Workflow Automation is the ninth CleverInit module and the platform's programmability layer. Install it on your tenant and your operations team can chain triggers to actions on a visual canvas — no developer required. Welcome a new customer after a CustomerCreatedV1 event. Dun a failed payment. Nudge a trial three days before it ends. Pause a renewal until a tenant admin approves. Every recipe runs inside your tenant, against the data you already own, with durable execution and full audit.
What makes it different: it is not yet another Zapier. Zapier connects to anything, but it has no knowledge of your data shape. Workflow Automation is opinionated to CleverInit's vocabulary — every installed module contributes its events as triggers and its Commands as actions, automatically. Most workflows never make an outbound network call. The cost per run is near-zero and the integration-quality lottery disappears.
A tenant operator opens the canvas. Drags a PaymentFailedV1 trigger. Wires it to Send Email. Adds a 2-day delay. Adds a Request Approval node. Wires approval to Retry Charge (a Command exposed by the payment-gateways module). Hits Publish. Twenty minutes later a real payment fails — the workflow fires, the email goes out, the approval lands in the tenant admin's inbox, and the retry runs in the same audited MediatR pipeline as every other Command. No engineer touched a keyboard. No external SaaS subscription was added.
Workflow Automation pays off for any team whose job is to react to platform state — not just for power users. These are the personas that adopt it on day one.
Automate onboarding sequences, document expiry reminders, weekly digests, and any when-X-happens-do-Y rule that today lives in a manual checklist or a stale spreadsheet.
Trial-ending nudges, churn-risk save flows, VIP thank-yous, abuse-report escalation — all with human-in-the-loop approval where judgment matters.
Failed-payment dunning, invoice-due reminders, renewal post-flight emails. Pause and approve before invoicing edge cases. Full audit trail on every run.
Bundle vertical-specific templates — fintech onboarding, e-commerce abandoned-cart, healthcare consent — and turn generic CleverInit into a vertical SaaS without changing a single line of code.
Authoring is a drag-and-drop graph. Publishing is a typed validation pass. Execution is durable. No engineer is in the loop unless an action's permission requires it.
Any *V1 event from any installed module. Or a cron schedule. Or a signed webhook. Or a manual Run-now button. Or a sub-workflow invocation.
Drag actions, conditions, parallel branches, loops, waits, and approval nodes. Connect output ports to input ports. The editor validates as you build.
No orphan nodes. No accidental cycles. No sub-workflow recursion. No expression that exceeds execution caps. Publish is blocked until the graph is provably safe.
A new version goes live. New triggers run against it; in-flight runs continue against their original version. The runner heartbeats every step — process restarts resume from the last checkpoint.
Every step writes input, output, error, duration, and cost. PII is redacted before persistence. Replay any historical run. Dry-run any draft against mock side effects.
Six categories ship at v1. Every installed module can contribute more without editing this module — register an action or a trigger from your module's contracts package and the editor surfaces it automatically.
When customers, invoicing, payment-gateways, chat, or any future module ships, its events become triggers and its Commands become actions. No edits to Workflow Automation. No coordination. The palette grows with your marketplace.
Each template is a complete, working workflow you can clone into your tenant in two clicks. The template is hidden in the editor if a required source module isn't installed.
A two-touch welcome sequence that warms up a new customer without spamming their inbox. Drop in your brand template and publish.
Recover failed payments without writing a single line of code. The retry runs through your payment-gateways module's existing Command, with full audit.
A scheduled trigger queries subscription-manager for trials about to end, then sends a personalised nudge to each customer in their locale.
When insights flags a churn risk, this workflow warms the customer up first, then asks a CSM whether to approve a retention discount before sending it.
Close the loop after every successful renewal. VIP customers get an extra personal touch automatically — no human picks up the phone.
A weekly summary email of platform health, automatically summarised by AI Copilot when installed. When it isn't, the digest still ships with raw numbers.
Durability, encryption, signed webhooks, default-deny outbound, per-tenant quotas, and snapshotted permissions — every guardrail is on by default and surfaces in the audit log.
Every step transition is persisted before the step starts and after it completes. A process restart, deploy, or host crash never loses an in-flight run — the runner replays from the last checkpoint with idempotency keys protecting side effects.
Workflow secrets (API keys, HTTP basic auth, OAuth tokens) are AES-256 encrypted with ASP.NET Core Data Protection — the same key chain as the payment-gateways module. Plaintext is resolved only inside the runner's request scope, never logged, never returned by the API.
Inbound webhook triggers verify HMAC-SHA256 signatures over the request body before any step executes. The signing secret rotates on a tenant operator's command. Unsigned or wrong-signed requests get 401 — never a partial run.
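The verify-before-run order described above, as an added Python sketch; it is not CleverInit's code. The header name `X-Signature`, the `sha256=<hex>` encoding and the 202 success status are assumptions made for illustration.

```python
import hashlib
import hmac

SIG_HEADER = "X-Signature"   # hypothetical header name (assumption)
SIG_PREFIX = "sha256="       # hypothetical encoding: prefix + hex digest


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return SIG_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: True only if the header carries a valid MAC for body."""
    presented = headers.get(SIG_HEADER, "")
    if not presented.startswith(SIG_PREFIX):
        return False  # unsigned, or a scheme we do not accept
    expected = sign(secret, body)
    # Constant-time comparison so response timing does not leak MAC bytes.
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_webhook(secret: bytes, body: bytes, headers: dict, start_run) -> int:
    """Check the MAC on the raw body before parsing it or starting any step."""
    if not verify(secret, body, headers):
        return 401            # rejected: start_run is never called
    start_run(body)
    return 202                # accepted status code is an assumption


if __name__ == "__main__":
    # Constructed sample values, not real secrets or payloads.
    secret, body = b"constructed-secret", b'{"event":"PaymentFailedV1"}'
    runs = []
    print(handle_webhook(secret, body, {SIG_HEADER: sign(secret, body)}, runs.append))
    print(handle_webhook(secret, body + b" ", {SIG_HEADER: sign(secret, body)}, runs.append))
    print(handle_webhook(b"rotated-secret", body, {SIG_HEADER: sign(secret, body)}, runs.append))
```

The MAC is computed over the raw request bytes, so the body must be captured before any JSON parsing or re-serialization changes it.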
Outbound HTTP blocks private IP space and defends against DNS rebinding by default. The runner resolves hostnames once, binds the socket to the resolved IPs, and rejects anything on the deny-list. Per-tenant allow-lists open specific internal hosts only when explicitly configured.
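A resolve-once, pin-the-answer guard of the kind described above, as an added Python sketch; it is not CleverInit's code. The function names, the injectable `resolver` parameter and the use of "not globally routable" as the deny-list are assumptions.

```python
import ipaddress
import socket


class OutboundDenied(Exception):
    """Raised when a destination resolves to an address on the deny-list."""


def system_resolver(host):
    """Default resolver: a single getaddrinfo call, all A/AAAA answers."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def vet_destination(host, allow_nets=(), resolver=system_resolver):
    """Resolve host exactly once and return the IPs the socket may use.

    Any answer that is not globally routable and not covered by the tenant
    allow-list (allow_nets, CIDR strings) rejects the whole request. The
    caller connects to the returned IPs and never re-resolves the name.
    """
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    answers = resolver(host)
    if not answers:
        raise OutboundDenied(f"{host}: no addresses")
    pinned = []
    for raw in answers:
        ip = ipaddress.ip_address(raw)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for private, loopback, link-local, CGNAT, etc.
        if not ip.is_global and not any(ip in net for net in allowed):
            raise OutboundDenied(f"{host} -> {ip} is on the deny-list")
        pinned.append(str(ip))
    return pinned


if __name__ == "__main__":
    # Constructed resolver: public answer first, metadata address afterwards,
    # which is the answer pattern a DNS-rebinding name would produce.
    seq = iter([["93.184.216.34"], ["169.254.169.254"]])
    print(vet_destination("rebind.example", resolver=lambda h: next(seq)))
```

Because the check and the connection use the same single DNS answer, a name that later re-resolves to an internal address cannot redirect a request that has already been vetted.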
Concurrent runs, daily run cap, per-workflow concurrency, outbound HTTP rate limits, max steps per workflow, max nesting depth, max run duration, max payload size. Every cap is configurable. Breaches publish WorkflowQuotaBreachedV1 for monitoring.
A workflow runs with its owner's effective permissions captured at trigger time. Every publish, run, approval, secret rotation, and quota change writes an immutable audit entry. Replay any historical run for forensics or debugging.
Install from your marketplace, pick a built-in template, and a failed-payment dunning, a trial-ending nudge, or a weekly digest can be live on your tenant before lunch — running on the durable engine, against the data you already own.