whale-code 6.5.5 → 6.5.6

package/dist/server/handlers/workflows.js

@@ -7,986 +7,1683 @@
 // Step execution, inline chains, cron/schedule processing, event triggers,
 // webhook ingestion, circuit breakers, and all step-type executors live in
 // ./workflow-steps.ts.
+
 import { randomUUID } from "node:crypto";
 // Re-export everything from workflow-steps so existing imports from workflows.ts still work
-export { 
+export {
 // Injected executor setters
-setToolExecutor, setAgentExecutor, setTokenBroadcaster, setStepErrorBroadcaster, 
+setToolExecutor, setAgentExecutor, setTokenBroadcaster, setStepErrorBroadcaster,
 // Core engine
-processWorkflowSteps, processWaitingSteps, executeAndAdvance, executeInlineChain, 
+processWorkflowSteps, processWaitingSteps, executeAndAdvance, executeInlineChain,
 // Guest approval
-generateGuestApprovalUrl, verifyGuestApprovalSignature, 
+generateGuestApprovalUrl, verifyGuestApprovalSignature,
 // Schedule / timeout / events
-processScheduleTriggers, enforceWorkflowTimeouts, processEventTriggers, 
+processScheduleTriggers, enforceWorkflowTimeouts, processEventTriggers,
 // Resilience
-cleanupOrphanedSteps, processDlqRetries, 
+cleanupOrphanedSteps, processDlqRetries,
 // Webhook ingestion
-handleWebhookIngestion, 
+handleWebhookIngestion,
 // Worker pool management
-initWorkerPool, getPoolStats, shutdownPool, 
+initWorkerPool, getPoolStats, shutdownPool,
 // Cron parser (used by CRUD)
-getNextCronTime, 
+getNextCronTime,
 // Event journal (used by CRUD replay)
-logWorkflowEvent, 
+logWorkflowEvent
+// Types
+,
 // Run completion (used by CRUD start/cancel)
-completeWorkflowRun, } from "./workflow-steps.js";
-import { executeInlineChain, getNextCronTime, completeWorkflowRun, logWorkflowEvent, } from "./workflow-steps.js";
+completeWorkflowRun } from "./workflow-steps.js";
+import { executeInlineChain, getNextCronTime, completeWorkflowRun, logWorkflowEvent } from "./workflow-steps.js";
+
 // ============================================================================
 // CRUD HANDLER — MCP tool interface
 // ============================================================================
+
 export async function handleWorkflows(supabase, args, storeId) {
-    const action = args.action;
-    const sid = storeId;
-    switch (action) {
-        case "list": {
-            let q = supabase.from("workflows")
-                .select("id, name, description, icon, status, is_active, trigger_type, max_concurrent_runs, version, last_run_at, created_at, circuit_breaker_state")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.status)
-                q = q.eq("status", args.status);
-            if (args.trigger_type)
-                q = q.eq("trigger_type", args.trigger_type);
-            const { data, error } = await q.limit(args.limit || 50);
-            return error ? { success: false, error: error.message } : { success: true, data };
+  const action = args.action;
+  const sid = storeId;
+  switch (action) {
+    case "list":
+      {
+        let q = supabase.from("workflows").select("id, name, description, icon, status, is_active, trigger_type, max_concurrent_runs, version, last_run_at, created_at, circuit_breaker_state").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.status) q = q.eq("status", args.status);
+        if (args.trigger_type) q = q.eq("trigger_type", args.trigger_type);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 50);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "get":
+      {
+        const {
+          data: wf,
+          error
+        } = await supabase.from("workflows").select("*, workflow_steps(*)").eq("id", args.workflow_id).eq("store_id", sid).single();
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        const {
+          data: runs
+        } = await supabase.from("workflow_runs").select("id, status, trigger_type, started_at, completed_at, duration_ms, error_message, error_step_key").eq("workflow_id", args.workflow_id).order("created_at", {
+          ascending: false
+        }).limit(10);
+        return {
+          success: true,
+          data: {
+            ...wf,
+            recent_runs: runs || []
+          }
+        };
+      }
+    case "create":
+      {
+        // Compute next_run_at from cron expression — check both top-level and trigger_config
+        const tc = args.trigger_config;
+        const cronExpr = args.cron_expression || tc?.cron || tc?.cron_expression || null;
+        let nextRunAt = null;
+        if (cronExpr) {
+          const next = getNextCronTime(cronExpr);
+          if (!next) return {
+            success: false,
+            error: `Invalid cron expression: ${cronExpr}`
+          };
+          nextRunAt = next.toISOString();
         }
-        case "get": {
-            const { data: wf, error } = await supabase.from("workflows")
-                .select("*, workflow_steps(*)").eq("id", args.workflow_id).eq("store_id", sid).single();
-            if (error)
-                return { success: false, error: error.message };
-            const { data: runs } = await supabase.from("workflow_runs")
-                .select("id, status, trigger_type, started_at, completed_at, duration_ms, error_message, error_step_key")
-                .eq("workflow_id", args.workflow_id).order("created_at", { ascending: false }).limit(10);
-            return { success: true, data: { ...wf, recent_runs: runs || [] } };
+        // Auto-extract timezone from trigger_config if not top-level
+        const tz = args.timezone || tc?.timezone || "UTC";
+        const {
+          data,
+          error
+        } = await supabase.from("workflows").insert({
+          store_id: sid,
+          name: args.name,
+          description: args.description || null,
+          icon: args.icon || null,
+          status: args.status || "draft",
+          is_active: args.status === "active",
+          trigger_type: args.trigger_type || (cronExpr ? "schedule" : "manual"),
+          trigger_config: args.trigger_config || {},
+          max_concurrent_runs: args.max_concurrent_runs || 1,
+          max_run_duration_seconds: args.max_run_duration_seconds || 3600,
+          max_steps_per_run: args.max_steps_per_run || 50,
+          max_retries_per_step: args.max_retries_per_step || 3,
+          on_error_webhook_url: args.on_error_webhook_url || null,
+          on_error_email: args.on_error_email || null,
+          cron_expression: cronExpr,
+          next_run_at: nextRunAt,
+          timezone: tz,
+          multitask_strategy: args.multitask_strategy || "allow"
+        }).select().single();
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        if (Array.isArray(args.steps)) {
+          const steps = args.steps.map((s, i) => ({
+            workflow_id: data.id,
+            step_key: s.step_key,
+            step_type: s.step_type,
+            is_entry_point: s.is_entry_point ?? i === 0,
+            on_success: s.on_success || null,
+            on_failure: s.on_failure || null,
+            step_config: s.step_config || {},
+            max_retries: s.max_retries || 3,
+            retry_delay_seconds: s.retry_delay_seconds || 10,
+            timeout_seconds: s.timeout_seconds || 60,
+            input_schema: s.input_schema || null,
+            position_x: s.position_x || 0,
+            position_y: s.position_y || i * 100
+          }));
+          const {
+            error: stepsErr
+          } = await supabase.from("workflow_steps").insert(steps);
+          if (stepsErr) return {
+            success: false,
+            error: `Workflow created but steps failed: ${stepsErr.message}`
+          };
         }
-        case "create": {
-            // Compute next_run_at from cron expression — check both top-level and trigger_config
-            const tc = args.trigger_config;
-            const cronExpr = args.cron_expression
-                || tc?.cron || tc?.cron_expression || null;
-            let nextRunAt = null;
-            if (cronExpr) {
-                const next = getNextCronTime(cronExpr);
-                if (!next)
-                    return { success: false, error: `Invalid cron expression: ${cronExpr}` };
-                nextRunAt = next.toISOString();
-            }
-            // Auto-extract timezone from trigger_config if not top-level
-            const tz = args.timezone || tc?.timezone || "UTC";
-            const { data, error } = await supabase.from("workflows").insert({
-                store_id: sid,
-                name: args.name,
-                description: args.description || null,
-                icon: args.icon || null,
-                status: args.status || "draft",
-                is_active: args.status === "active",
-                trigger_type: args.trigger_type || (cronExpr ? "schedule" : "manual"),
-                trigger_config: args.trigger_config || {},
-                max_concurrent_runs: args.max_concurrent_runs || 1,
-                max_run_duration_seconds: args.max_run_duration_seconds || 3600,
-                max_steps_per_run: args.max_steps_per_run || 50,
-                max_retries_per_step: args.max_retries_per_step || 3,
-                on_error_webhook_url: args.on_error_webhook_url || null,
-                on_error_email: args.on_error_email || null,
-                cron_expression: cronExpr,
-                next_run_at: nextRunAt,
-                timezone: tz,
-                multitask_strategy: args.multitask_strategy || "allow",
-            }).select().single();
-            if (error)
-                return { success: false, error: error.message };
-            if (Array.isArray(args.steps)) {
-                const steps = args.steps.map((s, i) => ({
-                    workflow_id: data.id,
-                    step_key: s.step_key,
-                    step_type: s.step_type,
-                    is_entry_point: s.is_entry_point ?? (i === 0),
-                    on_success: s.on_success || null,
-                    on_failure: s.on_failure || null,
-                    step_config: s.step_config || {},
-                    max_retries: s.max_retries || 3,
-                    retry_delay_seconds: s.retry_delay_seconds || 10,
-                    timeout_seconds: s.timeout_seconds || 60,
-                    input_schema: s.input_schema || null,
-                    position_x: s.position_x || 0,
-                    position_y: s.position_y || i * 100,
-                }));
-                const { error: stepsErr } = await supabase.from("workflow_steps").insert(steps);
-                if (stepsErr)
-                    return { success: false, error: `Workflow created but steps failed: ${stepsErr.message}` };
-            }
-            return { success: true, data };
+        return {
+          success: true,
+          data
+        };
+      }
+    case "update":
+      {
+        const updates = {};
+        const allowed = ["name", "description", "icon", "status", "trigger_type", "trigger_config", "max_concurrent_runs", "max_run_duration_seconds", "max_steps_per_run", "max_retries_per_step", "on_error_webhook_url", "on_error_email", "multitask_strategy", "timezone"];
+        for (const k of allowed) {
+          if (args[k] !== undefined) updates[k] = args[k];
         }
-        case "update": {
-            const updates = {};
-            const allowed = ["name", "description", "icon", "status", "trigger_type", "trigger_config",
-                "max_concurrent_runs", "max_run_duration_seconds", "max_steps_per_run", "max_retries_per_step",
-                "on_error_webhook_url", "on_error_email", "multitask_strategy", "timezone"];
-            for (const k of allowed) {
-                if (args[k] !== undefined)
-                    updates[k] = args[k];
-            }
-            if (args.status !== undefined)
-                updates.is_active = args.status === "active";
-            // Handle cron_expression update — check both top-level and trigger_config
-            const utc = args.trigger_config;
-            const cronFromConfig = utc?.cron || utc?.cron_expression || null;
-            const cronExplicit = args.cron_expression !== undefined ? args.cron_expression : null;
-            const cronExpr = cronExplicit || cronFromConfig;
-            if (cronExpr !== null && (args.cron_expression !== undefined || cronFromConfig)) {
-                updates.cron_expression = cronExpr;
-                const next = getNextCronTime(cronExpr);
-                if (!next)
-                    return { success: false, error: `Invalid cron expression: ${cronExpr}` };
-                updates.next_run_at = next.toISOString();
-                // Auto-set trigger_type to schedule if cron is provided
-                if (!updates.trigger_type)
-                    updates.trigger_type = "schedule";
-                // Extract timezone from trigger_config if not top-level
-                if (!updates.timezone && utc?.timezone)
-                    updates.timezone = utc.timezone;
-            }
-            else if (args.cron_expression === null) {
-                // Explicitly clearing cron
-                updates.cron_expression = null;
-                updates.next_run_at = null;
-            }
-            const { data, error } = await supabase.from("workflows")
-                .update(updates).eq("id", args.workflow_id).eq("store_id", sid).select().maybeSingle();
-            if (error)
-                return { success: false, error: error.message };
-            if (!data)
-                return { success: false, error: "Workflow not found or store mismatch" };
-            return { success: true, data };
+        if (args.status !== undefined) updates.is_active = args.status === "active";
+
+        // Handle cron_expression update — check both top-level and trigger_config
+        const utc = args.trigger_config;
+        const cronFromConfig = utc?.cron || utc?.cron_expression || null;
+        const cronExplicit = args.cron_expression !== undefined ? args.cron_expression : null;
+        const cronExpr = cronExplicit || cronFromConfig;
+        if (cronExpr !== null && (args.cron_expression !== undefined || cronFromConfig)) {
+          updates.cron_expression = cronExpr;
+          const next = getNextCronTime(cronExpr);
+          if (!next) return {
+            success: false,
+            error: `Invalid cron expression: ${cronExpr}`
+          };
+          updates.next_run_at = next.toISOString();
+          // Auto-set trigger_type to schedule if cron is provided
+          if (!updates.trigger_type) updates.trigger_type = "schedule";
+          // Extract timezone from trigger_config if not top-level
+          if (!updates.timezone && utc?.timezone) updates.timezone = utc.timezone;
+        } else if (args.cron_expression === null) {
+          // Explicitly clearing cron
+          updates.cron_expression = null;
+          updates.next_run_at = null;
         }
-        case "delete": {
-            const { error } = await supabase.from("workflows").delete()
-                .eq("id", args.workflow_id).eq("store_id", sid);
-            return error ? { success: false, error: error.message } : { success: true, data: { deleted: true } };
+        const {
+          data,
+          error
+        } = await supabase.from("workflows").update(updates).eq("id", args.workflow_id).eq("store_id", sid).select().maybeSingle();
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        if (!data) return {
+          success: false,
+          error: "Workflow not found or store mismatch"
+        };
+        return {
+          success: true,
+          data
+        };
+      }
+    case "delete":
+      {
+        const {
+          error
+        } = await supabase.from("workflows").delete().eq("id", args.workflow_id).eq("store_id", sid);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            deleted: true
+          }
+        };
+      }
+    case "add_step":
+      {
+        // H9 FIX: Verify workflow belongs to this store before adding step
+        const {
+          data: wfCheck
+        } = await supabase.from("workflows").select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
+        if (!wfCheck) return {
+          success: false,
+          error: "Workflow not found in this store"
+        };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_steps").insert({
+          workflow_id: args.workflow_id,
+          step_key: args.step_key,
+          step_type: args.step_type,
+          is_entry_point: args.is_entry_point ?? false,
+          on_success: args.on_success || null,
+          on_failure: args.on_failure || null,
+          step_config: args.step_config || {},
+          max_retries: args.max_retries || 3,
+          timeout_seconds: args.timeout_seconds || 60,
+          input_schema: args.input_schema || null
+        }).select().single();
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "update_step":
+      {
+        // H9 FIX: Verify step belongs to a workflow owned by this store
+        const {
+          data: stepCheck
+        } = await supabase.from("workflow_steps").select("id, workflow_id, workflows!inner(store_id)").eq("id", args.step_id).single();
+        if (!stepCheck || stepCheck.workflows?.store_id !== sid) {
+          return {
+            success: false,
+            error: "Step not found in this store's workflows"
+          };
         }
-        case "add_step": {
-            // H9 FIX: Verify workflow belongs to this store before adding step
-            const { data: wfCheck } = await supabase.from("workflows")
-                .select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
-            if (!wfCheck)
-                return { success: false, error: "Workflow not found in this store" };
-            const { data, error } = await supabase.from("workflow_steps").insert({
-                workflow_id: args.workflow_id,
-                step_key: args.step_key, step_type: args.step_type,
-                is_entry_point: args.is_entry_point ?? false,
-                on_success: args.on_success || null, on_failure: args.on_failure || null,
-                step_config: args.step_config || {},
-                max_retries: args.max_retries || 3,
-                timeout_seconds: args.timeout_seconds || 60,
-                input_schema: args.input_schema || null,
-            }).select().single();
-            return error ? { success: false, error: error.message } : { success: true, data };
+        const su = {};
+        for (const k of ["step_key", "step_type", "is_entry_point", "on_success", "on_failure", "step_config", "max_retries", "retry_delay_seconds", "timeout_seconds", "input_schema", "position_x", "position_y"]) {
+          if (args[k] !== undefined) {
+            // Treat empty string as null for nullable fields (on_success, on_failure)
+            su[k] = args[k] === "" && (k === "on_success" || k === "on_failure") ? null : args[k];
+          }
         }
-        case "update_step": {
-            // H9 FIX: Verify step belongs to a workflow owned by this store
-            const { data: stepCheck } = await supabase.from("workflow_steps")
-                .select("id, workflow_id, workflows!inner(store_id)")
-                .eq("id", args.step_id).single();
-            if (!stepCheck || stepCheck.workflows?.store_id !== sid) {
-                return { success: false, error: "Step not found in this store's workflows" };
-            }
-            const su = {};
-            for (const k of ["step_key", "step_type", "is_entry_point", "on_success", "on_failure",
-                "step_config", "max_retries", "retry_delay_seconds", "timeout_seconds", "input_schema",
-                "position_x", "position_y"]) {
-                if (args[k] !== undefined) {
-                    // Treat empty string as null for nullable fields (on_success, on_failure)
-                    su[k] = (args[k] === "" && (k === "on_success" || k === "on_failure")) ? null : args[k];
-                }
-            }
-            const { data, error } = await supabase.from("workflow_steps")
-                .update(su).eq("id", args.step_id).select().single();
-            return error ? { success: false, error: error.message } : { success: true, data };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_steps").update(su).eq("id", args.step_id).select().single();
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "delete_step":
+      {
+        // H9 FIX: Verify step belongs to a workflow owned by this store
+        const {
+          data: stepCheck
+        } = await supabase.from("workflow_steps").select("id, workflow_id, workflows!inner(store_id)").eq("id", args.step_id).single();
+        if (!stepCheck || stepCheck.workflows?.store_id !== sid) {
+          return {
+            success: false,
+            error: "Step not found in this store's workflows"
+          };
         }
-        case "delete_step": {
-            // H9 FIX: Verify step belongs to a workflow owned by this store
-            const { data: stepCheck } = await supabase.from("workflow_steps")
-                .select("id, workflow_id, workflows!inner(store_id)")
-                .eq("id", args.step_id).single();
-            if (!stepCheck || stepCheck.workflows?.store_id !== sid) {
-                return { success: false, error: "Step not found in this store's workflows" };
-            }
-            const { error } = await supabase.from("workflow_steps").delete().eq("id", args.step_id);
-            return error ? { success: false, error: error.message } : { success: true, data: { deleted: true } };
+        const {
+          error
+        } = await supabase.from("workflow_steps").delete().eq("id", args.step_id);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            deleted: true
+          }
+        };
+      }
+    case "start":
+      {
+        const wfId = args.workflow_id;
+
+        // FIX 5: Validate idempotency key format if provided
+        if (args.idempotency_key) {
+          const key = String(args.idempotency_key);
+          if (key.length > 255 || !/^[a-zA-Z0-9._:\/-]+$/.test(key)) {
+            return {
+              success: false,
+              error: "Invalid idempotency_key: must be 1-255 alphanumeric characters (with . _ : / -)"
+            };
+          }
         }
-        case "start": {
-            const wfId = args.workflow_id;
-            // FIX 5: Validate idempotency key format if provided
-            if (args.idempotency_key) {
-                const key = String(args.idempotency_key);
-                if (key.length > 255 || !/^[a-zA-Z0-9._:\/-]+$/.test(key)) {
-                    return { success: false, error: "Invalid idempotency_key: must be 1-255 alphanumeric characters (with . _ : / -)" };
-                }
-            }
-            // FIX 6: Reject oversized trigger payloads before storing
-            if (args.trigger_payload) {
-                const payloadStr = JSON.stringify(args.trigger_payload);
-                if (payloadStr.length > 10_000_000) {
-                    return { success: false, error: "Trigger payload too large (max 10MB)" };
-                }
-            }
-            // Auto-activate workflow if needed (start implies intent to run)
-            await supabase.from("workflows").update({ is_active: true, status: "active" })
-                .eq("id", wfId).eq("store_id", sid).in("status", ["draft", "paused"]);
-            // Load workflow config for strategy + concurrency + versioning
-            const { data: wfConfig } = await supabase.from("workflows")
-                .select("multitask_strategy, published_version_id, max_concurrent_runs").eq("id", wfId).eq("store_id", sid).single();
-            if (!wfConfig)
-                return { success: false, error: "Workflow not found or access denied" };
-            const strategy = wfConfig.multitask_strategy || "allow";
-            // Concurrency is enforced atomically inside start_workflow_run RPC (FOR UPDATE lock)
-            // No app-side check needed — the RPC handles the race-free count + insert
-            if (strategy !== "allow") {
-                // Check for in-flight runs
-                const { data: activeRuns } = await supabase.from("workflow_runs")
-                    .select("id, status, created_at")
-                    .eq("workflow_id", wfId).eq("store_id", sid)
-                    .in("status", ["running", "pending"])
-                    .order("created_at", { ascending: false })
-                    .limit(10);
-                if (activeRuns?.length) {
-                    switch (strategy) {
-                        case "reject":
-                            return { success: false, error: `Workflow already has ${activeRuns.length} active run(s). Strategy: reject concurrent runs.`, data: { strategy: "reject", active_runs: activeRuns.length } };
-                        case "enqueue":
-                            // Let it through — the run will be created and the worker picks it up in order
-                            // Set priority lower so existing runs finish first
-                            break;
-                        case "interrupt":
-                            // Cancel all active runs before starting new one
-                            for (const run of activeRuns) {
-                                await completeWorkflowRun(supabase, run.id, wfId, sid, "cancelled", "Interrupted by new run (multitask_strategy: interrupt)");
-                            }
-                            break;
-                        case "replace":
-                            // Cancel all active runs AND delete their step runs
-                            for (const run of activeRuns) {
-                                await completeWorkflowRun(supabase, run.id, wfId, sid, "cancelled", "Replaced by new run (multitask_strategy: replace)");
-                            }
-                            break;
-                    }
-                }
-            }
-            const { data, error } = await supabase.rpc("start_workflow_run", {
-                p_workflow_id: wfId, p_store_id: sid,
-                p_trigger_type: args.trigger_type || "manual",
-                p_trigger_payload: args.trigger_payload || {},
-                p_idempotency_key: args.idempotency_key || null,
-            });
-            if (error)
-                return { success: false, error: error.message };
-            if (!data?.success)
-                return { success: false, error: data?.error || "Failed" };
-            // Generate trace_id for distributed tracing
-            const traceId = data.run_id ? randomUUID() : undefined;
-            // Set version_id, trace_id, priority
-            if (data.run_id && !data.deduplicated) {
-                const runUpdates = { trace_id: traceId };
-                if (wfConfig?.published_version_id)
-                    runUpdates.version_id = wfConfig.published_version_id;
-                if (strategy === "enqueue")
-                    runUpdates.priority = 3;
-                await supabase.from("workflow_runs").update(runUpdates).eq("id", data.run_id);
-                // Phase 1: Inline execution — execute first step immediately
-                try {
-                    await executeInlineChain(supabase, data.run_id);
+
+        // FIX 6: Reject oversized trigger payloads before storing
+        if (args.trigger_payload) {
+          const payloadStr = JSON.stringify(args.trigger_payload);
+          if (payloadStr.length > 10_000_000) {
+            return {
+              success: false,
+              error: "Trigger payload too large (max 10MB)"
+            };
+          }
+        }
+
+        // Auto-activate workflow if needed (start implies intent to run)
+        await supabase.from("workflows").update({
+          is_active: true,
+          status: "active"
+        }).eq("id", wfId).eq("store_id", sid).in("status", ["draft", "paused"]);
+
+        // Load workflow config for strategy + concurrency + versioning
+        const {
+          data: wfConfig
+        } = await supabase.from("workflows").select("multitask_strategy, published_version_id, max_concurrent_runs").eq("id", wfId).eq("store_id", sid).single();
+        if (!wfConfig) return {
+          success: false,
+          error: "Workflow not found or access denied"
+        };
+        const strategy = wfConfig.multitask_strategy || "allow";
+
+        // Concurrency is enforced atomically inside start_workflow_run RPC (FOR UPDATE lock)
+        // No app-side check needed — the RPC handles the race-free count + insert
+
+        if (strategy !== "allow") {
+          // Check for in-flight runs
+          const {
+            data: activeRuns
+          } = await supabase.from("workflow_runs").select("id, status, created_at").eq("workflow_id", wfId).eq("store_id", sid).in("status", ["running", "pending"]).order("created_at", {
+            ascending: false
+          }).limit(10);
+          if (activeRuns?.length) {
+            switch (strategy) {
+              case "reject":
+                return {
+                  success: false,
+                  error: `Workflow already has ${activeRuns.length} active run(s). Strategy: reject concurrent runs.`,
+                  data: {
+                    strategy: "reject",
+                    active_runs: activeRuns.length
+                  }
+                };
+              case "enqueue":
+                // Let it through — the run will be created and the worker picks it up in order
+                // Set priority lower so existing runs finish first
+                break;
+              case "interrupt":
+                // Cancel all active runs before starting new one
+                for (const run of activeRuns) {
+                  await completeWorkflowRun(supabase, run.id, wfId, sid, "cancelled", "Interrupted by new run (multitask_strategy: interrupt)");
                 }
-                catch (err) {
-                    console.error("[workflow-inline] Error in inline chain:", err.message);
-                    // Non-fatal — worker will pick up remaining steps
+                break;
+              case "replace":
+                // Cancel all active runs AND delete their step runs
+                for (const run of activeRuns) {
+                  await completeWorkflowRun(supabase, run.id, wfId, sid, "cancelled", "Replaced by new run (multitask_strategy: replace)");
                 }
+                break;
             }
-            return { success: true, data: { ...data, strategy, trace_id: traceId } };
-        }
-        case "pause": {
-            const { error } = await supabase.from("workflow_runs").update({ status: "paused" })
-                .eq("id", args.run_id).eq("store_id", sid).eq("status", "running");
-            return error ? { success: false, error: error.message } : { success: true, data: { paused: true } };
-        }
-        case "resume": {
-            const { error } = await supabase.from("workflow_runs").update({ status: "running" })
-                .eq("id", args.run_id).eq("store_id", sid).eq("status", "paused");
-            return error ? { success: false, error: error.message } : { success: true, data: { resumed: true } };
+          }
         }
-        case "cancel": {
-            const { data: run } = await supabase.from("workflow_runs")
-                .select("workflow_id, store_id").eq("id", args.run_id).eq("store_id", sid).single();
-            if (!run)
-                return { success: false, error: "Run not found or access denied" };
-            await completeWorkflowRun(supabase, args.run_id, run.workflow_id, run.store_id, "cancelled", "Cancelled by user");
-            return { success: true, data: { cancelled: true } };
+        const {
+          data,
+          error
+        } = await supabase.rpc("start_workflow_run", {
+          p_workflow_id: wfId,
+          p_store_id: sid,
+          p_trigger_type: args.trigger_type || "manual",
+          p_trigger_payload: args.trigger_payload || {},
+          p_idempotency_key: args.idempotency_key || null
+        });
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        if (!data?.success) return {
+          success: false,
+          error: data?.error || "Failed"
+        };
+
+        // Generate trace_id for distributed tracing
+        const traceId = data.run_id ? randomUUID() : undefined;
+
+        // Set version_id, trace_id, priority
+        if (data.run_id && !data.deduplicated) {
+          const runUpdates = {
+            trace_id: traceId
+          };
+          if (wfConfig?.published_version_id) runUpdates.version_id = wfConfig.published_version_id;
+          if (strategy === "enqueue") runUpdates.priority = 3;
+          await supabase.from("workflow_runs").update(runUpdates).eq("id", data.run_id);
+
+          // Phase 1: Inline execution — execute first step immediately
+          try {
+            await executeInlineChain(supabase, data.run_id);
+          } catch (err) {
+            console.error("[workflow-inline] Error in inline chain:", err.message);
+            // Non-fatal — worker will pick up remaining steps
+          }
         }
-        case "reset_circuit_breaker": {
-            const { data, error } = await supabase.from("workflows")
-                .update({ circuit_breaker_state: "closed", circuit_breaker_failures: 0 })
-                .eq("id", args.workflow_id).eq("store_id", sid).select().single();
-            if (error)
-                return { success: false, error: error.message };
-            if (!data)
-                return { success: false, error: "Workflow not found" };
-            return { success: true, data: { reset: true, workflow_id: data.id } };
+        return {
+          success: true,
+          data: {
+            ...data,
+            strategy,
+            trace_id: traceId
+          }
+        };
+      }
+    case "pause":
+      {
+        const {
+          error
+        } = await supabase.from("workflow_runs").update({
+          status: "paused"
+        }).eq("id", args.run_id).eq("store_id", sid).eq("status", "running");
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            paused: true
+          }
+        };
+      }
+    case "resume":
+      {
+        const {
+          error
+        } = await supabase.from("workflow_runs").update({
+          status: "running"
+        }).eq("id", args.run_id).eq("store_id", sid).eq("status", "paused");
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            resumed: true
+          }
+        };
+      }
+    case "cancel":
+      {
+        const {
+          data: run
+        } = await supabase.from("workflow_runs").select("workflow_id, store_id").eq("id", args.run_id).eq("store_id", sid).single();
+        if (!run) return {
+          success: false,
+          error: "Run not found or access denied"
+        };
+        await completeWorkflowRun(supabase, args.run_id, run.workflow_id, run.store_id, "cancelled", "Cancelled by user");
+        return {
+          success: true,
+          data: {
+            cancelled: true
+          }
+        };
+      }
+    case "reset_circuit_breaker":
+      {
+        const {
+          data,
+          error
+        } = await supabase.from("workflows").update({
+          circuit_breaker_state: "closed",
+          circuit_breaker_failures: 0
+        }).eq("id", args.workflow_id).eq("store_id", sid).select().single();
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        if (!data) return {
+          success: false,
+          error: "Workflow not found"
+        };
+        return {
+          success: true,
+          data: {
+            reset: true,
+            workflow_id: data.id
+          }
+        };
+      }
+    case "runs":
+      {
+        let q = supabase.from("workflow_runs").select("id, workflow_id, status, trigger_type, trigger_payload, current_step_key, error_message, error_step_key, started_at, completed_at, duration_ms, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.workflow_id) q = q.eq("workflow_id", args.workflow_id);
+        if (args.status) q = q.eq("status", args.status);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 25);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "step_runs":
+      {
+        // IDOR FIX: Verify the run belongs to this store before querying step_runs
+        const {
+          data: runCheck
+        } = await supabase.from("workflow_runs").select("id").eq("id", args.run_id).eq("store_id", sid).single();
+        if (!runCheck) return {
+          success: false,
+          error: "Run not found or access denied"
+        };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_step_runs").select("id, step_key, step_type, status, input, output, error_message, attempt_count, started_at, completed_at, duration_ms, parent_step_run_id, child_run_id").eq("run_id", args.run_id).order("created_at", {
+          ascending: true
+        });
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "analytics":
+      {
+        const {
+          data,
+          error
+        } = await supabase.rpc("get_workflow_analytics", {
+          p_store_id: sid,
+          p_days: args.days || 30
+        });
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "create_webhook":
+      {
+        // P1 FIX: Ensure slug is globally unique to prevent cross-store webhook interception.
+        // handleWebhookIngestion queries by slug without store_id, so duplicate slugs across
+        // stores would cause one store to intercept another's webhooks.
+        const {
+          data: existingSlug
+        } = await supabase.from("webhook_endpoints").select("id").eq("slug", args.slug).eq("is_active", true).limit(1);
+        if (existingSlug?.length) {
+          return {
+            success: false,
+            error: "Webhook slug already in use. Choose a different slug."
+          };
         }
-        case "runs": {
-            let q = supabase.from("workflow_runs")
-                .select("id, workflow_id, status, trigger_type, trigger_payload, current_step_key, error_message, error_step_key, started_at, completed_at, duration_ms, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.workflow_id)
-                q = q.eq("workflow_id", args.workflow_id);
-            if (args.status)
-                q = q.eq("status", args.status);
-            const { data, error } = await q.limit(args.limit || 25);
-            return error ? { success: false, error: error.message } : { success: true, data };
+        const {
+          data,
+          error
+        } = await supabase.from("webhook_endpoints").insert({
+          store_id: sid,
+          name: args.name,
+          description: args.description || null,
+          slug: args.slug,
+          workflow_id: args.workflow_id,
+          verify_signature: args.verify_signature ?? true,
+          max_requests_per_minute: args.max_requests_per_minute || 60,
+          payload_transform: args.payload_transform || null,
+          sync_response: args.sync_response ?? false,
+          sync_timeout_seconds: args.sync_timeout_seconds || 30
+        }).select().single();
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        return {
+          success: true,
+          data: {
+            ...data,
+            webhook_url: `https://whale-agent.fly.dev/webhooks/${data.slug}`
+          }
+        };
+      }
+    case "list_webhooks":
+      {
+        const {
+          data,
+          error
+        } = await supabase.from("webhook_endpoints").select("id, name, description, slug, workflow_id, is_active, verify_signature, sync_response, last_received_at, total_received, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "delete_webhook":
+      {
+        const {
+          error
+        } = await supabase.from("webhook_endpoints").delete().eq("id", args.webhook_id).eq("store_id", sid);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            deleted: true
+          }
+        };
+      }
+
+    // ================================================================
+    // PHASE 2: Approval actions
+    // ================================================================
+
+    case "list_approvals":
+      {
+        let q = supabase.from("workflow_approval_requests").select("id, run_id, step_run_id, workflow_id, title, description, prompt, options, form_schema, assigned_to, assigned_role, status, response_data, responded_by, responded_at, expires_at, timeout_action, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.status) q = q.eq("status", args.status);
+        if (args.workflow_id) q = q.eq("workflow_id", args.workflow_id);
+        if (args.run_id) q = q.eq("run_id", args.run_id);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 25);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "respond_approval":
+      {
+        if (!args.approval_id) return {
+          success: false,
+          error: "approval_id required"
+        };
+        if (!args.response_status) return {
+          success: false,
+          error: "response_status required (approved/rejected)"
+        };
+
+        // FIX 3: Check expiration before calling the RPC (defense in depth)
+        const {
+          data: approval,
+          error: approvalErr
+        } = await supabase.from("workflow_approval_requests").select("id, expires_at, status").eq("id", args.approval_id).eq("store_id", sid).single();
+        if (approvalErr || !approval) return {
+          success: false,
+          error: "Approval not found"
+        };
+        if (approval.status !== "pending") return {
+          success: false,
+          error: `Approval already ${approval.status}`
+        };
+        if (approval.expires_at && new Date(approval.expires_at) < new Date()) {
+          return {
+            success: false,
+            error: "Approval has expired"
+          };
         }
-        case "step_runs": {
-            // IDOR FIX: Verify the run belongs to this store before querying step_runs
-            const { data: runCheck } = await supabase.from("workflow_runs")
-                .select("id").eq("id", args.run_id).eq("store_id", sid).single();
-            if (!runCheck)
-                return { success: false, error: "Run not found or access denied" };
-            const { data, error } = await supabase.from("workflow_step_runs")
-                .select("id, step_key, step_type, status, input, output, error_message, attempt_count, started_at, completed_at, duration_ms, parent_step_run_id, child_run_id")
-                .eq("run_id", args.run_id).order("created_at", { ascending: true });
-            return error ? { success: false, error: error.message } : { success: true, data };
+        const {
+          data,
+          error
+        } = await supabase.rpc("respond_to_approval", {
+          p_approval_id: args.approval_id,
+          p_store_id: sid,
+          p_response: args.response_status,
+          p_response_data: args.response_data || {},
+          p_responded_by: args.responded_by || null
+        });
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        return data?.success ? {
+          success: true,
+          data
+        } : {
+          success: false,
+          error: data?.error || "Failed"
+        };
+      }
+
+    // ================================================================
+    // PHASE 4: Versioning actions
+    // ================================================================
+
+    case "publish":
+      {
+        if (!args.workflow_id) return {
+          success: false,
+          error: "workflow_id required"
+        };
+        const {
+          data,
+          error
+        } = await supabase.rpc("publish_workflow_version", {
+          p_workflow_id: args.workflow_id,
+          p_store_id: sid,
+          p_changelog: args.changelog || null,
+          p_published_by: args.published_by || null
+        });
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        if (!data?.success) return {
+          success: false,
+          error: data?.error || "Failed"
+        };
+        // Auto-activate on publish — publishing implies ready to run
+        await supabase.from("workflows").update({
+          is_active: true,
+          status: "active"
+        }).eq("id", args.workflow_id).eq("store_id", sid);
+        return {
+          success: true,
+          data
+        };
+      }
+    case "versions":
+      {
+        if (!args.workflow_id) return {
+          success: false,
+          error: "workflow_id required"
+        };
+        // IDOR FIX: Verify the workflow belongs to this store
+        const {
+          data: versionsWfCheck
+        } = await supabase.from("workflows").select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
+        if (!versionsWfCheck) return {
+          success: false,
+          error: "Workflow not found or access denied"
+        };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_versions").select("id, version, name, description, trigger_type, published_by, published_at, changelog").eq("workflow_id", args.workflow_id).order("version", {
+          ascending: false
+        }).limit(args.limit || 25);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "version_detail":
+      {
+        if (!args.version_id) return {
+          success: false,
+          error: "version_id required"
+        };
+        // Load full version row
+        const {
+          data: ver,
+          error: vErr
+        } = await supabase.from("workflow_versions").select("*").eq("id", args.version_id).single();
+        if (vErr || !ver) return {
+          success: false,
+          error: vErr?.message || "Version not found"
+        };
+        // IDOR FIX: Verify the version's workflow belongs to this store
+        const {
+          data: versionWfCheck
+        } = await supabase.from("workflows").select("id").eq("id", ver.workflow_id).eq("store_id", sid).single();
+        if (!versionWfCheck) return {
+          success: false,
+          error: "Version not found or access denied"
+        };
+        // Also load the workflow steps that existed at publish time
+        // (stored as a snapshot in the version row, or we load current steps for the workflow)
+        let steps = [];
+        if (ver.steps_snapshot && Array.isArray(ver.steps_snapshot)) {
+          steps = ver.steps_snapshot;
+        } else {
+          // Fallback: load current steps from workflow_steps table
+          const {
+            data: stepData
+          } = await supabase.from("workflow_steps").select("id, step_key, name, type, config, position_x, position_y, depends_on").eq("workflow_id", ver.workflow_id).order("step_order", {
+            ascending: true
+          });
+          steps = stepData || [];
         }
-        case "analytics": {
-            const { data, error } = await supabase.rpc("get_workflow_analytics", {
-                p_store_id: sid, p_days: args.days || 30,
+        return {
+          success: true,
+          data: {
+            ...ver,
+            steps
+          }
+        };
+      }
+    case "rollback":
+      {
+        if (!args.workflow_id || !args.version_id) return {
+          success: false,
+          error: "workflow_id and version_id required"
+        };
+        // Verify workflow belongs to this store
+        const {
+          data: rbWfCheck
+        } = await supabase.from("workflows").select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
+        if (!rbWfCheck) return {
+          success: false,
+          error: "Workflow not found or access denied"
+        };
+        // Verify version belongs to this workflow
+        const {
+          data: version,
+          error: verErr
+        } = await supabase.from("workflow_versions").select("id, version, steps_snapshot").eq("id", args.version_id).eq("workflow_id", args.workflow_id).single();
+        if (verErr || !version) return {
+          success: false,
+          error: "Version not found for this workflow"
+        };
+
+        // P1 FIX: Restore steps from snapshot — not just the version pointer
+        if (version.steps_snapshot && Array.isArray(version.steps_snapshot)) {
+          // Delete current steps
+          await supabase.from("workflow_steps").delete().eq("workflow_id", args.workflow_id);
+          // Upsert from snapshot
+          const stepsToInsert = version.steps_snapshot.map(s => ({
+            ...s,
+            workflow_id: args.workflow_id
+          }));
+          if (stepsToInsert.length > 0) {
+            await supabase.from("workflow_steps").upsert(stepsToInsert, {
+              onConflict: "id"
             });
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "create_webhook": {
-            // P1 FIX: Ensure slug is globally unique to prevent cross-store webhook interception.
-            // handleWebhookIngestion queries by slug without store_id, so duplicate slugs across
-            // stores would cause one store to intercept another's webhooks.
-            const { data: existingSlug } = await supabase
-                .from("webhook_endpoints")
-                .select("id")
-                .eq("slug", args.slug)
-                .eq("is_active", true)
-                .limit(1);
-            if (existingSlug?.length) {
-                return { success: false, error: "Webhook slug already in use. Choose a different slug." };
-            }
-            const { data, error } = await supabase.from("webhook_endpoints").insert({
-                store_id: sid, name: args.name, description: args.description || null,
-                slug: args.slug, workflow_id: args.workflow_id,
-                verify_signature: args.verify_signature ?? true,
-                max_requests_per_minute: args.max_requests_per_minute || 60,
-                payload_transform: args.payload_transform || null,
-                sync_response: args.sync_response ?? false,
-                sync_timeout_seconds: args.sync_timeout_seconds || 30,
-            }).select().single();
-            if (error)
-                return { success: false, error: error.message };
-            return { success: true, data: { ...data, webhook_url: `https://whale-agent.fly.dev/webhooks/${data.slug}` } };
+          }
         }
-        case "list_webhooks": {
-            const { data, error } = await supabase.from("webhook_endpoints")
-                .select("id, name, description, slug, workflow_id, is_active, verify_signature, sync_response, last_received_at, total_received, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            return error ? { success: false, error: error.message } : { success: true, data };
+        const {
+          error
+        } = await supabase.from("workflows").update({
+          published_version_id: version.id
+        }).eq("id", args.workflow_id).eq("store_id", sid);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            rolled_back_to: version.version,
+            version_id: version.id,
+            steps_restored: !!version.steps_snapshot
+          }
+        };
+      }
+
+    // ================================================================
+    // PHASE 5: Template actions
+    // ================================================================
+
+    case "list_templates":
+      {
+        let q = supabase.from("workflows").select("id, name, description, icon, trigger_type, template_category, template_tags, clone_count, created_at").eq("is_template", true).order("clone_count", {
+          ascending: false
+        });
+        if (args.category) q = q.eq("template_category", args.category);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 50);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "clone_template":
+      {
+        if (!args.template_id) return {
+          success: false,
+          error: "template_id required"
+        };
+        const {
+          data,
+          error
+        } = await supabase.rpc("clone_workflow_template", {
+          p_template_id: args.template_id,
+          p_store_id: sid,
+          p_name: args.name || null
+        });
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        return data?.success ? {
+          success: true,
+          data
+        } : {
+          success: false,
+          error: data?.error || "Failed"
+        };
+      }
+
+    // ================================================================
+    // Checkpoint / replay — time-travel debugging
+    // ================================================================
+
+    case "checkpoints":
+      {
+        if (!args.run_id) return {
+          success: false,
+          error: "run_id required"
+        };
+        // IDOR FIX: Verify the run belongs to this store
+        const {
+          data: cpRunCheck
+        } = await supabase.from("workflow_runs").select("id").eq("id", args.run_id).eq("store_id", sid).single();
+        if (!cpRunCheck) return {
+          success: false,
+          error: "Run not found or access denied"
+        };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_checkpoints").select("id, step_key, step_run_id, sequence_number, created_at").eq("run_id", args.run_id).order("sequence_number", {
+          ascending: true
+        });
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "replay":
+      {
+        if (!args.run_id) return {
+          success: false,
+          error: "run_id required"
+        };
+        const fromStepKey = args.from_step;
+
+        // Load the checkpoint to replay from
+        let checkpointQuery = supabase.from("workflow_checkpoints").select("*").eq("run_id", args.run_id);
+        if (fromStepKey) {
+          checkpointQuery = checkpointQuery.eq("step_key", fromStepKey);
+        } else {
+          // Default: replay from last successful checkpoint
+          checkpointQuery = checkpointQuery.order("sequence_number", {
+            ascending: false
+          }).limit(1);
         }
-        case "delete_webhook": {
-            const { error } = await supabase.from("webhook_endpoints").delete()
-                .eq("id", args.webhook_id).eq("store_id", sid);
-            return error ? { success: false, error: error.message } : { success: true, data: { deleted: true } };
-        }
-        // ================================================================
-        // PHASE 2: Approval actions
-        // ================================================================
-        case "list_approvals": {
-            let q = supabase.from("workflow_approval_requests")
-                .select("id, run_id, step_run_id, workflow_id, title, description, prompt, options, form_schema, assigned_to, assigned_role, status, response_data, responded_by, responded_at, expires_at, timeout_action, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.status)
-                q = q.eq("status", args.status);
-            if (args.workflow_id)
-                q = q.eq("workflow_id", args.workflow_id);
-            if (args.run_id)
-                q = q.eq("run_id", args.run_id);
-            const { data, error } = await q.limit(args.limit || 25);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "respond_approval": {
-            if (!args.approval_id)
-                return { success: false, error: "approval_id required" };
-            if (!args.response_status)
-                return { success: false, error: "response_status required (approved/rejected)" };
-            // FIX 3: Check expiration before calling the RPC (defense in depth)
-            const { data: approval, error: approvalErr } = await supabase.from("workflow_approval_requests")
-                .select("id, expires_at, status")
-                .eq("id", args.approval_id).eq("store_id", sid).single();
-            if (approvalErr || !approval)
-                return { success: false, error: "Approval not found" };
-            if (approval.status !== "pending")
-                return { success: false, error: `Approval already ${approval.status}` };
-            if (approval.expires_at && new Date(approval.expires_at) < new Date()) {
-                return { success: false, error: "Approval has expired" };
-            }
-            const { data, error } = await supabase.rpc("respond_to_approval", {
-                p_approval_id: args.approval_id,
-                p_store_id: sid,
-                p_response: args.response_status,
-                p_response_data: args.response_data || {},
-                p_responded_by: args.responded_by || null,
+        const {
+          data: checkpoint
+        } = await checkpointQuery.single();
+        if (!checkpoint) return {
+          success: false,
+          error: "No checkpoint found"
+        };
+
+        // Get original run's workflow (IDOR FIX: scope to store)
+        const {
+          data: origRun
+        } = await supabase.from("workflow_runs").select("workflow_id, trigger_type, trigger_payload, version_id").eq("id", args.run_id).eq("store_id", sid).single();
+        if (!origRun) return {
+          success: false,
+          error: "Original run not found"
+        };
+
+        // Start a new run with checkpoint state pre-loaded
+        const {
+          data: newRun,
+          error: startErr
+        } = await supabase.rpc("start_workflow_run", {
+          p_workflow_id: origRun.workflow_id,
+          p_store_id: sid,
+          p_trigger_type: "replay",
+          p_trigger_payload: checkpoint.trigger_payload || origRun.trigger_payload || {},
+          p_idempotency_key: null
+        });
+        if (startErr || !newRun?.success) return {
+          success: false,
+          error: startErr?.message || "Failed to start replay run"
+        };
+
+        // Pre-load step_outputs from checkpoint
+        await supabase.from("workflow_runs").update({
+          step_outputs: checkpoint.step_outputs,
+          version_id: origRun.version_id
+        }).eq("id", newRun.run_id);
+
+        // Cancel the auto-created entry step runs (we'll create our own starting from the checkpoint step)
+        await supabase.from("workflow_step_runs").update({
+          status: "cancelled"
+        }).eq("run_id", newRun.run_id).eq("status", "pending");
+
+        // Find what step comes AFTER the checkpoint step
+        const {
+          data: checkpointStepDef
+        } = await supabase.from("workflow_steps").select("on_success").eq("workflow_id", origRun.workflow_id).eq("step_key", checkpoint.step_key).single();
+        if (checkpointStepDef?.on_success) {
+          // createNextStepRunByKey is internal to workflow-steps — use direct insert
+          const {
+            data: nextStepDef
+          } = await supabase.from("workflow_steps").select("id, step_key, step_type, max_retries").eq("workflow_id", origRun.workflow_id).eq("step_key", checkpointStepDef.on_success).single();
+          if (nextStepDef) {
+            await supabase.from("workflow_step_runs").insert({
+              run_id: newRun.run_id,
+              step_id: nextStepDef.id,
+              step_key: nextStepDef.step_key,
+              step_type: nextStepDef.step_type,
+              status: "pending",
+              max_attempts: nextStepDef.max_retries ?? 3
             });
-            if (error)
-                return { success: false, error: error.message };
-            return data?.success ? { success: true, data } : { success: false, error: data?.error || "Failed" };
-        }
-        // ================================================================
-        // PHASE 4: Versioning actions
-        // ================================================================
-        case "publish": {
-            if (!args.workflow_id)
-                return { success: false, error: "workflow_id required" };
-            const { data, error } = await supabase.rpc("publish_workflow_version", {
-                p_workflow_id: args.workflow_id,
-                p_store_id: sid,
-                p_changelog: args.changelog || null,
-                p_published_by: args.published_by || null,
-            });
-            if (error)
-                return { success: false, error: error.message };
-            if (!data?.success)
-                return { success: false, error: data?.error || "Failed" };
-            // Auto-activate on publish — publishing implies ready to run
-            await supabase.from("workflows").update({ is_active: true, status: "active" })
-                .eq("id", args.workflow_id).eq("store_id", sid);
-            return { success: true, data };
-        }
-        case "versions": {
-            if (!args.workflow_id)
-                return { success: false, error: "workflow_id required" };
-            // IDOR FIX: Verify the workflow belongs to this store
-            const { data: versionsWfCheck } = await supabase.from("workflows")
-                .select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
-            if (!versionsWfCheck)
-                return { success: false, error: "Workflow not found or access denied" };
-            const { data, error } = await supabase.from("workflow_versions")
-                .select("id, version, name, description, trigger_type, published_by, published_at, changelog")
-                .eq("workflow_id", args.workflow_id)
-                .order("version", { ascending: false })
-                .limit(args.limit || 25);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "version_detail": {
-            if (!args.version_id)
-                return { success: false, error: "version_id required" };
-            // Load full version row
-            const { data: ver, error: vErr } = await supabase.from("workflow_versions")
-                .select("*")
-                .eq("id", args.version_id)
-                .single();
-            if (vErr || !ver)
-                return { success: false, error: vErr?.message || "Version not found" };
-            // IDOR FIX: Verify the version's workflow belongs to this store
-            const { data: versionWfCheck } = await supabase.from("workflows")
-                .select("id").eq("id", ver.workflow_id).eq("store_id", sid).single();
-            if (!versionWfCheck)
-                return { success: false, error: "Version not found or access denied" };
-            // Also load the workflow steps that existed at publish time
-            // (stored as a snapshot in the version row, or we load current steps for the workflow)
-            let steps = [];
-            if (ver.steps_snapshot && Array.isArray(ver.steps_snapshot)) {
-                steps = ver.steps_snapshot;
-            }
-            else {
-                // Fallback: load current steps from workflow_steps table
-                const { data: stepData } = await supabase.from("workflow_steps")
-                    .select("id, step_key, name, type, config, position_x, position_y, depends_on")
-                    .eq("workflow_id", ver.workflow_id)
-                    .order("step_order", { ascending: true });
-                steps = stepData || [];
-            }
-            return { success: true, data: { ...ver, steps } };
-        }
-        case "rollback": {
-            if (!args.workflow_id || !args.version_id)
-                return { success: false, error: "workflow_id and version_id required" };
-            // Verify workflow belongs to this store
-            const { data: rbWfCheck } = await supabase.from("workflows")
-                .select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
-            if (!rbWfCheck)
-                return { success: false, error: "Workflow not found or access denied" };
-            // Verify version belongs to this workflow
-            const { data: version, error: verErr } = await supabase.from("workflow_versions")
-                .select("id, version, steps_snapshot").eq("id", args.version_id)
-                .eq("workflow_id", args.workflow_id).single();
-            if (verErr || !version)
-                return { success: false, error: "Version not found for this workflow" };
-            // P1 FIX: Restore steps from snapshot — not just the version pointer
-            if (version.steps_snapshot && Array.isArray(version.steps_snapshot)) {
-                // Delete current steps
-                await supabase.from("workflow_steps")
-                    .delete().eq("workflow_id", args.workflow_id);
-                // Upsert from snapshot
-                const stepsToInsert = version.steps_snapshot.map((s) => ({
-                    ...s,
-                    workflow_id: args.workflow_id,
-                }));
-                if (stepsToInsert.length > 0) {
-                    await supabase.from("workflow_steps").upsert(stepsToInsert, { onConflict: "id" });
-                }
-            }
-            const { error } = await supabase.from("workflows").update({
-                published_version_id: version.id,
-            }).eq("id", args.workflow_id).eq("store_id", sid);
-            return error ? { success: false, error: error.message } : { success: true, data: { rolled_back_to: version.version, version_id: version.id, steps_restored: !!(version.steps_snapshot) } };
+          }
+          try {
+            await executeInlineChain(supabase, newRun.run_id);
+          } catch (err) {
+            console.error("[workflow] Inline chain failed for replay run", newRun.run_id, ":", err.message);
+          }
         }
-        // ================================================================
-        // PHASE 5: Template actions
-        // ================================================================
-        case "list_templates": {
-            let q = supabase.from("workflows")
-                .select("id, name, description, icon, trigger_type, template_category, template_tags, clone_count, created_at")
-                .eq("is_template", true).order("clone_count", { ascending: false });
-            if (args.category)
-                q = q.eq("template_category", args.category);
-            const { data, error } = await q.limit(args.limit || 50);
-            return error ? { success: false, error: error.message } : { success: true, data };
+        logWorkflowEvent(supabase, newRun.run_id, "run_replayed", {
+          original_run_id: args.run_id,
+          from_step: checkpoint.step_key,
+          checkpoint_id: checkpoint.id
+        });
+        return {
+          success: true,
+          data: {
+            run_id: newRun.run_id,
+            replayed_from: checkpoint.step_key,
+            original_run_id: args.run_id
+          }
+        };
+      }
+
+    // ================================================================
+    // Event journal — time-travel debugging
+    // ================================================================
+
+    case "events":
+      {
+        if (!args.run_id) return {
+          success: false,
+          error: "run_id required"
+        };
+        // IDOR FIX: Verify the run belongs to this store
+        const {
+          data: eventsRunCheck
+        } = await supabase.from("workflow_runs").select("id").eq("id", args.run_id).eq("store_id", sid).single();
+        if (!eventsRunCheck) return {
+          success: false,
+          error: "Run not found or access denied"
+        };
+        const {
+          data,
+          error
+        } = await supabase.from("workflow_events").select("id, event_type, step_run_id, payload, created_at").eq("run_id", args.run_id).order("created_at", {
+          ascending: true
+        }).limit(args.limit || 200);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+
+    // ================================================================
+    // Waitpoint actions
+    // ================================================================
+
+    case "list_waitpoints":
+      {
+        let q = supabase.from("waitpoint_tokens").select("id, token, run_id, step_run_id, label, status, expires_at, completed_at, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.run_id) q = q.eq("run_id", args.run_id);
+        if (args.status) q = q.eq("status", args.status);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 25);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "complete_waitpoint":
+      {
+        if (!args.token) return {
+          success: false,
+          error: "token required"
+        };
+        // Find the waitpoint
+        const {
+          data: wp,
+          error: wpErr
+        } = await supabase.from("waitpoint_tokens").select("id, run_id, step_run_id, store_id, expires_at, status").eq("token", args.token).eq("store_id", sid).single();
+        if (wpErr || !wp) return {
+          success: false,
+          error: "Waitpoint token not found"
+        };
+        if (wp.status === "completed") return {
+          success: false,
+          error: "Waitpoint already completed"
+        };
+        if (wp.expires_at && new Date(wp.expires_at) < new Date()) return {
+          success: false,
+          error: "Waitpoint expired"
+        };
+        // Mark completed
+        await supabase.from("waitpoint_tokens").update({
+          status: "completed",
+          completion_data: args.data || {},
+          completed_at: new Date().toISOString()
+        }).eq("id", wp.id);
+        // Resume the waiting step
+        await supabase.from("workflow_step_runs").update({
+          status: "pending",
+          input: {
+            waitpoint_completed: true,
+            waitpoint_data: args.data || {}
+          }
+        }).eq("id", wp.step_run_id).eq("status", "waiting");
+        // Inline resume
+        try {
+          await executeInlineChain(supabase, wp.run_id);
+        } catch (err) {
+          console.error("[workflow] Inline chain failed after waitpoint:", err.message);
         }
-        case "clone_template": {
-            if (!args.template_id)
-                return { success: false, error: "template_id required" };
-            const { data, error } = await supabase.rpc("clone_workflow_template", {
-                p_template_id: args.template_id,
-                p_store_id: sid,
-                p_name: args.name || null,
-            });
-            if (error)
-                return { success: false, error: error.message };
-            return data?.success ? { success: true, data } : { success: false, error: data?.error || "Failed" };
+        return {
+          success: true,
+          data: {
+            completed: true,
+            run_id: wp.run_id
+          }
+        };
+      }
+
+    // ================================================================
+    // Dead Letter Queue actions
+    // ================================================================
+
+    case "dlq":
+      {
+        let q = supabase.from("workflow_dlq").select("id, workflow_id, workflow_name, run_id, error_message, error_step_key, trigger_type, status, run_duration_ms, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.status) q = q.eq("status", args.status);
+        if (args.workflow_id) q = q.eq("workflow_id", args.workflow_id);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 25);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "dlq_retry":
+      {
+        if (!args.dlq_id) return {
+          success: false,
+          error: "dlq_id required"
+        };
+        const {
+          data: dlqEntry
+        } = await supabase.from("workflow_dlq").select("*").eq("id", args.dlq_id).eq("store_id", sid).single();
+        if (!dlqEntry) return {
+          success: false,
+          error: "DLQ entry not found"
+        };
+        if (dlqEntry.status !== "pending") return {
+          success: false,
+          error: `DLQ entry already ${dlqEntry.status}`
+        };
+
+        // FIX 1: Preserve version_id from the original failed run
+        const {
+          data: originalRun
+        } = await supabase.from("workflow_runs").select("version_id").eq("id", dlqEntry.run_id).single();
+
+        // Start a fresh run of the same workflow with the same trigger
+        const {
+          data: result,
+          error: startErr
+        } = await supabase.rpc("start_workflow_run", {
+          p_workflow_id: dlqEntry.workflow_id,
+          p_store_id: sid,
+          p_trigger_type: dlqEntry.trigger_type || "dlq_retry",
+          p_trigger_payload: {
+            ...(dlqEntry.trigger_payload || {}),
+            dlq_retry: true,
+            original_run_id: dlqEntry.run_id
+          },
+          p_idempotency_key: null
+        });
+        if (startErr || !result?.success) return {
+          success: false,
+          error: startErr?.message || result?.error || "Retry failed"
+        };
+
+        // Set version_id from the original failed run (same pattern as "start" action)
+        if (result.run_id && !result.deduplicated && originalRun?.version_id) {
+          await supabase.from("workflow_runs").update({
+            version_id: originalRun.version_id
+          }).eq("id", result.run_id);
         }
-        // ================================================================
-        // Checkpoint / replay — time-travel debugging
-        // ================================================================
-        case "checkpoints": {
-            if (!args.run_id)
-                return { success: false, error: "run_id required" };
-            // IDOR FIX: Verify the run belongs to this store
-            const { data: cpRunCheck } = await supabase.from("workflow_runs")
-                .select("id").eq("id", args.run_id).eq("store_id", sid).single();
-            if (!cpRunCheck)
-                return { success: false, error: "Run not found or access denied" };
-            const { data, error } = await supabase.from("workflow_checkpoints")
-                .select("id, step_key, step_run_id, sequence_number, created_at")
-                .eq("run_id", args.run_id)
-                .order("sequence_number", { ascending: true });
-            return error ? { success: false, error: error.message } : { success: true, data };
+
+        // Update DLQ entry
+        await supabase.from("workflow_dlq").update({
+          status: "retried",
+          retried_run_id: result.run_id,
+          attempt_count: (dlqEntry.attempt_count || 1) + 1
+        }).eq("id", dlqEntry.id);
+
+        // Inline execution for the retry
+        try {
+          await executeInlineChain(supabase, result.run_id);
+        } catch (err) {
+          console.error("[workflow] Inline chain failed for DLQ retry run", result.run_id, ":", err.message);
         }
-        case "replay": {
-            if (!args.run_id)
-                return { success: false, error: "run_id required" };
-            const fromStepKey = args.from_step;
-            // Load the checkpoint to replay from
-            let checkpointQuery = supabase.from("workflow_checkpoints")
-                .select("*").eq("run_id", args.run_id);
-            if (fromStepKey) {
-                checkpointQuery = checkpointQuery.eq("step_key", fromStepKey);
-            }
-            else {
-                // Default: replay from last successful checkpoint
-                checkpointQuery = checkpointQuery.order("sequence_number", { ascending: false }).limit(1);
-            }
-            const { data: checkpoint } = await checkpointQuery.single();
-            if (!checkpoint)
-                return { success: false, error: "No checkpoint found" };
-            // Get original run's workflow (IDOR FIX: scope to store)
-            const { data: origRun } = await supabase.from("workflow_runs")
-                .select("workflow_id, trigger_type, trigger_payload, version_id")
-                .eq("id", args.run_id).eq("store_id", sid).single();
-            if (!origRun)
-                return { success: false, error: "Original run not found" };
-            // Start a new run with checkpoint state pre-loaded
-            const { data: newRun, error: startErr } = await supabase.rpc("start_workflow_run", {
-                p_workflow_id: origRun.workflow_id,
-                p_store_id: sid,
-                p_trigger_type: "replay",
-                p_trigger_payload: checkpoint.trigger_payload || origRun.trigger_payload || {},
-                p_idempotency_key: null,
+        return {
+          success: true,
+          data: {
+            retried: true,
+            new_run_id: result.run_id,
+            dlq_id: dlqEntry.id
+          }
+        };
+      }
+    case "dlq_dismiss":
+      {
+        if (!args.dlq_id) return {
+          success: false,
+          error: "dlq_id required"
+        };
+        const {
+          error
+        } = await supabase.from("workflow_dlq").update({
+          status: "dismissed",
+          dismissed_by: args.dismissed_by || null,
+          dismissed_at: new Date().toISOString(),
+          notes: args.notes || null
+        }).eq("id", args.dlq_id).eq("store_id", sid).eq("status", "pending");
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data: {
+            dismissed: true
+          }
+        };
+      }
+
+    // ================================================================
+    // Enhanced metrics + DAG visualization
+    // ================================================================
+
+    case "metrics":
+      {
+        const {
+          data,
+          error
+        } = await supabase.rpc("get_workflow_metrics", {
+          p_store_id: sid,
+          p_days: args.days || 30
+        });
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "graph":
+      {
+        // Return DAG visualization data (nodes + edges) for a workflow
+        if (!args.workflow_id) return {
+          success: false,
+          error: "workflow_id required"
+        };
+        // P0 FIX: IDOR protection — verify workflow belongs to this store before querying steps
+        const {
+          data: graphWfCheck
+        } = await supabase.from("workflows").select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
+        if (!graphWfCheck) return {
+          success: false,
+          error: "Workflow not found or access denied"
+        };
+        const {
+          data: steps,
+          error: stepsErr
+        } = await supabase.from("workflow_steps").select("id, step_key, step_type, is_entry_point, on_success, on_failure, position_x, position_y, step_config, timeout_seconds, max_retries").eq("workflow_id", args.workflow_id).order("position_y", {
+          ascending: true
+        });
+        if (stepsErr) return {
+          success: false,
+          error: stepsErr.message
+        };
+        const nodes = (steps || []).map(s => ({
+          id: s.step_key,
+          step_id: s.id,
+          // UUID for update_step/delete_step
+          type: s.step_type,
+          label: s.step_key,
+          is_entry_point: s.is_entry_point,
+          on_success: s.on_success || null,
+          on_failure: s.on_failure || null,
+          max_retries: s.max_retries,
+          timeout_seconds: s.timeout_seconds,
+          step_config: s.step_config || {},
+          position: {
+            x: s.position_x || 0,
+            y: s.position_y || 0
+          },
+          config_summary: {
+            timeout: s.timeout_seconds,
+            max_retries: s.max_retries,
+            ...(s.step_type === "condition" ? {
+              expression: s.step_config?.expression
+            } : {}),
+            ...(s.step_type === "tool" ? {
+              tool_name: s.step_config?.tool_name
+            } : {}),
+            ...(s.step_type === "delay" ? {
+              seconds: s.step_config?.seconds
+            } : {})
+          }
+        }));
+        const edges = [];
+        for (const s of steps || []) {
+          if (s.on_success) edges.push({
+            from: s.step_key,
+            to: s.on_success,
+            type: "success"
+          });
+          if (s.on_failure) edges.push({
+            from: s.step_key,
+            to: s.on_failure,
+            type: "failure"
+          });
+          // Handle condition branches
+          const cfg = s.step_config;
+          if (s.step_type === "condition") {
+            if (cfg?.on_true) edges.push({
+              from: s.step_key,
+              to: cfg.on_true,
+              type: "true"
             });
-            if (startErr || !newRun?.success)
-                return { success: false, error: startErr?.message || "Failed to start replay run" };
-            // Pre-load step_outputs from checkpoint
-            await supabase.from("workflow_runs").update({
-                step_outputs: checkpoint.step_outputs,
-                version_id: origRun.version_id,
-            }).eq("id", newRun.run_id);
-            // Cancel the auto-created entry step runs (we'll create our own starting from the checkpoint step)
-            await supabase.from("workflow_step_runs").update({ status: "cancelled" })
-                .eq("run_id", newRun.run_id).eq("status", "pending");
-            // Find what step comes AFTER the checkpoint step
-            const { data: checkpointStepDef } = await supabase.from("workflow_steps")
-                .select("on_success").eq("workflow_id", origRun.workflow_id)
-                .eq("step_key", checkpoint.step_key).single();
-            if (checkpointStepDef?.on_success) {
-                // createNextStepRunByKey is internal to workflow-steps — use direct insert
-                const { data: nextStepDef } = await supabase.from("workflow_steps")
-                    .select("id, step_key, step_type, max_retries")
-                    .eq("workflow_id", origRun.workflow_id).eq("step_key", checkpointStepDef.on_success).single();
-                if (nextStepDef) {
-                    await supabase.from("workflow_step_runs").insert({
-                        run_id: newRun.run_id, step_id: nextStepDef.id, step_key: nextStepDef.step_key,
-                        step_type: nextStepDef.step_type, status: "pending", max_attempts: nextStepDef.max_retries ?? 3,
-                    });
-                }
-                try {
-                    await executeInlineChain(supabase, newRun.run_id);
-                }
-                catch (err) {
-                    console.error("[workflow] Inline chain failed for replay run", newRun.run_id, ":", err.message);
-                }
-            }
-            logWorkflowEvent(supabase, newRun.run_id, "run_replayed", {
-                original_run_id: args.run_id, from_step: checkpoint.step_key, checkpoint_id: checkpoint.id,
+            if (cfg?.on_false) edges.push({
+              from: s.step_key,
+              to: cfg.on_false,
+              type: "false"
             });
-            return { success: true, data: { run_id: newRun.run_id, replayed_from: checkpoint.step_key, original_run_id: args.run_id } };
-        }
-        // ================================================================
-        // Event journal — time-travel debugging
-        // ================================================================
-        case "events": {
-            if (!args.run_id)
-                return { success: false, error: "run_id required" };
-            // IDOR FIX: Verify the run belongs to this store
-            const { data: eventsRunCheck } = await supabase.from("workflow_runs")
-                .select("id").eq("id", args.run_id).eq("store_id", sid).single();
-            if (!eventsRunCheck)
-                return { success: false, error: "Run not found or access denied" };
-            const { data, error } = await supabase.from("workflow_events")
-                .select("id, event_type, step_run_id, payload, created_at")
-                .eq("run_id", args.run_id)
-                .order("created_at", { ascending: true })
-                .limit(args.limit || 200);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        // ================================================================
-        // Waitpoint actions
-        // ================================================================
-        case "list_waitpoints": {
-            let q = supabase.from("waitpoint_tokens")
-                .select("id, token, run_id, step_run_id, label, status, expires_at, completed_at, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.run_id)
-                q = q.eq("run_id", args.run_id);
-            if (args.status)
-                q = q.eq("status", args.status);
-            const { data, error } = await q.limit(args.limit || 25);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "complete_waitpoint": {
-            if (!args.token)
-                return { success: false, error: "token required" };
-            // Find the waitpoint
-            const { data: wp, error: wpErr } = await supabase.from("waitpoint_tokens")
-                .select("id, run_id, step_run_id, store_id, expires_at, status")
-                .eq("token", args.token).eq("store_id", sid).single();
-            if (wpErr || !wp)
-                return { success: false, error: "Waitpoint token not found" };
-            if (wp.status === "completed")
-                return { success: false, error: "Waitpoint already completed" };
-            if (wp.expires_at && new Date(wp.expires_at) < new Date())
-                return { success: false, error: "Waitpoint expired" };
-            // Mark completed
-            await supabase.from("waitpoint_tokens").update({
-                status: "completed", completion_data: args.data || {}, completed_at: new Date().toISOString(),
-            }).eq("id", wp.id);
-            // Resume the waiting step
-            await supabase.from("workflow_step_runs").update({
-                status: "pending", input: { waitpoint_completed: true, waitpoint_data: args.data || {} },
-            }).eq("id", wp.step_run_id).eq("status", "waiting");
-            // Inline resume
-            try {
-                await executeInlineChain(supabase, wp.run_id);
-            }
-            catch (err) {
-                console.error("[workflow] Inline chain failed after waitpoint:", err.message);
+          }
+          // Handle parallel children
+          const parallelKeys = cfg?.step_keys || cfg?.child_steps;
+          if (s.step_type === "parallel" && Array.isArray(parallelKeys)) {
+            for (const childKey of parallelKeys) {
+              edges.push({
+                from: s.step_key,
+                to: childKey,
+                type: "parallel"
+              });
             }
-            return { success: true, data: { completed: true, run_id: wp.run_id } };
+          }
         }
-        // ================================================================
-        // Dead Letter Queue actions
-        // ================================================================
-        case "dlq": {
-            let q = supabase.from("workflow_dlq")
-                .select("id, workflow_id, workflow_name, run_id, error_message, error_step_key, trigger_type, status, run_duration_ms, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.status)
-                q = q.eq("status", args.status);
-            if (args.workflow_id)
-                q = q.eq("workflow_id", args.workflow_id);
-            const { data, error } = await q.limit(args.limit || 25);
-            return error ? { success: false, error: error.message } : { success: true, data };
+
+        // If run_id provided, overlay live status on nodes
+        let nodeStatus = {};
+        if (args.run_id) {
+          const {
+            data: stepRuns
+          } = await supabase.from("workflow_step_runs").select("step_key, status, duration_ms, error_message").eq("run_id", args.run_id);
+          for (const sr of stepRuns || []) {
+            nodeStatus[sr.step_key] = {
+              status: sr.status,
+              duration_ms: sr.duration_ms,
+              ...(sr.error_message ? {
+                error: sr.error_message
+              } : {})
+            };
+          }
         }
-        case "dlq_retry": {
-            if (!args.dlq_id)
-                return { success: false, error: "dlq_id required" };
-            const { data: dlqEntry } = await supabase.from("workflow_dlq")
-                .select("*").eq("id", args.dlq_id).eq("store_id", sid).single();
-            if (!dlqEntry)
-                return { success: false, error: "DLQ entry not found" };
-            if (dlqEntry.status !== "pending")
-                return { success: false, error: `DLQ entry already ${dlqEntry.status}` };
-            // FIX 1: Preserve version_id from the original failed run
-            const { data: originalRun } = await supabase.from("workflow_runs")
-                .select("version_id")
-                .eq("id", dlqEntry.run_id)
-                .single();
-            // Start a fresh run of the same workflow with the same trigger
-            const { data: result, error: startErr } = await supabase.rpc("start_workflow_run", {
-                p_workflow_id: dlqEntry.workflow_id,
-                p_store_id: sid,
-                p_trigger_type: dlqEntry.trigger_type || "dlq_retry",
-                p_trigger_payload: { ...(dlqEntry.trigger_payload || {}), dlq_retry: true, original_run_id: dlqEntry.run_id },
-                p_idempotency_key: null,
-            });
-            if (startErr || !result?.success)
-                return { success: false, error: startErr?.message || result?.error || "Retry failed" };
-            // Set version_id from the original failed run (same pattern as "start" action)
-            if (result.run_id && !result.deduplicated && originalRun?.version_id) {
-                await supabase.from("workflow_runs").update({ version_id: originalRun.version_id }).eq("id", result.run_id);
+        return {
+          success: true,
+          data: {
+            nodes,
+            edges,
+            node_status: Object.keys(nodeStatus).length ? nodeStatus : undefined
+          }
+        };
+      }
+
+    // ================================================================
+    // Schedule management
+    // ================================================================
+
+    case "set_schedule":
+      {
+        if (!args.workflow_id) return {
+          success: false,
+          error: "workflow_id required"
+        };
+        const cronExpr = args.cron_expression;
+        const runAt = args.run_at;
+        if (runAt) {
+          // One-time schedule: run once at a specific datetime
+          const runAtDate = new Date(runAt);
+          if (isNaN(runAtDate.getTime())) return {
+            success: false,
+            error: `Invalid run_at datetime: ${runAt}`
+          };
+          if (runAtDate <= new Date()) return {
+            success: false,
+            error: "run_at must be in the future"
+          };
+          const {
+            error
+          } = await supabase.from("workflows").update({
+            cron_expression: null,
+            next_run_at: runAtDate.toISOString(),
+            trigger_type: "schedule",
+            timezone: args.timezone || "UTC",
+            is_active: true,
+            status: "active"
+          }).eq("id", args.workflow_id).eq("store_id", sid);
+          return error ? {
+            success: false,
+            error: error.message
+          } : {
+            success: true,
+            data: {
+              one_time: true,
+              run_at: runAtDate.toISOString()
             }
-            // Update DLQ entry
-            await supabase.from("workflow_dlq").update({
-                status: "retried", retried_run_id: result.run_id,
-                attempt_count: (dlqEntry.attempt_count || 1) + 1,
-            }).eq("id", dlqEntry.id);
-            // Inline execution for the retry
-            try {
-                await executeInlineChain(supabase, result.run_id);
+          };
+        } else if (cronExpr) {
+          // Recurring cron schedule
+          const next = getNextCronTime(cronExpr);
+          if (!next) return {
+            success: false,
+            error: `Invalid cron expression: ${cronExpr}`
+          };
+          const {
+            error
+          } = await supabase.from("workflows").update({
+            cron_expression: cronExpr,
+            next_run_at: next.toISOString(),
+            trigger_type: "schedule",
+            timezone: args.timezone || "UTC"
+          }).eq("id", args.workflow_id).eq("store_id", sid);
+          return error ? {
+            success: false,
+            error: error.message
+          } : {
+            success: true,
+            data: {
+              cron: cronExpr,
+              next_run_at: next.toISOString()
             }
-            catch (err) {
-                console.error("[workflow] Inline chain failed for DLQ retry run", result.run_id, ":", err.message);
+          };
+        } else {
+          // Clear schedule
+          const {
+            error
+          } = await supabase.from("workflows").update({
+            cron_expression: null,
+            next_run_at: null
+          }).eq("id", args.workflow_id).eq("store_id", sid);
+          return error ? {
+            success: false,
+            error: error.message
+          } : {
+            success: true,
+            data: {
+              schedule_cleared: true
             }
-            return { success: true, data: { retried: true, new_run_id: result.run_id, dlq_id: dlqEntry.id } };
-        }
-        case "dlq_dismiss": {
-            if (!args.dlq_id)
-                return { success: false, error: "dlq_id required" };
-            const { error } = await supabase.from("workflow_dlq").update({
-                status: "dismissed",
-                dismissed_by: args.dismissed_by || null,
-                dismissed_at: new Date().toISOString(),
-                notes: args.notes || null,
-            }).eq("id", args.dlq_id).eq("store_id", sid).eq("status", "pending");
-            return error ? { success: false, error: error.message } : { success: true, data: { dismissed: true } };
-        }
-        // ================================================================
-        // Enhanced metrics + DAG visualization
-        // ================================================================
-        case "metrics": {
-            const { data, error } = await supabase.rpc("get_workflow_metrics", {
-                p_store_id: sid, p_days: args.days || 30,
-            });
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "graph": {
-            // Return DAG visualization data (nodes + edges) for a workflow
-            if (!args.workflow_id)
-                return { success: false, error: "workflow_id required" };
-            // P0 FIX: IDOR protection — verify workflow belongs to this store before querying steps
-            const { data: graphWfCheck } = await supabase.from("workflows")
-                .select("id").eq("id", args.workflow_id).eq("store_id", sid).single();
-            if (!graphWfCheck)
-                return { success: false, error: "Workflow not found or access denied" };
-            const { data: steps, error: stepsErr } = await supabase.from("workflow_steps")
-                .select("id, step_key, step_type, is_entry_point, on_success, on_failure, position_x, position_y, step_config, timeout_seconds, max_retries")
-                .eq("workflow_id", args.workflow_id)
-                .order("position_y", { ascending: true });
-            if (stepsErr)
-                return { success: false, error: stepsErr.message };
-            const nodes = (steps || []).map(s => ({
-                id: s.step_key,
-                step_id: s.id, // UUID for update_step/delete_step
-                type: s.step_type,
-                label: s.step_key,
-                is_entry_point: s.is_entry_point,
-                on_success: s.on_success || null,
-                on_failure: s.on_failure || null,
-                max_retries: s.max_retries,
-                timeout_seconds: s.timeout_seconds,
-                step_config: s.step_config || {},
-                position: { x: s.position_x || 0, y: s.position_y || 0 },
-                config_summary: {
-                    timeout: s.timeout_seconds,
-                    max_retries: s.max_retries,
-                    ...(s.step_type === "condition" ? { expression: s.step_config?.expression } : {}),
-                    ...(s.step_type === "tool" ? { tool_name: s.step_config?.tool_name } : {}),
-                    ...(s.step_type === "delay" ? { seconds: s.step_config?.seconds } : {}),
-                },
-            }));
-            const edges = [];
-            for (const s of steps || []) {
-                if (s.on_success)
-                    edges.push({ from: s.step_key, to: s.on_success, type: "success" });
-                if (s.on_failure)
-                    edges.push({ from: s.step_key, to: s.on_failure, type: "failure" });
-                // Handle condition branches
-                const cfg = s.step_config;
-                if (s.step_type === "condition") {
-                    if (cfg?.on_true)
-                        edges.push({ from: s.step_key, to: cfg.on_true, type: "true" });
-                    if (cfg?.on_false)
-                        edges.push({ from: s.step_key, to: cfg.on_false, type: "false" });
-                }
-                // Handle parallel children
-                const parallelKeys = cfg?.step_keys || cfg?.child_steps;
-                if (s.step_type === "parallel" && Array.isArray(parallelKeys)) {
-                    for (const childKey of parallelKeys) {
-                        edges.push({ from: s.step_key, to: childKey, type: "parallel" });
-                    }
-                }
-            }
-            // If run_id provided, overlay live status on nodes
-            let nodeStatus = {};
-            if (args.run_id) {
-                const { data: stepRuns } = await supabase.from("workflow_step_runs")
-                    .select("step_key, status, duration_ms, error_message")
-                    .eq("run_id", args.run_id);
-                for (const sr of stepRuns || []) {
-                    nodeStatus[sr.step_key] = { status: sr.status, duration_ms: sr.duration_ms, ...(sr.error_message ? { error: sr.error_message } : {}) };
-                }
-            }
-            return { success: true, data: { nodes, edges, node_status: Object.keys(nodeStatus).length ? nodeStatus : undefined } };
-        }
-        // ================================================================
-        // Schedule management
-        // ================================================================
-        case "set_schedule": {
-            if (!args.workflow_id)
-                return { success: false, error: "workflow_id required" };
-            const cronExpr = args.cron_expression;
-            const runAt = args.run_at;
-            if (runAt) {
-                // One-time schedule: run once at a specific datetime
-                const runAtDate = new Date(runAt);
-                if (isNaN(runAtDate.getTime()))
-                    return { success: false, error: `Invalid run_at datetime: ${runAt}` };
-                if (runAtDate <= new Date())
-                    return { success: false, error: "run_at must be in the future" };
-                const { error } = await supabase.from("workflows").update({
-                    cron_expression: null,
-                    next_run_at: runAtDate.toISOString(),
-                    trigger_type: "schedule",
-                    timezone: args.timezone || "UTC",
-                    is_active: true,
-                    status: "active",
-                }).eq("id", args.workflow_id).eq("store_id", sid);
-                return error ? { success: false, error: error.message } : { success: true, data: { one_time: true, run_at: runAtDate.toISOString() } };
-            }
-            else if (cronExpr) {
-                // Recurring cron schedule
-                const next = getNextCronTime(cronExpr);
-                if (!next)
-                    return { success: false, error: `Invalid cron expression: ${cronExpr}` };
-                const { error } = await supabase.from("workflows").update({
-                    cron_expression: cronExpr,
-                    next_run_at: next.toISOString(),
-                    trigger_type: "schedule",
-                    timezone: args.timezone || "UTC",
-                }).eq("id", args.workflow_id).eq("store_id", sid);
-                return error ? { success: false, error: error.message } : { success: true, data: { cron: cronExpr, next_run_at: next.toISOString() } };
-            }
-            else {
-                // Clear schedule
-                const { error } = await supabase.from("workflows").update({
-                    cron_expression: null, next_run_at: null,
-                }).eq("id", args.workflow_id).eq("store_id", sid);
-                return error ? { success: false, error: error.message } : { success: true, data: { schedule_cleared: true } };
-            }
-        }
-        // ================================================================
-        // Event bus — fire events & manage subscriptions
-        // ================================================================
-        case "fire_event": {
-            if (!args.event_type)
-                return { success: false, error: "event_type required" };
-            const { data: evtId, error: evtErr } = await supabase.rpc("fire_event", {
-                p_store_id: sid,
-                p_event_type: args.event_type,
-                p_event_payload: args.event_payload || {},
-                p_source: args.source || "workflow_tool",
-            });
-            return evtErr ? { success: false, error: evtErr.message } : { success: true, data: { event_id: evtId } };
-        }
-        case "list_subscriptions": {
-            let q = supabase.from("workflow_event_subscriptions")
-                .select("id, store_id, workflow_id, event_type, filter_expression, is_active, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.event_type)
-                q = q.eq("event_type", args.event_type);
-            if (args.workflow_id)
-                q = q.eq("workflow_id", args.workflow_id);
-            const { data, error } = await q.limit(args.limit || 50);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "create_subscription": {
-            if (!args.workflow_id)
-                return { success: false, error: "workflow_id required" };
-            if (!args.event_type)
-                return { success: false, error: "event_type required" };
-            const { data: sub, error: subErr } = await supabase.from("workflow_event_subscriptions")
-                .insert({
-                store_id: sid,
-                workflow_id: args.workflow_id,
-                event_type: args.event_type,
-                filter_expression: args.filter_expression || null,
-                is_active: args.is_active !== false,
-            })
-                .select().single();
-            return subErr ? { success: false, error: subErr.message } : { success: true, data: sub };
-        }
-        case "delete_subscription": {
-            if (!args.subscription_id)
-                return { success: false, error: "subscription_id required" };
-            const { error: delErr } = await supabase.from("workflow_event_subscriptions")
-                .delete().eq("id", args.subscription_id).eq("store_id", sid);
-            return delErr ? { success: false, error: delErr.message } : { success: true, data: { deleted: true } };
-        }
-        case "list_events": {
-            let q = supabase.from("automation_events")
-                .select("id, store_id, event_type, event_payload, source, status, processed_at, error_message, created_at")
-                .eq("store_id", sid).order("created_at", { ascending: false });
-            if (args.event_type)
-                q = q.eq("event_type", args.event_type);
-            if (args.status)
-                q = q.eq("status", args.status);
-            const { data, error } = await q.limit(args.limit || 50);
-            return error ? { success: false, error: error.message } : { success: true, data };
-        }
-        case "list_tools": {
-            const { data, error } = await supabase.from("ai_tool_registry")
-                .select("name, description, category, definition, tool_mode, is_read_only, requires_store_id")
-                .eq("is_active", true)
-                .or("tool_mode.is.null,tool_mode.neq.code")
-                .order("category").order("name");
-            if (error)
-                return { success: false, error: error.message };
-            const tools = (data || []).map((row) => {
-                const def = row.definition;
-                const inputSchema = def?.input_schema;
-                const actionProp = inputSchema?.properties?.action;
-                const actions = actionProp?.enum || [];
-                return {
-                    name: row.name,
-                    description: row.description || def?.description || "",
-                    category: row.category || "other",
-                    actions,
-                    input_schema: inputSchema || null,
-                    tool_mode: row.tool_mode || null,
-                    is_read_only: row.is_read_only ?? false,
-                    requires_store_id: row.requires_store_id ?? false,
-                };
-            });
-            return { success: true, data: { tools } };
+          };
         }
-        default:
-            return { success: false, error: `Unknown workflow action: ${action}` };
-    }
+      }
+
+    // ================================================================
+    // Event bus — fire events & manage subscriptions
+    // ================================================================
+
+    case "fire_event":
+      {
+        if (!args.event_type) return {
+          success: false,
+          error: "event_type required"
+        };
+        const {
+          data: evtId,
+          error: evtErr
+        } = await supabase.rpc("fire_event", {
+          p_store_id: sid,
+          p_event_type: args.event_type,
+          p_event_payload: args.event_payload || {},
+          p_source: args.source || "workflow_tool"
+        });
+        return evtErr ? {
+          success: false,
+          error: evtErr.message
+        } : {
+          success: true,
+          data: {
+            event_id: evtId
+          }
+        };
+      }
+    case "list_subscriptions":
+      {
+        let q = supabase.from("workflow_event_subscriptions").select("id, store_id, workflow_id, event_type, filter_expression, is_active, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.event_type) q = q.eq("event_type", args.event_type);
+        if (args.workflow_id) q = q.eq("workflow_id", args.workflow_id);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 50);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "create_subscription":
+      {
+        if (!args.workflow_id) return {
+          success: false,
+          error: "workflow_id required"
+        };
+        if (!args.event_type) return {
+          success: false,
+          error: "event_type required"
+        };
+        const {
+          data: sub,
+          error: subErr
+        } = await supabase.from("workflow_event_subscriptions").insert({
+          store_id: sid,
+          workflow_id: args.workflow_id,
+          event_type: args.event_type,
+          filter_expression: args.filter_expression || null,
+          is_active: args.is_active !== false
+        }).select().single();
+        return subErr ? {
+          success: false,
+          error: subErr.message
+        } : {
+          success: true,
+          data: sub
+        };
+      }
+    case "delete_subscription":
+      {
+        if (!args.subscription_id) return {
+          success: false,
+          error: "subscription_id required"
+        };
+        const {
+          error: delErr
+        } = await supabase.from("workflow_event_subscriptions").delete().eq("id", args.subscription_id).eq("store_id", sid);
+        return delErr ? {
+          success: false,
+          error: delErr.message
+        } : {
+          success: true,
+          data: {
+            deleted: true
+          }
+        };
+      }
+    case "list_events":
+      {
+        let q = supabase.from("automation_events").select("id, store_id, event_type, event_payload, source, status, processed_at, error_message, created_at").eq("store_id", sid).order("created_at", {
+          ascending: false
+        });
+        if (args.event_type) q = q.eq("event_type", args.event_type);
+        if (args.status) q = q.eq("status", args.status);
+        const {
+          data,
+          error
+        } = await q.limit(args.limit || 50);
+        return error ? {
+          success: false,
+          error: error.message
+        } : {
+          success: true,
+          data
+        };
+      }
+    case "list_tools":
+      {
+        const {
+          data,
+          error
+        } = await supabase.from("ai_tool_registry").select("name, description, category, definition, tool_mode, is_read_only, requires_store_id").eq("is_active", true).or("tool_mode.is.null,tool_mode.neq.code").order("category").order("name");
+        if (error) return {
+          success: false,
+          error: error.message
+        };
+        const tools = (data || []).map(row => {
+          const def = row.definition;
+          const inputSchema = def?.input_schema;
+          const actionProp = inputSchema?.properties?.action;
+          const actions = actionProp?.enum || [];
+          return {
+            name: row.name,
+            description: row.description || def?.description || "",
+            category: row.category || "other",
+            actions,
+            input_schema: inputSchema || null,
+            tool_mode: row.tool_mode || null,
+            is_read_only: row.is_read_only ?? false,
+            requires_store_id: row.requires_store_id ?? false
+          };
+        });
+        return {
+          success: true,
+          data: {
+            tools
+          }
+        };
+      }
+    default:
+      return {
+        success: false,
+        error: `Unknown workflow action: ${action}`
+      };
+  }
 }
+//# sourceMappingURL=workflows.js.map