Choose the smallest controlled primitive first

Validation, a rule, human task, persistent workflow, integration, scheduler, and domain code solve different problems. The choice needs an owner, authority, failure path, and terminal evidence.

Bounded answer

Real workflow primitives still need a controlled operating process

Open Mercato supplies workflow definitions and instances, human tasks, rules, activities, signals, timers, parallel branches, compensation, events, permissions and operator surfaces. A dependable business outcome still requires process design, authority, identity, integration contracts, queue and worker operation, acceptance, recovery, reconciliation and accountable owners.

Reviewed
2026-07-14
Revision
01911d00e28f44cf484d0b1d04860dcfef5370bf (v0.6.5-1202-g01911d00e)
Latest public tag
v0.6.5

Released milestones and current source

  1. Released

    v0.5.0

    Activity failure and timeout handling, serialized instance execution, trigger regex safety, webhook SSRF controls, and CALL_API role resolution.

  2. Released

    v0.6.0

    Additional outbound-webhook DNS-rebinding protection and initiator-based CALL_API role resolution.

  3. Released

    v0.6.2

    Code-defined workflows with customize and reset behavior.

  4. Released

    v0.6.3

    WAIT activities and WAIT_FOR_TIMER steps.

  5. Released

    v0.6.4

    Parallel fork/join, workflow ACL dependencies, failure persistence, compensation fixes, and integration coverage.

  6. Latest reviewed public tag

    v0.6.5

    Public baseline, not proof that every current composition is production-ready.

  7. Current source

    current

    Ninety-three workflow and business-rule paths differ from v0.6.5; current behavior below remains explicitly post-tag.

Workflow or rule decision model

configurable

Simple validation

Is simple validation the smallest controlled primitive?

primitive
Business rule validation or domain validator
surface
Rule/editor and command boundary
release
released/current
runtime
Synchronous evaluator or domain command
identity
Calling actor
authority
The process owner defines whether a human decision is required.
recovery
Reject with a specific error; retry only after correction
evidence
Validation result plus denied case
owner
Domain owner
limitation
An event subscriber is not universal pre-write enforcement
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Calculated decision

Is calculated decision the smallest controlled primitive?

primitive
CALCULATION rule or custom service
surface
Rule engine/API
release
released/current
runtime
Deterministic inputs and timeout
identity
Calling actor
authority
The process owner defines whether a human decision is required.
recovery
Fail closed or route to review
evidence
Golden calculations and logs
owner
Policy owner
limitation
A returned result is not a posted transaction
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Assignment suggestion

Is assignment suggestion the smallest controlled primitive?

primitive
ASSIGNMENT rule
surface
Rule engine/API
release
current
runtime
Scoped data and deterministic policy
identity
Calling actor
authority
The process owner defines whether a human decision is required.
recovery
Fallback queue or named owner
evidence
Assignment result and override record
owner
Operations owner
limitation
Suggestion is not accepted human authority
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

available

Stateful multi-step process

Is stateful multi-step process the smallest controlled primitive?

primitive
Workflow definition and instance
surface
Visual/form editor, APIs, instance UI
release
released/current
runtime
Database, engine and enabled definition
identity
Initiator or author policy
authority
The process owner defines whether a human decision is required.
recovery
Persist failure, retry or cancel under policy
evidence
Terminal engine state plus business evidence
owner
Process owner
limitation
COMPLETED is engine state, not external outcome
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Human approval

Is human approval the smallest controlled primitive?

primitive
USER_TASK plus manual transition
surface
Task UI and APIs
release
released/current
runtime
Assignment, claim and completion path
identity
Named approver role
authority
A named person or role must hold decision authority.
recovery
Overdue visibility and manual escalation plan
evidence
Task actor, decision and authority evidence
owner
Approval owner
limitation
Due date does not prove automatic escalation
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

integration-required

Wait for external input

Is wait for external input the smallest controlled primitive?

primitive
WAIT_FOR_SIGNAL
surface
Signal API and waiting instance
release
current
runtime
Authenticated correlation contract
identity
Scoped signal caller
authority
The process owner defines whether a human decision is required.
recovery
Duplicate, late, missing and replay policy
evidence
Provider acknowledgement and reconciliation
owner
Integration owner
limitation
Signal endpoint is not a verified provider webhook
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Delayed action

Is delayed action the smallest controlled primitive?

primitive
WAIT_FOR_TIMER
surface
Delayed queue job
release
released/current
runtime
Queue and discovered worker
identity
Worker service identity
authority
The process owner defines whether a human decision is required.
recovery
Expired, cancelled and replay policy
evidence
Timer event and resulting state
owner
Runtime owner
limitation
A timer is not a recurring scheduler
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Parallel work

Is parallel work the smallest controlled primitive?

primitive
PARALLEL_FORK and PARALLEL_JOIN
surface
Definition and instance branch data
release
released/current
runtime
Branch execution and join policy
identity
Initiator plus activity identities
authority
The process owner defines whether a human decision is required.
recovery
Partial failure and context-conflict recovery
evidence
Branch and join evidence
owner
Process owner
limitation
Parallelism is not transactionality
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

configurable

Sub-process

Is sub-process the smallest controlled primitive?

primitive
SUB_WORKFLOW
surface
Definition and instance linkage
release
current
runtime
Child definition and correlation
identity
Traceable initiator
authority
The process owner defines whether a human decision is required.
recovery
Child failure, cancellation and recovery
evidence
Parent-child terminal evidence
owner
Process owner
limitation
A child completion is not an external acknowledgement
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

integration-required

External integration

Is external integration the smallest controlled primitive?

primitive
CALL_WEBHOOK, CALL_API or signal
surface
Activity worker/API
release
released/current
runtime
Endpoint contract, auth, idempotency and worker
identity
Least-privilege service or initiator
authority
The process owner defines whether a human decision is required.
recovery
Retry, outage, terminal failure and reconciliation
evidence
External acknowledgement
owner
System owner
limitation
Activity success alone may not prove business completion
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

custom

Recurring schedule

Is recurring schedule the smallest controlled primitive?

primitive
Custom scheduler or external trigger
surface
Outside reviewed workflow primitive
release
not established
runtime
Scheduler, ownership and calendar policy
identity
Service identity
authority
The process owner defines whether a human decision is required.
recovery
Missed-run and duplicate-run recovery
evidence
Run ledger and reconciliation
owner
Operations owner
limitation
WAIT_FOR_TIMER does not establish recurrence
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

custom

Custom domain logic

Is custom domain logic the smallest controlled primitive?

primitive
Command handler, registered function or module code
surface
Extension seam
release
current framework
runtime
Reviewed code, tests and deployment
identity
Traceable actor/service
authority
The process owner defines whether a human decision is required.
recovery
Domain-specific rollback or manual repair
evidence
Domain acceptance evidence
owner
Domain owner
limitation
Visual editing does not replace engineering review
confidence
high
source
workflow and business-rules source at 01911d00e28f44cf484d0b1d04860dcfef5370bf
reviewed
2026-07-14

Workflow control map

1. process boundary

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

2. trigger

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

3. definition source

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

4. initial context

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

5. states and steps

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

6. transitions

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

7. conditions

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

8. user tasks

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

9. assignments

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

10. activities

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

11. signals

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

12. timers

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

13. parallel branches

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

14. sub-workflows

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

15. side effects

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

16. external systems

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

17. retries

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

18. idempotency

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

19. compensation

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

20. observability

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

21. reconciliation

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

22. change control

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

23. operating ownership

Name the current primitive, source and terminal evidence, human or technical authority, dependency, denial and failure path, recovery, reconciliation, owner and acceptance gate.

Definition, instance and outcome are different

  1. 1

    Definition and selected source

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  2. 2

    Running instance and correlation

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  3. 3

    Engine terminal state

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  4. 4

    Executed side effect

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  5. 5

    External acknowledgement

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  6. 6

    Reconciliation check

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

  7. 7

    Business acceptance

    Advance only with its own source record, scope, identity, expected state, failure evidence and accountable acceptance.

Nine step types

START

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

END

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

USER_TASK

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

AUTOMATED

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

PARALLEL_FORK

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

PARALLEL_JOIN

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

SUB_WORKFLOW

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

WAIT_FOR_SIGNAL

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

WAIT_FOR_TIMER

Verify intended use, entry and exit, identity, dependency, timeout, duplicate and failure behavior, evidence, limitation and recovery before activation.

Seven activity types and execution boundaries

SEND_EMAIL

May fall back to console logging without a provider while returning a sent-like result. Require provider delivery evidence.

CALL_API

Uses a temporary scoped API key from traceable active roles and refuses a no-role fallback. Require least privilege and replay safety.

EMIT_EVENT

Uses the event bus; an internal event is not external acknowledgement.

UPDATE_ENTITY

Uses the command bus; require command contract, scope, attribution, idempotency and failure tests.

CALL_WEBHOOK

Guards outbound URLs and rejects redirects. Authentication, signing, rate limits, idempotency, outage handling and reconciliation remain project controls.

EXECUTE_FUNCTION

Only registered reviewed functions fit; never put credentials in definitions or interpolation allowlists. APP_URL is allowed by default.

WAIT

Synchronous delay or queued work still needs timeout, worker, retry, backlog and cancellation policy.

Runtime, task and reliability controls

Asynchronous activities and timers use the workflow-activities queue and discovered worker. Production operation needs an explicit queue strategy, Redis where applicable, worker startup and graceful shutdown, concurrency, retry and backoff, terminal-failure policy, backlog metrics, alerts, replay controls, idempotency and an on-call owner. Event triggers require trusted tenant and organization context, exclude internal prefixes, map context and limit concurrent instances; debounceMs is not enforced in reviewed execution evidence. Signals need authenticated correlation and duplicate, late, missing, timeout, cancellation and replay policy. User tasks support direct or role assignment, claim, completion, forms, due dates and overdue display; automatic escalation, substitution, delegation, reminders, calendar-aware SLA and segregation of duties are not established.

Code and documentation conflict ledger

definition-versioning

Observed: Documentation describes immutable coexisting versions; current DB uniqueness and update API mutate one tenant workflow row.

Safe publication: Publish version as metadata and require a change log, promotion, active-instance policy and rollback.

Unknown: Immutable coexisting database versions remain unknown.

rule-side-effects

Observed: Rule action handlers return descriptors for notification, field, webhook and event actions.

Safe publication: Publish conditional evaluation and named workflow guards.

Unknown: A general side-effect dispatcher is not established.

pre-write

Observed: The CRUD subscriber evaluates trusted events after emission.

Safe publication: Publish event-scoped evaluation only.

Unknown: Universal before-write enforcement across UI, API, integration and commands is not established.

debounce

Observed: Schema and editor expose debounceMs; reviewed trigger processing does not consume it.

Safe publication: Publish filters, mapping, exclusions and concurrency limits.

Unknown: Enforced debounce is not established.

escalation

Observed: Tasks store due and escalation-shaped fields; runtime calculates due dates and UI shows overdue.

Safe publication: Publish assignment, claim, completion, due date and overdue display.

Unknown: Automatic escalation, reminders, delegation, substitution and calendar SLA are not established.

email-fallback

Observed: SEND_EMAIL can log to console when no email service is available while returning a sent-like result.

Safe publication: Publish the handler and require provider delivery evidence.

Unknown: Do not call an email delivered from engine result alone.

Ten workflow decisions

  1. 1

    Outcome and process boundary

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  2. 2

    Trigger and correlation

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  3. 3

    States and transitions

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  4. 4

    Rules and decision authority

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  5. 5

    Human tasks and approval

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  6. 6

    Side effects and systems

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  7. 7

    Identity and permissions

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  8. 8

    Failure and compensation

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  9. 9

    Observability and reconciliation

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

  10. 10

    Change and operating ownership

    Record the chosen primitive, authority, identity, evidence, failure, recovery, reconciliation, owner and stop condition.

Three synthetic process examples

Hypothetical only

Hypothetical purchase approval

Load the abstract canvas to inspect primitives, configuration, identity, human control, external boundary, exception, recovery, reconciliation evidence and a stop.

Hypothetical only

Hypothetical external confirmation

Load the abstract canvas to inspect primitives, configuration, identity, human control, external boundary, exception, recovery, reconciliation evidence and a stop.

Hypothetical only

Hypothetical parallel onboarding

Load the abstract canvas to inspect primitives, configuration, identity, human control, external boundary, exception, recovery, reconciliation evidence and a stop.

Local planning tool

Workflow control canvas

Completeness of decision fields is not a readiness, maturity, compliance or fit score.

Do not enter real data: Do not enter real customer, employee, supplier, order, invoice, product, process, endpoint, credential, role, price, regulated decision, production ID, internal SLA or confidential business data. Use abstract labels and synthetic examples only.

Privacy: this page does not submit worksheet content, place it in the URL, or store it in cookies.

Required-field progress: Not started (0/34). This is not a fit score or readiness decision.
Planning row 1

Manager acceptance pack

1. happy path

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

2. rejected rule

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

3. unauthorized actor

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

4. wrong organization

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

5. duplicate event

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

6. concurrent instance

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

7. repeated signal

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

8. missing signal

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

9. expired timer

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

10. abandoned task

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

11. overdue task

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

12. worker outage

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

13. queue backlog

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

14. transient API failure

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

15. permanent API failure

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

16. webhook redirect or unsafe URL

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

17. email fallback

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

18. partial parallel failure

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

19. compensation failure

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

20. stale definition edit

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

21. active-instance definition change

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

22. cancellation

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

23. retry

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

24. external mismatch

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

25. manual recovery

Specify synthetic setup, allowed and denied actors, expected engine and external states, prohibited side effects, evidence, cleanup and recovery owner.

Stop or choose another starting point

  • no stable process owner.
  • decision authority is undefined.
  • side effects are unsafe or non-idempotent.
  • no external-system contract exists.
  • no worker or queue operator exists.
  • no reconciliation or recovery owner exists.
  • visual edits are uncontrolled.
  • regulated approval lacks independent validation.
  • turnkey BPMN, process mining, or desktop RPA is required.
  • acceptance evidence has no owner.

Method and limitations

Evidence was refreshed at the exact revision across workflow and business-rule entities, validators, executors, handlers, workers, APIs, ACLs, user and framework documentation, changelog and tags. Code-defined and database-defined workflows coexist; a tenant DB override takes precedence and can be customized or reset. Runtime editing is not source control. Current definition persistence does not prove immutable coexisting database versions. Parallel work and configured compensation are not transactions or universal rollback.

This guide does not establish process correctness, general rule side effects, immutable versioning, debounce, escalation, email delivery, operated queues, external integration success, legal control effectiveness, performance, cost, timing, support or roadmap. It is not BPMN or DMN exchange, process mining, desktop RPA, universal case management or AI-authored process correctness.

Method, assumptions and limitations

Reviewed 14 July 2026. Product facts were checked against both the public code at the cited repository revision and official documentation. Where documentation and code differ, this guide describes behavior supported by code. Interpretations and recommendations concern implementation work, not product guarantees.

This material is not a quote, audit, certification, or legal, tax, or accounting advice. Edition, enabled modules, configuration, custom code, infrastructure, data, third-party providers, and operating practices affect the outcome.