USDA lot drawdown commit · risk 4

01 / Trigger
02 / Context + preconditions
03 / HITL gate (Mike approves)
04 / Fan-out cascade
05 / Post actions (log_run + reflexion + events)
06 / Verify (SQL / R2 / HTTP checks)

How this workflow gets kicked off. Could be a chat-tool invocation, a cron tick, an inbound event (e.g. price.changed), or Mike clicking 'execute' from an admin page.

TRIGGER
  kind: event
  sources: inventory_threshold_cron, manual_lot_close
  invoker: Mike (single-admin)
  risk_level: 4
  Diagram node: Manual · Mike invokes · risk 4

Before deciding anything, pull related data from D1 (the local mirror of NetSuite). Each query loads a slice of the entity's current state so the AI and Mike can review before any writes happen.

LOAD CONTEXT (D1 queries before fan-out)
  current_lots: SELECT lot_id, remaining_qty, unit_cost FROM usda_commodity_lots WHERE commodit…
  affected_quotes: SELECT id FROM quotes q JOIN quote_lines ql ON ql.quote_id=q.id WHERE ql.item_c…
  Diagram node: Load context · 2 D1 queries

Safety checks that must pass before any writes. 'block' severity halts the run; 'warn' surfaces a warning but continues. Without these, a bad input could cascade into NetSuite.

PRECONDITIONS (checked before fan-out)
  [block] next_lot_exists: current_lots.length > 0
  [warn] cost_diff_reasonable: abs(next_lot_unit_cost - exhausted_lot.unit_cost) / exhausted_lot.unit_cost < 0…
  Diagram node: Preconditions · 2 checks

The HITL (Human-In-The-Loop) gate. The workflow stages a proposed_action and waits for Mike to approve in /proposed-actions.html. Only fires when risk_level >= 3. This is the invariant: no NS write happens without Mike's go-ahead.

HITL GATE (Mike approves before fan-out)
  action_type: workflow_usda_drawdown_commit
  entity_ref: workflow:usda_drawdown_commit:run_<run_id>
  approver: mike (single-admin)
  risk_gate: >= 3 (this workflow = 4)
  approval window: typical <= 60 min
  envelope: proposed_actions row staged by runner
  Diagram node: Mike approves · stage_proposed_action · risk ≥ 3 gate

Write to the local D1 mirror (the read-side cache of NetSuite). Used for derived data and platform state. STUB today - per-tool d1_write logic lives in chat_tools/impls.ts.

FAN-OUT #update_vendor_costs -> D1: multiple
  kind: d1_write
  op: INSERT vendor_costs row with new weighted avg
  status: REAL (src/lib/workflow_runner.ts)
  Diagram node: update_vendor_costs · d1_write · STUB

Invoke an existing chat tool (one of 50+ registered in tool_registry) as part of the cascade. STUB today - runner doesn't yet dispatch.

FAN-OUT #recompute_assemblies -> tool: recompute_assembly_cost_rollup
  kind: chat_tool
  tool: recompute_assembly_cost_rollup
  status: REAL (src/lib/workflow_runner.ts)
  Diagram node: recompute_assemblies · chat_tool · STUB

Queue a write for Mike's HITL approval - staged in the proposed_actions table with status='pending'. Doesn't touch NetSuite directly. Real implementation.

FAN-OUT #flag_affected_quotes -> proposed_actions
  kind: stage_proposed_action
  action_type: flag_stale_quote
  status: REAL (src/lib/workflow_runner.ts)
  Diagram node: flag_affected_quotes · stage_proposed_action · REAL

Write to the local D1 mirror (the read-side cache of NetSuite). Used for derived data and platform state. STUB today - per-tool d1_write logic lives in chat_tools/impls.ts.

FAN-OUT #usda_reconcile -> D1: usda_commodity_programs
  kind: d1_write
  op: UPDATE usda_commodity_programs SET reconciliation_status='pending' WHERE prog…
  status: REAL (src/lib/workflow_runner.ts)
  Diagram node: usda_reconcile · d1_write · STUB

Always-runs at the end of every workflow execution: writes a row to workflow_run_log with status, duration, step counts, and errors. Real implementation.

POST ACTION: log_run -> D1: workflow_run_log
  fields: run_id, workflow_type, status, started_at, completed_at, summary_json
  source: runner automatic (always)
  Diagram node: log_run · workflow_run_log · REAL

Writes an entry to reflexion_log so the AI 'remembers' what happened. Only fires if the contract has reflexion_enabled=1. Future workflows can search this log for prior context. Real implementation.

POST ACTION: reflexion -> D1: reflexion_log
  tags: usda_drawdown_commit
  reflexion_enabled: True
  fields: run_id, narrative, tags
  source: runner automatic (when reflexion_enabled=1)
  Diagram node: reflexion · reflexion_log · REAL

Fires a workflow.completed / workflow.partial / workflow.failed event into the event ledger so downstream subscriptions can react. Uses an idempotency_key so producer retries collapse. Real implementation (R564).

POST ACTION: event -> Event ledger (recordEvent)
  types: workflow.completed | workflow.partial | workflow.failed
  idempotency_key per run_id
  source: runner automatic
  Diagram node: event · workflow.completed · REAL

A post-execution sanity check. The runner stages this with status='pending'; the verify-scheduler cron (every :08 and :38 hourly) wakes up after the configured window (e.g. +24h) and executes the sql_check, then flips status to pass/fail/timeout. Real implementation (R564).

VERIFY: new_cost_applied
  window: 10s
  sql_check: SELECT unit_cost FROM vendor_costs WHERE effective_from=? ORDER BY id DESC LIMI…
  scheduler: verify cron @ :08/:38 (R563)
  result row: workflow_verify_results
  Diagram node: new_cost_applied · ≤60m

Legend: User UI · Agent logic · Policy · Tool action · Context / trace

Contract

  • Type: usda_drawdown_commit
  • Risk: 4
  • Trigger: manual
  • Fan-out: 4 targets

HITL semantics

  • risk ≥ 3 ⇒ stage_proposed_action
  • Mike approves before fan-out
  • REAL = solid green · STUB = dashed
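
The ordering this page describes (block/warn preconditions first, then the risk ≥ 3 approval gate before any fan-out), as an added TypeScript example that is not the project's runner code. The type and function names, the in-memory approvals map standing in for proposed_actions, and the cost-diff threshold parameter (the page truncates the real value) are assumptions.

```typescript
// Added example. All names are hypothetical; this is not src/lib/workflow_runner.ts.
type GateStatus = "pending" | "approved" | "rejected";
interface CommodityLot { lot_id: string; remaining_qty: number; unit_cost: number }
interface GateCtx { current_lots: CommodityLot[]; next_lot_unit_cost: number; exhausted_lot: CommodityLot }
interface Precheck { name: string; severity: "block" | "warn"; ok: (c: GateCtx) => boolean }
interface GateDecision { outcome: "halted" | "awaiting_approval" | "fan_out"; reason: string; warnings: string[] }

const RISK_GATE = 3; // from the page: the gate fires when risk_level >= 3

// The page truncates the cost-diff threshold, so it is a parameter here (assumption).
function usdaChecks(maxCostDiff: number): Precheck[] {
  return [
    { name: "next_lot_exists", severity: "block", ok: c => c.current_lots.length > 0 },
    { name: "cost_diff_reasonable", severity: "warn",
      // A zero unit_cost yields NaN or Infinity; both compare false, so the warning fires.
      ok: c => Math.abs(c.next_lot_unit_cost - c.exhausted_lot.unit_cost) / c.exhausted_lot.unit_cost < maxCostDiff },
  ];
}

function entityRef(runId: string): string {
  return `workflow:usda_drawdown_commit:run_${runId}`;
}

// approvals stands in for the proposed_actions table, keyed by entity_ref.
function gate(runId: string, risk: number, ctx: GateCtx, checks: Precheck[],
              approvals: Map<string, GateStatus>): GateDecision {
  const warnings: string[] = [];
  for (const chk of checks) {
    if (chk.ok(ctx)) continue;
    if (chk.severity === "block") return { outcome: "halted", reason: chk.name, warnings };
    warnings.push(chk.name); // 'warn' is surfaced to the approver but does not stop the run
  }
  if (risk < RISK_GATE) return { outcome: "fan_out", reason: "below risk gate", warnings };
  const ref = entityRef(runId);
  const status = approvals.get(ref);
  if (status === undefined) {
    approvals.set(ref, "pending"); // stage once; a re-run finds the existing row
    return { outcome: "awaiting_approval", reason: "staged", warnings };
  }
  if (status === "approved") return { outcome: "fan_out", reason: "approved", warnings };
  // Fail closed: pending or rejected never reaches fan-out.
  return { outcome: status === "rejected" ? "halted" : "awaiting_approval", reason: status, warnings };
}
```

The only path to fan_out at risk 4 is an explicit "approved" row; a missing, pending or rejected row all stop short of writes.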

Post actions

  • log_run → workflow_run_log
  • reflexion → reflexion_log
  • event → workflow.completed
  • verify × 1