feat(agents): AI autopilot agents framework with cron scheduling and autofixer

.github/workflows/release.yml

@@ -99,6 +99,90 @@ jobs:
             temps-linux-amd64.tar.gz
             temps-linux-amd64.tar.gz.sha256
 
+  build-linux-arm64:
+    name: Build Linux ARM64
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y cmake pkg-config libssl-dev protobuf-compiler
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: aarch64-unknown-linux-gnu
+
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          key: linux-arm64-release
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Cache Bun dependencies
+        uses: actions/cache@v4
+        with:
+          path: web/node_modules
+          key: ${{ runner.os }}-arm64-bun-${{ hashFiles('web/bun.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-arm64-bun-
+
+      - name: Install web dependencies
+        run: |
+          cd web
+          bun install
+
+      - name: Install wasm-pack and Build WASM
+        run: |
+          cargo install wasm-pack
+          cd crates/temps-captcha-wasm
+          bun run build
+
+      - name: Build release binary
+        run: cargo build --release --bin temps
+        env:
+          FORCE_WEB_BUILD: 1
+          CARGO_INCREMENTAL: 0
+          TEMPS_VERSION: ${{ github.ref_name }}
+
+      - name: Strip binary
+        run: strip target/release/temps
+
+      - name: Rename binary
+        run: cp target/release/temps temps
+
+      - name: Create tarball
+        run: |
+          tar -czf temps-linux-arm64.tar.gz temps
+          ls -lh temps-linux-arm64.tar.gz
+
+      - name: Generate checksum
+        run: |
+          sha256sum temps-linux-arm64.tar.gz > temps-linux-arm64.tar.gz.sha256
+          cat temps-linux-arm64.tar.gz.sha256
+
+      - name: Get binary info
+        run: |
+          file temps
+          ./temps --version || echo "Note: Binary may require runtime dependencies"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: temps-linux-arm64
+          path: |
+            temps-linux-arm64.tar.gz
+            temps-linux-arm64.tar.gz.sha256
+
   build-darwin-amd64:
     name: Build macOS AMD64
     runs-on: macos-15-intel
@@ -265,7 +349,7 @@ jobs:
 
   create-release:
     name: Create Release
-    needs: [build-linux-amd64, build-darwin-amd64, build-darwin-arm64]
+    needs: [build-linux-amd64, build-linux-arm64, build-darwin-amd64, build-darwin-arm64]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -282,6 +366,7 @@ jobs:
         run: |
           mkdir -p release
           cp artifacts/temps-linux-amd64/* release/
+          cp artifacts/temps-linux-arm64/* release/
           cp artifacts/temps-darwin-amd64/* release/
           cp artifacts/temps-darwin-arm64/* release/
           ls -lh release/
@@ -290,6 +375,7 @@ jobs:
         run: |
           cd release
           cat temps-linux-amd64.tar.gz.sha256 > checksums.txt
+          cat temps-linux-arm64.tar.gz.sha256 >> checksums.txt
           cat temps-darwin-amd64.tar.gz.sha256 >> checksums.txt
           cat temps-darwin-arm64.tar.gz.sha256 >> checksums.txt
           echo "Combined checksums:"
@@ -304,16 +390,19 @@ jobs:
         run: |
           VERSION="${GITHUB_REF#refs/tags/v}"
           SHA256_LINUX_AMD64=$(awk '{print $1}' release/temps-linux-amd64.tar.gz.sha256)
+          SHA256_LINUX_ARM64=$(awk '{print $1}' release/temps-linux-arm64.tar.gz.sha256)
           SHA256_DARWIN_AMD64=$(awk '{print $1}' release/temps-darwin-amd64.tar.gz.sha256)
           SHA256_DARWIN_ARM64=$(awk '{print $1}' release/temps-darwin-arm64.tar.gz.sha256)
 
           echo "Generating Homebrew formula for version $VERSION"
           echo "Linux AMD64 SHA256: $SHA256_LINUX_AMD64"
+          echo "Linux ARM64 SHA256: $SHA256_LINUX_ARM64"
           echo "macOS AMD64 SHA256: $SHA256_DARWIN_AMD64"
           echo "macOS ARM64 SHA256: $SHA256_DARWIN_ARM64"
 
           sed -e "s/{{VERSION}}/$VERSION/g" \
               -e "s/{{SHA256_LINUX_AMD64}}/$SHA256_LINUX_AMD64/g" \
+              -e "s/{{SHA256_LINUX_ARM64}}/$SHA256_LINUX_ARM64/g" \
               -e "s/{{SHA256_DARWIN_AMD64}}/$SHA256_DARWIN_AMD64/g" \
               -e "s/{{SHA256_DARWIN_ARM64}}/$SHA256_DARWIN_ARM64/g" \
               scripts/homebrew-formula.rb.template > release/temps.rb
@@ -367,6 +456,21 @@ jobs:
           temps --version
           ```
 
+          #### Linux ARM64
+          ```bash
+          # Download
+          curl -LO https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/temps-linux-arm64.tar.gz
+
+          # Extract
+          tar -xzf temps-linux-arm64.tar.gz
+
+          # Move to PATH
+          sudo mv temps /usr/local/bin/temps
+
+          # Verify
+          temps --version
+          ```
+
           #### macOS AMD64 (Intel)
           ```bash
           # Download
@@ -431,6 +535,8 @@ jobs:
             $PRERELEASE_FLAG \
             release/temps-linux-amd64.tar.gz \
             release/temps-linux-amd64.tar.gz.sha256 \
+            release/temps-linux-arm64.tar.gz \
+            release/temps-linux-arm64.tar.gz.sha256 \
             release/temps-darwin-amd64.tar.gz \
             release/temps-darwin-amd64.tar.gz.sha256 \
             release/temps-darwin-arm64.tar.gz \
@@ -446,17 +552,22 @@ jobs:
 
   build-and-push-docker:
     name: Build and Push Docker Image (${{ matrix.platform }})
-    needs: [build-linux-amd64, build-darwin-amd64, build-darwin-arm64]
-    runs-on: ubuntu-latest
+    needs: [build-linux-amd64, build-linux-arm64, build-darwin-amd64, build-darwin-arm64]
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
     strategy:
       matrix:
         include:
           - platform: linux/amd64
+            runner: ubuntu-latest
             artifact: temps-linux-amd64
             tarball: temps-linux-amd64.tar.gz
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            artifact: temps-linux-arm64
+            tarball: temps-linux-arm64.tar.gz
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -543,9 +654,11 @@ jobs:
       - name: Create and push manifest for latest
         run: |
           docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/temps:latest \
-            ghcr.io/${{ github.repository_owner }}/temps:latest-linux-amd64
+            ghcr.io/${{ github.repository_owner }}/temps:latest-linux-amd64 \
+            ghcr.io/${{ github.repository_owner }}/temps:latest-linux-arm64
 
       - name: Create and push manifest for version
         run: |
           docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/temps:${{ steps.version.outputs.version }} \
-            ghcr.io/${{ github.repository_owner }}/temps:${{ steps.version.outputs.version }}-linux-amd64
+            ghcr.io/${{ github.repository_owner }}/temps:${{ steps.version.outputs.version }}-linux-amd64 \
+            ghcr.io/${{ github.repository_owner }}/temps:${{ steps.version.outputs.version }}-linux-arm64

.github/workflows/rust-tests.yml

@@ -300,15 +300,36 @@ jobs:
     name: "Integration Tests (${{ matrix.group }})"
     runs-on: ubuntu-latest
     needs: [build-tests, unit-tests]
+    # 45 min covers the postgres-upgrades group worst-case
+    # (5 tests × ~6 min + pg17/pg18 image pulls on a cold runner).
+    # Other groups finish well under that.
+    timeout-minutes: 45
     strategy:
       fail-fast: false
       matrix:
         include:
           - group: docker-providers
-            # temps-providers with Docker tests enabled
+            # temps-providers with Docker tests enabled.
+            # NOTE: orchestrator_* tests run in a dedicated `postgres-upgrades`
+            # group below (serial, long timeout, real pg17→pg18 containers).
+            # Skip them here so this group stays fast and parallel-safe.
             command: >-
               cargo test --no-fail-fast --lib
               -p temps-providers --features docker-tests
+              --
+              --skip orchestrator_
+          - group: postgres-upgrades
+            # PostgreSQL major-version upgrade orchestrator integration tests.
+            # Each test pulls pg17 + pg18 images and runs a real dump/restore,
+            # so they're 2–6 min apiece and must not contend for Docker.
+            # --test-threads=1 guarantees serial execution.
+            command: >-
+              cargo test --no-fail-fast --lib
+              -p temps-providers --features docker-tests
+              orchestrator_
+              --
+              --nocapture
+              --test-threads=1
           - group: docker-deployments
             # Crates that use TestDatabase and/or Docker
             command: >-

.github/workflows/test-release.yml

@@ -24,17 +24,20 @@ jobs:
           mkdir -p release
 
           # Create dummy binaries
-          echo "fake linux binary" > release/temps-linux-amd64
+          echo "fake linux amd64 binary" > release/temps-linux-amd64
+          echo "fake linux arm64 binary" > release/temps-linux-arm64
           echo "fake darwin amd64 binary" > release/temps-darwin-amd64
           echo "fake darwin arm64 binary" > release/temps-darwin-arm64
 
           # Generate checksums
           sha256sum release/temps-linux-amd64 > release/temps-linux-amd64.sha256
+          sha256sum release/temps-linux-arm64 > release/temps-linux-arm64.sha256
           sha256sum release/temps-darwin-amd64 > release/temps-darwin-amd64.sha256
           sha256sum release/temps-darwin-arm64 > release/temps-darwin-arm64.sha256
 
           # Combined checksums
           cat release/temps-linux-amd64.sha256 > release/checksums.txt
+          cat release/temps-linux-arm64.sha256 >> release/checksums.txt
           cat release/temps-darwin-amd64.sha256 >> release/checksums.txt
           cat release/temps-darwin-arm64.sha256 >> release/checksums.txt
 
@@ -47,11 +50,13 @@ jobs:
         run: |
           VERSION="${GITHUB_REF#refs/tags/test-v}"
           SHA256_LINUX_AMD64=$(awk '{print $1}' release/temps-linux-amd64.sha256)
+          SHA256_LINUX_ARM64=$(awk '{print $1}' release/temps-linux-arm64.sha256)
           SHA256_DARWIN_AMD64=$(awk '{print $1}' release/temps-darwin-amd64.sha256)
           SHA256_DARWIN_ARM64=$(awk '{print $1}' release/temps-darwin-arm64.sha256)
 
           sed -e "s/{{VERSION}}/$VERSION/g" \
               -e "s/{{SHA256_LINUX_AMD64}}/$SHA256_LINUX_AMD64/g" \
+              -e "s/{{SHA256_LINUX_ARM64}}/$SHA256_LINUX_ARM64/g" \
               -e "s/{{SHA256_DARWIN_AMD64}}/$SHA256_DARWIN_AMD64/g" \
               -e "s/{{SHA256_DARWIN_ARM64}}/$SHA256_DARWIN_ARM64/g" \
               scripts/homebrew-formula.rb.template > release/temps.rb
@@ -83,6 +88,7 @@ jobs:
 
           ## Files Included
           - temps-linux-amd64 (dummy binary)
+          - temps-linux-arm64 (dummy binary)
           - temps-darwin-amd64 (dummy binary)
           - temps-darwin-arm64 (dummy binary)
           - install.sh (real install script)
@@ -105,6 +111,8 @@ jobs:
             --prerelease \
             release/temps-linux-amd64 \
             release/temps-linux-amd64.sha256 \
+            release/temps-linux-arm64 \
+            release/temps-linux-arm64.sha256 \
             release/temps-darwin-amd64 \
             release/temps-darwin-amd64.sha256 \
             release/temps-darwin-arm64 \

CHANGELOG.md

@@ -8,6 +8,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **AI Agents framework**: `temps-agents` crate introducing project-scoped AI agents that run Claude CLI or OpenAI Codex against your codebase; agents are configured per-project with a system prompt, max turns, and a choice of AI provider
+- **Autopilot cron scheduling**: agents can be scheduled with a cron expression (e.g. `0 * * * *`) so they run automatically — the `CronScheduler` service manages all active schedules and fires agent runs without manual intervention
+- **Autofixer**: agents integrated with error tracking — open an error group and trigger an AI-powered fix that creates a sandboxed agent run, streams the output, and surfaces a diff or summary in the UI
+- **Conversation continuation**: Claude CLI backend supports `--continue` to resume an existing conversation in the working directory, enabling multi-turn autopilot sessions that build on prior context
+- **Agent run history**: `agent_runs` and `agent_run_logs` tables track every run with status, stdout/stderr output, exit code, and timestamps; browsable from the Autopilot UI
+- **Autopilot UI page**: new Autopilot section per project showing run history, run detail with streamed logs, trigger button, and cron schedule configuration
+- **Autofixer panel**: dedicated side panel on the Error Group detail page showing autofixer run status and AI-generated fix output
 - **Email tracking analytics UI**: event timeline on email detail page showing individual open/click/bounce/delivery events with IP, user-agent, and metadata; new Analytics tab with delivery rate cards and global event log
 - **Global email events endpoint**: `GET /emails/events` lists tracking events across all emails with optional `email_id` and `event_type` filters; `GET /emails/events/stats` returns aggregated open/click/bounce rates
 - **Node SDK regenerated**: includes `tracked_html_body`, `track_opens`, `track_clicks`, `TrackingEventResponse`, `TrackedLinkResponse`, `EmailTrackingResponse` types and SDK functions
@@ -17,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Documentation for new pool environment variables in the environment variables reference
 - **Email tracking — tracked HTML storage**: new `tracked_html_body` column stores the final HTML sent to the provider (with tracking pixel and rewritten links), separate from the original `html_body` to avoid triggering fake opens in dashboard previews
 - **Email tracking — per-link click breakdown**: email detail page now shows each tracked link with its individual click count
+- **Link Project from service detail**: "Link Project" button on the Storage service detail page lets you link a project directly from the Linked Projects section via a searchable combobox
 
 ### Security
 - **Container exec tenant isolation**: `exec_command` and `container_terminal` handlers now verify the container belongs to the requested project/environment before allowing access, preventing cross-tenant container exec
@@ -30,9 +38,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump `next` across examples/fixtures to 15.3.3/16.2.2 (5 CVEs: disk cache growth, request smuggling, postponed buffering DoS, null origin CSRF bypass)
 - Bump `testcontainers` 0.27.1 → 0.27.2 / `astral-tokio-tar` 0.5.6 → 0.6.0 (insufficient PAX extension validation, dev-only)
 
+### Changed
+- **Audit Logs page redesign**: switched from card-per-row layout to a responsive table matching the rest of the app (filter bar in a card, type badge + icon per category, responsive `hidden md:/lg:table-cell` columns, skeleton loaders, proper empty state, and paginated footer)
+- **Audit operation labels**: added human-readable descriptions for the new `SKILL_*`, `MCP_*`, and `SECRET_*` operation types, and a `humanize()` fallback so any future operation type renders as "Something New" instead of "Performed unknown operation"
+
 ### Fixed
 - **CLI: `environments vars` subcommands ignored `--project` flag**: `get`, `set`, `delete`, `import`, `export` used `cmd.parent!.parent!.opts().project` (traversing to `environments` command level where `--project` isn't defined) instead of `cmd.parent!.opts().project` (the `vars` command where it is). This caused "Project undefined not found" errors. The `list` subcommand was not affected.
 - **CLI: `services env` crashed with "envVars is not iterable"**: the API endpoint `GET /external-services/{id}/projects/{project_id}/environment` returns `HashMap<String, String>` but the CLI expected `Array<EnvironmentVariableInfo>`. Added handling to convert the object response into the expected array format.
+- Storage "Create" button from empty state navigated to `/storage/create` (404) instead of `/settings/storage/create`
 - Email event timeline returned 404: UI fetched from `/emails/{id}/events` (unregistered plugin route) instead of `/emails/{id}/tracking/events`; also fixed event type mismatches (`open`/`click` vs `opened`/`clicked`) and added client-side pagination for flat array response
 - Gmail image proxy misidentified as "Firefox" in email tracking events; now shows "Gmail (Google Proxy)"
 - Email detail back button navigated to default Providers tab instead of Sent Emails tab

CLAUDE.md

@@ -19,6 +19,9 @@ Guidance for Claude Code when working with the Temps codebase.
 - Create markdown documentation files unless explicitly requested
 - Mark Docker tests with `#[ignore]` -- they MUST skip gracefully at runtime instead
 - Create error types with generic messages -- ALWAYS include IDs, names, and operation context
+- Expose internal dependencies via public accessors (e.g. `service.db()`) -- pass dependencies directly via constructor or AppState
+- Use `Option<T>` for dependencies that are required -- use `Arc<T>` and fail at startup if missing
+- Use `get_service` for required dependencies in plugins -- use `require_service` which fails fast with a clear error
 
 ### ALWAYS
 - Run `cargo check --lib` after every modification
@@ -35,6 +38,9 @@ Guidance for Claude Code when working with the Temps codebase.
 - Use `permission_guard!` macro for authorization in handlers
 - Add audit logging for all write operations (CREATE, UPDATE, DELETE)
 - Include contextual information (IDs, resource names, paths) in every error message
+- Give each component its own copy of shared dependencies (Arc clones) -- never share via accessor methods
+- Use `require_service` in plugins for dependencies the app can't function without
+- Let the user configure and control their setup -- show status, give instructions, don't do things silently on their behalf
 
 ---