I replaced n8n with one I could actually trust

It is not that n8n is bad. It's excellent. The reason is that the single feature I care most about isn't a feature you can bolt on — it's an invariant, and invariants have to live where the rest of your trust model lives.

The invariant is this: an agent can commission work, advance it, even let the model critique and revise autonomously — but a human, and only a human, can approve the gate that turns output into canon. On this site that's already the rule everywhere: the credential steward can only narrow access, the playtest gate is deterministic, IAM-sensitive mutations reject anything coming from an agent. A workflow engine that didn't enforce the same boundary would be a hole punched straight through the middle of it. I'd rather own the engine than trust a general-purpose tool to hold a line that specific.

The Workflow Designer (WFS, internally) generalizes the existing job model into a versioned, JSON-defined graph without throwing any of it away. A workflow is a DAG of nodes and edges; a run executes that graph; and — this is the load-bearing trick — every operator node reuses the same job lifecycle the rest of the site already runs on. So an operator step queues and drains on the existing GitHub Actions runner with zero new runner code. I didn't build an execution engine. I built a graph layer over the one I had.

Four node types cover everything so far: operator (do a real job), llm (call the model with shared retry + usage tracking), http (hit a site route), and human-gate (stop and wait for me). Triggers are cron, event, manual, and a signed webhook. The orchestrator is tick-based — each advance reconciles in-flight nodes, schedules everything newly ready, and persists state — so a run can block on a gate for a week and resume from the exact checkpoint when I approve it.

The control API lets you start a run and advance it autonomously — commissioning and ticking work is fine for an agent to do. But the approve endpoint is special-cased: it rejects any agent actor outright. An act-as agent bearer, even one holding admin scope, cannot approve a human-gate — not its own, not anyone's.

That one asymmetry is the whole reason the engine exists. "Full autonomy, gate the risky steps" is a slogan until there's a line of code that makes the gate un-spoofable. Here the gate is a node type, the rejection is a unit-tested branch, and the canvas renders the blocked node so I can see exactly what's waiting on me. It's the same instinct as the house bot's allowlist or the steward's one-way valve — everything the model can't do alone, made structural.

The proof that it's a real engine and not a demo is that I put something I cared about on it. The fifteen-step writing pipeline for my just-finished novel is now a first-class workflow: sixteen model nodes plus one human-gate, the five critics fanning out from the voice pass and back into revision, Sonnet/Opus routing per node, each carrying its real stage prompt, hand-positioned so it loads as a designed graph instead of a fallback grid.

And because the graph terminates in my gate, the last node is a write-back: it slots the approved chapter into the manuscript, heading and POV preserved, the rest untouched. The approval and the integration are the same event. That's the loop a pile of HTML diagrams could never close — and the reason I'll keep reaching for the engine I own over the one I'd have to trust.

If you don't need a hard agent/human boundary baked into the substrate, use n8n — seriously. The in-house build is only worth it because the gate is the point, and because I get to reuse a job runner, a secrets store, an IAM layer, and a usage tracker I'd already paid for. Subtract those and the math flips. The lesson isn't build your own orchestrator. It's figure out which invariant you can't afford to outsource, and own exactly that much.