Workflow model
- Draft: editable, not externally executable
- Published: executable via internal/external triggers
- Unpublished: retained configuration, execution disabled
Trigger token security
- Treat trigger URLs as bearer secrets.
- Never expose token URLs in public docs, screenshots, or client-side logs.
- Rotate tokens if compromised or shared with the wrong party.
Execution history
- Every trigger should produce an execution record.
- Execution records provide status and debugging context.
- Keep execution review in standard incident process for failed automations.
Plan and role boundaries
- Workflow access depends on plan entitlement and workspace role.
- Support should verify plan and role before debugging workflow behavior.