Status: 📋 Specification
Spec Reference: FW-52-workflow-import-export-portability.md
Last Updated: 2026-03-22
Overview
FW-52 adds portable JSON/YAML packages for workflow definitions with optional bundled forms (FW-01) and decision tables (FW-45). Export strips tenant UUIDs; import performs validation, dry-run analysis, conflict resolution, and transactional apply via a SECURITY DEFINER RPC. Automation rules are not bundled in Phase 1.Integration Points (from Spec)
API / Edge Functions
Shared requirements:
getCorsHeaders, verifyOrgAccess, createLogger; verify_jwt: true.
AuthZ: fw.workflows.export (export), fw.workflows.import (import/dry-run/apply).
Platform Integration Layer
Security and Tenant Isolation
- No PHI in packages or logs (definitions only).
- All DB writes scoped to
organization_id; RPC runs as SECURITY DEFINER with explicitp_organization_idchecks. - RLS on
fw_import_logsviafw_has_org_access+pf_has_permission.
UI Routes (canonical)
Register in
src/routes/fw.tsx; labels in src/platform/navigation/route-labels.ts. Workflow export remains in-context on /fw/automations/:id/workflow (and other existing workflow surfaces).
Audit (PF-04)
On successful apply (client after RPC returns, or edge after RPC succeeds):logAuditEvent with action: 'workflow_import_applied', resource: 'fw_import_logs', module: 'fw', and count-only metadata (see spec FR-8.1). No cross-core event required for MVP.
Event Contracts
- None required for MVP (audit via
pf_audit_logsthroughlogAuditEvent).