Status: ✅ Complete
Spec Reference: FW-46-durable-execution-worker.md
Last Updated: 2026-03-16
Overview
FW-46 introduces a durable, queue-backed workflow execution worker that processesfw_workflow_executions records from queued/retry_pending states using pgmq plus scheduled worker invocation. The integration reuses existing FW execution logic (automation-executor) and platform primitives (PF-01 tenant model, PF-10 notification delivery), while adding dead-letter routing and retry-safe checkpointing.
Integration Points (from Spec)
API / Platform Contracts
- Worker edge function (planned):
workflow-executor-worker- Triggered on schedule and processes batched queue messages.
- Database function (planned):
fw_claim_queued_executions()FOR UPDATE SKIP LOCKEDfallback claim path when queue read path is unavailable.
- RPC function (planned):
fw_enqueue_form_submission_automation()- User-callable enqueue path for form-submission automation bridge with org access validation.
- Shared execution contract: worker delegates to existing FW-03 automation execution logic (single source of execution semantics).
Scheduled Processing Contract
- Job Name:
process-workflow-queue - Schedule:
* * * * *(or*/10 * * * * *when second-level pg_cron is available) - Invocation Target:
workflow-executor-workeredge function - Batch Behavior: process queue in batches, acknowledge success, retry on transient failure, route permanent failures to
workflow_dlq - Concurrency Safety: semaphore/state guard prevents overlapping worker runs
Event Contracts
FW-46 does not introduce a new external cross-core event contract in Phase 1. It extends FW internal event-processing flow by connecting FW-16 queued execution production to worker consumption and execution orchestration.Security and Tenant Isolation
- Queue payloads contain only operational identifiers (
execution_id,rule_id,organization_id), not PHI/PII. - Worker runtime uses service-role credentials via Vault; no end-user token storage in queue messages.
- Organization scoping is verified at message processing time against execution records.
- User-callable enqueue RPC validates org access (
fw_has_org_access()) before accepting requests. - Error persistence uses sanitized messages; internal stack traces are not exposed.