Orchestration & Human-in-the-Loop

Orchestrator

• Workflow engine/state machine; correlation IDs and timers
• Compensations, retries, timeouts, and escalation hooks

Workers

• Stateless, idempotent handlers; safe to retry
• Access via allowlisted tools/APIs; role-scoped credentials

Saga & compensation

• Split long transactions; define compensating steps for partial failure
• Prefer logical undo over database-level XA

Retries & backoff

• Exponential backoff + jitter; cap retries; send to DLQ
• Timeouts and circuit breakers for unstable dependencies

Idempotency

• Use correlation/idempotency keys; ignore duplicate work
• Design handlers to be repeat-safe (HTTP semantics: RFC 9110)

Work routing

• Queues by priority, skill, region; FIFO within class
• Assignment: round-robin, load, or skill-based
• Limit WIP to protect lead time (Little’s Law)

SLAs

• Define per step; timers and escalations; visible aging
• Auto-reassign stuck work; notify owners

Thresholds

• Confidence × impact grid: auto-approve, review, block
• Dual-control for high-risk steps (four-eyes)

Reviewer UX

• Show sources, diffs, and suggested actions
• One-click edits; capture rationale; next-best steps

Logging

• Who did what, when, to which record (user, timestamp, object)
• Immutable/tamper-evident logs; retention by policy

Controls

• Segregation of duties; thresholds and approvals
• Change control for workflows, bots, and integrations

Tracing & metrics

• Distributed traces across orchestrator, workers, and queues
• SLIs: success rate, latency, error types, retries, DLQ size

SLOs

• Targets for latency/success; error budgets to govern change pace