Surface activity timeout-overdue age on operator metrics

Adds `activities.timeout_overdue`, `activities.oldest_timeout_overdue_at`,
and `activities.max_timeout_overdue_age_ms` to `OperatorMetrics::snapshot()`
so operators can read "how long has the worst-case activity been past a
timeout deadline without enforcement?" — the primary stuck-activity
duplicate-risk age indicator on the activity path — from the metric alone
without walking `activity_executions`.

The `timeout_overdue` predicate mirrors
`ActivityTimeoutEnforcer::expiredExecutionIds()` exactly, so the count is
the operator-visible view of the same enforcement backlog: it covers open
activity executions whose `schedule_deadline_at` (Pending),
`close_deadline_at` (Running), `schedule_to_close_deadline_at` (Pending or
Running), or `heartbeat_deadline_at` (Running) has passed and is therefore
waiting for the timeout sweep to act. Sustained non-zero readings indicate
the activity-timeout sweep is lagging or stalled and that worker liveness
via heartbeat or start-to-close has stopped on at least one execution. The
signal is the activity-path counterpart of `tasks.lease_expired` — both
surface stuck work that the corresponding sweep has not yet reclaimed.

Pinned in `docs/architecture/rollout-safety.md` Frozen metric keys table
and asserted by `RolloutSafetyDocumentationTest` (frozen-keys list plus a
dedicated row regex). Covered end-to-end by two new
`V2OperatorMetricsTest` cases that verify the four-deadline predicate
matches the enforcer (each enforcement-relevant deadline and status guard,
status-only-applicable deadline columns excluded, Completed executions
excluded) and that the signal returns to zero when no activity is overdue.

Author: durable-workflow-ops

docs/architecture/rollout-safety.md

@@ -416,6 +416,7 @@ change.
 | `tasks` | `oldest_dispatch_failed_at`, `max_dispatch_failed_age_ms` | earliest `last_dispatch_attempt_at` among dispatch-failed tasks (Ready tasks whose most recent dispatch attempt recorded an uncleared `last_dispatch_error` that has not been superseded by a later successful dispatch) and the largest dispatch-failed age in milliseconds, mirroring the `oldest_claim_failed_at` / `max_claim_failed_age_ms` shape for the claim path so operators can read "how long has the worst-case task been sitting with an uncleared dispatch error?" — the primary transport-failure age indicator on the dispatch path — from the metric alone without walking `workflow_tasks` |
 | `tasks` | `unhealthy`, `oldest_unhealthy_at`, `max_unhealthy_age_ms` | sum of transport failure and lease expiry counts (the primary duplicate-risk indicator), the earliest of `oldest_dispatch_failed_at` / `oldest_claim_failed_at` / `oldest_dispatch_overdue_since` / `oldest_lease_expired_at` (`null` when `unhealthy = 0`), and the largest unhealthy age in milliseconds across those four contributing paths so operators can read "how stale is my worst-case duplicate-risk task overall?" from the metric alone without taking a max over four separate per-path age fields |
 | `activities` | `retrying`, `oldest_retrying_started_at`, `max_retrying_age_ms` | activity executions currently in the retry window (Pending status with `attempt_count > 0`), the earliest `started_at` among them, and the largest retrying age in milliseconds, mirroring the `tasks.oldest_lease_expired_at` / `max_lease_expired_age_ms` shape on the task path so operators can answer "how long has the worst-case activity been chewing retries?" — the primary retry-rate age indicator on the activity path — from the metric alone without walking `activity_executions` |
+| `activities` | `timeout_overdue`, `oldest_timeout_overdue_at`, `max_timeout_overdue_age_ms` | open activity executions whose `schedule_deadline_at` (Pending), `close_deadline_at` (Running), `schedule_to_close_deadline_at`, or `heartbeat_deadline_at` (Running) is `<= $now` and is therefore waiting for `ActivityTimeoutEnforcer` to enforce the timeout, the earliest such expired deadline timestamp across the four enforcement-relevant columns, and the largest overdue age in milliseconds. The `timeout_overdue` predicate mirrors `ActivityTimeoutEnforcer::expiredExecutionIds()` exactly, so the count is the operator-visible view of the same enforcement backlog — the activity-path counterpart of `tasks.lease_expired`. Both surface stuck work that the corresponding sweep has not yet reclaimed; sustained non-zero readings indicate the activity-timeout sweep is lagging or stalled and that worker liveness via heartbeat or start-to-close has stopped on at least one execution. The age data lets operators read "how long has the worst-case activity been past a timeout deadline without enforcement?" — the primary stuck-activity duplicate-risk age indicator on the activity path — from the metric alone without walking `activity_executions` |
 | `backlog` | `runnable_tasks`, `delayed_tasks`, `leased_tasks` | authoritative backlog counts |
 | `backlog` | `unhealthy_tasks`, `repair_needed_runs`, `claim_failed_runs`, `compatibility_blocked_runs` | stuck/blocked roll-ups |
 | `backlog` | `oldest_compatibility_blocked_started_at`, `max_compatibility_blocked_age_ms` | earliest wait-start timestamp among compatibility-blocked runs and the largest blocked age in milliseconds, mirroring the `repair.oldest_missing_run_started_at` / `max_missing_run_age_ms` shape so operators can answer "how stale is the worst mixed-build block?" from the metric alone |

src/V2/Support/OperatorMetrics.php

@@ -206,6 +206,7 @@ private static function backlogMetrics(CarbonInterface $now, ?string $namespace)
     private static function activityMetrics(CarbonInterface $now, ?string $namespace): array
     {
         $oldestRetryingStartedAt = self::oldestRetryingActivityStartedAt($namespace);
+        $oldestTimeoutOverdueAt = self::oldestActivityTimeoutOverdueAt($now, $namespace);
 
         return [
             'open' => self::scopedRunModelQuery(self::activityExecutionModel(), $namespace)
@@ -222,6 +223,11 @@ private static function activityMetrics(CarbonInterface $now, ?string $namespace
             'max_retrying_age_ms' => $oldestRetryingStartedAt === null
                 ? 0
                 : (int) $oldestRetryingStartedAt->diffInMilliseconds($now),
+            'timeout_overdue' => self::timeoutOverdueActivities($now, $namespace),
+            'oldest_timeout_overdue_at' => $oldestTimeoutOverdueAt?->toJSON(),
+            'max_timeout_overdue_age_ms' => $oldestTimeoutOverdueAt === null
+                ? 0
+                : (int) $oldestTimeoutOverdueAt->diffInMilliseconds($now),
             'failed_attempts' => self::scopedRunModelQuery(self::activityAttemptModel(), $namespace)
                 ->where('status', ActivityAttemptStatus::Failed->value)
                 ->count(),
@@ -856,6 +862,115 @@ private static function retryingActivities(?string $namespace): int
             ->count();
     }
 
+    /**
+     * Open activity executions whose schedule-to-start, start-to-close,
+     * schedule-to-close, or heartbeat deadline has passed and is therefore
+     * waiting for `ActivityTimeoutEnforcer` to enforce the timeout.
+     *
+     * The predicate mirrors `ActivityTimeoutEnforcer::expiredExecutionIds()`
+     * exactly so the count is the operator-visible view of the same
+     * sweep backlog: a non-zero value means at least one activity has hit
+     * a deadline that the enforcement pass has not yet acted on. When the
+     * sweep is healthy this count returns to zero between passes; sustained
+     * non-zero readings indicate the activity-timeout sweep is lagging or
+     * stalled and that worker liveness via heartbeat or start-to-close has
+     * stopped on at least one execution. The signal is the activity-path
+     * counterpart of `tasks.lease_expired` — both surface stuck work that
+     * the corresponding sweep has not yet reclaimed.
+     */
+    private static function timeoutOverdueActivities(CarbonInterface $now, ?string $namespace): int
+    {
+        return self::scopedRunModelQuery(self::activityExecutionModel(), $namespace)
+            ->whereIn('status', [ActivityStatus::Pending->value, ActivityStatus::Running->value])
+            ->where(static function ($query) use ($now): void {
+                $query->where(static function ($schedule) use ($now): void {
+                    $schedule->where('status', ActivityStatus::Pending->value)
+                        ->whereNotNull('schedule_deadline_at')
+                        ->where('schedule_deadline_at', '<=', $now);
+                })->orWhere(static function ($close) use ($now): void {
+                    $close->where('status', ActivityStatus::Running->value)
+                        ->whereNotNull('close_deadline_at')
+                        ->where('close_deadline_at', '<=', $now);
+                })->orWhere(static function ($scheduleToClose) use ($now): void {
+                    $scheduleToClose->whereNotNull('schedule_to_close_deadline_at')
+                        ->where('schedule_to_close_deadline_at', '<=', $now);
+                })->orWhere(static function ($heartbeat) use ($now): void {
+                    $heartbeat->where('status', ActivityStatus::Running->value)
+                        ->whereNotNull('heartbeat_deadline_at')
+                        ->where('heartbeat_deadline_at', '<=', $now);
+                });
+            })
+            ->count();
+    }
+
+    /**
+     * Earliest deadline timestamp across activity executions whose
+     * schedule-to-start, start-to-close, schedule-to-close, or heartbeat
+     * deadline has already passed. Rollout-safety surfaces this alongside
+     * `activities.timeout_overdue` so operators can answer "how long has
+     * the worst-case activity been past a timeout deadline without
+     * enforcement?" — the primary stuck-activity duplicate-risk age
+     * indicator on the activity path — from the metric alone, mirroring
+     * the `tasks.oldest_lease_expired_at` / `max_lease_expired_age_ms`
+     * shape on the task path. The earliest expired deadline among the
+     * four enforcement-relevant deadline columns wins.
+     */
+    private static function oldestActivityTimeoutOverdueAt(CarbonInterface $now, ?string $namespace): ?CarbonInterface
+    {
+        return self::earliestTimestamp([
+            self::firstActivityDeadlineAt(
+                $namespace,
+                'schedule_deadline_at',
+                $now,
+                [ActivityStatus::Pending->value],
+            ),
+            self::firstActivityDeadlineAt($namespace, 'close_deadline_at', $now, [ActivityStatus::Running->value]),
+            self::firstActivityDeadlineAt(
+                $namespace,
+                'schedule_to_close_deadline_at',
+                $now,
+                [ActivityStatus::Pending->value, ActivityStatus::Running->value],
+            ),
+            self::firstActivityDeadlineAt(
+                $namespace,
+                'heartbeat_deadline_at',
+                $now,
+                [ActivityStatus::Running->value],
+            ),
+        ]);
+    }
+
+    /**
+     * Earliest expired deadline timestamp on $column among activity
+     * executions in one of $statuses, or null when none are expired. Used
+     * by `oldestActivityTimeoutOverdueAt()` to roll the four
+     * enforcement-relevant deadline columns into a single worst-case age.
+     *
+     * @param  list<string>  $statuses
+     */
+    private static function firstActivityDeadlineAt(
+        ?string $namespace,
+        string $column,
+        CarbonInterface $now,
+        array $statuses,
+    ): ?CarbonInterface {
+        /** @var ActivityExecution|null $execution */
+        $execution = self::scopedRunModelQuery(self::activityExecutionModel(), $namespace)
+            ->whereIn('status', $statuses)
+            ->whereNotNull($column)
+            ->where($column, '<=', $now)
+            ->orderBy($column)
+            ->first();
+
+        if (! $execution instanceof ActivityExecution) {
+            return null;
+        }
+
+        $value = $execution->getAttribute($column);
+
+        return $value instanceof CarbonInterface ? $value : null;
+    }
+
     /**
      * Earliest `started_at` across activity executions currently in the
      * retry window — Pending status with `attempt_count > 0`. Rollout-safety

tests/Feature/V2/V2OperatorMetricsTest.php

@@ -1709,6 +1709,188 @@ public function testSnapshotReportsRetryingActivityAgeAsZeroWhenNoActivitiesAreR
         $this->assertSame(0, $snapshot['activities']['max_retrying_age_ms']);
     }
 
+    public function testSnapshotSurfacesActivityTimeoutOverdueAgeFromEarliestExpiredDeadline(): void
+    {
+        Carbon::setTestNow('2026-04-09 12:00:00');
+        $this->beforeApplicationDestroyed(static function (): void {
+            Carbon::setTestNow();
+        });
+
+        $now = Carbon::now();
+
+        $run = $this->createRunWithSummary(
+            instanceId: 'timeout-overdue-instance',
+            runId: '01JTIMEOUTOVDRUN000000001',
+            status: 'running',
+            statusBucket: 'running',
+            livenessState: 'running',
+        );
+
+        // Worst-case: Pending activity whose schedule_deadline_at expired
+        // 240s ago — earliest expired deadline across the four enforcement
+        // columns, so it wins both the count and the oldest selection.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000001', [
+            'sequence' => 1,
+            'status' => ActivityStatus::Pending->value,
+            'attempt_count' => 0,
+            'started_at' => $now->copy()
+                ->subSeconds(300),
+            'schedule_deadline_at' => $now->copy()
+                ->subSeconds(240),
+        ]);
+
+        // Running activity whose start-to-close (close_deadline_at) expired
+        // 90s ago — counted, but a newer expiry than the worst-case above.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000002', [
+            'sequence' => 2,
+            'status' => ActivityStatus::Running->value,
+            'attempt_count' => 1,
+            'started_at' => $now->copy()
+                ->subSeconds(180),
+            'close_deadline_at' => $now->copy()
+                ->subSeconds(90),
+        ]);
+
+        // Running activity whose heartbeat_deadline_at expired 60s ago —
+        // counted, but newer than 240s and 90s above.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000003', [
+            'sequence' => 3,
+            'status' => ActivityStatus::Running->value,
+            'attempt_count' => 1,
+            'started_at' => $now->copy()
+                ->subSeconds(120),
+            'heartbeat_deadline_at' => $now->copy()
+                ->subSeconds(60),
+        ]);
+
+        // Pending activity whose schedule_to_close_deadline_at expired 30s
+        // ago — counted (schedule_to_close applies to both Pending and
+        // Running), still newer than the worst-case.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000004', [
+            'sequence' => 4,
+            'status' => ActivityStatus::Pending->value,
+            'attempt_count' => 0,
+            'started_at' => null,
+            'schedule_to_close_deadline_at' => $now->copy()
+                ->subSeconds(30),
+        ]);
+
+        // Running activity with deadlines that are all in the future — NOT
+        // counted; the enforcement sweep has nothing to do here.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000005', [
+            'sequence' => 5,
+            'status' => ActivityStatus::Running->value,
+            'attempt_count' => 0,
+            'started_at' => $now->copy()
+                ->subSeconds(15),
+            'close_deadline_at' => $now->copy()
+                ->addSeconds(60),
+            'heartbeat_deadline_at' => $now->copy()
+                ->addSeconds(30),
+        ]);
+
+        // Closed activity whose deadlines are all in the past — Completed
+        // executions are not selected by the enforcer, so they are NOT
+        // counted even with deadlines well in the past.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000006', [
+            'sequence' => 6,
+            'status' => ActivityStatus::Completed->value,
+            'attempt_count' => 1,
+            'started_at' => $now->copy()
+                ->subSeconds(420),
+            'close_deadline_at' => $now->copy()
+                ->subSeconds(360),
+            'closed_at' => $now->copy()
+                ->subSeconds(300),
+        ]);
+
+        // Running activity with a Pending-only deadline (schedule_deadline_at)
+        // expired in the past — schedule_deadline_at only counts when the
+        // status is Pending, so this row is NOT counted by the enforcer
+        // predicate even though the deadline column has an expired value.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000007', [
+            'sequence' => 7,
+            'status' => ActivityStatus::Running->value,
+            'attempt_count' => 1,
+            'started_at' => $now->copy()
+                ->subSeconds(150),
+            'schedule_deadline_at' => $now->copy()
+                ->subSeconds(360),
+        ]);
+
+        // Pending activity with a Running-only deadline (heartbeat_deadline_at)
+        // expired in the past — heartbeat_deadline_at only counts when the
+        // status is Running, so this row is NOT counted by the enforcer
+        // predicate even though the deadline column has an expired value.
+        $this->createActivityExecution($run, '01JTIMEOUTOVDEXEC0000008', [
+            'sequence' => 8,
+            'status' => ActivityStatus::Pending->value,
+            'attempt_count' => 0,
+            'started_at' => null,
+            'heartbeat_deadline_at' => $now->copy()
+                ->subSeconds(360),
+        ]);
+
+        $snapshot = OperatorMetrics::snapshot($now);
+
+        $expectedOldestTimeoutOverdueAt = $now->copy()
+            ->subSeconds(240)
+            ->toJSON();
+
+        $this->assertSame(4, $snapshot['activities']['timeout_overdue']);
+        $this->assertSame($expectedOldestTimeoutOverdueAt, $snapshot['activities']['oldest_timeout_overdue_at']);
+        $this->assertSame(240 * 1000, $snapshot['activities']['max_timeout_overdue_age_ms']);
+    }
+
+    public function testSnapshotReportsActivityTimeoutOverdueAgeAsZeroWhenNoActivityIsOverdue(): void
+    {
+        Carbon::setTestNow('2026-04-09 12:00:00');
+        $this->beforeApplicationDestroyed(static function (): void {
+            Carbon::setTestNow();
+        });
+
+        $now = Carbon::now();
+
+        $run = $this->createRunWithSummary(
+            instanceId: 'timeout-none-instance',
+            runId: '01JTIMEOUTNONERUN00000001',
+            status: 'running',
+            statusBucket: 'running',
+            livenessState: 'running',
+        );
+
+        // Pending activity with no enforcement deadlines yet recorded —
+        // not counted; nothing to enforce.
+        $this->createActivityExecution($run, '01JTIMEOUTNONEEXEC000001', [
+            'sequence' => 1,
+            'status' => ActivityStatus::Pending->value,
+            'attempt_count' => 0,
+            'started_at' => null,
+        ]);
+
+        // Running activity with deadlines safely in the future — not
+        // counted; the enforcement sweep has nothing to do.
+        $this->createActivityExecution($run, '01JTIMEOUTNONEEXEC000002', [
+            'sequence' => 2,
+            'status' => ActivityStatus::Running->value,
+            'attempt_count' => 1,
+            'started_at' => $now->copy()
+                ->subSeconds(15),
+            'close_deadline_at' => $now->copy()
+                ->addSeconds(120),
+            'heartbeat_deadline_at' => $now->copy()
+                ->addSeconds(60),
+            'schedule_to_close_deadline_at' => $now->copy()
+                ->addSeconds(900),
+        ]);
+
+        $snapshot = OperatorMetrics::snapshot($now);
+
+        $this->assertSame(0, $snapshot['activities']['timeout_overdue']);
+        $this->assertNull($snapshot['activities']['oldest_timeout_overdue_at']);
+        $this->assertSame(0, $snapshot['activities']['max_timeout_overdue_age_ms']);
+    }
+
     public function testSnapshotSurfacesMissingRunSummaryProjectionAgeFromOldestMissingRun(): void
     {
         Carbon::setTestNow('2026-04-09 12:00:00');

tests/Unit/V2/RolloutSafetyDocumentationTest.php

@@ -134,6 +134,9 @@ final class RolloutSafetyDocumentationTest extends TestCase
         'max_dispatch_failed_age_ms',
         'oldest_retrying_started_at',
         'max_retrying_age_ms',
+        'timeout_overdue',
+        'oldest_timeout_overdue_at',
+        'max_timeout_overdue_age_ms',
         'unhealthy',
         'oldest_unhealthy_at',
         'max_unhealthy_age_ms',
@@ -413,6 +416,17 @@ public function testContractDocumentFreezesRetryingActivityAgeRow(): void
         );
     }
 
+    public function testContractDocumentFreezesActivityTimeoutOverdueAgeRow(): void
+    {
+        $contents = $this->documentContents();
+
+        $this->assertMatchesRegularExpression(
+            '/\|\s*`activities`\s*\|[^|]*`timeout_overdue`[^|]*`oldest_timeout_overdue_at`[^|]*`max_timeout_overdue_age_ms`/',
+            $contents,
+            'Rollout safety contract must pin the activities timeout-overdue age row so operators can read "how long has the worst-case activity been past a timeout deadline without enforcement?" — the primary stuck-activity duplicate-risk age indicator on the activity path — from OperatorMetrics::snapshot() without walking activity_executions.',
+        );
+    }
+
     public function testContractDocumentFreezesRunSummaryProjectionMissingRunAgeRow(): void
     {
         $contents = $this->documentContents();