "errors": []
      }
    }
  ],
  "failed_packs": [],
  "summary": {
    "total_packs": 1,
    "success_count": 1,
    "failure_count": 0,
    "total_components": 27,
    "duration_ms": 8000
  }
 }
 ```
 **Implementation Notes:**
 - **Primary approach**: Call `POST /api/v1/packs/register` endpoint
 - The API already implements:
  - Pack metadata validation
  - Component scanning and registration
  - Database record creation
  - File copying to permanent storage
  - Installation metadata tracking
 - This action should be a thin wrapper for API calls
 - Must handle authentication (JWT token)
 - Must implement proper error handling and retries
 - Should validate API response and extract relevant data
 **API Endpoint Reference:**
 ```
 POST /api/v1/packs/register
 Content-Type: application/json
 Authorization: Bearer {token}
 {
  "path": "/tmp/attune-pack-install-abc123/slack",
  "force": false,
  "skip_tests": false
 }
 Response:
 {
  "data": {
    "pack_id": 42,
    "pack": { ... },
    "test_result": { ... }
  }
 }
 ```
 ---
 ## Workflow Execution Flow
 ### Success Path
 ```
 1. Initialize
   ↓
 2. Download Packs
   ↓ (if any downloads succeeded)
 3. Check Results
   ↓ (if not skip_dependencies)
 4. Get Dependencies
   ↓ (if missing dependencies found)
 5. Install Dependencies (recursive call)
   ↓
 6. Build Environments
   ↓ (if not skip_tests)
 7. Run Tests
   ↓
 8. Register Packs
   ↓
 9. Cleanup Success
   ✓ Complete
 ```
 ### Failure Handling
 Each stage can fail and trigger cleanup:
 - **Download fails**: Go to cleanup_on_failure
 - **Dependency installation fails**: 
  - If `force=true`: Continue to build_environments
  - If `force=false`: Go to cleanup_on_failure
 - **Environment build fails**:
  - If `force=true` or `skip_env_build=true`: Continue
  - If `force=false`: Go to cleanup_on_failure
 - **Tests fail**:
  - If `force=true`: Continue to register_packs
  - If `force=false`: Go to cleanup_on_failure
 - **Registration fails**: Go to cleanup_on_failure
 ### Force Mode Behavior
 When `force: true`:
 - ✓ Continue even if downloads fail
 - ✓ Skip dependency validation failures
 - ✓ Skip environment build failures
 - ✓ Skip test failures
 - ✓ Override existing pack installations
 **Use Cases:**
 - Development and testing
 - Emergency deployments
 - Pack upgrades
 - Recovery from partial installations
 **Warning:** Force mode bypasses safety checks. Use cautiously in production.
 ---
 ## Recursive Dependency Resolution
 The workflow supports recursive dependency installation:
 ```
 install_packs(["slack"])
  ↓
  Depends on: ["core@>=1.0.0", "http@^1.0.0"]
  ↓
  install_packs(["http"])  # Recursive call
    ↓
    Depends on: ["core@>=1.0.0"]
    ↓
    core already installed ✓
  ✓
  http installed ✓
  ↓
 slack installed ✓
 ```
 **Features:**
 - Automatically detects and installs missing dependencies
 - Prevents circular dependencies (each pack registered once)
 - Respects version constraints (semver)
 - Installs dependencies depth-first
 - Tracks installed packs to avoid duplicates
 ---
 ## Error Handling
 ### Atomic Registration
 Pack registration is atomic - all components are registered or none:
 - ✓ Validates all component schemas first
 - ✓ Creates database transaction for registration
 - ✓ Rolls back on any component failure
 - ✓ Prevents partial pack installations
 ### Cleanup Strategy
 Temporary directories are always cleaned up:
 - **On success**: Remove temp directory after registration
 - **On failure**: Remove temp directory and report errors
 - **On timeout**: Cleanup triggered by workflow timeout handler
 ### Error Reporting
 Comprehensive error information returned:
 ```json
 {
  "failed_packs": [
    {
      "pack_path": "/tmp/.../custom-pack",
      "pack_ref": "custom",
      "error": "Schema validation failed: action 'do_thing' missing required field 'runner_type'",
      "error_stage": "validation"
    }
  ]
 }
 ```
 Error stages:
 - `validation` - Schema validation failed
 - `testing` - Pack tests failed
 - `database_registration` - Database operation failed
 - `file_copy` - File system operation failed
 - `api_call` - API request failed
 ---
 ## Implementation Status
 ### ✅ Complete
 - Workflow YAML schema (`install_packs.yaml`)
 - Action YAML schemas (5 actions)
 - Action placeholder scripts (.sh files)
 - Documentation
 - Error handling structure
 - Output schemas
 ### 🔄 Requires Implementation
 All action scripts currently return placeholder responses. Each needs proper implementation:
 #### 1. `download_packs.sh`
 **Implementation Options:**
 **Option A: API-based** (Recommended)
 - Create API endpoint: `POST /api/v1/packs/download`
 - Action calls API with pack list
 - API handles git/HTTP/registry logic
 - Returns download results to action
 **Option B: Direct implementation**
 - Implement git cloning logic in script
 - Implement HTTP download and extraction
 - Implement registry lookup and resolution
 - Handle all error cases
 **Recommendation**: Option A (API-based) keeps action scripts lean and centralizes pack handling logic in the API service.
 #### 2. `get_pack_dependencies.sh`
 **Implementation approach:**
 - Parse YAML files (use `yq` tool or Python script)
 - Extract dependencies from `pack.yaml`
 - Call `GET /api/v1/packs` to get installed packs
 - Compare and build missing dependencies list
 #### 3. `build_pack_envs.sh`
 **Implementation approach:**
 - For each pack with `requirements.txt`:
  ```bash
  python -m venv {pack_path}/virtualenv
  source {pack_path}/virtualenv/bin/activate
  pip install -r {pack_path}/requirements.txt
  ```
 - For each pack with `package.json`:
  ```bash
  cd {pack_path}
  npm install --production
  ```
 - Handle timeouts and errors
 - Use containerized workers for isolation
 #### 4. `run_pack_tests.sh`
 **Implementation approach:**
 - Already exists in core pack: `core.run_pack_tests`
 - May need minor updates for integration
 - Supports pytest, unittest, npm test
 #### 5. `register_packs.sh`
 **Implementation approach:**
 - Call existing API endpoint: `POST /api/v1/packs/register`
 - Send pack path and options
 - Parse API response
 - Handle authentication (JWT token from workflow context)
 **API Integration:**
 ```bash
 curl -X POST "$API_URL/api/v1/packs/register" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"path\": \"$pack_path\",
    \"force\": $FORCE,
    \"skip_tests\": $SKIP_TESTS
  }"
 ```
 ---
 ## Testing Strategy
 ### Unit Tests
 Test each action independently:
 ```bash
 # Test download_packs with mock git repo
 ./actions/download_packs.sh \
  ATTUNE_ACTION_PACKS='["https://github.com/test/pack-test.git"]' \
  ATTUNE_ACTION_DESTINATION_DIR=/tmp/test
 # Verify output structure
 jq '.downloaded_packs | length' output.json
 ```
 ### Integration Tests
 Test complete workflow:
 ```bash
 # Execute workflow via API
 curl -X POST "$API_URL/api/v1/workflows/execute" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow": "core.install_packs",
    "input": {
      "packs": ["https://github.com/attune/pack-test.git"],
      "skip_tests": false,
      "force": false
    }
  }'
 # Check execution status
 curl "$API_URL/api/v1/executions/$EXECUTION_ID"
 # Verify pack registered
 curl "$API_URL/api/v1/packs/test-pack"
 ```
 ### End-to-End Tests
 Test with real packs:
 1. Install core pack (already installed)
 2. Install pack with dependencies
 3. Install pack from HTTP archive
 4. Install pack from registry reference
 5. Test force mode reinstallation
 6. Test error handling (invalid pack)
 ---
 ## Usage Examples
 ### Example 1: Install Single Pack from Git
 ```yaml
 workflow: core.install_packs
 input:
  packs:
    - "https://github.com/attune/pack-slack.git"
  ref_spec: "v1.0.0"
  skip_dependencies: false
  skip_tests: false
  force: false
 ```
 ### Example 2: Install Multiple Packs from Registry
 ```yaml
 workflow: core.install_packs
 input:
  packs:
    - "slack@1.0.0"
    - "aws@^2.1.0"
    - "kubernetes@>=3.0.0"
  skip_dependencies: false
  skip_tests: false
 ```
 ### Example 3: Force Reinstall with Skip Tests
 ```yaml
 workflow: core.install_packs
 input:
  packs:
    - "https://github.com/myorg/pack-custom.git"
  ref_spec: "main"
  skip_dependencies: true
  skip_tests: true
  force: true
 ```
 ### Example 4: Install from HTTP Archive
 ```yaml
 workflow: core.install_packs
 input:
  packs:
    - "https://example.com/packs/custom-pack-1.0.0.tar.gz"
  skip_dependencies: false
  skip_tests: false
 ```
 ---
 ## Future Enhancements
 ### Phase 2 Features
 1. **Pack Upgrade Workflow**
   - Detect installed version
   - Download new version
   - Run migration scripts
   - Update in-place or side-by-side
 2. **Pack Uninstall Workflow**
   - Check for dependent packs
   - Remove from database
   - Remove from filesystem
   - Optional backup before removal
 3. **Pack Validation Workflow**
   - Validate without installing
   - Check dependencies
   - Run tests in isolated environment
   - Report validation results
 4. **Batch Operations**
   - Install all packs from registry
   - Upgrade all installed packs
   - Validate all installed packs
 ### Phase 3 Features
 1. **Registry Integration**
   - Automatic version discovery
   - Dependency resolution from registry
   - Pack popularity metrics
   - Security vulnerability scanning
 2. **Advanced Dependency Management**
   - Conflict detection
   - Version constraint solving
   - Dependency graphs
   - Optional dependencies
 3. **Rollback Support**
   - Snapshot before installation
   - Rollback on failure
   - Version history
   - Migration scripts
 4. **Performance Optimizations**
   - Parallel downloads
   - Cached dependencies
   - Incremental updates
   - Build caching
 ---
 ## Related Documentation
 - [Pack Structure](../../../docs/packs/pack-structure.md) - Pack directory format
 - [Pack Installation from Git](../../../docs/packs/pack-installation-git.md) - Git installation guide
 - [Pack Registry Specification](../../../docs/packs/pack-registry-spec.md) - Registry format
 - [Pack Testing Framework](../../../docs/packs/pack-testing-framework.md) - Testing packs
 - [API Documentation](../../../docs/api/api-packs.md) - Pack API endpoints
 ---
 ## Support
 For questions or issues:
 - GitHub Issues: https://github.com/attune-io/attune/issues
 - Documentation: https://docs.attune.io/workflows/pack-installation
 - Community: https://community.attune.io
 ---
 ## Changelog
 ### v1.0.0 (2025-02-05)
 - Initial workflow schema design
 - Five supporting action schemas
 - Comprehensive documentation
 - Placeholder implementation scripts
 - Error handling structure
 - Output schemas defined
 ### Next Steps
 1. Implement `download_packs.sh` (or create API endpoint)
 2. Implement `get_pack_dependencies.sh`
 3. Implement `build_pack_envs.sh`
 4. Update `run_pack_tests.sh` if needed
 5. Implement `register_packs.sh` (API wrapper)
 6. End-to-end testing
 7. Documentation updates based on testing
--- a/docker/distributable/packs/core/workflows/install_packs.yaml
+++ b/docker/distributable/packs/core/workflows/install_packs.yaml
@@ -0,0 +1,330 @@
 # Install Packs Workflow
 # Complete workflow for installing packs from multiple sources with dependency resolution
 name: install_packs
 ref: core.install_packs
 label: "Install Packs"
 description: "Install one or more packs from git repositories, HTTP archives, or pack registry with automatic dependency resolution"
 version: "1.0.0"
 # Input parameters (StackStorm-style with inline required/secret)
 parameters:
  packs:
    type: array
    description: "List of packs to install (git URLs, HTTP URLs, or pack refs like 'slack@1.0.0')"
    items:
      type: string
    minItems: 1
    required: true
  ref_spec:
    type: string
    description: "Git reference to checkout for git URLs (branch, tag, or commit)"
  skip_dependencies:
    type: boolean
    description: "Skip installing pack dependencies"
    default: false
  skip_tests:
    type: boolean
    description: "Skip running pack tests before registration"
    default: false
  skip_env_build:
    type: boolean
    description: "Skip building runtime environments (Python/Node.js)"
    default: false
  force:
    type: boolean
    description: "Force installation even if packs already exist or tests fail"
    default: false
  registry_url:
    type: string
    description: "Pack registry URL for resolving pack refs"
    default: "https://registry.attune.io/index.json"
  packs_base_dir:
    type: string
    description: "Base directory for permanent pack storage"
    default: "/opt/attune/packs"
  api_url:
    type: string
    description: "Attune API URL"
    default: "http://localhost:8080"
  timeout:
    type: integer
    description: "Timeout in seconds for the entire workflow"
    default: 1800
    minimum: 300
    maximum: 7200
 # Workflow variables
 vars:
  - temp_dir: null
  - downloaded_packs: []
  - missing_dependencies: []
  - installed_pack_refs: []
  - failed_packs: []
  - start_time: null
 # Workflow tasks
 tasks:
  # Task 1: Initialize workflow
  - name: initialize
    action: core.noop
    input:
      message: "Starting pack installation workflow"
    publish:
      - start_time: "{{ now() }}"
      - temp_dir: "/tmp/attune-pack-install-{{ uuid() }}"
    on_success: download_packs
  # Task 2: Download packs from specified sources
  - name: download_packs
    action: core.download_packs
    input:
      packs: "{{ parameters.packs }}"
      destination_dir: "{{ workflow.temp_dir }}"
      registry_url: "{{ parameters.registry_url }}"
      ref_spec: "{{ parameters.ref_spec }}"
      api_url: "{{ parameters.api_url }}"
      timeout: 300
      verify_ssl: true
    publish:
      - downloaded_packs: "{{ task.download_packs.result.downloaded_packs }}"
      - failed_packs: "{{ task.download_packs.result.failed_packs }}"
    on_success:
      - when: "{{ task.download_packs.result.success_count > 0 }}"
        do: check_download_results
    on_failure: cleanup_on_failure
  # Task 3: Check if any packs were successfully downloaded
  - name: check_download_results
    action: core.noop
    input:
      message: "Downloaded {{ task.download_packs.result.success_count }} pack(s)"
    on_success:
      - when: "{{ not parameters.skip_dependencies }}"
        do: get_dependencies
      - when: "{{ parameters.skip_dependencies }}"
        do: build_environments
  # Task 4: Get pack dependencies from pack.yaml files
  - name: get_dependencies
    action: core.get_pack_dependencies
    input:
      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
      api_url: "{{ parameters.api_url }}"
      skip_validation: false
    publish:
      - missing_dependencies: "{{ task.get_dependencies.result.missing_dependencies }}"
    on_success:
      - when: "{{ task.get_dependencies.result.missing_dependencies | length > 0 }}"
        do: install_dependencies
      - when: "{{ task.get_dependencies.result.missing_dependencies | length == 0 }}"
        do: build_environments
    on_failure: cleanup_on_failure
  # Task 5: Recursively install missing pack dependencies
  - name: install_dependencies
    action: core.install_packs
    input:
      packs: "{{ workflow.missing_dependencies | map(attribute='pack_ref') | list }}"
      skip_dependencies: false
      skip_tests: "{{ parameters.skip_tests }}"
      skip_env_build: "{{ parameters.skip_env_build }}"
      force: "{{ parameters.force }}"
      registry_url: "{{ parameters.registry_url }}"
      packs_base_dir: "{{ parameters.packs_base_dir }}"
      api_url: "{{ parameters.api_url }}"
      timeout: 900
    publish:
      - installed_pack_refs: "{{ task.install_dependencies.result.registered_packs | map(attribute='pack_ref') | list }}"
    on_success: build_environments
    on_failure:
      - when: "{{ parameters.force }}"
        do: build_environments
      - when: "{{ not parameters.force }}"
        do: cleanup_on_failure
  # Task 6: Build runtime environments (Python virtualenvs, npm install)
  - name: build_environments
    action: core.build_pack_envs
    input:
      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
      packs_base_dir: "{{ parameters.packs_base_dir }}"
      python_version: "3.11"
      nodejs_version: "20"
      skip_python: false
      skip_nodejs: false
      force_rebuild: "{{ parameters.force }}"
      timeout: 600
    on_success:
      - when: "{{ not parameters.skip_tests }}"
        do: run_tests
      - when: "{{ parameters.skip_tests }}"
        do: register_packs
    on_failure:
      - when: "{{ parameters.force or parameters.skip_env_build }}"
        do:
          - when: "{{ not parameters.skip_tests }}"
            next: run_tests
          - when: "{{ parameters.skip_tests }}"
            next: register_packs
      - when: "{{ not parameters.force and not parameters.skip_env_build }}"
        do: cleanup_on_failure
  # Task 7: Run pack tests to verify functionality
  - name: run_tests
    action: core.run_pack_tests
    input:
      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
      timeout: 300
      fail_on_error: false
    on_success: register_packs
    on_failure:
      - when: "{{ parameters.force }}"
        do: register_packs
      - when: "{{ not parameters.force }}"
        do: cleanup_on_failure
  # Task 8: Register packs in database and copy to permanent storage
  - name: register_packs
    action: core.register_packs
    input:
      pack_paths: "{{ workflow.downloaded_packs | map(attribute='pack_path') | list }}"
      packs_base_dir: "{{ parameters.packs_base_dir }}"
      skip_validation: false
      skip_tests: "{{ parameters.skip_tests }}"
      force: "{{ parameters.force }}"
      api_url: "{{ parameters.api_url }}"
    on_success: cleanup_success
    on_failure: cleanup_on_failure
  # Task 9: Cleanup temporary directory on success
  - name: cleanup_success
    action: core.noop
    input:
      message: "Pack installation completed successfully. Cleaning up temporary directory: {{ workflow.temp_dir }}"
    publish:
      - cleanup_status: "success"
  # Task 10: Cleanup temporary directory on failure
  - name: cleanup_on_failure
    action: core.noop
    input:
      message: "Pack installation failed. Cleaning up temporary directory: {{ workflow.temp_dir }}"
    publish:
      - cleanup_status: "failed"
 # Output schema
 output_schema:
  registered_packs:
    type: array
    description: "Successfully registered packs"
    items:
      type: object
      properties:
        pack_ref:
          type: string
        pack_id:
          type: integer
        pack_version:
          type: string
        storage_path:
          type: string
        components_count:
          type: integer
  failed_packs:
    type: array
    description: "Packs that failed to install"
    items:
      type: object
      properties:
        source:
          type: string
        error:
          type: string
        stage:
          type: string
  installed_dependencies:
    type: array
    description: "Pack dependencies that were installed"
    items:
      type: string
  summary:
    type: object
    description: "Installation summary"
    properties:
      total_requested:
        type: integer
      success_count:
        type: integer
      failure_count:
        type: integer
      dependencies_installed:
        type: integer
      duration_seconds:
        type: integer
 # Metadata
 metadata:
  description: |
    This workflow orchestrates the complete pack installation process:
    1. Download Packs: Downloads packs from git repositories, HTTP archives, or pack registry
    2. Get Dependencies: Analyzes pack.yaml files to identify dependencies
    3. Install Dependencies: Recursively installs missing pack dependencies
    4. Build Environments: Creates Python virtualenvs, installs requirements.txt and package.json deps
    5. Run Tests: Executes pack test suites (if present and not skipped)
    6. Register Packs: Loads pack components into database and copies to permanent storage
    The workflow supports:
    - Multiple pack sources (git URLs, HTTP archives, pack refs)
    - Automatic dependency resolution (recursive)
    - Runtime environment setup (Python, Node.js)
    - Pack testing before registration
    - Force mode to override validation failures
    - Comprehensive error handling and cleanup
  examples:
    - name: "Install pack from git repository"
      input:
        packs:
          - "https://github.com/attune/pack-slack.git"
        ref_spec: "v1.0.0"
        skip_dependencies: false
        skip_tests: false
        force: false
    - name: "Install multiple packs from registry"
      input:
        packs:
          - "slack@1.0.0"
          - "aws@2.1.0"
          - "kubernetes@3.0.0"
        skip_dependencies: false
        skip_tests: false
        force: false
    - name: "Install pack with force mode (skip validations)"
      input:
        packs:
          - "https://github.com/myorg/pack-custom.git"
        ref_spec: "main"
        skip_dependencies: true
        skip_tests: true
        force: true
    - name: "Install from HTTP archive"
      input:
        packs:
          - "https://example.com/packs/custom-pack.tar.gz"
        skip_dependencies: false
        skip_tests: false
        force: false
  tags:
    - pack
    - installation
    - workflow
    - automation
    - dependencies
    - git
    - registry
--- a/docker/distributable/scripts/load_core_pack.py
+++ b/docker/distributable/scripts/load_core_pack.py
@@ -0,0 +1,881 @@
 #!/usr/bin/env python3
 """
 Pack Loader for Attune
 This script loads a pack from the filesystem into the database.
 It reads pack.yaml, permission set definitions, action definitions, trigger
 definitions, and sensor definitions and creates all necessary database entries.
 Usage:
    python3 scripts/load_core_pack.py [--database-url URL] [--pack-dir DIR] [--pack-name NAME]
 Environment Variables:
    DATABASE_URL: PostgreSQL connection string (default: from config or localhost)
    ATTUNE_PACKS_DIR: Base directory for packs (default: ./packs)
 """
 import argparse
 import json
 import os
 import sys
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 import psycopg2
 import psycopg2.extras
 import yaml
 # Default configuration
 DEFAULT_DATABASE_URL = "postgresql://postgres:postgres@localhost:5432/attune"
 DEFAULT_PACKS_DIR = "./packs"
 def generate_label(name: str) -> str:
    """Generate a human-readable label from a name.
    Examples:
        'crontimer' -> 'Crontimer'
        'http_request' -> 'Http Request'
        'datetime_timer' -> 'Datetime Timer'
    """
    # Replace underscores with spaces and capitalize each word
    return " ".join(word.capitalize() for word in name.replace("_", " ").split())
 class PackLoader:
    """Loads a pack into the database"""
    def __init__(
        self, database_url: str, packs_dir: Path, pack_name: str, schema: str = "public"
    ):
        self.database_url = database_url
        self.packs_dir = packs_dir
        self.pack_name = pack_name
        self.pack_dir = packs_dir / pack_name
        self.schema = schema
        self.conn = None
        self.pack_id = None
        self.pack_ref = None
    def connect(self):
        """Connect to the database"""
        print(f"Connecting to database...")
        self.conn = psycopg2.connect(self.database_url)
        self.conn.autocommit = False
        # Set search_path to use the correct schema
        cursor = self.conn.cursor()
        cursor.execute(f"SET search_path TO {self.schema}, public")
        cursor.close()
        self.conn.commit()
        print(f"✓ Connected to database (schema: {self.schema})")
    def close(self):
        """Close database connection"""
        if self.conn:
            self.conn.close()
    def load_yaml(self, file_path: Path) -> Dict[str, Any]:
        """Load and parse YAML file"""
        with open(file_path, "r") as f:
            return yaml.safe_load(f)
    def upsert_pack(self) -> int:
        """Create or update the pack"""
        print("\n→ Loading pack metadata...")
        pack_yaml_path = self.pack_dir / "pack.yaml"
        if not pack_yaml_path.exists():
            raise FileNotFoundError(f"pack.yaml not found at {pack_yaml_path}")
        pack_data = self.load_yaml(pack_yaml_path)
        cursor = self.conn.cursor()
        # Prepare pack data
        ref = pack_data["ref"]
        self.pack_ref = ref
        label = pack_data["label"]
        description = pack_data.get("description", "")
        version = pack_data["version"]
        conf_schema = json.dumps(pack_data.get("conf_schema", {}))
        config = json.dumps(pack_data.get("config", {}))
        meta = json.dumps(pack_data.get("meta", {}))
        tags = pack_data.get("tags", [])
        runtime_deps = pack_data.get("runtime_deps", [])
        is_standard = pack_data.get("system", False)
        # Upsert pack
        cursor.execute(
            """
            INSERT INTO pack (
                ref, label, description, version,
                conf_schema, config, meta, tags, runtime_deps, is_standard
            )
            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
            ON CONFLICT (ref) DO UPDATE SET
                label = EXCLUDED.label,
                description = EXCLUDED.description,
                version = EXCLUDED.version,
                conf_schema = EXCLUDED.conf_schema,
                config = EXCLUDED.config,
                meta = EXCLUDED.meta,
                tags = EXCLUDED.tags,
                runtime_deps = EXCLUDED.runtime_deps,
                is_standard = EXCLUDED.is_standard,
                updated = NOW()
            RETURNING id
        """,
            (
                ref,
                label,
                description,
                version,
                conf_schema,
                config,
                meta,
                tags,
                runtime_deps,
                is_standard,
            ),
        )
        self.pack_id = cursor.fetchone()[0]
        cursor.close()
        print(f"✓ Pack '{ref}' loaded (ID: {self.pack_id})")
        return self.pack_id
    def upsert_permission_sets(self) -> Dict[str, int]:
        """Load permission set definitions from permission_sets/*.yaml."""
        print("\n→ Loading permission sets...")
        permission_sets_dir = self.pack_dir / "permission_sets"
        if not permission_sets_dir.exists():
            print("  No permission_sets directory found")
            return {}
        permission_set_ids = {}
        cursor = self.conn.cursor()
        for yaml_file in sorted(permission_sets_dir.glob("*.yaml")):
            permission_set_data = self.load_yaml(yaml_file)
            if not permission_set_data:
                continue
            ref = permission_set_data.get("ref")
            if not ref:
                print(
                    f"  ⚠ Permission set YAML {yaml_file.name} missing 'ref' field, skipping"
                )
                continue
            label = permission_set_data.get("label")
            description = permission_set_data.get("description")
            grants = permission_set_data.get("grants", [])
            if not isinstance(grants, list):
                print(
                    f"  ⚠ Permission set '{ref}' has non-array grants, skipping"
                )
                continue
            cursor.execute(
                """
                INSERT INTO permission_set (
                    ref, pack, pack_ref, label, description, grants
                )
                VALUES (%s, %s, %s, %s, %s, %s)
                ON CONFLICT (ref) DO UPDATE SET
                    label = EXCLUDED.label,
                    description = EXCLUDED.description,
                    grants = EXCLUDED.grants,
                    updated = NOW()
                RETURNING id
            """,
                (
                    ref,
                    self.pack_id,
                    self.pack_ref,
                    label,
                    description,
                    json.dumps(grants),
                ),
            )
            permission_set_id = cursor.fetchone()[0]
            permission_set_ids[ref] = permission_set_id
            print(f"  ✓ Permission set '{ref}' (ID: {permission_set_id})")
        cursor.close()
        return permission_set_ids
    def upsert_triggers(self) -> Dict[str, int]:
        """Load trigger definitions"""
        print("\n→ Loading triggers...")
        triggers_dir = self.pack_dir / "triggers"
        if not triggers_dir.exists():
            print("  No triggers directory found")
            return {}
        trigger_ids = {}
        cursor = self.conn.cursor()
        for yaml_file in sorted(triggers_dir.glob("*.yaml")):
            trigger_data = self.load_yaml(yaml_file)
            # Use ref from YAML (new format) or construct from name (old format)
            ref = trigger_data.get("ref")
            if not ref:
                # Fallback for old format - should not happen with new pack format
                ref = f"{self.pack_ref}.{trigger_data['name']}"
            # Extract name from ref for label generation
            name = ref.split(".")[-1] if "." in ref else ref
            label = trigger_data.get("label") or generate_label(name)
            description = trigger_data.get("description", "")
            enabled = trigger_data.get("enabled", True)
            param_schema = json.dumps(trigger_data.get("parameters", {}))
            out_schema = json.dumps(trigger_data.get("output", {}))
            cursor.execute(
                """
                INSERT INTO trigger (
                    ref, pack, pack_ref, label, description,
                    enabled, param_schema, out_schema, is_adhoc
                )
                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)
                ON CONFLICT (ref) DO UPDATE SET
                    label = EXCLUDED.label,
                    description = EXCLUDED.description,
                    enabled = EXCLUDED.enabled,
                    param_schema = EXCLUDED.param_schema,
                    out_schema = EXCLUDED.out_schema,
                    updated = NOW()
                RETURNING id
            """,
                (
                    ref,
                    self.pack_id,
                    self.pack_ref,
                    label,
                    description,
                    enabled,
                    param_schema,
                    out_schema,
                    False,  # Pack-installed triggers are not ad-hoc
                ),
            )
            trigger_id = cursor.fetchone()[0]
            trigger_ids[ref] = trigger_id
            print(f"  ✓ Trigger '{ref}' (ID: {trigger_id})")
        cursor.close()
        return trigger_ids
    def upsert_runtimes(self) -> Dict[str, int]:
        """Load runtime definitions from runtimes/*.yaml"""
        print("\n→ Loading runtimes...")
        runtimes_dir = self.pack_dir / "runtimes"
        if not runtimes_dir.exists():
            print("  No runtimes directory found")
            return {}
        runtime_ids = {}
        cursor = self.conn.cursor()
        for yaml_file in sorted(runtimes_dir.glob("*.yaml")):
            runtime_data = self.load_yaml(yaml_file)
            if not runtime_data:
                continue
            ref = runtime_data.get("ref")
            if not ref:
                print(
                    f"  ⚠ Runtime YAML {yaml_file.name} missing 'ref' field, skipping"
                )
                continue
            name = runtime_data.get("name", ref.split(".")[-1])
            description = runtime_data.get("description", "")
            aliases = [alias.lower() for alias in runtime_data.get("aliases", [])]
            distributions = json.dumps(runtime_data.get("distributions", {}))
            installation = json.dumps(runtime_data.get("installation", {}))
            execution_config = json.dumps(runtime_data.get("execution_config", {}))
            cursor.execute(
                """
                INSERT INTO runtime (
                    ref, pack, pack_ref, name, description,
                    aliases, distributions, installation, execution_config
                )
                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)
                ON CONFLICT (ref) DO UPDATE SET
                    name = EXCLUDED.name,
                    description = EXCLUDED.description,
                    aliases = EXCLUDED.aliases,
                    distributions = EXCLUDED.distributions,
                    installation = EXCLUDED.installation,
                    execution_config = EXCLUDED.execution_config,
                    updated = NOW()
                RETURNING id
            """,
                (
                    ref,
                    self.pack_id,
                    self.pack_ref,
                    name,
                    description,
                    aliases,
                    distributions,
                    installation,
                    execution_config,
                ),
            )
            runtime_id = cursor.fetchone()[0]
            runtime_ids[ref] = runtime_id
            # Also index by lowercase name for easy lookup by runner_type
            runtime_ids[name.lower()] = runtime_id
            for alias in aliases:
                runtime_ids[alias] = runtime_id
            print(f"  ✓ Runtime '{ref}' (ID: {runtime_id})")
        cursor.close()
        return runtime_ids
    def resolve_action_runtime(
        self, action_data: Dict, runtime_ids: Dict[str, int]
    ) -> Optional[int]:
        """Resolve the runtime ID for an action based on runner_type or entrypoint."""
        runner_type = action_data.get("runner_type", "").lower()
        if not runner_type:
            # Try to infer from entrypoint extension
            entrypoint = action_data.get("entry_point", "")
            if entrypoint.endswith(".py"):
                runner_type = "python"
            elif entrypoint.endswith(".js"):
                runner_type = "node.js"
            else:
                runner_type = "shell"
        # Map runner_type names to runtime refs/names
        lookup_keys = {
            "shell": ["shell", "core.shell"],
            "python": ["python", "core.python"],
            "python3": ["python", "core.python"],
            "node": ["node.js", "nodejs", "core.nodejs"],
            "nodejs": ["node.js", "nodejs", "core.nodejs"],
            "node.js": ["node.js", "nodejs", "core.nodejs"],
            "native": ["native", "core.native"],
        }
        keys_to_try = lookup_keys.get(runner_type, [runner_type])
        for key in keys_to_try:
            if key in runtime_ids:
                return runtime_ids[key]
        print(f"  ⚠ Could not resolve runtime for runner_type '{runner_type}'")
        return None
    def upsert_workflow_definition(
        self,
        cursor,
        workflow_file_path: str,
        action_ref: str,
        action_data: Dict[str, Any],
    ) -> Optional[int]:
        """Load a workflow definition file and upsert it in the database.
        When an action YAML contains a `workflow_file` field, this method reads
        the referenced workflow YAML, creates or updates the corresponding
        `workflow_definition` row, and returns its ID so the action can be linked
        via the `workflow_def` FK.
        The action YAML's `parameters` and `output` fields take precedence over
        the workflow file's own schemas (allowing the action to customise the
        exposed interface without touching the workflow graph).
        Args:
            cursor: Database cursor.
            workflow_file_path: Path to the workflow file relative to the
                ``actions/`` directory (e.g. ``workflows/deploy.workflow.yaml``).
            action_ref: The ref of the action that references this workflow.
            action_data: The parsed action YAML dict (used for schema overrides).
        Returns:
            The database ID of the workflow_definition row, or None on failure.
        """
        actions_dir = self.pack_dir / "actions"
        full_path = actions_dir / workflow_file_path
        if not full_path.exists():
            print(f"  ⚠ Workflow file '{workflow_file_path}' not found at {full_path}")
            return None
        try:
            workflow_data = self.load_yaml(full_path)
        except Exception as e:
            print(f"  ⚠ Failed to parse workflow file '{workflow_file_path}': {e}")
            return None
        # The action YAML is authoritative for action-level metadata.
        # Fall back to the workflow file's own values only when present
        # (standalone workflow files in workflows/ still carry them).
        workflow_ref = workflow_data.get("ref") or action_ref
        label = workflow_data.get("label") or action_data.get("label", "")
        description = workflow_data.get("description") or action_data.get(
            "description", ""
        )
        version = workflow_data.get("version", "1.0.0")
        tags = workflow_data.get("tags") or action_data.get("tags", [])
        # The action YAML is authoritative for param_schema / out_schema.
        # Fall back to the workflow file's own schemas only if the action
        # YAML doesn't define them.
        param_schema = action_data.get("parameters") or workflow_data.get("parameters")
        out_schema = action_data.get("output") or workflow_data.get("output")
        param_schema_json = json.dumps(param_schema) if param_schema else None
        out_schema_json = json.dumps(out_schema) if out_schema else None
        # Store the full workflow definition as JSON
        definition_json = json.dumps(workflow_data)
        tags_list = tags if isinstance(tags, list) else []
        cursor.execute(
            """
            INSERT INTO workflow_definition (
                ref, pack, pack_ref, label, description, version,
                param_schema, out_schema, definition, tags, enabled
            )
            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
            ON CONFLICT (ref) DO UPDATE SET
                label = EXCLUDED.label,
                description = EXCLUDED.description,
                version = EXCLUDED.version,
                param_schema = EXCLUDED.param_schema,
                out_schema = EXCLUDED.out_schema,
                definition = EXCLUDED.definition,
                tags = EXCLUDED.tags,
                enabled = EXCLUDED.enabled,
                updated = NOW()
            RETURNING id
        """,
            (
                workflow_ref,
                self.pack_id,
                self.pack_ref,
                label,
                description,
                version,
                param_schema_json,
                out_schema_json,
                definition_json,
                tags_list,
                True,
            ),
        )
        workflow_def_id = cursor.fetchone()[0]
        print(f"    ✓ Workflow definition '{workflow_ref}' (ID: {workflow_def_id})")
        return workflow_def_id
    def upsert_actions(self, runtime_ids: Dict[str, int]) -> Dict[str, int]:
        """Load action definitions.
        When an action YAML contains a ``workflow_file`` field, the loader reads
        the referenced workflow definition, upserts a ``workflow_definition``
        record, and links the action to it via ``action.workflow_def``.  This
        allows the action YAML to control action-level metadata independently
        of the workflow graph, and lets multiple actions share a workflow file.
        """
        print("\n→ Loading actions...")
        actions_dir = self.pack_dir / "actions"
        if not actions_dir.exists():
            print("  No actions directory found")
            return {}
        action_ids = {}
        workflow_count = 0
        cursor = self.conn.cursor()
        for yaml_file in sorted(actions_dir.glob("*.yaml")):
            action_data = self.load_yaml(yaml_file)
            # Use ref from YAML (new format) or construct from name (old format)
            ref = action_data.get("ref")
            if not ref:
                # Fallback for old format - should not happen with new pack format
                ref = f"{self.pack_ref}.{action_data['name']}"
            # Extract name from ref for label generation and entrypoint detection
            name = ref.split(".")[-1] if "." in ref else ref
            label = action_data.get("label") or generate_label(name)
            description = action_data.get("description", "")
            # ── Workflow file handling ───────────────────────────────────
            workflow_file = action_data.get("workflow_file")
            workflow_def_id: Optional[int] = None
            if workflow_file:
                workflow_def_id = self.upsert_workflow_definition(
                    cursor, workflow_file, ref, action_data
                )
                if workflow_def_id is not None:
                    workflow_count += 1
            # For workflow actions the entrypoint is the workflow file path;
            # for regular actions it comes from entry_point in the YAML.
            if workflow_file:
                entrypoint = workflow_file
            else:
                entrypoint = action_data.get("entry_point", "")
                if not entrypoint:
                    # Try to find corresponding script file
                    for ext in [".sh", ".py"]:
                        script_path = actions_dir / f"{name}{ext}"
                        if script_path.exists():
                            entrypoint = str(script_path.relative_to(self.packs_dir))
                            break
            # Resolve runtime ID (workflow actions have no runtime)
            if workflow_file:
                runtime_id = None
            else:
                runtime_id = self.resolve_action_runtime(action_data, runtime_ids)
            param_schema = json.dumps(action_data.get("parameters", {}))
            out_schema = json.dumps(action_data.get("output", {}))
            # Parameter delivery and format (defaults: stdin + json for security)
            parameter_delivery = action_data.get("parameter_delivery", "stdin").lower()
            parameter_format = action_data.get("parameter_format", "json").lower()
            # Output format (defaults: text for no parsing)
            output_format = action_data.get("output_format", "text").lower()
            # Validate parameter delivery method (only stdin and file allowed)
            if parameter_delivery not in ["stdin", "file"]:
                print(
                    f"  ⚠ Invalid parameter_delivery '{parameter_delivery}' for '{ref}', defaulting to 'stdin'"
                )
                parameter_delivery = "stdin"
            # Validate parameter format
            if parameter_format not in ["dotenv", "json", "yaml"]:
                print(
                    f"  ⚠ Invalid parameter_format '{parameter_format}' for '{ref}', defaulting to 'json'"
                )
                parameter_format = "json"
            # Validate output format
            if output_format not in ["text", "json", "yaml", "jsonl"]:
                print(
                    f"  ⚠ Invalid output_format '{output_format}' for '{ref}', defaulting to 'text'"
                )
                output_format = "text"
            cursor.execute(
                """
                INSERT INTO action (
                    ref, pack, pack_ref, label, description,
                    entrypoint, runtime, param_schema, out_schema, is_adhoc,
                    parameter_delivery, parameter_format, output_format
                )
                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
                ON CONFLICT (ref) DO UPDATE SET
                    label = EXCLUDED.label,
                    description = EXCLUDED.description,
                    entrypoint = EXCLUDED.entrypoint,
                    param_schema = EXCLUDED.param_schema,
                    out_schema = EXCLUDED.out_schema,
                    parameter_delivery = EXCLUDED.parameter_delivery,
                    parameter_format = EXCLUDED.parameter_format,
                    output_format = EXCLUDED.output_format,
                    updated = NOW()
                RETURNING id
            """,
                (
                    ref,
                    self.pack_id,
                    self.pack_ref,
                    label,
                    description,
                    entrypoint,
                    runtime_id,
                    param_schema,
                    out_schema,
                    False,  # Pack-installed actions are not ad-hoc
                    parameter_delivery,
                    parameter_format,
                    output_format,
                ),
            )
            action_id = cursor.fetchone()[0]
            action_ids[ref] = action_id
            # Link action to workflow definition if present
            if workflow_def_id is not None:
                cursor.execute(
                    """
                    UPDATE action SET workflow_def = %s, updated = NOW()
                    WHERE id = %s
                """,
                    (workflow_def_id, action_id),
                )
                print(
                    f"  ✓ Action '{ref}' (ID: {action_id}) → workflow def {workflow_def_id}"
                )
            else:
                print(f"  ✓ Action '{ref}' (ID: {action_id})")
        cursor.close()
        if workflow_count > 0:
            print(f"  ({workflow_count} workflow definition(s) registered)")
        return action_ids
    def upsert_sensors(
        self, trigger_ids: Dict[str, int], runtime_ids: Dict[str, int]
    ) -> Dict[str, int]:
        """Load sensor definitions"""
        print("\n→ Loading sensors...")
        sensors_dir = self.pack_dir / "sensors"
        if not sensors_dir.exists():
            print("  No sensors directory found")
            return {}
        sensor_ids = {}
        cursor = self.conn.cursor()
        # Runtime name mapping: runner_type values to core runtime refs
        runner_type_to_ref = {
            "native": "core.native",
            "standalone": "core.native",
            "builtin": "core.native",
            "shell": "core.shell",
            "bash": "core.shell",
            "sh": "core.shell",
            "python": "core.python",
            "python3": "core.python",
            "node": "core.nodejs",
            "nodejs": "core.nodejs",
            "node.js": "core.nodejs",
        }
        for yaml_file in sorted(sensors_dir.glob("*.yaml")):
            sensor_data = self.load_yaml(yaml_file)
            # Use ref from YAML (new format) or construct from name (old format)
            ref = sensor_data.get("ref")
            if not ref:
                # Fallback for old format - should not happen with new pack format
                ref = f"{self.pack_ref}.{sensor_data['name']}"
            # Extract name from ref for label generation and entrypoint detection
            name = ref.split(".")[-1] if "." in ref else ref
            label = sensor_data.get("label") or generate_label(name)
            description = sensor_data.get("description", "")
            enabled = sensor_data.get("enabled", True)
            # Get trigger reference (handle both trigger_type and trigger_types)
            trigger_types = sensor_data.get("trigger_types", [])
            if not trigger_types:
                # Fallback to singular trigger_type
                trigger_type = sensor_data.get("trigger_type", "")
                trigger_types = [trigger_type] if trigger_type else []
            # Use the first trigger type (sensors currently support one trigger)
            trigger_ref = None
            trigger_id = None
            if trigger_types:
                # Check if it's already a full ref or just the type name
                first_trigger = trigger_types[0]
                if "." in first_trigger:
                    trigger_ref = first_trigger
                else:
                    trigger_ref = f"{self.pack_ref}.{first_trigger}"
                trigger_id = trigger_ids.get(trigger_ref)
            # Resolve sensor runtime from YAML runner_type field
            # Defaults to "native" (compiled binary, no interpreter)
            runner_type = sensor_data.get("runner_type", "native").lower()
            runtime_ref = runner_type_to_ref.get(runner_type, runner_type)
            # Look up runtime ID: try the mapped ref, then the raw runner_type
            sensor_runtime_id = runtime_ids.get(runtime_ref)
            if not sensor_runtime_id:
                # Try looking up by the short name (e.g., "python" key in runtime_ids)
                sensor_runtime_id = runtime_ids.get(runner_type)
            if not sensor_runtime_id:
                print(
                    f"  ⚠ No runtime found for runner_type '{runner_type}' (ref: {runtime_ref}), sensor will have no runtime"
                )
            # Determine entrypoint
            entry_point = sensor_data.get("entry_point", "")
            if not entry_point:
                for ext in [".py", ".sh"]:
                    script_path = sensors_dir / f"{name}{ext}"
                    if script_path.exists():
                        entry_point = str(script_path.relative_to(self.packs_dir))
                        break
            config = json.dumps(sensor_data.get("config", {}))
            cursor.execute(
                """
                INSERT INTO sensor (
                    ref, pack, pack_ref, label, description,
                    entrypoint, runtime, runtime_ref, trigger, trigger_ref,
                    enabled, config
                )
                VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
                ON CONFLICT (ref) DO UPDATE SET
                    label = EXCLUDED.label,
                    description = EXCLUDED.description,
                    entrypoint = EXCLUDED.entrypoint,
                    runtime = EXCLUDED.runtime,
                    runtime_ref = EXCLUDED.runtime_ref,
                    trigger = EXCLUDED.trigger,
                    trigger_ref = EXCLUDED.trigger_ref,
                    enabled = EXCLUDED.enabled,
                    config = EXCLUDED.config,
                    updated = NOW()
                RETURNING id
            """,
                (
                    ref,
                    self.pack_id,
                    self.pack_ref,
                    label,
                    description,
                    entry_point,
                    sensor_runtime_id,
                    runtime_ref,
                    trigger_id,
                    trigger_ref,
                    enabled,
                    config,
                ),
            )
            sensor_id = cursor.fetchone()[0]
            sensor_ids[ref] = sensor_id
            print(f"  ✓ Sensor '{ref}' (ID: {sensor_id})")
        cursor.close()
        return sensor_ids
    def load_pack(self):
        """Main loading process.
        Components are loaded in dependency order:
        1. Permission sets (no dependencies)
        2. Runtimes (no dependencies)
        3. Triggers (no dependencies)
        4. Actions (depend on runtime; workflow actions also create
           workflow_definition records)
        5. Sensors (depend on triggers and runtime)
        """
        print("=" * 60)
        print(f"Pack Loader - {self.pack_name}")
        print("=" * 60)
        if not self.pack_dir.exists():
            raise FileNotFoundError(f"Pack directory not found: {self.pack_dir}")
        try:
            self.connect()
            # Load pack metadata
            self.upsert_pack()
            # Load permission sets first (authorization metadata)
            permission_set_ids = self.upsert_permission_sets()
            # Load runtimes (actions and sensors depend on them)
            runtime_ids = self.upsert_runtimes()
            # Load triggers
            trigger_ids = self.upsert_triggers()
            # Load actions (with runtime resolution + workflow definitions)
            action_ids = self.upsert_actions(runtime_ids)
            # Load sensors
            sensor_ids = self.upsert_sensors(trigger_ids, runtime_ids)
            # Commit all changes
            self.conn.commit()
            print("\n" + "=" * 60)
            print(f"✓ Pack '{self.pack_name}' loaded successfully!")
            print("=" * 60)
            print(f"  Pack ID: {self.pack_id}")
            print(f"  Permission sets: {len(permission_set_ids)}")
            print(f"  Runtimes: {len(set(runtime_ids.values()))}")
            print(f"  Triggers: {len(trigger_ids)}")
            print(f"  Actions: {len(action_ids)}")
            print(f"  Sensors: {len(sensor_ids)}")
            print()
        except Exception as e:
            if self.conn:
                self.conn.rollback()
            print(f"\n✗ Error loading pack '{self.pack_name}': {e}")
            import traceback
            traceback.print_exc()
            sys.exit(1)
        finally:
            self.close()
 def main():
    parser = argparse.ArgumentParser(description="Load a pack into the Attune database")
    parser.add_argument(
        "--database-url",
        default=os.getenv("DATABASE_URL", DEFAULT_DATABASE_URL),
        help=f"PostgreSQL connection string (default: {DEFAULT_DATABASE_URL})",
    )
    parser.add_argument(
        "--pack-dir",
        type=Path,
        default=Path(os.getenv("ATTUNE_PACKS_DIR", DEFAULT_PACKS_DIR)),
        help=f"Base directory for packs (default: {DEFAULT_PACKS_DIR})",
    )
    parser.add_argument(
        "--pack-name",
        default="core",
        help="Name of the pack to load (default: core)",
    )
    parser.add_argument(
        "--schema",
        default=os.getenv("DB_SCHEMA", "public"),
        help="Database schema to use (default: public)",
    )
    parser.add_argument(
        "--dry-run",
        action="store_true",
        help="Print what would be done without making changes",
    )
    args = parser.parse_args()
    if args.dry_run:
        print("DRY RUN MODE: No changes will be made")
        print()
    loader = PackLoader(args.database_url, args.pack_dir, args.pack_name, args.schema)
    loader.load_pack()
 if __name__ == "__main__":
    main()
--- a/scripts/package-docker-dist.sh
+++ b/scripts/package-docker-dist.sh
@@ -0,0 +1,47 @@
 #!/usr/bin/env bash
 set -euo pipefail
 repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 bundle_dir="${1:-${repo_root}/docker/distributable}"
 archive_path="${2:-${repo_root}/artifacts/attune-docker-dist.tar.gz}"
 template_dir="${repo_root}/docker/distributable"
 bundle_dir="$(realpath -m "${bundle_dir}")"
 archive_path="$(realpath -m "${archive_path}")"
 template_dir="$(realpath -m "${template_dir}")"
 mkdir -p "${bundle_dir}/docker" "${bundle_dir}/migrations" "${bundle_dir}/packs" "${bundle_dir}/scripts"
 mkdir -p "$(dirname "${archive_path}")"
 copy_file() {
    local src="$1"
    local dst="$2"
    mkdir -p "$(dirname "${dst}")"
    cp "${src}" "${dst}"
 }
 # Keep the distributable compose file, README, and config as the maintained templates.
 if [ "${bundle_dir}" != "${template_dir}" ]; then
    copy_file "${template_dir}/docker-compose.yaml" "${bundle_dir}/docker-compose.yaml"
    copy_file "${template_dir}/README.md" "${bundle_dir}/README.md"
    copy_file "${template_dir}/config.docker.yaml" "${bundle_dir}/config.docker.yaml"
 fi
 copy_file "${repo_root}/docker/run-migrations.sh" "${bundle_dir}/docker/run-migrations.sh"
 copy_file "${repo_root}/docker/init-user.sh" "${bundle_dir}/docker/init-user.sh"
 copy_file "${repo_root}/docker/init-packs.sh" "${bundle_dir}/docker/init-packs.sh"
 copy_file "${repo_root}/docker/init-roles.sql" "${bundle_dir}/docker/init-roles.sql"
 copy_file "${repo_root}/docker/nginx.conf" "${bundle_dir}/docker/nginx.conf"
 copy_file "${repo_root}/docker/inject-env.sh" "${bundle_dir}/docker/inject-env.sh"
 copy_file "${repo_root}/scripts/load_core_pack.py" "${bundle_dir}/scripts/load_core_pack.py"
 rm -rf "${bundle_dir}/migrations" "${bundle_dir}/packs/core"
 mkdir -p "${bundle_dir}/migrations" "${bundle_dir}/packs"
 cp -R "${repo_root}/migrations/." "${bundle_dir}/migrations/"
 cp -R "${repo_root}/packs/core" "${bundle_dir}/packs/core"
 tar -C "$(dirname "${bundle_dir}")" -czf "${archive_path}" "$(basename "${bundle_dir}")"
 echo "Docker dist bundle refreshed at ${bundle_dir}"
 echo "Docker dist archive created at ${archive_path}"
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -3655,9 +3655,9 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "2.3.1",
+      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -4337,9 +4337,9 @@
      }
    },
    "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
+      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "peer": true,
@@ -4609,9 +4609,9 @@
      }
    },
    "node_modules/vite/node_modules/picomatch": {
-      "version": "4.0.3",
+      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "peer": true,