Merge branch 'main' into refresh_ai_rules

Author: hcourdent

docs/advanced/1_self_host/index.mdx

@@ -219,7 +219,7 @@ The official Windmill docker-compose enables PID namespace isolation by default:
 
 For additional security, you can enable NSJAIL sandboxing:
 
-- **NSJAIL sandboxing** - Provides filesystem and resource isolation (requires using a `-nsjail` tagged image and setting `DISABLE_NSJAIL=false`)
+- **NSJAIL sandboxing** - Provides filesystem and resource isolation (set `DISABLE_NSJAIL=false` to enable)
 
 #### Windows workers
 

docs/advanced/security_isolation/index.mdx

@@ -7,7 +7,7 @@ Windmill provides multiple layers of process isolation to protect your infrastru
 Windmill workers execute user-provided code in various languages. To protect the worker process and the underlying infrastructure, Windmill implements multiple isolation strategies:
 
 1. **PID Namespace Isolation** - Process memory and environment protection (disabled by default, requires configuration)
-2. **NSJAIL Sandboxing** - Filesystem, network, and resource isolation (optional, requires special image)
+2. **NSJAIL Sandboxing** - Filesystem, network, and resource isolation (optional)
 3. **Agent Workers** - Workers without direct database access, communicating via the API
 4. **Worker Groups** - Logical separation of workers that can be used to run workers on separate clusters with different network/resource access
 
@@ -203,7 +203,7 @@ This approach is particularly useful when:
 
 Agent workers can be combined with PID namespace isolation or NSJAIL for defense-in-depth.
 
-## NSJAIL sandboxing (ee only)
+## NSJAIL sandboxing
 
 ### What is NSJAIL?
 
@@ -216,28 +216,15 @@ Agent workers can be combined with PID namespace isolation or NSJAIL for defense
 
 ### When is NSJAIL used?
 
-NSJAIL is **disabled by default** because:
-
-- The default Windmill images do not include the nsjail binary
-- It requires using a special `-nsjail` tagged image
+NSJAIL is **disabled by default**. All Windmill images include the nsjail binary, so no special image is required.
 
 ### Enabling NSJAIL
 
-NSJAIL sandboxing is an EE only feature. If you are on CE, use PID namespace isolation.
-
-To use NSJAIL sandboxing, you need both:
-
-1. **Use the nsjail image** - Switch to an image with nsjail pre-installed:
-
-   ```yaml
-   # In docker-compose.yml or your deployment config
-   image: ghcr.io/windmill-labs/windmill-ee-nsjail
-   ```
+To enable NSJAIL sandboxing, set the environment variable:
 
-2. **Enable NSJAIL** - Set the environment variable:
-   ```bash
-   DISABLE_NSJAIL=false
-   ```
+```bash
+DISABLE_NSJAIL=false
+```
 
 **When to enable NSJAIL:**
 
@@ -302,8 +289,6 @@ windmill_worker:
 ### NSJAIL sandboxing (maximum security)
 
 ```yaml
-# Use the nsjail image
-image: ghcr.io/windmill-labs/windmill-ee-nsjail
 environment:
   - DISABLE_NSJAIL=false
 ```

docs/core_concepts/47_environment_variables/index.mdx

@@ -25,7 +25,7 @@ You can use them in a Script by clicking on "+Context Var":
 | SLEEP_QUEUE               | 50                     | The number of ms to sleep in between the last check for new jobs in the DB. It is multiplied by NUM_WORKERS such that in average, for one worker instance, there is one pull every SLEEP_QUEUE ms. | Worker                |
 | KEEP_JOB_DIR              | false                  | Keep the job directory after the job is done. Useful for debugging.                                                                                                                                | Worker                |
 | ENABLE_UNSHARE_PID        | false (true in docker-compose) | Enable PID namespace isolation to protect process memory and environment variables. Linux only. See [Security and Process Isolation](/docs/advanced/security_isolation)                   | Worker                |
-| DISABLE_NSJAIL            | true                   | NSJAIL sandboxing status. Default `true` means NSJAIL is **disabled**. Set to `false` to enable NSJAIL (requires `-nsjail` image). See [Security and Process Isolation](/docs/advanced/security_isolation) | Worker                |
+| DISABLE_NSJAIL            | true                   | NSJAIL sandboxing status. Default `true` means NSJAIL is **disabled**. Set to `false` to enable NSJAIL. See [Security and Process Isolation](/docs/advanced/security_isolation) | Worker                |
 | UNSHARE_ISOLATION_FLAGS   | --user --map-root-user --pid --fork --mount-proc | Customize unshare isolation flags when ENABLE_UNSHARE_PID is true. See [Security and Process Isolation](/docs/advanced/security_isolation)                                    | Worker                |
 | UNSHARE_TINI_PATH         | tini                   | Path to tini binary for PID 1 signal handling in unshare namespaces. Ensures correct OOM exit codes. See [Security and Process Isolation](/docs/advanced/security_isolation)  | Worker                |
 | LICENSE_KEY (EE only)     | None                   | License key checked at startup for the Enterprise Edition of Windmill                                                                                                                              | Worker                |

docs/core_concepts/9_worker_groups/index.mdx

@@ -482,7 +482,7 @@ Windmill workers provide multiple layers of process isolation to protect your in
 Windmill supports two primary isolation mechanisms that can be used independently or together:
 
 1. **PID namespace isolation** (enabled by default in docker-compose) - Protects process memory and environment variables
-2. **NSJAIL sandboxing** (optional, requires special image) - Provides filesystem, network, and resource isolation
+2. **NSJAIL sandboxing** (optional) - Provides filesystem, network, and resource isolation
 
 ### Environment variables
 
@@ -491,7 +491,7 @@ Configure worker isolation through these environment variables:
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `ENABLE_UNSHARE_PID` | `false` (true in docker-compose) | Enable PID namespace isolation using Linux unshare |
-| `DISABLE_NSJAIL` | `true` | Enable NSJAIL sandboxing (requires `-nsjail` image, set to `false` to enable) |
+| `DISABLE_NSJAIL` | `true` | Enable NSJAIL sandboxing (set to `false` to enable) |
 | `UNSHARE_ISOLATION_FLAGS` | `--user --map-root-user --pid --fork --mount-proc` | Customize unshare isolation flags |
 
 ### Default configuration

docs/integrations/teams.mdx

@@ -402,6 +402,30 @@ Instance-wide critical alerts are only visible to users with the [superadmin](..
 	/>
 </div>
 
+## Troubleshooting
+
+### "The bot is not part of the conversation roster" error
+
+This error occurs when Windmill tries to send a message to a Teams channel but the Bot Framework rejects the request. Common causes:
+
+1. **Channel moderation rules**: If the Teams channel has posting restrictions (channel moderation enabled), the bot may not be allowed to post. Check your Teams channel settings and either:
+   - Disable channel moderation
+   - Add the Windmill bot to the list of users allowed to post
+
+2. **Bot not installed in the team**: The Windmill Teams app must be installed in the team where you want to send messages. Verify the app appears in the team's "Apps" section.
+
+3. **Bot ID mismatch** (self-hosted): For self-hosted instances, ensure your Azure AD App Registration client ID matches:
+   - The Microsoft App ID in your Azure Bot Service
+   - The `botId` in your Teams app manifest
+
+### Messages not being delivered
+
+If the bot appears to be connected but messages aren't being delivered, check the service URL region. The default service URL is for the Americas region. If your Teams tenant is in a different region, set the `TEAMS_SERVICE_URL` environment variable:
+   - Americas: `https://smba.trafficmanager.net/amer/` (default)
+   - EMEA: `https://smba.trafficmanager.net/emea/`
+   - APAC: `https://smba.trafficmanager.net/apac/`
+   - US Government (GCC): `https://smba.infra.gcc.teams.microsoft.com/`
+
 <!-- Links -->
 
 [hub-teams]: https://hub.windmill.dev/integrations/teams