From 2dc2c2fe84fad14fd79dd93473854e5d88e5ee89 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 09:47:42 -0700
Subject: [PATCH 01/15] Data vault ARN

---
 apps/backend/.env                                     |  1 +
 packages/stack-shared/package.json                    |  1 +
 .../stack-shared/src/helpers/vault/server-side.ts     | 11 ++++++++---
 packages/stack-shared/src/schema-fields.ts            |  4 ++--
 pnpm-lock.yaml                                        |  3 +++
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/apps/backend/.env b/apps/backend/.env
index 6be4449b2..5dc658214 100644
--- a/apps/backend/.env
+++ b/apps/backend/.env
@@ -63,6 +63,7 @@ STACK_AWS_REGION=
 STACK_AWS_KMS_ENDPOINT=
 STACK_AWS_ACCESS_KEY_ID=
 STACK_AWS_SECRET_ACCESS_KEY=
+STACK_AWS_VERCEL_OIDC_ROLE_ARN=
 
 
 
diff --git a/packages/stack-shared/package.json b/packages/stack-shared/package.json
index 15744a257..e265ae44e 100644
--- a/packages/stack-shared/package.json
+++ b/packages/stack-shared/package.json
@@ -56,6 +56,7 @@
     "@aws-sdk/client-kms": "^3.876.0",
     "@opentelemetry/api": "^1.9.0",
     "@simplewebauthn/browser": "^11.0.0",
+    "@vercel/functions": "^2.0.0",
     "async-mutex": "^0.5.0",
     "bcryptjs": "^3.0.2",
     "crc": "^4.3.2",
diff --git a/packages/stack-shared/src/helpers/vault/server-side.ts b/packages/stack-shared/src/helpers/vault/server-side.ts
index 9185eecef..a1f0b3221 100644
--- a/packages/stack-shared/src/helpers/vault/server-side.ts
+++ b/packages/stack-shared/src/helpers/vault/server-side.ts
@@ -6,19 +6,24 @@ import {
   GenerateDataKeyCommand,
   KMSClient
 } from "@aws-sdk/client-kms";
+import { awsCredentialsProvider } from '@vercel/functions/oidc';
 import { decodeBase64, encodeBase64 } from "../../utils/bytes";
 import { decrypt, encrypt } from "../../utils/crypto";
 import { getEnvVariable } from "../../utils/env";
 import { Result } from "../../utils/results";
 
+
 function getKmsClient() {
+  const roleArn = getEnvVariable("STACK_AWS_VERCEL_OIDC_ROLE_ARN", "");
   return new KMSClient({
     region: getEnvVariable("STACK_AWS_REGION"),
     endpoint: getEnvVariable("STACK_AWS_KMS_ENDPOINT"),
-    credentials: {
+    credentials: roleArn ? awsCredentialsProvider({
+      roleArn,
+    }) : {
       accessKeyId: getEnvVariable("STACK_AWS_ACCESS_KEY_ID"),
-      secretAccessKey: getEnvVariable("STACK_AWS_SECRET_ACCESS_KEY")
-    }
+      secretAccessKey: getEnvVariable("STACK_AWS_SECRET_ACCESS_KEY"),
+    },
   });
 }
 
diff --git a/packages/stack-shared/src/schema-fields.ts b/packages/stack-shared/src/schema-fields.ts
index dae1d7e95..63bb5b08e 100644
--- a/packages/stack-shared/src/schema-fields.ts
+++ b/packages/stack-shared/src/schema-fields.ts
@@ -1,7 +1,7 @@
 import * as yup from "yup";
 import { KnownErrors } from ".";
 import { isBase64 } from "./utils/bytes";
-import { type Currency, type MoneyAmount, SUPPORTED_CURRENCIES } from "./utils/currency-constants";
+import { SUPPORTED_CURRENCIES, type Currency, type MoneyAmount } from "./utils/currency-constants";
 import { DayInterval, Interval } from "./utils/dates";
 import { StackAssertionError, throwErr } from "./utils/errors";
 import { decodeBasicAuthorizationHeader } from "./utils/http";
@@ -423,7 +423,7 @@ export const dayIntervalOrNeverSchema = yupUnion(dayIntervalSchema.defined(), yu
  * This schema is useful for fields where the user can specify the ID, such as price IDs. It is particularly common
  * for IDs in the config schema.
  */
-export const userSpecifiedIdSchema = (idName: `${string}Id`) => yupString().matches(/^[a-zA-Z_][a-zA-Z0-9_-]*$/, `${idName} must start with a letter or underscore and contain only letters, numbers, underscores, and hyphens`);
+export const userSpecifiedIdSchema = (idName: `${string}Id`) => yupString().max(63).matches(/^[a-zA-Z_][a-zA-Z0-9_-]*$/, `${idName} must start with a letter or underscore and contain only letters, numbers, underscores, and hyphens`);
 export const moneyAmountSchema = (currency: Currency) => yupString<MoneyAmount>().test('money-amount', 'Invalid money amount', (value, context) => {
   if (value == null) return true;
   const regex = /^([0-9]+)(\.([0-9]+))?$/;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 98e0efa5d..2ac74354d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1461,6 +1461,9 @@ importers:
       '@types/react-dom':
         specifier: ^18.2.0
         version: 18.3.1
+      '@vercel/functions':
+        specifier: ^2.0.0
+        version: 2.0.0(@aws-sdk/credential-provider-web-identity@3.876.0)
       async-mutex:
         specifier: ^0.5.0
         version: 0.5.0

From 68a44c05fab61ba5e5267356715c690afcb7bab5 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 10:10:17 -0700
Subject: [PATCH 02/15] Higher workflow test timeouts

---
 apps/e2e/tests/backend/workflows.test.ts | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 186abe5bc..e243e114e 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -87,6 +87,8 @@ test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
       },
     ]
   `);
+}, {
+  timeout: 40_000,
 });
 
 test("onSignUp workflow sends email for server-created user", async ({ expect }) => {
@@ -128,6 +130,8 @@ test("onSignUp workflow sends email for server-created user", async ({ expect })
       },
     ]
   `);
+}, {
+  timeout: 40_000,
 });
 
 test("disabled workflows do not trigger", async ({ expect }) => {
@@ -207,6 +211,8 @@ test("compile/runtime errors in one workflow don't block others", async ({ expec
       },
     ]
   `);
+}, {
+  timeout: 40_000,
 });
 
 test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ expect }) => {
@@ -229,7 +235,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId: anonUserId } = await Auth.Anonymous.signUp();
 
   // ensure marker not present yet
-  await wait(12_000);
+  await wait(16_000);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
   expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
 
@@ -237,12 +243,12 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId } = await Auth.Password.signUpWithEmail({ password: "password" });
   expect(userId).toEqual(anonUserId);
 
-  await wait(12_000);
+  await wait(16_000);
   const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me2.body.is_anonymous).toBe(false);
   expect(me2.body.server_metadata?.[markerKey]).toBe(me2.body.primary_email);
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });
 
 test("workflow source changes take effect for subsequent sign-ups", async ({ expect }) => {
@@ -263,7 +269,7 @@ test("workflow source changes take effect for subsequent sign-ups", async ({ exp
   });
   await bumpEmailAddress({ unindexed: true });
   await Auth.Password.signUpWithEmail({ password: "password" });
-  await wait(12_000);
+  await wait(16_000);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me1.body.server_metadata?.[markerKey]).toBe("v1");
 
@@ -281,9 +287,9 @@ test("workflow source changes take effect for subsequent sign-ups", async ({ exp
   });
   await bumpEmailAddress({ unindexed: true });
   await Auth.Password.signUpWithEmail({ password: "password" });
-  await wait(12_000);
+  await wait(16_000);
   const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me2.body.server_metadata?.[markerKey]).toBe("v2");
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });

From 0482a078808ce8023a188df1c762e5ac55381f8a Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 10:33:10 -0700
Subject: [PATCH 03/15] Better workflow tests

---
 apps/backend/src/prisma-client.tsx       | 18 ++++++++++++------
 apps/e2e/tests/backend/workflows.test.ts | 15 ++++++++++++---
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/apps/backend/src/prisma-client.tsx b/apps/backend/src/prisma-client.tsx
index 7b138ae38..bfe1f6fba 100644
--- a/apps/backend/src/prisma-client.tsx
+++ b/apps/backend/src/prisma-client.tsx
@@ -125,6 +125,16 @@ export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaC
   // serializable transactions are currently off by default, later we may turn them on
   const enableSerializable = options.level === "serializable";
 
+  const isRetryablePrismaError = (e: unknown) => {
+    if (e instanceof Prisma.PrismaClientKnownRequestError) {
+      return [
+        "P2028", // Serializable/repeatable read conflict
+        "P2034", // Transaction already closed (eg. timeout)
+      ];
+    }
+    return false;
+  };
+
   return await traceSpan('Prisma transaction', async (span) => {
     const res = await Result.retry(async (attemptIndex) => {
       return await traceSpan(`transaction attempt #${attemptIndex}`, async (attemptSpan) => {
@@ -140,7 +150,7 @@ export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaC
                 // to other (nested) transactions failing
                 // however, we make an exception for "Transaction already closed", as those are (annoyingly) thrown on
                 // the actual query, not the $transaction function itself
-                if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2028") { // Transaction already closed
+                if (isRetryablePrismaError(e)) {
                   throw new TransactionErrorThatShouldBeRetried(e);
                 }
                 throw new TransactionErrorThatShouldNotBeRetried(e);
@@ -165,11 +175,7 @@ export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaC
             if (e instanceof TransactionErrorThatShouldNotBeRetried) {
               throw e.cause;
             }
-            if ([
-              "Transaction failed due to a write conflict or a deadlock. Please retry your transaction",
-              "Transaction already closed: A commit cannot be executed on an expired transaction. The timeout for this transaction",
-            ].some(s => e instanceof Prisma.PrismaClientKnownRequestError && e.message.includes(s))) {
-              // transaction timeout, retry
+            if (isRetryablePrismaError(e)) {
               return Result.error(e);
             }
             throw e;
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index e243e114e..2bcd2dc25 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -37,6 +37,15 @@ async function waitForMailboxSubject(mailbox: Mailbox, subject: string) {
   throw new Error(`Message with subject ${subject} not found after 10 tries`);
 }
 
+async function waitForServerMetadataNotNull(userId: string, key: string) {
+  for (let i = 0; i < 10; i++) {
+    const user = await niceBackendFetch(`/api/v1/users/${userId}`, { accessType: "server" });
+    if (user.body.server_metadata?.[key]) return;
+    await wait(1_000);
+  }
+  throw new Error(`Server metadata for user ${userId} with key ${key} not found after 10 tries`);
+}
+
 test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
   await Project.createAndSwitch();
   const mailbox = await bumpEmailAddress({ unindexed: true });
@@ -243,7 +252,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId } = await Auth.Password.signUpWithEmail({ password: "password" });
   expect(userId).toEqual(anonUserId);
 
-  await wait(16_000);
+  await waitForServerMetadataNotNull(anonUserId, markerKey);
   const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me2.body.is_anonymous).toBe(false);
   expect(me2.body.server_metadata?.[markerKey]).toBe(me2.body.primary_email);
@@ -269,7 +278,7 @@ test("workflow source changes take effect for subsequent sign-ups", async ({ exp
   });
   await bumpEmailAddress({ unindexed: true });
   await Auth.Password.signUpWithEmail({ password: "password" });
-  await wait(16_000);
+  await waitForServerMetadataNotNull("me", markerKey);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me1.body.server_metadata?.[markerKey]).toBe("v1");
 
@@ -287,7 +296,7 @@ test("workflow source changes take effect for subsequent sign-ups", async ({ exp
   });
   await bumpEmailAddress({ unindexed: true });
   await Auth.Password.signUpWithEmail({ password: "password" });
-  await wait(16_000);
+  await waitForServerMetadataNotNull("me", markerKey);
   const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me2.body.server_metadata?.[markerKey]).toBe("v2");
 }, {

From faf79e5a9e5fa8ad608e7d5634339743a55d06f0 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 10:44:52 -0700
Subject: [PATCH 04/15] Speed up Vitest

---
 vitest.shared.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vitest.shared.ts b/vitest.shared.ts
index aa89c7ba6..866efcaa6 100644
--- a/vitest.shared.ts
+++ b/vitest.shared.ts
@@ -4,6 +4,8 @@ import { defineConfig } from 'vitest/config';
 export default defineConfig({
   plugins: [tsconfigPaths() as any],
   test: {
+    pool: 'threads',
+    maxWorkers: 8,
     include: ['**/*.test.{js,ts,jsx,tsx}'],
     includeSource: ['**/*.{js,ts,jsx,tsx}'],
   },

From 7387f029c0ef423b82a689a37f9e1c8f363f9df3 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 13:31:40 -0700
Subject: [PATCH 05/15] Workflow queue

---
 .vscode/settings.json                         |   1 +
 apps/backend/.env                             |   5 +
 apps/backend/.env.development                 |   6 +
 apps/backend/package.json                     |   1 +
 apps/backend/prisma/schema.prisma             |   1 +
 .../internal/trigger/run-scheduled/route.tsx  |  41 +++++
 apps/backend/src/lib/upstash.tsx              |  35 ++++
 apps/backend/src/lib/workflows.tsx            | 169 +++++++++++-------
 .../new-project/page-client.tsx               |   5 +-
 .../workflows/[workflowId]/page.tsx           |  19 ++
 .../projects/[projectId]/workflows/page.tsx   |   8 +-
 apps/dev-launchpad/public/index.html          |   3 +
 apps/e2e/tests/backend/workflows.test.ts      |  12 +-
 docker/dependencies/docker.compose.yaml       |  14 +-
 pnpm-lock.yaml                                |  23 +++
 15 files changed, 267 insertions(+), 76 deletions(-)
 create mode 100644 apps/backend/src/app/api/latest/internal/trigger/run-scheduled/route.tsx
 create mode 100644 apps/backend/src/lib/upstash.tsx

diff --git a/.vscode/settings.json b/.vscode/settings.json
index eda6e4f46..9d0b243f8 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -76,6 +76,7 @@
     "Proxied",
     "psql",
     "qrcode",
+    "QSTASH",
     "quetzallabs",
     "rehype",
     "reqs",
diff --git a/apps/backend/.env b/apps/backend/.env
index 5dc658214..c824e0988 100644
--- a/apps/backend/.env
+++ b/apps/backend/.env
@@ -65,6 +65,11 @@ STACK_AWS_ACCESS_KEY_ID=
 STACK_AWS_SECRET_ACCESS_KEY=
 STACK_AWS_VERCEL_OIDC_ROLE_ARN=
 
+# Upstash configuration
+STACK_QSTASH_URL=
+STACK_QSTASH_TOKEN=
+STACK_QSTASH_CURRENT_SIGNING_KEY=
+STACK_QSTASH_NEXT_SIGNING_KEY=
 
 
 # Misc, optional
diff --git a/apps/backend/.env.development b/apps/backend/.env.development
index bebe26f78..42fd65b02 100644
--- a/apps/backend/.env.development
+++ b/apps/backend/.env.development
@@ -62,3 +62,9 @@ STACK_AWS_REGION=us-east-1
 STACK_AWS_KMS_ENDPOINT=http://localhost:8124
 STACK_AWS_ACCESS_KEY_ID=test
 STACK_AWS_SECRET_ACCESS_KEY=test
+
+# Upstash defaults to one of the pre-build test users of the local emulator
+STACK_QSTASH_URL=http://localhost:8125
+STACK_QSTASH_TOKEN=eyJVc2VySUQiOiJkZWZhdWx0VXNlciIsIlBhc3N3b3JkIjoiZGVmYXVsdFBhc3N3b3JkIn0=
+STACK_QSTASH_CURRENT_SIGNING_KEY=sig_7kYjw48mhY7kAjqNGcy6cr29RJ6r
+STACK_QSTASH_NEXT_SIGNING_KEY=sig_5ZB6DVzB1wjE8S6rZ7eenA8Pdnhs
diff --git a/apps/backend/package.json b/apps/backend/package.json
index 882c49dd3..4da345b09 100644
--- a/apps/backend/package.json
+++ b/apps/backend/package.json
@@ -64,6 +64,7 @@
     "@sentry/nextjs": "^8.40.0",
     "@simplewebauthn/server": "^11.0.0",
     "@stackframe/stack-shared": "workspace:*",
+    "@upstash/qstash": "^2.8.2",
     "@vercel/functions": "^2.0.0",
     "@vercel/otel": "^1.10.4",
     "ai": "^4.3.17",
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
index 374da8a1c..67b5bdc86 100644
--- a/apps/backend/prisma/schema.prisma
+++ b/apps/backend/prisma/schema.prisma
@@ -810,6 +810,7 @@ model WorkflowTrigger {
 
   // the following fields determine the state of the trigger:
   // - scheduledAt && !compiledWorkflowId && !output && !error: the trigger is scheduled to be executed
+  // - !scheduledAt && !compiledWorkflowId: the trigger was scheduled, but its workflow subsequently deleted. The trigger never ran
   // - !scheduledAt && compiledWorkflowId && !output && !error: the trigger is currently executing
   // - !scheduledAt && compiledWorkflowId && output && !error: the trigger has successfully completed execution
   // - !scheduledAt && compiledWorkflowId && !output && error: the trigger has failed execution
diff --git a/apps/backend/src/app/api/latest/internal/trigger/run-scheduled/route.tsx b/apps/backend/src/app/api/latest/internal/trigger/run-scheduled/route.tsx
new file mode 100644
index 000000000..281f0a429
--- /dev/null
+++ b/apps/backend/src/app/api/latest/internal/trigger/run-scheduled/route.tsx
@@ -0,0 +1,41 @@
+import { getTenancy } from "@/lib/tenancies";
+import { ensureUpstashSignature } from "@/lib/upstash";
+import { triggerScheduledWorkflows } from "@/lib/workflows";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+  },
+  request: yupObject({
+    headers: yupObject({
+      "upstash-signature": yupTuple([yupString().defined()]).defined(),
+    }).defined(),
+    body: yupObject({
+      tenancyId: yupString().defined(),
+    }).defined(),
+    method: yupString().oneOf(["POST"]).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["success"]).defined(),
+  }),
+  handler: async (req, fullReq) => {
+    await ensureUpstashSignature(fullReq);
+
+    const tenancy = await getTenancy(req.body.tenancyId);
+    if (!tenancy) {
+      throw new StackAssertionError(`Tenancy not found for scheduled trigger`, { tenancyId: req.body.tenancyId });
+    }
+
+    await triggerScheduledWorkflows(tenancy);
+
+    return {
+      statusCode: 200,
+      bodyType: "success",
+    } as const;
+  },
+});
+
diff --git a/apps/backend/src/lib/upstash.tsx b/apps/backend/src/lib/upstash.tsx
new file mode 100644
index 000000000..9744ce7fc
--- /dev/null
+++ b/apps/backend/src/lib/upstash.tsx
@@ -0,0 +1,35 @@
+import { SmartRequest } from "@/route-handlers/smart-request";
+import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+import { Client, Receiver } from "@upstash/qstash";
+
+export const upstash = new Client({
+  baseUrl: getEnvVariable("STACK_QSTASH_URL", ""),
+  token: getEnvVariable("STACK_QSTASH_TOKEN", ""),
+});
+
+export const upstashReceiver = new Receiver({
+  currentSigningKey: getEnvVariable("STACK_QSTASH_CURRENT_SIGNING_KEY", ""),
+  nextSigningKey: getEnvVariable("STACK_QSTASH_NEXT_SIGNING_KEY", ""),
+});
+
+export async function ensureUpstashSignature(fullReq: SmartRequest): Promise<void> {
+  const upstashSignature = fullReq.headers["upstash-signature"]?.[0];
+  if (!upstashSignature) {
+    throw new StatusError(400, "upstash-signature header is required");
+  }
+
+  const url = new URL(fullReq.url);
+  if ((getNodeEnvironment().includes("development") || getNodeEnvironment().includes("test")) && url.hostname === "localhost") {
+    url.hostname = "host.docker.internal";
+  }
+
+  const isValid = await upstashReceiver.verify({
+    signature: upstashSignature,
+    url: url.toString(),
+    body: new TextDecoder().decode(fullReq.bodyBuffer),
+  });
+  if (!isValid) {
+    throw new StatusError(400, "Invalid Upstash signature");
+  }
+}
diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index de084ef89..655947fad 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -13,6 +13,7 @@ import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
 import { Freestyle } from "./freestyle";
 import { Tenancy } from "./tenancies";
+import { upstash } from "./upstash";
 
 const externalPackages = {
   '@stackframe/stack': 'latest',
@@ -431,74 +432,119 @@ async function createScheduledTrigger(tenancy: Tenancy, workflowId: string, trig
       },
     },
   });
+
+  await upstash.publishJSON({
+    url: new URL(`/api/v1/internal/trigger/run-scheduled`, getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal")).toString(),
+    body: {
+      tenancyId: tenancy.id,
+    },
+    notBefore: Math.floor(scheduledAt.getTime() / 1000),
+  });
+
   return dbTrigger;
 }
 
-async function triggerWorkflow(tenancy: Tenancy, compiledWorkflow: CompiledWorkflow, triggerId: string): Promise<Result<void, string>> {
-  if (compiledWorkflow.compiledCode === null) {
-    return Result.error(`Workflow ${compiledWorkflow.id} failed to compile: ${compiledWorkflow.compileError}`);
-  }
-
+export async function triggerScheduledWorkflows(tenancy: Tenancy) {
   const prisma = await getPrismaClientForTenancy(tenancy);
-  const trigger = await prisma.workflowTrigger.update({
-    where: {
-      tenancyId_id: {
-        tenancyId: tenancy.id,
-        id: triggerId,
-      },
-    },
-    data: {
-      compiledWorkflowId: compiledWorkflow.id,
-      scheduledAt: null,
-      output: Prisma.DbNull,
-      error: Prisma.DbNull,
-    },
-  });
+  const compiledWorkflows = await compileAndGetEnabledWorkflows(tenancy);
 
-  const res = await triggerWorkflowRaw(tenancy, compiledWorkflow.compiledCode, trigger.triggerData as WorkflowTrigger);
-  if (res.status === "error") {
-    console.log(`Compiled workflow failed to process trigger: ${res.error}`, { trigger, compiledWorkflowId: compiledWorkflow.id, res });
-  } else {
-    if (res.data && typeof res.data === "object" && "scheduledCallback" in res.data && res.data.scheduledCallback && typeof res.data.scheduledCallback === "object") {
-      const scheduledCallback: any = res.data.scheduledCallback;
-      const callbackId = `${scheduledCallback.callbackId}`;
-      const scheduleAt = new Date(scheduledCallback.scheduleAtMillis);
-      const callbackData = scheduledCallback.data;
-      await createScheduledTrigger(
-        tenancy,
-        compiledWorkflow.id,
-        {
-          type: "callback",
-          callbackId,
-          data: callbackData,
-          scheduledAtMillis: scheduleAt.getTime(),
-          callerTriggerId: triggerId,
-          executionId: trigger.executionId,
+  const toTrigger = await retryTransaction(prisma, async (tx) => {
+    const triggers = await tx.workflowTrigger.findMany({
+      where: {
+        tenancyId: tenancy.id,
+        scheduledAt: { lt: new Date(Date.now() + 5_000) },
+      },
+      include: {
+        execution: true,
+      },
+      orderBy: {
+        scheduledAt: "asc",
+      },
+      // let's take multiple triggers so we can catch up on the backlog, in case some triggers never went through (eg. if the queue was down)
+      // however, to prevent deadlocks as we are doing multiple writes in this transaction, we randomize it (so there's
+      // a chance that we only take one trigger, which would never deadlock)
+      take: Math.floor(1 + Math.random() * 3),
+    });
+    const toTrigger = [];
+    for (const trigger of triggers) {
+      const compiledWorkflow = compiledWorkflows.get(trigger.execution.workflowId);
+      const updatedTrigger = await tx.workflowTrigger.update({
+        where: {
+          tenancyId_id: {
+            tenancyId: tenancy.id,
+            id: trigger.id,
+          },
         },
-        scheduleAt
-      );
+        data: {
+          scheduledAt: null,
+          compiledWorkflowId: compiledWorkflow?.id ?? null,
+          output: Prisma.DbNull,
+          error: Prisma.DbNull,
+        },
+        include: {
+          execution: true,
+        },
+      });
+
+      if (compiledWorkflow) {
+        toTrigger.push(updatedTrigger);
+      } else {
+        // the workflow was deleted; we don't run the trigger, but we still mark it in the DB
+      }
     }
-  }
-  await prisma.workflowTrigger.update({
-    where: {
-      tenancyId_id: {
-        tenancyId: tenancy.id,
-        id: triggerId,
-      },
-    },
-    data: {
-      ...res.status === "ok" ? {
-        output: res.data as any,
-      } : {
-        error: res.error,
-      },
-    },
-  });
-  return Result.ok(undefined);
-}
+    return toTrigger;
+  }, { level: "serializable" });
 
-export async function triggerScheduledCallbacks(tenancy: Tenancy) {
+  await allPromisesAndWaitUntilEach(toTrigger.map(async (trigger) => {
+    const compiledWorkflow = compiledWorkflows.get(trigger.execution.workflowId) ?? throwErr(`Compiled workflow ${trigger.execution.workflowId} not found in trigger execution; this should not happen because we should've already checked for this in the transaction!`);
+    if (compiledWorkflow.compiledCode === null) {
+      return Result.error(`Workflow ${compiledWorkflow.id} failed to compile: ${compiledWorkflow.compileError}`);
+    }
 
+    const res = await triggerWorkflowRaw(tenancy, compiledWorkflow.compiledCode, trigger.triggerData as WorkflowTrigger);
+    if (res.status === "error") {
+      // This is probably fine and just a user error, but let's log it regardless
+      console.log(`Compiled workflow failed to process trigger: ${res.error}`, { trigger, compiledWorkflowId: compiledWorkflow.id, res });
+    } else {
+      if (res.data && typeof res.data === "object" && "scheduledCallback" in res.data && res.data.scheduledCallback && typeof res.data.scheduledCallback === "object") {
+        const scheduledCallback: any = res.data.scheduledCallback;
+        const callbackId = `${scheduledCallback.callbackId}`;
+        const scheduleAt = new Date(scheduledCallback.scheduleAtMillis);
+        const callbackData = scheduledCallback.data;
+        await createScheduledTrigger(
+          tenancy,
+          compiledWorkflow.id,
+          {
+            type: "callback",
+            callbackId,
+            data: callbackData,
+            scheduledAtMillis: scheduleAt.getTime(),
+            callerTriggerId: trigger.id,
+            executionId: trigger.executionId,
+          },
+          scheduleAt
+        );
+      }
+    }
+
+    const prisma = await getPrismaClientForTenancy(tenancy);
+    await prisma.workflowTrigger.update({
+      where: {
+        tenancyId_id: {
+          tenancyId: tenancy.id,
+          id: trigger.id,
+        },
+      },
+      data: {
+        ...res.status === "ok" ? {
+          output: res.data as any,
+        } : {
+          error: res.error,
+        },
+      },
+    });
+    return Result.ok(undefined);
+  }));
 }
 
 export async function triggerWorkflows(tenancy: Tenancy, trigger: WorkflowTrigger & { type: WorkflowRegisteredTriggerType }) {
@@ -507,9 +553,8 @@ export async function triggerWorkflows(tenancy: Tenancy, trigger: WorkflowTrigge
     const promises = [...compiledWorkflows]
       .filter(([_, compiledWorkflow]) => compiledWorkflow.registeredTriggers.includes(trigger.type))
       .map(async ([workflowId, compiledWorkflow]) => {
-        const dbTrigger = await createScheduledTrigger(tenancy, workflowId, trigger, new Date());
-        await triggerWorkflow(tenancy, compiledWorkflow, dbTrigger.id);
+        await createScheduledTrigger(tenancy, workflowId, trigger, new Date());
       });
-    await Promise.all(promises);
+    await allPromisesAndWaitUntilEach(promises);
   });
 }
diff --git a/apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client.tsx b/apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client.tsx
index ca8309c6a..175c4d0ba 100644
--- a/apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client.tsx
@@ -5,7 +5,7 @@ import { yupResolver } from "@hookform/resolvers/yup";
 import { AuthPage, TeamSwitcher, useUser } from "@stackframe/stack";
 import { allProviders } from "@stackframe/stack-shared/dist/utils/oauth";
 import { runAsynchronouslyWithAlert, wait } from "@stackframe/stack-shared/dist/utils/promises";
-import { BrowserFrame, Button, Form, FormControl, FormField, FormItem, FormMessage, Label, Separator, Typography } from "@stackframe/stack-ui";
+import { BrowserFrame, Button, Form, FormControl, FormField, FormItem, FormMessage, Separator, Typography } from "@stackframe/stack-ui";
 import { useSearchParams } from "next/navigation";
 import { useState } from "react";
 import { useForm } from "react-hook-form";
@@ -47,7 +47,7 @@ export default function PageClient() {
       credentialEnabled: form.watch("signInMethods").includes("credential"),
       magicLinkEnabled: form.watch("signInMethods").includes("magicLink"),
       passkeyEnabled: form.watch("signInMethods").includes("passkey"),
-      oauthProviders: form.watch('signInMethods').filter((method) => ["google", "github", "microsoft", "spotify"].includes(method)).map(provider => ({ id: provider, type: 'shared' })),
+      oauthProviders: form.watch('signInMethods').filter((method) => ["google", "github", "microsoft"].includes(method)).map(provider => ({ id: provider, type: 'shared' })),
     }
   };
 
@@ -133,7 +133,6 @@ export default function PageClient() {
                   { value: "google", label: "Google" },
                   { value: "github", label: "GitHub" },
                   { value: "microsoft", label: "Microsoft" },
-                  { value: "spotify", label: "Spotify" },
                 ]}
                 info="More sign-in methods are available on the dashboard later."
               />
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx
index 885058b24..9ae82b2e8 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx
@@ -22,6 +22,7 @@ export default function WorkflowDetailPage() {
   const workflow = workflowId in availableWorkflows ? availableWorkflows[workflowId] : undefined;
   const [workflowContent, setWorkflowContent] = useState("");
   const [isLoading, setIsLoading] = useState(false);
+  const [isToggling, setIsToggling] = useState(false);
 
   useEffect(() => {
     if (workflow && workflow.tsSource) {
@@ -47,6 +48,21 @@ export default function WorkflowDetailPage() {
     router.push(`/projects/${projectId}/workflows`);
   };
 
+  const handleToggleEnabled = async () => {
+    if (!workflow) return;
+    setIsToggling(true);
+    try {
+      await project.updateConfig({
+        [`workflows.availableWorkflows.${workflowId}.enabled`]: !workflow.enabled,
+      });
+      toast({ title: workflow.enabled ? "Workflow disabled" : "Workflow enabled" });
+    } catch (error) {
+      toast({ title: "Failed to toggle workflow", variant: "destructive" });
+    } finally {
+      setIsToggling(false);
+    }
+  };
+
   if (workflow === undefined) {
     return (
       <PageLayout title="Workflow Not Found">
@@ -70,6 +86,9 @@ export default function WorkflowDetailPage() {
             <ArrowLeft className="h-4 w-4 mr-2" />
             Back
           </Button>
+          <Button onClick={handleToggleEnabled} size="sm" variant={workflow.enabled ? "outline" : "default"} disabled={isToggling}>
+            {workflow.enabled ? "Disable" : "Enable"}
+          </Button>
           <Button onClick={handleSave} size="sm" disabled={isLoading}>
             <Save className="h-4 w-4 mr-2" />
             {isLoading ? "Saving..." : "Save"}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx
index 754576ebd..7ff62172b 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx
@@ -69,7 +69,7 @@ function CreateWorkflowDialog({
 }: {
   open: boolean,
   onOpenChange: (open: boolean) => void,
-  onSave: (id: string, displayName: string, tsSource: string) => Promise<void>,
+  onSave: (id: string, displayName: string, tsSource: string, enabled: boolean) => Promise<void>,
 }) {
   const [displayName, setDisplayName] = useState("");
   const [isSubmitting, setIsSubmitting] = useState(false);
@@ -95,7 +95,7 @@ function CreateWorkflowDialog({
         registerCallback("in-7-days", async (data) => {
           await stackApp.sendEmail({ userIds: [data.userId], subject: "Welcome to the app!", html: "<p>Example email</p>" });
         });
-      `);
+      `, false);
       onOpenChange(false);
       setDisplayName("");
     } finally {
@@ -151,12 +151,12 @@ export default function WorkflowsPage() {
     setShowCreateDialog(true);
   };
 
-  const handleSaveWorkflow = async (id: string, displayName: string, tsSource: string) => {
+  const handleSaveWorkflow = async (id: string, displayName: string, tsSource: string, enabled: boolean) => {
     await project.updateConfig({
       [`workflows.availableWorkflows.${id}`]: {
         displayName,
         tsSource,
-        enabled: true
+        enabled,
       }
     });
     toast({ title: "Workflow created successfully" });
diff --git a/apps/dev-launchpad/public/index.html b/apps/dev-launchpad/public/index.html
index e7fe3ef53..d959fb85f 100644
--- a/apps/dev-launchpad/public/index.html
+++ b/apps/dev-launchpad/public/index.html
@@ -119,6 +119,9 @@
       <li>
         8124: LocalStack Gateway (AWS mock)
       </li>
+      <li>
+        8125: QStash mock
+      </li>
       <li>
         8150-8199: Reserved for LocalStack (external services)
       </li>
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 2bcd2dc25..3b62bd304 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -28,22 +28,22 @@ async function configureEmailAndWorkflow(workflowId: string, tsSource: string, e
 }
 
 async function waitForMailboxSubject(mailbox: Mailbox, subject: string) {
-  for (let i = 0; i < 10; i++) {
+  for (let i = 0; i < 15; i++) {
     const messages = await mailbox.fetchMessages();
     const message = messages.find((m) => m.subject === subject);
     if (message) return;
     await wait(1_000);
   }
-  throw new Error(`Message with subject ${subject} not found after 10 tries`);
+  throw new Error(`Message with subject ${subject} not found after 15 tries`);
 }
 
 async function waitForServerMetadataNotNull(userId: string, key: string) {
-  for (let i = 0; i < 10; i++) {
+  for (let i = 0; i < 15; i++) {
     const user = await niceBackendFetch(`/api/v1/users/${userId}`, { accessType: "server" });
     if (user.body.server_metadata?.[key]) return;
     await wait(1_000);
   }
-  throw new Error(`Server metadata for user ${userId} with key ${key} not found after 10 tries`);
+  throw new Error(`Server metadata for user ${userId} with key ${key} not found after 15 tries`);
 }
 
 test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
@@ -156,7 +156,7 @@ test("disabled workflows do not trigger", async ({ expect }) => {
 
   await Auth.Password.signUpWithEmail({ password: "password" });
 
-  await wait(12_000);
+  await wait(18_000);
 
   expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
     [
@@ -244,7 +244,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId: anonUserId } = await Auth.Anonymous.signUp();
 
   // ensure marker not present yet
-  await wait(16_000);
+  await wait(18_000);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
   expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
 
diff --git a/docker/dependencies/docker.compose.yaml b/docker/dependencies/docker.compose.yaml
index a66276bae..f7e5c225a 100644
--- a/docker/dependencies/docker.compose.yaml
+++ b/docker/dependencies/docker.compose.yaml
@@ -177,7 +177,7 @@ services:
     ports:
       - "8122:8080"       # POST http://localhost:8119/execute/v1/script
     extra_hosts:
-      - "host.docker.internal:host-gateway"  # noop on Docker Desktop/Orbstack enables host.docker.internal on Linux
+      - "host.docker.internal:host-gateway"  # noop on Docker Desktop/Orbstack, enables host.docker.internal on Linux
     environment:
       DENO_DIR: /deno-cache
       HOST_ON_HOST: host.docker.internal
@@ -193,6 +193,18 @@ services:
     environment:
       - STRIPE_API_KEY=sk_test_1234567890
 
+  # ================= QStash =================
+
+  qstash:
+    image: public.ecr.aws/upstash/qstash:latest
+    ports:
+      - 8125:8080
+    command: qstash dev
+    extra_hosts:
+      - "host.docker.internal:host-gateway"  # noop on Docker Desktop/Orbstack, enables host.docker.internal on Linux
+    environment:
+      HOST_ON_HOST: host.docker.internal
+
 
 # ================= volumes =================
 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 2ac74354d..d9b8f2912 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -177,6 +177,9 @@ importers:
       '@stackframe/stack-shared':
         specifier: workspace:*
         version: link:../../packages/stack-shared
+      '@upstash/qstash':
+        specifier: ^2.8.2
+        version: 2.8.2
       '@vercel/functions':
         specifier: ^2.0.0
         version: 2.0.0(@aws-sdk/credential-provider-web-identity@3.876.0)
@@ -7860,6 +7863,9 @@ packages:
   '@ungap/structured-clone@1.3.0':
     resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
 
+  '@upstash/qstash@2.8.2':
+    resolution: {integrity: sha512-gQMCs2YXmRJWGh28t3fsWuPTzGgVFVRBd4o5QeWM9l3HW8TMNwt1qzv5wtzzSlG7hv1ylEy/PQCznkxGcAwTfw==}
+
   '@urql/core@5.2.0':
     resolution: {integrity: sha512-/n0ieD0mvvDnVAXEQgX/7qJiVcvYvNkOHeBvkwtylfjydar123caCXcl58PXFY11oU1oquJocVXHxLAbtv4x1A==}
 
@@ -9112,6 +9118,9 @@ packages:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
 
+  crypto-js@4.2.0:
+    resolution: {integrity: sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q==}
+
   crypto-random-string@2.0.0:
     resolution: {integrity: sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==}
     engines: {node: '>=8'}
@@ -12362,6 +12371,10 @@ packages:
   nested-error-stacks@2.0.1:
     resolution: {integrity: sha512-SrQrok4CATudVzBS7coSz26QRSmlK9TzzoFbeKfcPBUFPjcQM9Rqvr/DlJkOrwI/0KcgvMub1n1g5Jt9EgRn4A==}
 
+  neverthrow@7.2.0:
+    resolution: {integrity: sha512-iGBUfFB7yPczHHtA8dksKTJ9E8TESNTAx1UQWW6TzMF280vo9jdPYpLUXrMN1BCkPdHFdNG3fxOt2CUad8KhAw==}
+    engines: {node: '>=18'}
+
   next-intl@3.19.1:
     resolution: {integrity: sha512-KlJSomzbB5dNkWBIiSIRaoy5zqwLgHNV5Zw0ULhkHjNnPN7aLFFv2G+VOQKle630sNH2JiKc9nsmi6PM1GdkhA==}
     peerDependencies:
@@ -23542,6 +23555,12 @@ snapshots:
 
   '@ungap/structured-clone@1.3.0': {}
 
+  '@upstash/qstash@2.8.2':
+    dependencies:
+      crypto-js: 4.2.0
+      jose: 5.6.3
+      neverthrow: 7.2.0
+
   '@urql/core@5.2.0':
     dependencies:
       '@0no-co/graphql.web': 1.1.2
@@ -25036,6 +25055,8 @@ snapshots:
       shebang-command: 2.0.0
       which: 2.0.2
 
+  crypto-js@4.2.0: {}
+
   crypto-random-string@2.0.0: {}
 
   css-select@5.1.0:
@@ -29471,6 +29492,8 @@ snapshots:
 
   nested-error-stacks@2.0.1: {}
 
+  neverthrow@7.2.0: {}
+
   next-intl@3.19.1(next@14.2.5(@babel/core@7.26.0)(@opentelemetry/api@1.9.0)(react-dom@18.3.1(react@18.2.0))(react@18.2.0))(react@18.3.1):
     dependencies:
       '@formatjs/intl-localematcher': 0.5.4

From 41b7d7095b3434dec9c9c2cc7e55d998b724124f Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 14:07:27 -0700
Subject: [PATCH 06/15] Add workflow queue test

---
 apps/backend/src/lib/workflows.tsx       |  2 +-
 apps/e2e/tests/backend/workflows.test.ts | 73 +++++++++++++++++++++---
 2 files changed, 67 insertions(+), 8 deletions(-)

diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index 655947fad..1817c1cbf 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -83,7 +83,7 @@ export async function compileWorkflowSource(source: string): Promise<Result<stri
           if (!callbackFunc) {
             throw new Error(\`Callback \${callbackId} not found. Was it maybe deleted from the workflow?\`);
           }
-          return callbackFunc(JSON.parse(data.dataJson));
+          return callbackFunc(data);
         });
         let scheduledCallback = undefined;
         globalThis.scheduleCallback = ({ callbackId, data, scheduleAt }) => {
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 3b62bd304..3b1a0485a 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -27,23 +27,25 @@ async function configureEmailAndWorkflow(workflowId: string, tsSource: string, e
   });
 }
 
+const waitRetries = 15;
+
 async function waitForMailboxSubject(mailbox: Mailbox, subject: string) {
-  for (let i = 0; i < 15; i++) {
+  for (let i = 0; i < waitRetries; i++) {
     const messages = await mailbox.fetchMessages();
     const message = messages.find((m) => m.subject === subject);
     if (message) return;
     await wait(1_000);
   }
-  throw new Error(`Message with subject ${subject} not found after 15 tries`);
+  throw new Error(`Message with subject ${subject} not found after ${waitRetries} tries`);
 }
 
 async function waitForServerMetadataNotNull(userId: string, key: string) {
-  for (let i = 0; i < 15; i++) {
+  for (let i = 0; i < waitRetries; i++) {
     const user = await niceBackendFetch(`/api/v1/users/${userId}`, { accessType: "server" });
     if (user.body.server_metadata?.[key]) return;
     await wait(1_000);
   }
-  throw new Error(`Server metadata for user ${userId} with key ${key} not found after 15 tries`);
+  throw new Error(`Server metadata for user ${userId} with key ${key} not found after ${waitRetries} tries`);
 }
 
 test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
@@ -54,8 +56,10 @@ test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
   await configureEmailAndWorkflow("wf-email", `
     onSignUp(async (user) => {
       await stackApp.sendEmail({ userIds: [user.id], subject: ${JSON.stringify(subject)}, html: "<p>hi</p>" });
+
+      // schedule a callback as an example (we don't actually test whether it executed successfully)
       return scheduleCallback({
-        scheduleAt: new Date(Date.now() + 120_000),
+        scheduleAt: new Date(Date.now() + 7_000),
         data: { "example": "data" },
         callbackId: "my-callback",
       });
@@ -100,6 +104,61 @@ test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
   timeout: 40_000,
 });
 
+test("onSignUp workflow can schedule callbacks", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const mailbox = await bumpEmailAddress({ unindexed: true });
+  const subject = `WF client signup ${crypto.randomUUID()}`;
+
+  await configureEmailAndWorkflow("wf-email", `
+    onSignUp(async (user) => {
+      return scheduleCallback({
+        scheduleAt: new Date(Date.now() + 7_000),
+        data: { "userId": user.id },
+        callbackId: "my-callback",
+      });
+    });
+
+    registerCallback("my-callback", async (data) => {
+      await stackApp.sendEmail({ userIds: [data.userId], subject: ${JSON.stringify(subject)}, html: "<p>hi</p>" });
+    });
+  `);
+
+  await Auth.Password.signUpWithEmail({ password: "password" });
+
+  // since we wait for the callback, add some extra time
+  await wait(10_000);
+  await waitForMailboxSubject(mailbox, subject);
+
+  expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
+    [
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+          "text": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "Verify your email at New Project",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "<!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\" \\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"><html dir=\\"ltr\\" lang=\\"en\\"><head><meta content=\\"text/html; charset=UTF-8\\" http-equiv=\\"Content-Type\\"/><meta name=\\"x-apple-disable-message-reformatting\\"/></head><body style=\\"background-color:rgb(250,251,251);font-family:ui-sans-serif, system-ui, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Noto Color Emoji&quot;;font-size:1rem;line-height:1.5rem\\"><!--$--><table align=\\"center\\" width=\\"100%\\" border=\\"0\\" cellPadding=\\"0\\" cellSpacing=\\"0\\" role=\\"presentation\\" style=\\"background-color:rgb(255,255,255);padding:45px;border-radius:0.5rem;max-width:37.5em\\"><tbody><tr style=\\"width:100%\\"><td><div><p>hi</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>",
+          "text": "hi",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "WF client signup <stripped UUID>",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+    ]
+  `);
+}, {
+  timeout: 40_000,
+});
+
 test("onSignUp workflow sends email for server-created user", async ({ expect }) => {
   await Project.createAndSwitch();
   await InternalApiKey.createAndSetProjectKeys();
@@ -156,7 +215,7 @@ test("disabled workflows do not trigger", async ({ expect }) => {
 
   await Auth.Password.signUpWithEmail({ password: "password" });
 
-  await wait(18_000);
+  await wait(25_000);
 
   expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
     [
@@ -244,7 +303,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId: anonUserId } = await Auth.Anonymous.signUp();
 
   // ensure marker not present yet
-  await wait(18_000);
+  await wait(25_000);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
   expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
 

From 11f64f51645513615bd5dbda67dd602709c32e63 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 14:16:20 -0700
Subject: [PATCH 07/15] Better data-vault redirect

---
 .../(main)/(protected)/projects/[projectId]/data-vault/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx
index 6d4c3aaaa..7335b2318 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx
@@ -1,5 +1,5 @@
 import { redirect } from "next/navigation";
 
 export default function Page() {
-  redirect("stores");
+  redirect("./data-vault/stores");
 }

From 6c6f171e1c19f0677b6ec395379078f86f36971b Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 14:52:46 -0700
Subject: [PATCH 08/15] Fix tests

---
 apps/e2e/tests/backend/workflows.test.ts | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 3b1a0485a..cd2355142 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -27,7 +27,7 @@ async function configureEmailAndWorkflow(workflowId: string, tsSource: string, e
   });
 }
 
-const waitRetries = 15;
+const waitRetries = 25;
 
 async function waitForMailboxSubject(mailbox: Mailbox, subject: string) {
   for (let i = 0; i < waitRetries; i++) {
@@ -101,7 +101,7 @@ test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
     ]
   `);
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });
 
 test("onSignUp workflow can schedule callbacks", async ({ expect }) => {
@@ -156,7 +156,7 @@ test("onSignUp workflow can schedule callbacks", async ({ expect }) => {
     ]
   `);
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });
 
 test("onSignUp workflow sends email for server-created user", async ({ expect }) => {
@@ -199,7 +199,7 @@ test("onSignUp workflow sends email for server-created user", async ({ expect })
     ]
   `);
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });
 
 test("disabled workflows do not trigger", async ({ expect }) => {
@@ -215,7 +215,7 @@ test("disabled workflows do not trigger", async ({ expect }) => {
 
   await Auth.Password.signUpWithEmail({ password: "password" });
 
-  await wait(25_000);
+  await wait(waitRetries * 1_000 * 1.3);
 
   expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
     [
@@ -280,7 +280,7 @@ test("compile/runtime errors in one workflow don't block others", async ({ expec
     ]
   `);
 }, {
-  timeout: 40_000,
+  timeout: 60_000,
 });
 
 test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ expect }) => {
@@ -303,7 +303,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   const { userId: anonUserId } = await Auth.Anonymous.signUp();
 
   // ensure marker not present yet
-  await wait(25_000);
+  await wait(waitRetries * 1_000 * 1.3);
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
   expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
 
@@ -316,7 +316,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
   expect(me2.body.is_anonymous).toBe(false);
   expect(me2.body.server_metadata?.[markerKey]).toBe(me2.body.primary_email);
 }, {
-  timeout: 60_000,
+  timeout: 90_000,
 });
 
 test("workflow source changes take effect for subsequent sign-ups", async ({ expect }) => {
@@ -359,5 +359,5 @@ test("workflow source changes take effect for subsequent sign-ups", async ({ exp
   const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
   expect(me2.body.server_metadata?.[markerKey]).toBe("v2");
 }, {
-  timeout: 60_000,
+  timeout: 90_000,
 });

From 3991b1051be629e160c7ecba5d882e7f4bda3bce Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 15:02:27 -0700
Subject: [PATCH 09/15] Initialize ESBuild early when compiling workflows

---
 apps/backend/src/lib/workflows.tsx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index 1817c1cbf..02fa54f08 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -7,7 +7,7 @@ import { encodeBase64 } from "@stackframe/stack-shared/dist/utils/bytes";
 import { generateSecureRandomString, hash } from "@stackframe/stack-shared/dist/utils/crypto";
 import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, captureError, errorToNiceString, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
-import { bundleJavaScript } from "@stackframe/stack-shared/dist/utils/esbuild";
+import { bundleJavaScript, initializeEsbuild } from "@stackframe/stack-shared/dist/utils/esbuild";
 import { runAsynchronously, timeout, wait } from "@stackframe/stack-shared/dist/utils/promises";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
@@ -230,6 +230,9 @@ import.meta.vitest?.test("compileWorkflow", async ({ expect }) => {
 });
 
 async function compileAndGetEnabledWorkflows(tenancy: Tenancy): Promise<Map<string, CompiledWorkflow>> {
+  // initialize ESBuild early so it doesn't count towards the 10s compilation timeout later
+  await initializeEsbuild();
+
   const compilationVersion = 1;
   const enabledWorkflows = new Map(await Promise.all(Object.entries(tenancy.config.workflows.availableWorkflows)
     .filter(([_, workflow]) => workflow.enabled)
@@ -334,7 +337,6 @@ async function compileAndGetEnabledWorkflows(tenancy: Tenancy): Promise<Map<stri
             },
           },
         });
-        console.log(`Compiled workflow ${workflowId}`);
       } finally {
         await prisma.currentlyCompilingWorkflow.delete({
           where: {

From 83d4ab27cab81bfec084a498cfc3bd3c6b9ade3f Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 15:21:55 -0700
Subject: [PATCH 10/15] Increase workflow compilation timeout

---
 apps/backend/src/lib/workflows.tsx        |  7 ++++---
 apps/e2e/tests/backend/backend-helpers.ts | 12 ++++++++++++
 apps/e2e/tests/backend/workflows.test.ts  |  2 ++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index 02fa54f08..e1e302f37 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -165,9 +165,10 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
         compiledCode: compiledCodeResult.data,
         registeredTriggers: registeredTriggers,
       });
-    }, 10_000);
+    }, 30_000);
 
     if (res.status === "error") {
+      console.warn(`Timed out compiling workflow ${workflowId} after ${res.error.ms}ms`, { res });
       return Result.error({ compileError: `Timed out compiling workflow ${workflowId} after ${res.error.ms}ms` });
     }
     return res.data;
@@ -354,11 +355,11 @@ async function compileAndGetEnabledWorkflows(tenancy: Tenancy): Promise<Map<stri
     const { count } = await prisma.currentlyCompilingWorkflow.deleteMany({
       where: {
         tenancyId: tenancy.id,
-        startedCompilingAt: { lt: new Date(Date.now() - 20_000) },
+        startedCompilingAt: { lt: new Date(Date.now() - 40_000) },
       },
     });
     if (count > 0) {
-      captureError("workflows-compile-timeout", new StackAssertionError(`Deleted ${count} currently compiling workflows that were compiling for more than 20 seconds; this probably indicates a bug in the workflow compilation code`));
+      captureError("workflows-compile-timeout", new StackAssertionError(`Deleted ${count} currently compiling workflows that were compiling for more than 40 seconds; this probably indicates a bug in the workflow compilation code (as they should time out after 30 seconds)`));
     }
 
     await wait(1000);
diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index 743ad2ebe..154b0c2d1 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -203,6 +203,18 @@ export namespace Auth {
     }
   }
 
+  export async function refreshAccessToken() {
+    const response = await niceBackendFetch("/api/v1/auth/sessions/current/refresh", { method: "POST", accessType: "client" });
+    if (response.status !== 200) {
+      throw new StackAssertionError("Expected session to be valid, but was actually invalid.", { response });
+    }
+    backendContext.set({ userAuth: { accessToken: response.body.access_token, refreshToken: response.body.refresh_token } });
+    await ensureParsableAccessToken();
+    return {
+      refreshAccessTokenResponse: response,
+    };
+  }
+
   /**
    * Valid session & valid access token: OK
    * Valid session & invalid access token: OK
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index cd2355142..7b4d11dd4 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -216,6 +216,7 @@ test("disabled workflows do not trigger", async ({ expect }) => {
   await Auth.Password.signUpWithEmail({ password: "password" });
 
   await wait(waitRetries * 1_000 * 1.3);
+  await Auth.refreshAccessToken();
 
   expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
     [
@@ -304,6 +305,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
 
   // ensure marker not present yet
   await wait(waitRetries * 1_000 * 1.3);
+  await Auth.refreshAccessToken();
   const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
   expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
 

From 6fb57257d83b6533a6d2a7e938290964cb135beb Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 15:26:23 -0700
Subject: [PATCH 11/15] Fix more tests

---
 apps/e2e/tests/backend/backend-helpers.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index 154b0c2d1..b94e63bec 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -204,10 +204,12 @@ export namespace Auth {
   }
 
   export async function refreshAccessToken() {
-    const response = await niceBackendFetch("/api/v1/auth/sessions/current/refresh", { method: "POST", accessType: "client" });
-    if (response.status !== 200) {
-      throw new StackAssertionError("Expected session to be valid, but was actually invalid.", { response });
-    }
+    const response = await niceBackendFetch("/api/v1/auth/sessions/current/refresh", {
+      method: "POST",
+      accessType: "client",
+      headers: { "x-stack-access-token": "" },
+    });
+    expect(response).toMatchInlineSnapshot();
     backendContext.set({ userAuth: { accessToken: response.body.access_token, refreshToken: response.body.refresh_token } });
     await ensureParsableAccessToken();
     return {

From 656e738af9abbbeaf426c279c4fc292bf518b563 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 15:30:37 -0700
Subject: [PATCH 12/15] More

---
 apps/e2e/tests/backend/backend-helpers.ts | 28 +++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index b94e63bec..066fac459 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -108,12 +108,17 @@ export async function niceBackendFetch(url: string | URL, options?: Omit<NiceReq
   accessType?: null | "client" | "server" | "admin",
   body?: unknown,
   headers?: Record<string, string | undefined>,
+  userAuth?: {
+    accessToken?: string,
+    refreshToken?: string,
+  },
 }): Promise<NiceResponse> {
-  const { body, headers, accessType, ...otherOptions } = options ?? {};
+  const { body, headers, accessType, userAuth: userAuthOverride, ...otherOptions } = options ?? {};
   if (typeof body === "object") {
     expectSnakeCase(body, "req.body");
   }
-  const { projectKeys, userAuth } = backendContext.value;
+  const projectKeys = backendContext.value.projectKeys;
+  const userAuth = userAuthOverride ?? backendContext.value.userAuth;
   const fullUrl = new URL(url, STACK_BACKEND_BASE_URL);
   if (fullUrl.origin !== new URL(STACK_BACKEND_BASE_URL).origin) throw new StackAssertionError(`Invalid niceBackendFetch origin: ${fullUrl.origin}`);
   if (fullUrl.protocol !== new URL(STACK_BACKEND_BASE_URL).protocol) throw new StackAssertionError(`Invalid niceBackendFetch protocol: ${fullUrl.protocol}`);
@@ -207,9 +212,24 @@ export namespace Auth {
     const response = await niceBackendFetch("/api/v1/auth/sessions/current/refresh", {
       method: "POST",
       accessType: "client",
-      headers: { "x-stack-access-token": "" },
+      userAuth: {
+        refreshToken: backendContext.value.userAuth?.refreshToken,
+      },
     });
-    expect(response).toMatchInlineSnapshot();
+    expect(response).toMatchInlineSnapshot(`
+      NiceResponse {
+        "status": 401,
+        "body": {
+          "code": "ADMIN_ACCESS_TOKEN_EXPIRED",
+          "details": { "expired_at_millis": 1756938402000 },
+          "error": "Admin access token has expired. Please refresh it and try again. (The access token expired at 2025-09-03T22:26:42.000Z.)",
+        },
+        "headers": Headers {
+          "x-stack-known-error": "ADMIN_ACCESS_TOKEN_EXPIRED",
+          <some fields may have been hidden>,
+        },
+      }
+    `);
     backendContext.set({ userAuth: { accessToken: response.body.access_token, refreshToken: response.body.refresh_token } });
     await ensureParsableAccessToken();
     return {

From 599f418da01530fb44334a4b7050c16cd708ca78 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Wed, 3 Sep 2025 15:56:20 -0700
Subject: [PATCH 13/15] Final tests fix

---
 apps/backend/src/lib/workflows.tsx        | 86 +++++++++++++----------
 apps/e2e/tests/backend/backend-helpers.ts | 14 +---
 apps/e2e/tests/backend/workflows.test.ts  |  6 ++
 3 files changed, 57 insertions(+), 49 deletions(-)

diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index e1e302f37..227d2516f 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -139,17 +139,23 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
     }
     const workflow = tenancy.config.workflows.availableWorkflows[workflowId];
     const res = await timeout(async () => {
+      console.log(`Compiling workflow ${workflowId}...`);
       const compiledCodeResult = await compileWorkflowSource(workflow.tsSource);
       if (compiledCodeResult.status === "error") {
         return Result.error({ compileError: `Failed to compile workflow: ${compiledCodeResult.error}` });
       }
 
+      console.log(`Compiled workflow source for ${workflowId}, running compilation trigger...`, { compiledCodeResult });
+
       const compileTriggerResult = await triggerWorkflowRaw(tenancy, compiledCodeResult.data, {
         type: "compile",
       });
       if (compileTriggerResult.status === "error") {
         return Result.error({ compileError: `Failed to initialize workflow: ${compileTriggerResult.error}` });
       }
+
+      console.log(`Compilation trigger result:`, { compileTriggerResult });
+
       const compileTriggerOutputResult = compileTriggerResult.data;
       if (typeof compileTriggerOutputResult !== "object" || !compileTriggerOutputResult || !("triggerOutput" in compileTriggerOutputResult)) {
         captureError("workflows-compile-trigger-output", new StackAssertionError(`Failed to parse compile trigger output`, { compileTriggerOutputResult }));
@@ -161,6 +167,8 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
         return Result.error({ compileError: `Failed to parse compile trigger output, should be array of strings` });
       }
 
+      console.log(`Workflow ${workflowId} compiled successfully, returning result...`, { registeredTriggers, compiledCodeResult });
+
       return Result.ok({
         compiledCode: compiledCodeResult.data,
         registeredTriggers: registeredTriggers,
@@ -369,46 +377,48 @@ async function compileAndGetEnabledWorkflows(tenancy: Tenancy): Promise<Map<stri
 }
 
 async function triggerWorkflowRaw(tenancy: Tenancy, compiledWorkflowCode: string, trigger: WorkflowTrigger): Promise<Result<unknown, string>> {
-  const workflowToken = generateSecureRandomString();
-  const workflowTriggerToken = await globalPrismaClient.workflowTriggerToken.create({
-    data: {
-      expiresAt: new Date(Date.now() + 1000 * 35),
-      tenancyId: tenancy.id,
-      tokenHash: await hashWorkflowTriggerToken(workflowToken),
-    },
-  });
-
-  const tokenRefreshInterval = setInterval(() => {
-    runAsynchronously(async () => {
-      await globalPrismaClient.workflowTriggerToken.update({
-        where: {
-          tenancyId_id: {
-            tenancyId: tenancy.id,
-            id: workflowTriggerToken.id,
-          },
-        },
-        data: { expiresAt: new Date(Date.now() + 1000 * 35) },
-      });
-    });
-  }, 10_000);
-
-  try {
-    const freestyle = new Freestyle();
-    const freestyleRes = await freestyle.executeScript(compiledWorkflowCode, {
-      envVars: {
-        STACK_WORKFLOW_TRIGGER_DATA: JSON.stringify(trigger),
-        NEXT_PUBLIC_STACK_PROJECT_ID: tenancy.project.id,
-        NEXT_PUBLIC_STACK_API_URL: getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal"),  // the replace is a hardcoded hack for the Freestyle mock server
-        NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY: "<placeholder publishable client key; the actual auth happens with the workflow token>",
-        STACK_SECRET_SERVER_KEY: "<placeholder secret server key; the actual auth happens with the workflow token>",
-        STACK_WORKFLOW_TOKEN_SECRET: workflowToken,
+  return await traceSpan({ description: `triggerWorkflowRaw ${trigger.type}` }, async () => {
+    const workflowToken = generateSecureRandomString();
+    const workflowTriggerToken = await globalPrismaClient.workflowTriggerToken.create({
+      data: {
+        expiresAt: new Date(Date.now() + 1000 * 35),
+        tenancyId: tenancy.id,
+        tokenHash: await hashWorkflowTriggerToken(workflowToken),
       },
-      nodeModules: Object.fromEntries(Object.entries(externalPackages).map(([packageName, version]) => [packageName, version])),
     });
-    return Result.map(freestyleRes, (data) => data.result);
-  } finally {
-    clearInterval(tokenRefreshInterval);
-  }
+
+    const tokenRefreshInterval = setInterval(() => {
+      runAsynchronously(async () => {
+        await globalPrismaClient.workflowTriggerToken.update({
+          where: {
+            tenancyId_id: {
+              tenancyId: tenancy.id,
+              id: workflowTriggerToken.id,
+            },
+          },
+          data: { expiresAt: new Date(Date.now() + 1000 * 35) },
+        });
+      });
+    }, 10_000);
+
+    try {
+      const freestyle = new Freestyle();
+      const freestyleRes = await freestyle.executeScript(compiledWorkflowCode, {
+        envVars: {
+          STACK_WORKFLOW_TRIGGER_DATA: JSON.stringify(trigger),
+          NEXT_PUBLIC_STACK_PROJECT_ID: tenancy.project.id,
+          NEXT_PUBLIC_STACK_API_URL: getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal"),  // the replace is a hardcoded hack for the Freestyle mock server
+          NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY: "<placeholder publishable client key; the actual auth happens with the workflow token>",
+          STACK_SECRET_SERVER_KEY: "<placeholder secret server key; the actual auth happens with the workflow token>",
+          STACK_WORKFLOW_TOKEN_SECRET: workflowToken,
+        },
+        nodeModules: Object.fromEntries(Object.entries(externalPackages).map(([packageName, version]) => [packageName, version])),
+      });
+      return Result.map(freestyleRes, (data) => data.result);
+    } finally {
+      clearInterval(tokenRefreshInterval);
+    }
+  });
 }
 
 async function createScheduledTrigger(tenancy: Tenancy, workflowId: string, trigger: WorkflowTrigger, scheduledAt: Date) {
diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index 066fac459..88085031d 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -218,20 +218,12 @@ export namespace Auth {
     });
     expect(response).toMatchInlineSnapshot(`
       NiceResponse {
-        "status": 401,
-        "body": {
-          "code": "ADMIN_ACCESS_TOKEN_EXPIRED",
-          "details": { "expired_at_millis": 1756938402000 },
-          "error": "Admin access token has expired. Please refresh it and try again. (The access token expired at 2025-09-03T22:26:42.000Z.)",
-        },
-        "headers": Headers {
-          "x-stack-known-error": "ADMIN_ACCESS_TOKEN_EXPIRED",
-          <some fields may have been hidden>,
-        },
+        "status": 200,
+        "body": { "access_token": <stripped field 'access_token'> },
+        "headers": Headers { <some fields may have been hidden> },
       }
     `);
     backendContext.set({ userAuth: { accessToken: response.body.access_token, refreshToken: response.body.refresh_token } });
-    await ensureParsableAccessToken();
     return {
       refreshAccessTokenResponse: response,
     };
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 7b4d11dd4..93316ed7d 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -50,6 +50,7 @@ async function waitForServerMetadataNotNull(userId: string, key: string) {
 
 test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const mailbox = await bumpEmailAddress({ unindexed: true });
   const subject = `WF client signup ${crypto.randomUUID()}`;
 
@@ -106,6 +107,7 @@ test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
 
 test("onSignUp workflow can schedule callbacks", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const mailbox = await bumpEmailAddress({ unindexed: true });
   const subject = `WF client signup ${crypto.randomUUID()}`;
 
@@ -204,6 +206,7 @@ test("onSignUp workflow sends email for server-created user", async ({ expect })
 
 test("disabled workflows do not trigger", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const mailbox = await bumpEmailAddress({ unindexed: true });
   const subject = `WF disabled ${crypto.randomUUID()}`;
 
@@ -237,6 +240,7 @@ test("disabled workflows do not trigger", async ({ expect }) => {
 
 test("compile/runtime errors in one workflow don't block others", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const mailbox = await bumpEmailAddress({ unindexed: true });
   const subject = `WF ok ${crypto.randomUUID()}`;
 
@@ -286,6 +290,7 @@ test("compile/runtime errors in one workflow don't block others", async ({ expec
 
 test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const markerKey = `wfMarker-${crypto.randomUUID()}`;
 
   await Project.updateConfig({
@@ -323,6 +328,7 @@ test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ e
 
 test("workflow source changes take effect for subsequent sign-ups", async ({ expect }) => {
   await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
   const markerKey = `versionMarker-${crypto.randomUUID()}`;
 
   // v1

From 8424c4d624095a2510a0743217ed39ed88a97681 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Thu, 4 Sep 2025 02:50:06 -0700
Subject: [PATCH 14/15] More fixes

---
 apps/backend/src/lib/workflows.tsx            | 25 ++++---
 apps/e2e/tests/backend/workflows.test.ts      |  2 +
 .../src/interface/client-interface.ts         |  4 +-
 packages/stack-shared/src/utils/esbuild.tsx   | 65 +++++++++++++++++++
 4 files changed, 86 insertions(+), 10 deletions(-)

diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
index 227d2516f..33848f1a6 100644
--- a/apps/backend/src/lib/workflows.tsx
+++ b/apps/backend/src/lib/workflows.tsx
@@ -15,9 +15,7 @@ import { Freestyle } from "./freestyle";
 import { Tenancy } from "./tenancies";
 import { upstash } from "./upstash";
 
-const externalPackages = {
-  '@stackframe/stack': 'latest',
-};
+const externalPackages: Record<string, string> = {};
 
 type WorkflowRegisteredTriggerType = "sign-up";
 
@@ -56,7 +54,9 @@ export async function compileWorkflowSource(source: string): Promise<Result<stri
   const bundleResult = await bundleJavaScript({
     "/source.tsx": source,
     "/entry.js": `
-      import { StackServerApp } from '@stackframe/stack';
+      import { StackServerApp } from 'https://esm.sh/@stackframe/js@2.8.36?target=es2021&standalone';
+
+      globalThis.navigator.onLine = true;
 
       export default async () => {
         globalThis.stackApp = new StackServerApp({
@@ -125,6 +125,7 @@ export async function compileWorkflowSource(source: string): Promise<Result<stri
   }, {
     format: 'esm',
     keepAsImports: Object.keys(externalPackages),
+    allowHttpImports: true,
   });
   if (bundleResult.status === "error") {
     return Result.error(bundleResult.error);
@@ -145,7 +146,7 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
         return Result.error({ compileError: `Failed to compile workflow: ${compiledCodeResult.error}` });
       }
 
-      console.log(`Compiled workflow source for ${workflowId}, running compilation trigger...`, { compiledCodeResult });
+      console.log(`Compiled workflow source for ${workflowId}, running compilation trigger...`, { compiledCodeLength: compiledCodeResult.data.length });
 
       const compileTriggerResult = await triggerWorkflowRaw(tenancy, compiledCodeResult.data, {
         type: "compile",
@@ -154,7 +155,7 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
         return Result.error({ compileError: `Failed to initialize workflow: ${compileTriggerResult.error}` });
       }
 
-      console.log(`Compilation trigger result:`, { compileTriggerResult });
+      console.log(`Compilation trigger completed!`);
 
       const compileTriggerOutputResult = compileTriggerResult.data;
       if (typeof compileTriggerOutputResult !== "object" || !compileTriggerOutputResult || !("triggerOutput" in compileTriggerOutputResult)) {
@@ -167,7 +168,7 @@ async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Re
         return Result.error({ compileError: `Failed to parse compile trigger output, should be array of strings` });
       }
 
-      console.log(`Workflow ${workflowId} compiled successfully, returning result...`, { registeredTriggers, compiledCodeResult });
+      console.log(`Workflow ${workflowId} compiled successfully, returning result...`, { registeredTriggers });
 
       return Result.ok({
         compiledCode: compiledCodeResult.data,
@@ -403,16 +404,24 @@ async function triggerWorkflowRaw(tenancy: Tenancy, compiledWorkflowCode: string
 
     try {
       const freestyle = new Freestyle();
+      const apiUrl = new URL("/", getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal"));
       const freestyleRes = await freestyle.executeScript(compiledWorkflowCode, {
         envVars: {
           STACK_WORKFLOW_TRIGGER_DATA: JSON.stringify(trigger),
           NEXT_PUBLIC_STACK_PROJECT_ID: tenancy.project.id,
-          NEXT_PUBLIC_STACK_API_URL: getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal"),  // the replace is a hardcoded hack for the Freestyle mock server
+          NEXT_PUBLIC_STACK_API_URL: apiUrl.toString(),
           NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY: "<placeholder publishable client key; the actual auth happens with the workflow token>",
           STACK_SECRET_SERVER_KEY: "<placeholder secret server key; the actual auth happens with the workflow token>",
           STACK_WORKFLOW_TOKEN_SECRET: workflowToken,
         },
         nodeModules: Object.fromEntries(Object.entries(externalPackages).map(([packageName, version]) => [packageName, version])),
+        networkPermissions: [
+          {
+            action: "allow",
+            behavior: "exact",
+            query: apiUrl.host,
+          },
+        ],
       });
       return Result.map(freestyleRes, (data) => data.result);
     } finally {
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
index 93316ed7d..53e1dfd6f 100644
--- a/apps/e2e/tests/backend/workflows.test.ts
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -236,6 +236,8 @@ test("disabled workflows do not trigger", async ({ expect }) => {
       },
     ]
   `);
+}, {
+  timeout: 90_000,
 });
 
 test("compile/runtime errors in one workflow don't block others", async ({ expect }) => {
diff --git a/packages/stack-shared/src/interface/client-interface.ts b/packages/stack-shared/src/interface/client-interface.ts
index 3bc7b0bf6..ba6f2f8a2 100644
--- a/packages/stack-shared/src/interface/client-interface.ts
+++ b/packages/stack-shared/src/interface/client-interface.ts
@@ -125,8 +125,8 @@ export class StackClientInterface {
 
     // try to diagnose the error for the user
     if (retriedResult.status === "error") {
-      if (globalVar.navigator && !globalVar.navigator.onLine) {
-        throw new Error("You are offline. Please check your internet connection and try again. (window.navigator.onLine is falsy)", { cause: retriedResult.error });
+      if (globalVar.navigator && globalVar.navigator.onLine === false) {
+        throw new Error("You are offline. Please check your internet connection and try again. (window.navigator.onLine is false)", { cause: retriedResult.error });
       }
       throw await this._createNetworkError(retriedResult.error, session, requestType);
     }
diff --git a/packages/stack-shared/src/utils/esbuild.tsx b/packages/stack-shared/src/utils/esbuild.tsx
index 0a08a6b3c..3baf11efe 100644
--- a/packages/stack-shared/src/utils/esbuild.tsx
+++ b/packages/stack-shared/src/utils/esbuild.tsx
@@ -35,12 +35,15 @@ export async function bundleJavaScript(sourceFiles: Record<string, string> & { '
   externalPackages?: Record<string, string>,
   keepAsImports?: string[],
   sourcemap?: false | 'inline',
+  allowHttpImports?: boolean,
 } = {}): Promise<Result<string, string>> {
   await initializeEsbuild();
 
   const sourceFilesMap = new Map(Object.entries(sourceFiles));
   const externalPackagesMap = new Map(Object.entries(options.externalPackages ?? {}));
   const keepAsImports = options.keepAsImports ?? [];
+  
+  const httpImportCache = new Map<string, { contents: string; loader: esbuild.Loader; resolveDir: string }>();
 
   const extToLoader: Map<string, esbuild.Loader> = new Map([
     ['tsx', 'tsx'],
@@ -63,6 +66,68 @@ export async function bundleJavaScript(sourceFiles: Record<string, string> & { '
       sourcemap: options.sourcemap ?? 'inline',
       external: keepAsImports,
       plugins: [
+        ...options.allowHttpImports ? [{
+          name: "esm-sh-only",
+          setup(build: esbuild.PluginBuild) {
+            // Handle absolute URLs and relative imports from esm.sh modules.
+            build.onResolve({ filter: /.*/ }, (args) => {
+              // Only touch absolute http(s) specifiers or children of our own namespace
+              const isHttp = args.path.startsWith("http://") || args.path.startsWith("https://");
+              const fromEsmNs = args.namespace === "esm-sh";
+      
+              if (!isHttp && !fromEsmNs) return null; // Let other plugins handle bare/relative/local
+      
+              // Resolve relative URLs inside esm.sh-fetched modules
+              const url = new URL(args.path, fromEsmNs ? args.importer : undefined);
+      
+              if (url.protocol !== "https:" || url.host !== "esm.sh") {
+                throw new Error(`Blocked non-esm.sh URL import: ${url.href}`);
+              }
+      
+              return { path: url.href, namespace: "esm-sh" };
+            });
+      
+            build.onLoad({ filter: /.*/, namespace: "esm-sh" }, async (args) => {
+              if (httpImportCache.has(args.path)) return httpImportCache.get(args.path)!;
+      
+              const res = await fetch(args.path, { redirect: "follow" });
+              if (!res.ok) throw new Error(`Fetch ${res.status} ${res.statusText} for ${args.path}`);
+              const finalUrl = new URL(res.url);
+              // Defensive: follow shouldn’t leave esm.sh, but re-check.
+              if (finalUrl.host !== "esm.sh") {
+                throw new Error(`Redirect escaped esm.sh: ${finalUrl.href}`);
+              }
+      
+              const ct = (res.headers.get("content-type") || "").toLowerCase();
+              let loader: esbuild.Loader =
+                ct.includes("css") ? "css" :
+                ct.includes("json") ? "json" :
+                ct.includes("typescript") ? "ts" :
+                ct.includes("jsx") ? "jsx" :
+                ct.includes("tsx") ? "tsx" :
+                "js";
+      
+              // Fallback by extension (esm.sh sometimes omits CT)
+              const p = finalUrl.pathname;
+              if (p.endsWith(".css")) loader = "css";
+              else if (p.endsWith(".json")) loader = "json";
+              else if (p.endsWith(".ts")) loader = "ts";
+              else if (p.endsWith(".tsx")) loader = "tsx";
+              else if (p.endsWith(".jsx")) loader = "jsx";
+      
+              const contents = await res.text();
+              const result = {
+                contents,
+                loader,
+                // Ensures relative imports inside that module resolve against the file’s URL
+                resolveDir: new URL(".", finalUrl.href).toString(),
+                watchFiles: [finalUrl.href],
+              };
+              httpImportCache.set(args.path, result);
+              return result;
+            });
+          },
+        } as esbuild.Plugin] : [],
         {
           name: 'replace-packages-with-globals',
           setup(build) {

From 663a0184cf7a37e3eb1fc4002b2c7730eda9f0f7 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Thu, 4 Sep 2025 03:19:53 -0700
Subject: [PATCH 15/15] Fix lint errors

---
 packages/stack-shared/src/utils/esbuild.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/stack-shared/src/utils/esbuild.tsx b/packages/stack-shared/src/utils/esbuild.tsx
index 3baf11efe..c5b829c06 100644
--- a/packages/stack-shared/src/utils/esbuild.tsx
+++ b/packages/stack-shared/src/utils/esbuild.tsx
@@ -42,7 +42,7 @@ export async function bundleJavaScript(sourceFiles: Record<string, string> & { '
   const sourceFilesMap = new Map(Object.entries(sourceFiles));
   const externalPackagesMap = new Map(Object.entries(options.externalPackages ?? {}));
   const keepAsImports = options.keepAsImports ?? [];
-  
+
   const httpImportCache = new Map<string, { contents: string; loader: esbuild.Loader; resolveDir: string }>();
 
   const extToLoader: Map<string, esbuild.Loader> = new Map([