Surface unhealthy-age rollup on operator metrics

durable-workflow-ops · durable-workflow-ops · commit 044ba0783dee · 2026-04-25T05:48:54.000Z
OperatorMetrics::snapshot()['tasks'] now exposes oldest_unhealthy_at
and max_unhealthy_age_ms — the earliest of the four contributing
per-path timestamps (oldest_dispatch_failed_at, oldest_claim_failed_at,
oldest_dispatch_overdue_since, oldest_lease_expired_at) and the largest
age in milliseconds across them. Operators reading the metric snapshot
can now answer "how stale is the worst-case duplicate-risk task
overall?" from a single key pair instead of taking a max across four
per-path age fields. The rollout-safety contract pins the new keys on
the tasks row, V2OperatorMetricsTest pins both the populated and
no-unhealthy-tasks paths, and RolloutSafetyDocumentationTest adds a
row-shape regression so future doc edits cannot drop the rollup
language without tripping the doc test.
diff --git a/docs/architecture/rollout-safety.md b/docs/architecture/rollout-safety.md
@@ -414,7 +414,7 @@ change.
 | `tasks` | `oldest_dispatch_overdue_since`, `max_dispatch_overdue_age_ms` | earliest `COALESCE(last_dispatched_at, created_at)` among dispatch-overdue tasks — the timestamp the worst-case ready-but-unclaimed task has been waiting for a successful dispatch wake since (either its last attempted dispatch that didn't stick or its creation time if it was never dispatched) — and the largest age in milliseconds, mirroring the `oldest_ready_due_at` / `max_ready_due_age_ms` shape so operators can read wake-latency ("how long has the oldest ready-but-unclaimed task been waiting for a working dispatch wake?") from the metric alone without walking `workflow_tasks` |
 | `tasks` | `oldest_claim_failed_at`, `max_claim_failed_age_ms` | earliest `last_claim_failed_at` among claim-failed tasks (Ready tasks whose most recent claim attempt recorded an uncleared `last_claim_error`) and the largest claim-failed age in milliseconds, mirroring the `oldest_dispatch_overdue_since` / `max_dispatch_overdue_age_ms` shape for the dispatch path so operators can read "how long has the worst-case task been sitting with an uncleared claim error?" — the primary lease-conflict and duplicate-risk age indicator for the claim path — from the metric alone without walking `workflow_tasks` |
 | `tasks` | `oldest_dispatch_failed_at`, `max_dispatch_failed_age_ms` | earliest `last_dispatch_attempt_at` among dispatch-failed tasks (Ready tasks whose most recent dispatch attempt recorded an uncleared `last_dispatch_error` that has not been superseded by a later successful dispatch) and the largest dispatch-failed age in milliseconds, mirroring the `oldest_claim_failed_at` / `max_claim_failed_age_ms` shape for the claim path so operators can read "how long has the worst-case task been sitting with an uncleared dispatch error?" — the primary transport-failure age indicator on the dispatch path — from the metric alone without walking `workflow_tasks` |
-| `tasks` | `unhealthy` | sum of transport failure and lease expiry counts (the primary duplicate-risk indicator) |
+| `tasks` | `unhealthy`, `oldest_unhealthy_at`, `max_unhealthy_age_ms` | sum of transport failure and lease expiry counts (the primary duplicate-risk indicator), the earliest of `oldest_dispatch_failed_at` / `oldest_claim_failed_at` / `oldest_dispatch_overdue_since` / `oldest_lease_expired_at` (`null` when `unhealthy = 0`), and the largest unhealthy age in milliseconds across those four contributing paths so operators can read "how stale is my worst-case duplicate-risk task overall?" from the metric alone without taking a max over four separate per-path age fields |
 | `activities` | `retrying`, `oldest_retrying_started_at`, `max_retrying_age_ms` | activity executions currently in the retry window (Pending status with `attempt_count > 0`), the earliest `started_at` among them, and the largest retrying age in milliseconds, mirroring the `tasks.oldest_lease_expired_at` / `max_lease_expired_age_ms` shape on the task path so operators can answer "how long has the worst-case activity been chewing retries?" — the primary retry-rate age indicator on the activity path — from the metric alone without walking `activity_executions` |
 | `backlog` | `runnable_tasks`, `delayed_tasks`, `leased_tasks` | authoritative backlog counts |
 | `backlog` | `unhealthy_tasks`, `repair_needed_runs`, `claim_failed_runs`, `compatibility_blocked_runs` | stuck/blocked roll-ups |
diff --git a/src/V2/Support/OperatorMetrics.php b/src/V2/Support/OperatorMetrics.php
@@ -124,6 +124,12 @@ private static function taskMetrics(CarbonInterface $now, ?string $namespace): a
         $oldestDispatchOverdueSince = self::oldestDispatchOverdueSince($now, $namespace);
         $oldestClaimFailedAt = self::oldestClaimFailedAt($namespace);
         $oldestDispatchFailedAt = self::oldestDispatchFailedAt($namespace);
+        $oldestUnhealthyAt = self::earliestTimestamp([
+            $oldestDispatchFailedAt,
+            $oldestClaimFailedAt,
+            $oldestDispatchOverdueSince,
+            $oldestLeaseExpiredAt,
+        ]);
 
         return [
             'open' => self::openTasks($namespace),
@@ -159,6 +165,10 @@ private static function taskMetrics(CarbonInterface $now, ?string $namespace): a
                 + self::claimFailedTasks($namespace)
                 + self::dispatchOverdueTasks($now, $namespace)
                 + self::leaseExpiredTasks($now, $namespace),
+            'oldest_unhealthy_at' => $oldestUnhealthyAt?->toJSON(),
+            'max_unhealthy_age_ms' => $oldestUnhealthyAt === null
+                ? 0
+                : (int) $oldestUnhealthyAt->diffInMilliseconds($now),
         ];
     }
 
@@ -380,6 +390,31 @@ private static function stringOrNull(mixed $value): ?string
         return is_string($value) ? $value : null;
     }
 
+    /**
+     * Returns the earliest non-null `CarbonInterface` from the given list,
+     * or `null` if every entry is `null`. Used to roll up multiple per-path
+     * "oldest at" timestamps into a single worst-case duplicate-risk age the
+     * rollout-safety contract pins on `OperatorMetrics::snapshot()`.
+     *
+     * @param  array<int, CarbonInterface|null>  $timestamps
+     */
+    private static function earliestTimestamp(array $timestamps): ?CarbonInterface
+    {
+        $earliest = null;
+
+        foreach ($timestamps as $timestamp) {
+            if ($timestamp === null) {
+                continue;
+            }
+
+            if ($earliest === null || $timestamp->lessThan($earliest)) {
+                $earliest = $timestamp;
+            }
+        }
+
+        return $earliest;
+    }
+
     /**
      * @return array<string, int>
      */
diff --git a/tests/Feature/V2/V2OperatorMetricsTest.php b/tests/Feature/V2/V2OperatorMetricsTest.php
@@ -250,6 +250,13 @@ public function testSnapshotSummarizesDurableBacklogRepairCompatibilityAndWorker
         );
         $this->assertSame(10 * 1000, $snapshot['tasks']['max_claim_failed_age_ms']);
         $this->assertSame(4, $snapshot['tasks']['unhealthy']);
+        $this->assertSame(
+            Carbon::parse('2026-04-09 12:00:00')
+                ->subMinute()
+                ->toJSON(),
+            $snapshot['tasks']['oldest_unhealthy_at'],
+        );
+        $this->assertSame(60 * 1000, $snapshot['tasks']['max_unhealthy_age_ms']);
         $this->assertSame(4, $snapshot['backlog']['runnable_tasks']);
         $this->assertSame(1, $snapshot['backlog']['delayed_tasks']);
         $this->assertSame(2, $snapshot['backlog']['leased_tasks']);
@@ -1454,6 +1461,111 @@ public function testSnapshotReportsDispatchFailedAgeAsZeroWhenNoTasksFailedToDis
         $this->assertSame(0, $taskTransport['data']['max_dispatch_failed_age_ms']);
     }
 
+    public function testSnapshotSurfacesUnhealthyAgeRollupAsEarliestOfTheFourContributingPaths(): void
+    {
+        Carbon::setTestNow('2026-04-09 12:00:00');
+        $this->beforeApplicationDestroyed(static function (): void {
+            Carbon::setTestNow();
+        });
+
+        $now = Carbon::now();
+
+        $run = $this->createRunWithSummary(
+            instanceId: 'unhealthy-age-rollup-instance',
+            runId: '01JUNHEALRUN00000000000001',
+            status: 'running',
+            statusBucket: 'running',
+            livenessState: 'running',
+        );
+
+        // Lease-expired task (-30s) — newer than the dispatch-failed worst case below.
+        $this->createTask($run, '01JUNHEALTASK0000000000001', TaskStatus::Leased->value, [
+            'leased_at' => $now->copy()
+                ->subSeconds(120),
+            'lease_owner' => 'worker-expired',
+            'lease_expires_at' => $now->copy()
+                ->subSeconds(30),
+            'created_at' => $now->copy()
+                ->subSeconds(120),
+        ]);
+
+        // Claim-failed task (-45s) — newer than the dispatch-failed worst case below.
+        $this->createTask($run, '01JUNHEALTASK0000000000002', TaskStatus::Ready->value, [
+            'available_at' => $now->copy()
+                ->subSecond(),
+            'connection' => 'sync',
+            'last_dispatched_at' => $now->copy()
+                ->subSeconds(60),
+            'last_claim_failed_at' => $now->copy()
+                ->subSeconds(45),
+            'last_claim_error' => 'Workflow v2 backend capabilities are unsupported: [queue_sync_unsupported] sync.',
+            'created_at' => $now->copy()
+                ->subSeconds(60),
+        ]);
+
+        // Dispatch-overdue task (-20s) — newer than the dispatch-failed worst case below.
+        $this->createTask($run, '01JUNHEALTASK0000000000003', TaskStatus::Ready->value, [
+            'available_at' => $now->copy()
+                ->subSeconds(20),
+            'last_dispatched_at' => $now->copy()
+                ->subSeconds(20),
+            'created_at' => $now->copy()
+                ->subSeconds(20),
+        ]);
+
+        // Dispatch-failed task (-90s) — the worst case across all four paths.
+        $this->createTask($run, '01JUNHEALTASK0000000000004', TaskStatus::Ready->value, [
+            'available_at' => $now->copy()
+                ->subSeconds(120),
+            'last_dispatched_at' => null,
+            'last_dispatch_attempt_at' => $now->copy()
+                ->subSeconds(90),
+            'last_dispatch_error' => 'Connection refused while broadcasting workflow task wake.',
+            'created_at' => $now->copy()
+                ->subSeconds(150),
+        ]);
+
+        $snapshot = OperatorMetrics::snapshot($now);
+
+        $this->assertSame(4, $snapshot['tasks']['unhealthy']);
+        $this->assertSame($now->copy() ->subSeconds(90) ->toJSON(), $snapshot['tasks']['oldest_unhealthy_at']);
+        $this->assertSame(90 * 1000, $snapshot['tasks']['max_unhealthy_age_ms']);
+    }
+
+    public function testSnapshotReportsUnhealthyAgeRollupAsZeroWhenNoTasksAreUnhealthy(): void
+    {
+        Carbon::setTestNow('2026-04-09 12:00:00');
+        $this->beforeApplicationDestroyed(static function (): void {
+            Carbon::setTestNow();
+        });
+
+        $now = Carbon::now();
+
+        $run = $this->createRunWithSummary(
+            instanceId: 'unhealthy-age-none-instance',
+            runId: '01JUNHEALNONRUN00000000001',
+            status: 'running',
+            statusBucket: 'running',
+            livenessState: 'running',
+        );
+
+        // Fresh healthy ready task — no transport failure, no expired lease.
+        $this->createTask($run, '01JUNHEALNONTASK0000000001', TaskStatus::Ready->value, [
+            'available_at' => $now->copy()
+                ->subSecond(),
+            'last_dispatched_at' => $now->copy()
+                ->subSecond(),
+            'created_at' => $now->copy()
+                ->subSecond(),
+        ]);
+
+        $snapshot = OperatorMetrics::snapshot($now);
+
+        $this->assertSame(0, $snapshot['tasks']['unhealthy']);
+        $this->assertNull($snapshot['tasks']['oldest_unhealthy_at']);
+        $this->assertSame(0, $snapshot['tasks']['max_unhealthy_age_ms']);
+    }
+
     public function testSnapshotReportsRunWaitAgeAsZeroWhenNoRunsAreWaiting(): void
     {
         Carbon::setTestNow('2026-04-09 12:00:00');
diff --git a/tests/Unit/V2/RolloutSafetyDocumentationTest.php b/tests/Unit/V2/RolloutSafetyDocumentationTest.php
@@ -135,6 +135,8 @@ final class RolloutSafetyDocumentationTest extends TestCase
         'oldest_retrying_started_at',
         'max_retrying_age_ms',
         'unhealthy',
+        'oldest_unhealthy_at',
+        'max_unhealthy_age_ms',
         'runnable_tasks',
         'delayed_tasks',
         'leased_tasks',
@@ -433,6 +435,17 @@ public function testContractDocumentFreezesBackendSeverityRollupRow(): void
         );
     }
 
+    public function testContractDocumentFreezesUnhealthyAgeRollupRow(): void
+    {
+        $contents = $this->documentContents();
+
+        $this->assertMatchesRegularExpression(
+            '/\|\s*`tasks`\s*\|[^|]*`unhealthy`[^|]*`oldest_unhealthy_at`[^|]*`max_unhealthy_age_ms`/',
+            $contents,
+            'Rollout safety contract must pin the tasks unhealthy-age rollup row so operators can read "how stale is my worst-case duplicate-risk task overall?" from a single OperatorMetrics::snapshot() pair instead of taking a max over the four contributing per-path age fields.',
+        );
+    }
+
     public function testContractDocumentFreezesHealthCheckNames(): void
     {
         $contents = $this->documentContents();
