Reject ambiguous workflow command retry and timeout scopes

durable-workflow-ops · durable-workflow-ops · commit 4568aa5a8812 · 2026-04-22T10:44:32.000Z
Reject ambiguous retry timeout command scopes
diff --git a/README.md b/README.md
@@ -476,6 +476,18 @@ curl "$SERVER/api/workflows/order-42/runs/abc123/history" \
 | `record_version_marker` | No | Record a version marker |
 | `upsert_search_attributes` | No | Update search attributes |
 
+Retry and timeout fields are scoped to the command layer they control.
+`schedule_activity` accepts activity `retry_policy`,
+`start_to_close_timeout`, `schedule_to_start_timeout`,
+`schedule_to_close_timeout`, and `heartbeat_timeout`; heartbeat, start, and
+schedule-to-start budgets cannot exceed schedule-to-close or start-to-close
+where those outer budgets are present. `start_child_workflow` accepts child
+workflow `retry_policy`, `execution_timeout_seconds`, and
+`run_timeout_seconds`; the run timeout cannot exceed the execution timeout.
+`non_retryable` is only a failure outcome flag on `fail_workflow` and
+`fail_update`. HTTP transport retry policy is configured by clients outside the
+workflow-task command payload.
+
 ## API Overview
 
 ### System
diff --git a/app/Http/Controllers/Api/WorkerController.php b/app/Http/Controllers/Api/WorkerController.php
@@ -13,6 +13,7 @@
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Str;
+use Illuminate\Validation\ValidationException;
 use Workflow\V2\Contracts\WorkflowTaskBridge;
 use Workflow\V2\Exceptions\StructuralLimitExceededException;
 use Workflow\V2\Models\WorkflowTask;
@@ -487,6 +488,8 @@ public function completeWorkflowTask(Request $request, string $taskId): JsonResp
             'commands.*.timeout_seconds' => ['nullable', 'integer', 'min:0'],
         ]);
 
+        $this->validateWorkflowTaskCommandScopes($validated['commands']);
+
         if ($response = $this->guardWorkflowTaskOwnership(
             $request,
             $namespace,
@@ -529,6 +532,122 @@ public function completeWorkflowTask(Request $request, string $taskId): JsonResp
         ], $this->workflowOutcomeStatus($outcome['reason']));
     }
 
+    /**
+     * @param  list<array<string, mixed>>  $commands
+     *
+     * @throws ValidationException
+     */
+    private function validateWorkflowTaskCommandScopes(array $commands): void
+    {
+        $errors = [];
+
+        foreach ($commands as $index => $command) {
+            $type = $command['type'] ?? null;
+
+            if (! is_string($type)) {
+                continue;
+            }
+
+            if ($this->hasCommandValue($command, 'retry_policy')
+                && ! in_array($type, ['schedule_activity', 'start_child_workflow'], true)
+            ) {
+                $errors["commands.{$index}.retry_policy"][] =
+                    'retry_policy is only supported for schedule_activity and start_child_workflow commands.';
+            }
+
+            foreach (['start_to_close_timeout', 'schedule_to_start_timeout', 'schedule_to_close_timeout', 'heartbeat_timeout'] as $field) {
+                if ($this->hasCommandValue($command, $field) && $type !== 'schedule_activity') {
+                    $errors["commands.{$index}.{$field}"][] =
+                        "{$field} is only supported for schedule_activity commands.";
+                }
+            }
+
+            foreach (['execution_timeout_seconds', 'run_timeout_seconds'] as $field) {
+                if ($this->hasCommandValue($command, $field) && $type !== 'start_child_workflow') {
+                    $errors["commands.{$index}.{$field}"][] =
+                        "{$field} is only supported for start_child_workflow commands.";
+                }
+            }
+
+            if ($this->hasCommandValue($command, 'non_retryable')
+                && ! in_array($type, ['fail_workflow', 'fail_update'], true)
+            ) {
+                $errors["commands.{$index}.non_retryable"][] =
+                    'non_retryable is only supported for fail_workflow and fail_update commands.';
+            }
+
+            if ($type === 'schedule_activity') {
+                $this->validateActivityTimeoutEnvelope($command, $index, $errors);
+            }
+
+            if ($type === 'start_child_workflow') {
+                $this->validateChildWorkflowTimeoutEnvelope($command, $index, $errors);
+            }
+        }
+
+        if ($errors !== []) {
+            throw ValidationException::withMessages($errors);
+        }
+    }
+
+    /**
+     * @param  array<string, mixed>  $command
+     */
+    private function hasCommandValue(array $command, string $field): bool
+    {
+        return array_key_exists($field, $command) && $command[$field] !== null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $command
+     * @param  array<string, list<string>>  $errors
+     */
+    private function validateActivityTimeoutEnvelope(array $command, int $index, array &$errors): void
+    {
+        $startToClose = $this->optionalCommandInt($command, 'start_to_close_timeout');
+        $scheduleToStart = $this->optionalCommandInt($command, 'schedule_to_start_timeout');
+        $scheduleToClose = $this->optionalCommandInt($command, 'schedule_to_close_timeout');
+        $heartbeat = $this->optionalCommandInt($command, 'heartbeat_timeout');
+
+        if ($heartbeat !== null && $startToClose !== null && $heartbeat > $startToClose) {
+            $errors["commands.{$index}.heartbeat_timeout"][] =
+                'heartbeat_timeout cannot exceed start_to_close_timeout.';
+        }
+
+        if ($startToClose !== null && $scheduleToClose !== null && $startToClose > $scheduleToClose) {
+            $errors["commands.{$index}.start_to_close_timeout"][] =
+                'start_to_close_timeout cannot exceed schedule_to_close_timeout.';
+        }
+
+        if ($scheduleToStart !== null && $scheduleToClose !== null && $scheduleToStart > $scheduleToClose) {
+            $errors["commands.{$index}.schedule_to_start_timeout"][] =
+                'schedule_to_start_timeout cannot exceed schedule_to_close_timeout.';
+        }
+    }
+
+    /**
+     * @param  array<string, mixed>  $command
+     * @param  array<string, list<string>>  $errors
+     */
+    private function validateChildWorkflowTimeoutEnvelope(array $command, int $index, array &$errors): void
+    {
+        $executionTimeout = $this->optionalCommandInt($command, 'execution_timeout_seconds');
+        $runTimeout = $this->optionalCommandInt($command, 'run_timeout_seconds');
+
+        if ($executionTimeout !== null && $runTimeout !== null && $runTimeout > $executionTimeout) {
+            $errors["commands.{$index}.run_timeout_seconds"][] =
+                'run_timeout_seconds cannot exceed execution_timeout_seconds.';
+        }
+    }
+
+    /**
+     * @param  array<string, mixed>  $command
+     */
+    private function optionalCommandInt(array $command, string $field): ?int
+    {
+        return is_int($command[$field] ?? null) ? $command[$field] : null;
+    }
+
     /**
      * Heartbeat a claimed workflow task to extend its lease.
      */
diff --git a/tests/Feature/WorkerProtocolContractTest.php b/tests/Feature/WorkerProtocolContractTest.php
@@ -104,6 +104,109 @@ public function test_workflow_task_command_validation_errors_use_worker_protocol
         );
     }
 
+    /**
+     * @param  array<string, mixed>  $command
+     */
+    #[DataProvider('invalidWorkflowTaskCommandScopeProvider')]
+    public function test_workflow_task_command_rejects_retry_and_timeout_fields_outside_their_scope(
+        array $command,
+        string $errorField,
+        string $expectedMessage,
+    ): void {
+        $response = $this->withHeaders($this->workerHeaders() + [
+            ControlPlaneProtocol::HEADER => ControlPlaneProtocol::VERSION,
+        ])->postJson('/api/worker/workflow-tasks/missing-task/complete', [
+            'lease_owner' => 'command-scope-worker',
+            'workflow_task_attempt' => 1,
+            'commands' => [$command],
+        ]);
+
+        $response->assertStatus(422)
+            ->assertHeader(WorkerProtocol::HEADER, WorkerProtocol::VERSION)
+            ->assertHeaderMissing(ControlPlaneProtocol::HEADER)
+            ->assertJsonPath('protocol_version', WorkerProtocol::VERSION)
+            ->assertJsonPath('reason', 'validation_failed')
+            ->assertJsonMissingPath('control_plane');
+
+        $this->assertSame(
+            $expectedMessage,
+            $response->json('validation_errors')[$errorField][0] ?? null,
+        );
+    }
+
+    /**
+     * @return array<string, array{command: array<string, mixed>, errorField: string, expectedMessage: string}>
+     */
+    public static function invalidWorkflowTaskCommandScopeProvider(): array
+    {
+        return [
+            'retry policy on completion' => [
+                'command' => [
+                    'type' => 'complete_workflow',
+                    'retry_policy' => ['max_attempts' => 2],
+                ],
+                'errorField' => 'commands.0.retry_policy',
+                'expectedMessage' => 'retry_policy is only supported for schedule_activity and start_child_workflow commands.',
+            ],
+            'activity timeout on child command' => [
+                'command' => [
+                    'type' => 'start_child_workflow',
+                    'workflow_type' => 'tests.external-child-workflow',
+                    'start_to_close_timeout' => 30,
+                ],
+                'errorField' => 'commands.0.start_to_close_timeout',
+                'expectedMessage' => 'start_to_close_timeout is only supported for schedule_activity commands.',
+            ],
+            'child timeout on activity command' => [
+                'command' => [
+                    'type' => 'schedule_activity',
+                    'activity_type' => 'tests.external-activity',
+                    'run_timeout_seconds' => 30,
+                ],
+                'errorField' => 'commands.0.run_timeout_seconds',
+                'expectedMessage' => 'run_timeout_seconds is only supported for start_child_workflow commands.',
+            ],
+            'non retryable on completion' => [
+                'command' => [
+                    'type' => 'complete_workflow',
+                    'non_retryable' => true,
+                ],
+                'errorField' => 'commands.0.non_retryable',
+                'expectedMessage' => 'non_retryable is only supported for fail_workflow and fail_update commands.',
+            ],
+            'heartbeat exceeds start to close' => [
+                'command' => [
+                    'type' => 'schedule_activity',
+                    'activity_type' => 'tests.external-activity',
+                    'start_to_close_timeout' => 10,
+                    'heartbeat_timeout' => 30,
+                ],
+                'errorField' => 'commands.0.heartbeat_timeout',
+                'expectedMessage' => 'heartbeat_timeout cannot exceed start_to_close_timeout.',
+            ],
+            'schedule to start exceeds schedule to close' => [
+                'command' => [
+                    'type' => 'schedule_activity',
+                    'activity_type' => 'tests.external-activity',
+                    'schedule_to_start_timeout' => 60,
+                    'schedule_to_close_timeout' => 30,
+                ],
+                'errorField' => 'commands.0.schedule_to_start_timeout',
+                'expectedMessage' => 'schedule_to_start_timeout cannot exceed schedule_to_close_timeout.',
+            ],
+            'child run exceeds execution' => [
+                'command' => [
+                    'type' => 'start_child_workflow',
+                    'workflow_type' => 'tests.external-child-workflow',
+                    'execution_timeout_seconds' => 60,
+                    'run_timeout_seconds' => 120,
+                ],
+                'errorField' => 'commands.0.run_timeout_seconds',
+                'expectedMessage' => 'run_timeout_seconds cannot exceed execution_timeout_seconds.',
+            ],
+        ];
+    }
+
     /**
      * @return array<string, array{path: string, body: array<string, mixed>, errorFields: list<string>}>
      */
