GitHub #584: server + workflow + waterline: v2 architecture Phase 6: rollout safety enforcement and coordination health (#506)

durable-workflow-ops · durable-workflow-ops · commit 1f3e7c7e9236 · 2026-05-08T03:06:38.000Z
diff --git a/docs/architecture/rollout-safety.md b/docs/architecture/rollout-safety.md
@@ -563,12 +563,26 @@ serving the snapshot — without re-aggregating metrics across the
 `matching_role` block. `wake_owner` is `worker_loop` on nodes that
 still run the in-worker broad-poll wake and `dedicated_repair_pass`
 on nodes that have opted out so the broad sweep runs as
-`php artisan workflow:v2:repair-pass` instead. Adding a new check
-is allowed; renaming or removing one is a protocol-level change.
-The canonical check names above match the strings emitted by
-`Workflow\V2\Support\HealthCheck::snapshot()` verbatim, and a runtime
-pinning test in the workflow package asserts the match so doc/code
-drift fails loudly.
+`php artisan workflow:v2:repair-pass` instead. The check also forwards
+`required_compatibility`, `active_workers`,
+`active_workers_supporting_required`, and the convenience boolean
+`fleet_supports_required` from the `workers` block so operators can
+tell whether a compatibility block reflects "no live worker advertises
+the required marker" (the canonical fail-closed admission case
+escalated under `DW_V2_FLEET_VALIDATION_MODE=fail`) vs a transient
+compatibility race that still has fleet coverage — without joining
+the `worker_compatibility` check separately.
+`fleet_supports_required` is `true` when no marker is required (the
+unscoped case) or at least one heartbeat advertises the required
+marker. When `compatibility_blocked_runs > 0` and
+`fleet_supports_required = false`, the check's `message` names the
+missing-coverage case explicitly so the operator action ("ensure a
+worker advertising the required marker rolls in") is unambiguous.
+Adding a new check is allowed; renaming or removing one is a
+protocol-level change. The canonical check names above match the
+strings emitted by `Workflow\V2\Support\HealthCheck::snapshot()`
+verbatim, and a runtime pinning test in the workflow package asserts
+the match so doc/code drift fails loudly.
 
 ### Queue visibility
 
diff --git a/src/V2/Support/HealthCheck.php b/src/V2/Support/HealthCheck.php
@@ -351,24 +351,36 @@ private static function routingHealthCheck(
             ? $matchingRole['task_dispatch_mode']
             : 'queue';
         $activeWorkerScopes = self::integer($workers['active_worker_scopes'] ?? 0);
+        $requiredCompatibility = is_string($workers['required_compatibility'] ?? null)
+            ? $workers['required_compatibility']
+            : null;
+        $activeWorkers = self::integer($workers['active_workers'] ?? 0);
+        $activeWorkersSupportingRequired = self::integer($workers['active_workers_supporting_required'] ?? 0);
+        // True when no marker is required (unscoped) or at least one heartbeat advertises it.
+        $fleetSupportsRequired = $requiredCompatibility === null
+            || $activeWorkersSupportingRequired > 0;
+
+        $compatibilityBlocked = $compatibilityBlockedRuns > 0;
+        $compatibilityBlockedWithoutFleetCoverage = $compatibilityBlocked && ! $fleetSupportsRequired;
 
         $message = 'No routing drains, compatibility blocks, or uncleared claim failures are currently projected.';
-        if ($compatibilityBlockedRuns > 0 || $dispatchOverdueTasks > 0 || $claimFailedTasks > 0) {
-            $signalCount = ($compatibilityBlockedRuns > 0 ? 1 : 0)
+        if ($compatibilityBlocked || $dispatchOverdueTasks > 0 || $claimFailedTasks > 0) {
+            $signalCount = ($compatibilityBlocked ? 1 : 0)
                 + ($dispatchOverdueTasks > 0 ? 1 : 0)
                 + ($claimFailedTasks > 0 ? 1 : 0);
 
             $message = match (true) {
                 $signalCount > 1 => 'Routing health is degraded: compatibility blocks, dispatch lag, or uncleared claim failures are visible in durable state.',
-                $compatibilityBlockedRuns > 0 => 'One or more runs are ready but waiting for a compatible worker in the active fleet.',
+                $compatibilityBlockedWithoutFleetCoverage => 'One or more runs are blocked because no active worker heartbeat advertises the required compatibility marker.',
+                $compatibilityBlocked => 'One or more runs are ready but waiting for a compatible worker in the active fleet.',
                 $dispatchOverdueTasks > 0 => 'One or more ready tasks have waited past the redispatch window without a successful dispatch wake.',
                 default => 'One or more ready tasks still carry an uncleared claim failure.',
             };
         }
 
         return self::check(
             'routing_health',
-            ($compatibilityBlockedRuns > 0 || $dispatchOverdueTasks > 0 || $claimFailedTasks > 0) ? 'warning' : 'ok',
+            ($compatibilityBlocked || $dispatchOverdueTasks > 0 || $claimFailedTasks > 0) ? 'warning' : 'ok',
             $message,
             self::CATEGORY_CORRECTNESS,
             [
@@ -394,6 +406,10 @@ private static function routingHealthCheck(
                 'wake_owner' => $wakeOwner,
                 'task_dispatch_mode' => $taskDispatchMode,
                 'active_worker_scopes' => $activeWorkerScopes,
+                'required_compatibility' => $requiredCompatibility,
+                'active_workers' => $activeWorkers,
+                'active_workers_supporting_required' => $activeWorkersSupportingRequired,
+                'fleet_supports_required' => $fleetSupportsRequired,
             ],
         );
     }
diff --git a/tests/Unit/V2/HealthCheckTest.php b/tests/Unit/V2/HealthCheckTest.php
@@ -810,6 +810,13 @@ public function testSnapshotReportsRoutingHealthOkWhenNoRoutingRisksAreVisible()
         $this->assertSame('queue', $routing['data']['task_dispatch_mode']);
         $this->assertTrue($routing['data']['queue_wake_enabled']);
         $this->assertSame(0, $routing['data']['active_worker_scopes']);
+        // No marker is required (fresh test config) and the fleet has no
+        // heartbeats yet, but `fleet_supports_required` is still true because
+        // the unscoped case never blocks routing.
+        $this->assertNull($routing['data']['required_compatibility']);
+        $this->assertSame(0, $routing['data']['active_workers']);
+        $this->assertSame(0, $routing['data']['active_workers_supporting_required']);
+        $this->assertTrue($routing['data']['fleet_supports_required']);
     }
 
     public function testSnapshotWarnsWhenRoutingHealthSeesCompatibilityDispatchAndClaimDrains(): void
@@ -934,6 +941,81 @@ public function testSnapshotWarnsWhenRoutingHealthSeesCompatibilityDispatchAndCl
         $this->assertSame('dedicated_repair_pass', $routing['data']['wake_owner']);
         $this->assertSame('poll', $routing['data']['task_dispatch_mode']);
         $this->assertSame(0, $routing['data']['active_worker_scopes']);
+        $this->assertNull($routing['data']['required_compatibility']);
+        $this->assertSame(0, $routing['data']['active_workers']);
+        $this->assertSame(0, $routing['data']['active_workers_supporting_required']);
+        $this->assertTrue($routing['data']['fleet_supports_required']);
+    }
+
+    public function testRoutingHealthMessageNamesMissingFleetCoverageWhenCompatibilityBlocksHaveZeroSupportingWorkers(): void
+    {
+        Carbon::setTestNow('2026-04-09 12:00:00');
+        $this->beforeApplicationDestroyed(static function (): void {
+            Carbon::setTestNow();
+        });
+
+        config()->set('queue.default', 'redis');
+        config()->set('queue.connections.redis.driver', 'redis');
+        config()->set('cache.default', 'array');
+        config()->set('cache.stores.array.driver', 'array');
+        config()->set('workflows.v2.compatibility.current', 'release-2026-04-09');
+
+        $instance = WorkflowInstance::query()->create([
+            'id' => 'health-routing-fleet-instance',
+            'workflow_class' => 'WorkflowClass',
+            'workflow_type' => 'workflow.test',
+            'run_count' => 1,
+        ]);
+
+        $run = WorkflowRun::query()->create([
+            'id' => '01JHEALTHROUTINGFLEET0001',
+            'workflow_instance_id' => $instance->id,
+            'run_number' => 1,
+            'workflow_class' => 'WorkflowClass',
+            'workflow_type' => 'workflow.test',
+            'status' => 'running',
+            'compatibility' => 'release-2026-04-09',
+            'started_at' => now()->subMinutes(8),
+            'last_progress_at' => now()->subMinute(),
+        ]);
+
+        $instance->forceFill([
+            'current_run_id' => $run->id,
+        ])->save();
+
+        WorkflowRunSummary::query()->create([
+            'id' => $run->id,
+            'workflow_instance_id' => $instance->id,
+            'run_number' => 1,
+            'is_current_run' => true,
+            'engine_source' => 'v2',
+            'class' => 'WorkflowClass',
+            'workflow_type' => 'workflow.test',
+            'status' => 'running',
+            'status_bucket' => 'running',
+            'compatibility' => 'release-2026-04-09',
+            'started_at' => now()->subMinutes(8),
+            'next_task_at' => now()->subMinutes(5),
+            'liveness_state' => 'workflow_task_waiting_for_compatible_worker',
+            'liveness_reason' => 'No active worker heartbeat advertises the required compatibility marker.',
+            'created_at' => now()->subMinutes(8),
+            'updated_at' => now(),
+        ]);
+
+        $snapshot = HealthCheck::snapshot();
+        $routing = collect($snapshot['checks'])->firstWhere('name', 'routing_health');
+
+        $this->assertNotNull($routing);
+        $this->assertSame('warning', $routing['status']);
+        $this->assertStringContainsString(
+            'no active worker heartbeat advertises the required compatibility marker',
+            $routing['message'],
+        );
+        $this->assertSame('release-2026-04-09', $routing['data']['required_compatibility']);
+        $this->assertSame(0, $routing['data']['active_workers']);
+        $this->assertSame(0, $routing['data']['active_workers_supporting_required']);
+        $this->assertFalse($routing['data']['fleet_supports_required']);
+        $this->assertSame(1, $routing['data']['compatibility_blocked_runs']);
     }
 
     public function testSnapshotClassifiesEveryCheckAsCorrectnessOrAcceleration(): void
diff --git a/tests/Unit/V2/RolloutSafetyDocumentationTest.php b/tests/Unit/V2/RolloutSafetyDocumentationTest.php
@@ -608,6 +608,27 @@ public function testContractDocumentFreezesRoutingHealthWakeOwnerRollup(): void
         );
     }
 
+    public function testContractDocumentFreezesRoutingHealthFleetCoverageRollup(): void
+    {
+        $contents = $this->documentContents();
+
+        $this->assertMatchesRegularExpression(
+            '/`routing_health`[\s\S]{0,1200}`required_compatibility`[\s\S]{0,200}`active_workers`[\s\S]{0,200}`active_workers_supporting_required`[\s\S]{0,200}`fleet_supports_required`/',
+            $contents,
+            'Rollout safety contract must pin the routing_health fleet-coverage rollup quad (required_compatibility, active_workers, active_workers_supporting_required, fleet_supports_required) so operators reading routing_health alone can tell whether a compatibility block reflects "no live worker advertises the required marker" — the canonical fail-closed admission case escalated under DW_V2_FLEET_VALIDATION_MODE=fail — without joining the worker_compatibility check separately.',
+        );
+        $this->assertMatchesRegularExpression(
+            '/`fleet_supports_required` is `true` when no marker is required[\s\S]{0,200}or at least one heartbeat advertises the required\s+marker/i',
+            $contents,
+            'Rollout safety contract must define when fleet_supports_required is true (no marker required, or at least one heartbeat advertises the required marker) so operators can interpret the routing_health convenience boolean unambiguously.',
+        );
+        $this->assertMatchesRegularExpression(
+            '/`compatibility_blocked_runs > 0`[\s\S]{0,200}`fleet_supports_required = false`[\s\S]{0,400}`message`[\s\S]{0,200}missing-coverage/i',
+            $contents,
+            'Rollout safety contract must require the routing_health message to name the missing-coverage case (compatibility_blocked_runs > 0 AND fleet_supports_required = false) explicitly so operators do not have to cross-reference worker_compatibility to understand the block.',
+        );
+    }
+
     public function testContractDocumentFreezesHealthCheckNames(): void
     {
         $contents = $this->documentContents();
