refactor(repo): Add temporal standalone mode

README.md

@@ -80,7 +80,7 @@ Our documentation website is the best place to find comprehensive information, t
 | 🧠 **[Memory & Context](./docs/content/docs/core/memory/overview.mdx)**             | Managing agent memory and conversation context   |
 | 🔌 **[MCP Integration](./docs/content/docs/core/mcp/overview.mdx)**                 | Model Context Protocol for external tool servers |
 | 📡 **[Signal System](./docs/content/docs/core/signals/overview.mdx)**               | Event-driven communication between components    |
-| 🚀 **[Deployment](./docs/content/docs/core/deployment/docker.mdx)**                 | Deploy Compozy to production environments        |
+| 🚀 **[Deployment](./docs/content/docs/deployment/docker.mdx)**                      | Deploy Compozy to production environments        |
 | 💻 **[CLI Reference](./docs/content/docs/cli/overview.mdx)**                        | Command-line interface reference                 |
 | 📋 **[Schema Definition](./docs/content/docs/schema/project.mdx)**                  | YAML schema definitions for all components       |
 | 🔌 **[API Reference](./docs/content/docs/api/overview.mdx)**                        | REST API for programmatic access                 |

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Accepted Risks
+
+### AWS SDK for Go (github.com/aws/aws-sdk-go v1.55.6)
+
+- Advisories: GO-2022-0635, GO-2022-0646 (AWS S3 Crypto client-side encryption flaws)
+- Impact Scope: affects packages `s3crypto`/`s3/encryption`; Compozy does not invoke these modules.
+- Mitigation: storage interactions rely on server-side encryption; no client-side encryption helpers are linked into binaries.
+- Verification: `rg "s3crypto" -n` and `rg "s3/encryption" -n` return no matches in the repository (checked 2025-10-27).
+- Action: continue monitoring upstream advisories; upgrade or disable the dependency if future releases require the S3 Crypto helpers.

ai-docs/reviews-pr-305/issues/011-issue.md

@@ -0,0 +1,49 @@
+# Issue 11 - Review Thread Comment
+
+**File:** `examples/temporal-standalone/integration-testing/tests/integration_test.go:44`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_🧹 Nitpick_ | _🔵 Trivial_
+
+**Option: wrap Start with a short timeout.**
+
+Even with StartTimeout in cfg, a context deadline guards against unexpected hangs. 
+
+```diff
+-	require.NoError(t, srv.Start(ctx))
++	startCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
++	defer cancel()
++	require.NoError(t, srv.Start(startCtx))
+```
+
+<details>
+<summary>🤖 Prompt for AI Agents</summary>
+
+```
+In examples/temporal-standalone/integration-testing/tests/integration_test.go
+around lines 35 to 44, wrap the call to srv.Start(ctx) in a short
+context.WithTimeout to guard against hangs even if cfg has StartTimeout; create
+a new ctxStart, defer cancel() and call require.NoError(t, srv.Start(ctxStart)),
+keeping the existing cleanup Stop(ctx) unchanged so Stop uses the original test
+context.
+```
+
+</details>
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez74`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez74
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/012-issue.md

@@ -0,0 +1,64 @@
+# Issue 12 - Review Thread Comment
+
+**File:** `go.mod:126`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_🧹 Nitpick_ | _🔵 Trivial_
+
+**Document accepted AWS S3 Crypto SDK vulns outside go.mod.**
+
+Acceptance note is fine, but prefer moving rationale to SECURITY.md (or a tracking issue) rather than comments in go.mod. Keep the module line clean.
+
+<details>
+<summary>🧰 Tools</summary>
+
+<details>
+<summary>🪛 OSV Scanner (2.2.3)</summary>
+
+[LOW] 126-126: github.com/aws/aws-sdk-go 1.55.6: In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
+
+(GO-2022-0635)
+
+---
+
+[LOW] 126-126: github.com/aws/aws-sdk-go 1.55.6: CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
+
+(GO-2022-0646)
+
+</details>
+
+</details>
+
+<details>
+<summary>🤖 Prompt for AI Agents</summary>
+
+```
+In go.mod around lines 124 to 126, the acceptance rationale for AWS S3 Crypto
+SDK vulnerabilities is embedded as comments in the module file; move that
+rationale into SECURITY.md (or a tracked GitHub issue) and reference it from
+go.mod if needed. Remove the comment block from go.mod so the file only contains
+the module dependency line, create or update SECURITY.md with the full
+explanation (including grep verification, vuln IDs GO-2022-0635/GO-2022-0646,
+and justification), and optionally add a one-line comment in go.mod pointing to
+SECURITY.md or the issue number for traceability.
+```
+
+</details>
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez7-`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez7-
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/013-issue.md

@@ -0,0 +1,64 @@
+# Issue 13 - Review Thread Comment
+
+**File:** `pkg/config/loader.go:447`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_🛠️ Refactor suggestion_ | _🟠 Major_
+
+**Replace remaining 65535 literals with maxTCPPort; unify messages.**
+
+Use the defined maxTCPPort for range checks and format error messages with %d to avoid magic numbers and keep a single source of truth.
+
+Apply:
+
+```diff
+-	if standalone.FrontendPort < 1 || standalone.FrontendPort > maxTCPPort {
+-		return fmt.Errorf("temporal.standalone.frontend_port must be between 1 and 65535")
++	if standalone.FrontendPort < 1 || standalone.FrontendPort > maxTCPPort {
++		return fmt.Errorf("temporal.standalone.frontend_port must be between 1 and %d", maxTCPPort)
+ 	}
+@@
+-		if standalone.UIPort < 1 || standalone.UIPort > maxTCPPort {
+-			return fmt.Errorf("temporal.standalone.ui_port must be between 1 and 65535 when enable_ui is true")
++		if standalone.UIPort < 1 || standalone.UIPort > maxTCPPort {
++			return fmt.Errorf("temporal.standalone.ui_port must be between 1 and %d when enable_ui is true", maxTCPPort)
+ 		}
+@@
+-	} else if standalone.UIPort != 0 && (standalone.UIPort < 1 || standalone.UIPort > 65535) {
+-		return fmt.Errorf("temporal.standalone.ui_port must be between 1 and 65535 when set")
++	} else if standalone.UIPort != 0 && (standalone.UIPort < 1 || standalone.UIPort > maxTCPPort) {
++		return fmt.Errorf("temporal.standalone.ui_port must be between 1 and %d when set", maxTCPPort)
+ 	}
+```
+
+And in validateTCPPort:
+
+```diff
+-	if port < 1 || port > 65535 {
+-		return fmt.Errorf("%s must be between 1 and 65535, got: %d", fieldName, port)
++	if port < 1 || port > maxTCPPort {
++		return fmt.Errorf("%s must be between 1 and %d, got: %d", fieldName, maxTCPPort, port)
+ 	}
+```
+As per coding guidelines.
+
+
+Also applies to: 594-604
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez8F`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez8F
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/014-issue.md

@@ -0,0 +1,52 @@
+# Issue 14 - Review Thread Comment
+
+**File:** `test/integration/temporal/mode_switching_test.go:45`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_⚠️ Potential issue_ | _🟠 Major_
+
+**Ensure cleanup of the standalone server.**
+
+Register t.Cleanup right after start to avoid leaks on failures.
+
+Apply:
+
+```diff
+- server := startStandaloneServer(ctx, t, embeddedCfg)
++ server := startStandaloneServer(ctx, t, embeddedCfg)
++ t.Cleanup(func() {
++     stopTemporalServer(ctx, t, server)
++ })
+```
+
+<details>
+<summary>🤖 Prompt for AI Agents</summary>
+
+```
+In test/integration/temporal/mode_switching_test.go around lines 39 to 45, you
+start a standalone server but don’t register cleanup immediately; add t.Cleanup
+right after server := startStandaloneServer(...) to ensure the server is stopped
+on test exit (e.g. t.Cleanup(func() { server.Stop() }) or server.Close()
+depending on the server API), so the server is always torn down even if the test
+fails before later cleanup.
+```
+
+</details>
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez8L`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez8L
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/015-issue.md

@@ -0,0 +1,51 @@
+# Issue 15 - Review Thread Comment
+
+**File:** `test/integration/temporal/persistence_test.go:50`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_⚠️ Potential issue_ | _🟠 Major_
+
+**Add cleanup for restarted server to prevent leaks.**
+
+The restarted server isn’t stopped; add a cleanup to avoid dangling listeners/locks during CI. 
+
+
+```diff
+-	restarted := startStandaloneServer(restartCtx, t, restartCfg)
++	restarted := startStandaloneServer(restartCtx, t, restartCfg)
++	t.Cleanup(func() {
++		stopTemporalServer(restartCtx, t, restarted)
++	})
+```
+
+<details>
+<summary>🤖 Prompt for AI Agents</summary>
+
+```
+In test/integration/temporal/persistence_test.go around lines 39 to 50, the
+restarted server started with startStandaloneServer is not being stopped; add a
+cleanup to avoid leaking resources by registering t.Cleanup(func() {
+restarted.Stop() }) immediately after creating restarted (or call the
+appropriate shutdown method if the server type uses a different name, e.g.,
+Close or Shutdown) so the server is stopped when the test finishes.
+```
+
+</details>
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez8N`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez8N
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/016-issue.md

@@ -0,0 +1,30 @@
+# Issue 16 - Review Thread Comment
+
+**File:** `test/integration/temporal/standalone_test.go:119`
+**Date:** 2025-10-27 13:58:52 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_⚠️ Potential issue_ | _🟡 Minor_
+
+**Consider subtest pattern per project guidelines.**
+
+Project tests should use t.Run("Should ...", ...) subtests. These top-level tests can keep their structure but wrap main assertions in subtests for consistency.
+
+As per coding guidelines.
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez8S`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez8S
+```
+
+---
+*Generated from PR review - CodeRabbit AI*

ai-docs/reviews-pr-305/issues/017-issue.md

@@ -0,0 +1,45 @@
+# Issue 17 - Review Thread Comment
+
+**File:** `test/integration/temporal/standalone_test.go:207`
+**Date:** 2025-10-27 13:58:53 America/Sao_Paulo
+**Status:** - [x] RESOLVED
+
+## Body
+
+_🧹 Nitpick_ | _🔵 Trivial_
+
+**Unused helper function.**
+
+describeWorkflow is not used. Remove it or use it in TestStandaloneWorkflowExecution to reduce dead code.
+
+<details>
+<summary>🤖 Prompt for AI Agents</summary>
+
+```
+In test/integration/temporal/standalone_test.go around lines 193 to 207, the
+helper function describeWorkflow is unused; either remove it or invoke it from
+TestStandaloneWorkflowExecution. To fix, search for the
+TestStandaloneWorkflowExecution function and, if a workflow description is
+needed there, replace the current direct DescribeWorkflowExecution call (or add
+a call) to use describeWorkflow(ctx, t, address, namespace, workflowID, runID)
+and remove any duplicate client dial/close logic to avoid resource leaks;
+otherwise delete the describeWorkflow function and its tests imports if no
+longer referenced.
+```
+
+</details>
+
+<!-- fingerprinting:phantom:medusa:chinchilla -->
+
+<!-- This is an auto-generated comment by CodeRabbit -->
+
+## Resolve
+
+Thread ID: `PRRT_kwDOOlCPts5fez8U`
+
+```bash
+gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -F id=PRRT_kwDOOlCPts5fez8U
+```
+
+---
+*Generated from PR review - CodeRabbit AI*