fix(server): implement multi-workflow mode API wiring

api/router.go

@@ -22,6 +22,10 @@ type Config struct {
 
 	// OAuth providers keyed by provider name (e.g. "google", "okta").
 	OAuthProviders map[string]*OAuthProviderConfig
+
+	// Engine is an optional engine lifecycle manager used by the workflow
+	// deploy/stop endpoints to actually start and stop workflow engines.
+	Engine EngineRunner
 }
 
 // Stores groups all store interfaces needed by the API.
@@ -109,6 +113,9 @@ func NewRouterWithIAM(stores Stores, cfg Config, iamResolver *iam.IAMResolver) h
 
 	// --- Workflows ---
 	wfH := NewWorkflowHandler(stores.Workflows, stores.Projects, stores.Memberships, permissions)
+	if cfg.Engine != nil {
+		wfH.WithEngine(cfg.Engine)
+	}
 	mux.Handle("POST /api/v1/projects/{pid}/workflows", mw.RequireAuth(http.HandlerFunc(wfH.Create)))
 	mux.Handle("GET /api/v1/workflows", mw.RequireAuth(http.HandlerFunc(wfH.ListAll)))
 	mux.Handle("GET /api/v1/projects/{pid}/workflows", mw.RequireAuth(http.HandlerFunc(wfH.ListInProject)))

api/workflow_handler.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
@@ -11,12 +12,20 @@ import (
 	"github.com/google/uuid"
 )
 
+// EngineRunner is an optional engine lifecycle manager that the workflow handler
+// uses to actually start and stop workflow engines when deploying/stopping workflows.
+type EngineRunner interface {
+	DeployWorkflow(ctx context.Context, workflowID uuid.UUID) error
+	StopWorkflow(ctx context.Context, workflowID uuid.UUID) error
+}
+
 // WorkflowHandler handles workflow CRUD and lifecycle endpoints.
 type WorkflowHandler struct {
 	workflows   store.WorkflowStore
 	projects    store.ProjectStore
 	memberships store.MembershipStore
 	permissions *PermissionService
+	engine      EngineRunner
 }
 
 // NewWorkflowHandler creates a new WorkflowHandler.
@@ -29,6 +38,12 @@ func NewWorkflowHandler(workflows store.WorkflowStore, projects store.ProjectSto
 	}
 }
 
+// WithEngine sets the optional engine runner used by Deploy and Stop.
+func (h *WorkflowHandler) WithEngine(engine EngineRunner) *WorkflowHandler {
+	h.engine = engine
+	return h
+}
+
 // Create handles POST /api/v1/projects/{pid}/workflows.
 func (h *WorkflowHandler) Create(w http.ResponseWriter, r *http.Request) {
 	user := UserFromContext(r.Context())
@@ -259,6 +274,12 @@ func (h *WorkflowHandler) Deploy(w http.ResponseWriter, r *http.Request) {
 		WriteError(w, http.StatusInternalServerError, "internal error")
 		return
 	}
+	if h.engine != nil {
+		if err := h.engine.DeployWorkflow(r.Context(), id); err != nil {
+			WriteError(w, http.StatusInternalServerError, "failed to deploy workflow engine")
+			return
+		}
+	}
 	wf.Status = store.WorkflowStatusActive
 	wf.UpdatedAt = time.Now()
 	if err := h.workflows.Update(r.Context(), wf); err != nil {
@@ -284,6 +305,12 @@ func (h *WorkflowHandler) Stop(w http.ResponseWriter, r *http.Request) {
 		WriteError(w, http.StatusInternalServerError, "internal error")
 		return
 	}
+	if h.engine != nil {
+		if err := h.engine.StopWorkflow(r.Context(), id); err != nil {
+			WriteError(w, http.StatusInternalServerError, "failed to stop workflow engine")
+			return
+		}
+	}
 	wf.Status = store.WorkflowStatusStopped
 	wf.UpdatedAt = time.Now()
 	if err := h.workflows.Update(r.Context(), wf); err != nil {

cmd/server/main.go

@@ -4,8 +4,9 @@
 	"context"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"flag"
 	"errors"
 	"fmt"
 	"log"
 	"log/slog"
@@ -24,7 +25,7 @@
 	"github.com/GoCodeAlone/workflow/ai"
 	copilotai "github.com/GoCodeAlone/workflow/ai/copilot"
 	"github.com/GoCodeAlone/workflow/ai/llm"
-	workflowapi "github.com/GoCodeAlone/workflow/api"
+	apihandler "github.com/GoCodeAlone/workflow/api"
 	"github.com/GoCodeAlone/workflow/audit"
 	"github.com/GoCodeAlone/workflow/billing"
 	"github.com/GoCodeAlone/workflow/bundle"
@@ -82,10 +83,11 @@
 	anthropicModel = flag.String("anthropic-model", "", "Anthropic model name")
 
 	// Multi-workflow mode flags
-	databaseDSN   = flag.String("database-dsn", "", "PostgreSQL connection string for multi-workflow mode")
-	jwtSecret     = flag.String("jwt-secret", "", "JWT signing secret for API authentication")
-	adminEmail    = flag.String("admin-email", "", "Initial admin user email (first-run bootstrap)")
-	adminPassword = flag.String("admin-password", "", "Initial admin user password (first-run bootstrap)")
+	databaseDSN       = flag.String("database-dsn", "", "PostgreSQL connection string for multi-workflow mode")
+	jwtSecret         = flag.String("jwt-secret", "", "JWT signing secret for API authentication")
+	adminEmail        = flag.String("admin-email", "", "Initial admin user email (first-run bootstrap)")
+	adminPassword     = flag.String("admin-password", "", "Initial admin user password (first-run bootstrap)")
+	multiWorkflowAddr = flag.String("multi-workflow-addr", ":8090", "HTTP listen address for multi-workflow REST API")
 
 	// License flags
 	licenseKey = flag.String("license-key", "", "License key for the workflow engine (or set WORKFLOW_LICENSE_KEY env var)")
@@ -1335,25 +1337,131 @@
 	}))
 
 	if *databaseDSN != "" {
-		// Multi-workflow mode: PG-backed engine manager with REST API.
-		logger.Info("Starting in multi-workflow mode")
-
-		if err := runMultiWorkflow(logger); err != nil {
-			log.Fatalf("Multi-workflow error: %v", err)
+		// Multi-workflow mode: connect to PostgreSQL, run migrations, start the
+		// REST API router on a dedicated port. Single-config mode is skipped.
+		if *jwtSecret == "" {
+			log.Fatal("multi-workflow mode: --jwt-secret is required")
+		}
+		logger.Info("Starting in multi-workflow mode",
+			"database_dsn_set", true,
+			"admin_email_set", *adminEmail != "",
+			"api_addr", *multiWorkflowAddr,
+		)
+		dbCtx, dbCancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer dbCancel()
+		pgStore, pgErr := evstore.NewPGStore(dbCtx, evstore.PGConfig{URL: *databaseDSN})
+		if pgErr != nil {
+			log.Fatalf("multi-workflow mode: failed to connect to PostgreSQL: %v", pgErr) //nolint:gocritic // exitAfterDefer: intentional, cleanup is best-effort
+		}
+		migrator := evstore.NewMigrator(pgStore.Pool())
+		if mErr := migrator.Migrate(dbCtx); mErr != nil {
+			log.Fatalf("multi-workflow mode: database migration failed: %v", mErr)
+		}
+		logger.Info("multi-workflow mode: database migrations applied")
+
+		// Bootstrap admin user on first run.
+		if *adminEmail != "" && *adminPassword != "" {
+			_, lookupErr := pgStore.Users().GetByEmail(context.Background(), *adminEmail)
+			switch {
+			case errors.Is(lookupErr, evstore.ErrNotFound):
+				hash, hashErr := bcrypt.GenerateFromPassword([]byte(*adminPassword), bcrypt.DefaultCost)
+				if hashErr != nil {
+					log.Fatalf("multi-workflow mode: failed to hash admin password: %v", hashErr)
+				}
+				now := time.Now()
+				adminUser := &evstore.User{
+					ID:           uuid.New(),
+					Email:        *adminEmail,
+					PasswordHash: string(hash),
+					DisplayName:  "Admin",
+					Active:       true,
+					CreatedAt:    now,
+					UpdatedAt:    now,
+				}
+				if createErr := pgStore.Users().Create(context.Background(), adminUser); createErr != nil {
+					logger.Warn("multi-workflow mode: failed to create admin user (may already exist)", "error", createErr)
+				} else {
+					logger.Info("multi-workflow mode: created bootstrap admin user", "email", *adminEmail)
+				}
+			case lookupErr != nil:
+				log.Fatalf("multi-workflow mode: failed to check for admin user: %v", lookupErr)
+			default:
+				logger.Info("multi-workflow mode: admin user already exists, skipping bootstrap", "email", *adminEmail)
+			}
 		}
-		fmt.Println("Shutdown complete")
+
+		engineBuilder := func(cfg *config.WorkflowConfig, lg *slog.Logger) (*workflow.StdEngine, modular.Application, error) {
+			eng, _, _, buildErr := buildEngine(cfg, lg)
+			if buildErr != nil {
+				return nil, nil, buildErr
+			}
+			app := eng.GetApp()
+			return eng, app, nil
+		}
+		engineMgr := workflow.NewWorkflowEngineManager(pgStore.Workflows(), pgStore.CrossWorkflowLinks(), logger, engineBuilder)
+
+		apiRouter := apihandler.NewRouter(apihandler.Stores{
+			Users:       pgStore.Users(),
+			Sessions:    pgStore.Sessions(),
+			Companies:   pgStore.Companies(),
+			Projects:    pgStore.Projects(),
+			Workflows:   pgStore.Workflows(),
+			Memberships: pgStore.Memberships(),
+			Links:       pgStore.CrossWorkflowLinks(),
+			Executions:  pgStore.Executions(),
+			Logs:        pgStore.Logs(),
+			Audit:       pgStore.Audit(),
+			IAM:         pgStore.IAM(),
+		}, apihandler.Config{JWTSecret: *jwtSecret, Engine: engineMgr})
+
+		// Bind the listener eagerly so port conflicts are detected before the
+		// deferred cleanup is registered (fail-fast instead of silent goroutine death).
+		listener, listenErr := net.Listen("tcp", *multiWorkflowAddr)
+		if listenErr != nil {
+			log.Fatalf("multi-workflow mode: failed to listen on %s: %v", *multiWorkflowAddr, listenErr)
+		}
+
+		apiServer := &http.Server{
+			Handler:           apiRouter,
+			ReadHeaderTimeout: 10 * time.Second,
+		}
+		go func() {
+			logger.Info("multi-workflow API listening", "addr", *multiWorkflowAddr)
+			if sErr := apiServer.Serve(listener); sErr != nil && sErr != http.ErrServerClosed {
+				logger.Error("multi-workflow API server error", "error", sErr)
+			}
+		}()
+		defer func() {
+			shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 30*time.Second)
+			defer shutdownCancel()
+			if sErr := apiServer.Shutdown(shutdownCtx); sErr != nil {
+				logger.Warn("multi-workflow API server shutdown error", "error", sErr)
+			}
+			if sErr := engineMgr.StopAll(shutdownCtx); sErr != nil {
+				logger.Warn("multi-workflow engine manager shutdown error", "error", sErr)
+			}
+			if shutdownCtx.Err() == context.DeadlineExceeded {
+				logger.Warn("multi-workflow shutdown timed out; some in-flight operations may be incomplete")
+			}
+			pgStore.Close()
+		}()
+
+		// Block until a termination signal is received, then let deferred cleanup run.
+		sigCh := make(chan os.Signal, 1)
+		signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+		fmt.Printf("Multi-workflow API on %s\n", *multiWorkflowAddr)
+		<-sigCh
+		fmt.Println("Shutting down multi-workflow mode...")
 		return
 	}
-
-	// Existing single-config behavior
 	cfg, err := loadConfig(logger)
 	if err != nil {
-		log.Fatalf("Configuration error: %v", err)
+		log.Fatalf("Configuration error: %v", err) //nolint:gocritic // exitAfterDefer: intentional, cleanup is best-effort
 	}
 
 	app, err := setup(logger, cfg)
 	if err != nil {
-		log.Fatalf("Setup error: %v", err)
+		log.Fatalf("Setup error: %v", err) //nolint:gocritic // exitAfterDefer: intentional, cleanup is best-effort
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -1448,7 +1556,7 @@
 		secret = "dev-secret-change-me"
 		logger.Error("No JWT secret configured — using insecure default; set JWT_SECRET env var or -jwt-secret flag")
 	}
-	stores := workflowapi.Stores{
+	stores := apihandler.Stores{
 		Users:       pg.Users(),
 		Sessions:    pg.Sessions(),
 		Companies:   pg.Companies(),
@@ -1461,13 +1569,13 @@
 		Audit:       pg.Audit(),
 		IAM:         pg.IAM(),
 	}
-	apiCfg := workflowapi.Config{
+	apiCfg := apihandler.Config{
 		JWTSecret:  secret,
 		JWTIssuer:  "workflow-server",
 		AccessTTL:  15 * time.Minute,
 		RefreshTTL: 7 * 24 * time.Hour,
 	}
-	apiRouter := workflowapi.NewRouter(stores, apiCfg)
+	apiRouter := apihandler.NewRouter(stores, apiCfg)
 
 	// 7. Set up admin UI and management infrastructure for workflow management
 	singleCfg, err := loadConfig(logger)