Core Concepts

Agent workflows and run graphs

Use your agent framework for planning. Use Synapsor for the workflow contract: allowed capabilities, trusted session fields, evidence, native branches or external review branches, external actions, approvals, and replay.

Overview

Use your agent framework for planning. Put the approval and audit contract in Synapsor. LangGraph, OpenAI Agents SDK, CrewAI, MCP, or custom code can decide what happens next; Synapsor handles the database-side trust layer underneath the agent.

Keep planning and routing in your app or agent framework. Use Synapsor for the database-enforced part of the run: allowed capabilities, required evidence, native branch state or external review-branch proposal state, idempotent external actions, approval requirements, and replayable history.

With CREATE AGENT WORKFLOW, Synapsor records the enforceable database contract for a business process. LangGraph, OpenAI Agents SDK, CrewAI, MCP, or a custom loop can still choose what happens next; Synapsor validates each durable step against the workflow contract.

Synapsor workflows do not make the agent smarter. They make the agent's actions safer, clearer, replayable, and easier to approve.

The current surface records workflow runs and run graphs, links external-action outbox intents into the same graph, supports agent eval suites over stored workflow runs, governs memory evolution policies, exposes reviewed framework adapters, and returns trace-style spans for debugging.

This is why workflows are framework-independent. If a team changes orchestration frameworks later, the Synapsor workflow/capability contract can keep the same evidence, proposal, branch, settlement, and replay rules.

Workflow examples External actions Observability traces Agent evals

Run graph SQL

SQL

-- Define the durable contract your app/framework will follow.
CREATE AGENT WORKFLOW billing.late_fee_waiver_flow
VERSION '2026-05-27'                      -- version string chosen by your team
DESCRIPTION 'Resolve late-fee waiver requests with evidence and approval'
SESSION REQUIRE tenant_id, principal, current_ticket_id -- required trusted session fields
ENTRY CAPABILITY support.answer_ticket_question
ALLOWED CAPABILITIES (                    -- capability calls allowed inside this workflow
  support.answer_ticket_question,
  billing.propose_late_fee_waiver
)
ALLOWED EXTERNAL ACTIONS (stripe.issue_refund) -- outbox actions allowed inside this workflow
MAX STEPS 20
MAX TOOL CALLS 10
TOKEN BUDGET MAX INPUT TOKENS 12000, MAX OUTPUT TOKENS 2000
EVIDENCE REQUIRED
CHECKPOINT EVERY STEP
AUTO BRANCH ON PROPOSAL
  PREFIX 'wf_${workflow}_${run_id}'      -- Synapsor uses this template for proposal branches
  FROM main
ON RISK low AUTO_APPROVE                   -- low-risk deterministic approval can proceed
ON RISK medium REQUIRE APPROVAL ROLE 'billing_reviewer'
ON ERROR RETRY 2 THEN HOLD FOR REVIEW
RETENTION RUNS 365 DAYS, EVIDENCE 365 DAYS, PAYLOADS 90 DAYS;

-- A workflow-scoped settlement policy can settle all proposals linked to a run.
CREATE SETTLEMENT POLICY billing.late_fee_waiver_settlement
FOR WORKFLOW billing.late_fee_waiver_flow  -- applies only to this workflow's runs
TARGET BRANCH main
AUTO APPROVE WHEN
  JSON_VALUE(run.output, '$.risk') = 'low' -- workflow run output set by END AGENT RUN
  AND PAYLOAD decision = 'approved'        -- structured proposal payload field
  AND PAYLOAD reason_codes CONTAINS 'synapsor_auto_approval_gate'
  AND PAYLOAD risk_lane = 'green'
AUTO COMMIT
AUTO MERGE
ELSE LEAVE PROPOSED;

-- Start a run. Synapsor returns run_id; store it with your app trace/request id.
BEGIN AGENT RUN billing.late_fee_waiver_flow
VERSION '2026-05-27'
WITH JSON '{"user_request":"Can we waive this late fee?"}';

-- Use the returned run_id in later steps.
INVOKE AGENT CAPABILITY support.answer_ticket_question
IN AGENT RUN 'run_...'                     -- Synapsor-produced run_id
STEP 'answer_ticket_question'              -- step key chosen by your app/framework
WITH JSON '{"question":"Can we waive this late fee?"}';

RECORD AGENT GUARDRAIL EVENT
IN AGENT RUN 'run_...'
STEP 'risk_gate'
STATUS completed
WITH JSON '{"risk":"low","reason_code":"policy_match"}';

HANDOFF AGENT RUN 'run_...'
STEP 'handoff_to_billing'
TO 'billing_reviewer'
REASON 'Billing owner must review the staged waiver'
WITH JSON '{"queue":"billing_reviews"}';

INTERRUPT AGENT RUN 'run_...'
STEP 'wait_for_approval'
REASON 'Manager approval required'
WITH JSON '{"proposal":"wrp://..."}';

END AGENT RUN 'run_...'
STATUS waiting_approval
WITH JSON '{"risk":"low","decision":"waiver_proposed"}'; -- run.output used by JSON_VALUE(...)

-- Settle every write proposal linked to the run through a deterministic policy.
SETTLE AGENT RUN 'run_...'
USING POLICY billing.late_fee_waiver_settlement
IDEMPOTENCY KEY 'settle-run-...';           -- optional retry key chosen by your app

EXPLAIN AGENT RUN 'run_...';

Examples

sql

-- This is a database contract for a refund workflow, not an agent planner.
CREATE AGENT WORKFLOW support.ticket_refund_flow

SESSION REQUIRE
  tenant_id,                  -- trusted tenant/account id from your backend session
  principal,                  -- authenticated user/service identity
  current_ticket_id,          -- ticket id selected by your app
  current_customer_id         -- customer id selected by your app

ALLOWED CAPABILITIES (
  support.answer_ticket_question,
  billing.evaluate_refund_policy,
  billing.propose_refund
)

ALLOWED EXTERNAL ACTIONS (
  stripe.issue_refund,        -- queued through Synapsor's external-action outbox
  zendesk.update_ticket,
  resend.send_email
)

EVIDENCE REQUIRED             -- every risky answer/action must produce evidence
AUTO BRANCH ON PROPOSAL       -- proposal writes stage on a branch first
CHECKPOINT EVERY STEP         -- record each durable workflow step

ON RISK medium REQUIRE APPROVAL ROLE 'support_lead';

-- In plain English:
-- only reviewed capabilities/actions are allowed, trusted fields come from
-- session context, risky writes branch first, and medium risk needs approval.

The simple idea

Agent frameworks decide what to do next.

Synapsor decides what is allowed, what must be recorded, what evidence is required, what can be written, what needs approval, and how the whole run can be replayed.

Outside Synapsor, teams often build Agent framework + MCP tools + vector DB + normal DB + app glue + audit logs + approval code. With Synapsor, the shape becomes Agent framework + Synapsor workflow contract + Synapsor MCP/framework adapter.

The agent can still use LangGraph, OpenAI Agents SDK, CrewAI, MCP, or a custom planner. It is the database-side contract those orchestrators call into when a step touches customer data, policy, writes, memory, side effects, or audit state.

workflow-boundary.txt

Without Synapsor:
  Agent framework + MCP tools + vector DB + normal DB
  + app glue + audit logs + approval code

With Synapsor:
  Agent framework + Synapsor workflow contract
  + Synapsor MCP/framework adapter

What CREATE AGENT WORKFLOW means in plain English

In plain English, this says: for this refund workflow, the agent is only allowed to use these approved capabilities. It must have trusted tenant, user, ticket, and customer values. It must attach evidence. A risky Synapsor-native write must stage on a branch, while a risky external Postgres/MySQL write must stage as a Synapsor review branch. Every step must be recorded. If risk is medium, a support lead must approve.

That is very different from telling the model: please be careful, use policy, ask for approval if needed, and do not refund twice.

Prompts are advice. A Synapsor workflow is a database contract.

support.ticket_refund_flow.sql

CREATE AGENT WORKFLOW support.ticket_refund_flow

SESSION REQUIRE
  tenant_id,
  principal,
  current_ticket_id,
  current_customer_id

ALLOWED CAPABILITIES (
  support.answer_ticket_question,
  billing.evaluate_refund_policy,
  billing.propose_refund
)

ALLOWED EXTERNAL ACTIONS (
  stripe.issue_refund,
  zendesk.update_ticket,
  resend.send_email
)

EVIDENCE REQUIRED
AUTO BRANCH ON PROPOSAL -- native branch or external review branch by target
CHECKPOINT EVERY STEP

ON RISK medium REQUIRE APPROVAL ROLE 'support_lead';

Framework orchestration vs Synapsor governance

A LangGraph graph might say: triage -> policy lookup -> billing tool -> approval -> answer.

A Synapsor workflow says: this billing workflow requires tenant_id, principal, current_ticket_id, and current_customer_id; only these reviewed capabilities are allowed; evidence is required; refund proposals must stage as native branches or Synapsor review branches depending on target; medium-risk actions require support_lead approval; every step must be retained for replay.

Agent framework does

Plans the next step
Routes between agents/tools
Handles chat/UI loop
Calls tools
Handles human interaction
May checkpoint framework state
May trace tool calls

Synapsor workflow does

Validates trusted session fields
Restricts allowed capabilities/actions
Requires evidence for risky answers/actions
Links each durable step to a run graph
Stages risky writes on native branches or external review branches
Records replayable run state
Explains evidence, proposals, branches, approvals, and external actions

Where your framework stops and Synapsor starts

Use LangGraph, OpenAI Agents SDK, CrewAI, MCP, or your own loop for orchestration: deciding the next node, collecting the user response, calling the next tool, or waiting for a human.

Use Synapsor for the durable contract around that orchestration: trusted session keys, allowed capabilities, required evidence, Synapsor-native branch-staged writes or external review-branch proposals, external-action idempotency, approval rules, settlement policy, memory policy, retention, and replay.

The practical integration is simple: pass run_id and step_key from your framework into Synapsor calls whenever the step touches customer data, policy, memory, proposals, external actions, or audit state.

framework-boundary.txt

Agent framework route:
  triage -> policy lookup -> billing proposal -> approval -> response

Synapsor workflow contract:
  trusted session -> allowed capability -> evidence -> branch proposal
  -> settlement/approval -> external-action outbox -> replayable run graph

Why this improves agents

Synapsor workflows do not make the model smarter. They make the agent's durable actions safer, clearer, replayable, and easier to approve.

The sections below show the practical effect: fewer low-level tools, trusted session fields, automatic evidence, native branches or external review branches for risky writes, and replayable run graphs.

A. Fewer, safer tools

Without Synapsor, the model may see many low-level tools: get_customer, get_ticket, search_policy, get_invoice, issue_refund, update_ticket, send_email, save_memory, and write_audit_log.

With Synapsor, the model can see fewer high-level tools such as answer_ticket_with_evidence, propose_refund, and settle_agent_run.

Synapsor handles tenant binding, evidence, RBAC, branches, approvals, proposals, replay, and audit behind those tools.

B. The model cannot fake trusted fields

Values such as tenant_id, principal, current_customer_id, current_ticket_id, region, and entitlement should come from trusted backend session context, not model JSON.

The workflow can require those session fields before a run starts, and the capability can copy them into HIDDEN bindings. The caller can still provide ARG values such as question or amount_cents, but ARG values do not override HIDDEN values.

trusted-session-fields.sql

SESSION REQUIRE tenant_id, principal, current_ticket_id

CREATE AGENT CAPABILITY support.answer_ticket_question
ARG question VARCHAR REQUIRED                  -- caller-provided text
HIDDEN tenant_id FROM SESSION tenant_id        -- trusted backend session value
HIDDEN principal FROM SESSION principal        -- trusted backend identity
HIDDEN ticket_id FROM SESSION current_ticket_id -- trusted object selected by app
EXECUTION READ ONLY
RETURNS JSON
PROFILE MINIMAL;

C. Evidence becomes automatic

Without Synapsor, the app has to retrieve policy, include it in the prompt, save chunk ids, show citations, log evidence, and make replay possible.

Evidence becomes automatic: EVIDENCE REQUIRED and INLINE EVIDENCE handles_only let the agent receive compact handles while Synapsor keeps the durable why trail.

That keeps repeated context and evidence out of the prompt while preserving inspectable evidence for humans, support review, and replay.

evidence-handles.sql

EVIDENCE REQUIRED
INLINE EVIDENCE handles_only

-- The model sees compact handles; Synapsor stores the durable evidence bundle.
EXPLAIN AGENT RUN 'run_123';

D. Risky writes become proposals

Risky writes become proposals: AUTO BRANCH ON PROPOSAL means the agent proposes a change, Synapsor stages it on a Synapsor-native branch or an external-source review branch depending on target, and a human or settlement policy decides what can proceed later.

The application or framework can request a write, but the workflow contract decides whether that write must be staged, reviewed, settled, committed, merged for native data, or approved for trusted writeback for external data. Rejected proposals leave production unchanged.

proposal-branching.sql

AUTO BRANCH ON PROPOSAL -- native branch or external review branch by target
  PREFIX 'wf_${workflow}_${run_id}'
  FROM main

PROPOSE AGENT CAPABILITY billing.propose_refund
IN AGENT RUN 'run_...'
STEP 'propose_refund'
WITH JSON '{"amount_cents":2500,"reason":"courtesy_waiver"}';

PREVIEW WRITE 'wrp://...'; -- wrp://... is returned by Synapsor

E. The whole run becomes replayable

The whole run becomes replayable: a run can carry run_id, step_key, capability invocation id, evidence id, proposal id, branch name, external action id, guardrail event, handoff or interrupt event, and final output.

run-graph.sql

-- run_123 is returned by BEGIN AGENT RUN or db.agent_runs.start(...).
EXPLAIN AGENT RUN 'run_123';

What you can inspect later

A workflow run is useful only if operators and developers can reconstruct it later. Synapsor stores the run, ordered steps, edges, evidence lookup records, proposals, branches, external actions, guardrail events, handoffs, interrupts, and final output.

Use EXPLAIN AGENT RUN for the graph-shaped view. Use system views when you need SQL-level inspection for support, incident review, regression evals, or customer audit.

inspect-workflow-run.sql

-- run_... is returned by BEGIN AGENT RUN, SDK start, or the workflow adapter.
EXPLAIN AGENT RUN 'run_...' WITH EVIDENCE;

SELECT step_key, step_kind, status, evidence_id, proposal_id, external_action_id
FROM synapsor_agent_run_steps
WHERE run_id = 'run_...'
ORDER BY ordinal;

SELECT action_instance_id, action_name, status, idempotency_key
FROM synapsor_external_action_events
WHERE run_id = 'run_...';

What workflows do not claim

Synapsor workflows do not replace LangGraph, OpenAI Agents SDK, CrewAI, MCP, or a custom planner. They give those systems a durable database contract for sensitive steps.

Synapsor does not guarantee safe AI by prompt text alone. The value is in enforceable session binding, RBAC, evidence requirements, branch-staged proposals, deterministic settlement, and replayable records.

Synapsor does not pretend an outside API call can be rolled back by a database transaction. External actions are recorded as durable intents, claimed by trusted workers with idempotency keys, and confirmed back into the run graph.

Workflow contract boundary

Frameworks decide the route. Synapsor records and validates the pieces that must survive review, replay, and audit.

Agent framework does

Plans the next step
Routes between agents/tools
Handles chat/UI loop
Calls tools
Handles human interaction
May checkpoint framework state
May trace tool calls

Synapsor workflow does

Validates trusted session fields
Restricts allowed capabilities/actions
Requires evidence for risky answers/actions
Links each durable step to a run graph
Stages risky writes on branches
Records replayable run state
Explains evidence, proposals, branches, approvals, and external actions

Refund workflow governance

The framework can move from triage to refund to approval. Synapsor keeps the durable rules and artifacts for each trusted step.

Framework graph

Route refund ticket
Call policy agent
Call billing capability
Ask for human approval
Return final answer

Synapsor workflow

Require trusted session keys
Restrict capabilities/actions
Require evidence
Stage writes on a branch
Checkpoint and retain the run
Settle and replay the decision

Developer notes

Store the returned run_id with your app request or agent trace.
Pass run_id and step_key when invoking capabilities that belong to the workflow.
Use RECORD AGENT GUARDRAIL EVENT, HANDOFF AGENT RUN, and INTERRUPT AGENT RUN when orchestration state must become replayable database state.
Use SETTLE AGENT RUN when a workflow may create one or more proposal lookup ids and you want one Synapsor settlement summary.
Use EXPLAIN AGENT RUN or synapsor_agent_run_steps to inspect evidence, proposal, branch, and capability-run links.
Keep autonomous planning in your agent framework; keep policy, evidence, proposal, branch, and replay state in Synapsor.
Prefer a few reviewed workflow capabilities over many low-level provider tools when the step reads customer data, changes state, or creates an external side effect.