Block workflow traffic until bootstrap blockers clear

Block workflow traffic until bootstrap blockers clear

Author: durable-workflow-ops

README.md

@@ -705,6 +705,12 @@ of pretending to be interchangeable HTTP peers. `GET /api/cluster/info`,
 `/api/health`, and `/api/ready` stay available for discovery and liveness even
 on scheduler-only, execution-only, or matching-only nodes.
 
+Those runtime-serving workflow routes also fail closed on bootstrap blockers.
+If database connectivity or workflow-table migrations are not ready, hosted
+workflow and worker-protocol routes return `503` with
+`reason: "workflow_v2_blocked"` plus `blocked_by` and `remediation` instead of
+accepting traffic that depends on an incomplete rollout state.
+
 The same `GET /api/cluster/info` response now includes a versioned
 `coordination_health` manifest for rollout-safety coordination risk. It
 summarizes the current server-wide workflow v2 health status, warning and error

app/Http/Middleware/RequireWorkflowBootstrapReady.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Support\ControlPlaneProtocol;
+use App\Support\ServerReadiness;
+use App\Support\WorkerProtocol;
+use Closure;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class RequireWorkflowBootstrapReady
+{
+    public function __construct(
+        private readonly ServerReadiness $readiness,
+    ) {}
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        $status = $this->readiness->workflowStatus();
+        $blockedBy = is_array($status['blocked_by'] ?? null)
+            ? array_values(array_filter($status['blocked_by'], static fn (mixed $value): bool => is_string($value) && $value !== ''))
+            : [];
+
+        if (($status['status'] ?? null) !== 'blocked' || $blockedBy === []) {
+            return $next($request);
+        }
+
+        return self::error(
+            $request,
+            503,
+            'workflow_v2_blocked',
+            'This node is not ready to serve workflow v2 traffic until bootstrap blockers are cleared.',
+            array_filter([
+                'blocked_by' => $blockedBy,
+                'remediation' => is_string($status['remediation'] ?? null) ? $status['remediation'] : null,
+            ], static fn (mixed $value): bool => $value !== null),
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $extra
+     */
+    private static function error(Request $request, int $status, string $reason, string $message, array $extra = []): JsonResponse
+    {
+        if (WorkerProtocol::isWorkerPlaneRequest($request)) {
+            return WorkerProtocol::json(array_filter([
+                'reason' => $reason,
+                'message' => $message,
+            ] + $extra, static fn (mixed $value): bool => $value !== null), $status);
+        }
+
+        return ControlPlaneProtocol::jsonForRequest($request, array_filter([
+            'reason' => $reason,
+            'message' => $message,
+        ] + $extra, static fn (mixed $value): bool => $value !== null), $status);
+    }
+}

app/Support/RemoteScheduleStarter.php

@@ -16,6 +16,7 @@ final class RemoteScheduleStarter implements ScheduleWorkflowStarter
 {
     public function __construct(
         private readonly WorkflowStartService $startService,
+        private readonly ServerReadiness $readiness,
     ) {}
 
     public function start(
@@ -24,6 +25,20 @@ public function start(
         string $outcome,
         ?string $effectiveOverlapPolicy = null,
     ): ScheduleStartResult {
+        $workflowStatus = $this->readiness->workflowStatus();
+        $blockedBy = is_array($workflowStatus['blocked_by'] ?? null)
+            ? array_values(array_filter($workflowStatus['blocked_by'], static fn (mixed $value): bool => is_string($value) && $value !== ''))
+            : [];
+
+        if (($workflowStatus['status'] ?? null) === 'blocked' && $blockedBy !== []) {
+            throw new WorkflowExecutionUnavailableException(
+                'schedule_start',
+                $schedule->schedule_id,
+                'workflow_v2_blocked',
+                'Workflow v2 bootstrap blockers must clear before scheduled workflows can start.',
+            );
+        }
+
         $action = WorkflowSchedule::normalizeActionTimeouts(
             is_array($schedule->action) ? $schedule->action : [],
         );

routes/api.php

@@ -18,6 +18,7 @@
 use App\Http\Middleware\ControlPlaneVersionResolver;
 use App\Http\Middleware\NamespaceResolver;
 use App\Http\Middleware\RequireRole;
+use App\Http\Middleware\RequireWorkflowBootstrapReady;
 use App\Http\Middleware\RequireTopologyRoles;
 use App\Http\Middleware\WorkerProtocolVersionResolver;
 use Illuminate\Support\Facades\Route;
@@ -51,6 +52,11 @@
 // NamespaceResolver on hosted routes so wrong-node requests fail closed with a
 // machine-readable topology reason without leaking namespace existence.
 //
+// RequireWorkflowBootstrapReady sits in the same slot for runtime-serving
+// workflow routes. It only blocks on explicit database/migration bootstrap
+// blockers so routes fail closed during rollout/schema drift without locking
+// out recovery paths such as compatible worker registration.
+//
 // WorkerProtocolVersionResolver follows the same ordering for worker-plane
 // routes, keeping protocol skew and namespace errors in the worker envelope.
 Route::middleware([Authenticate::class])->group(function () {
@@ -62,6 +68,7 @@
     $cpv = ControlPlaneVersionResolver::class;
     $httpControl = RequireTopologyRoles::class.':api_ingress,control_plane';
     $httpWorker = RequireTopologyRoles::class.':api_ingress,control_plane';
+    $workflowBootstrap = RequireWorkflowBootstrapReady::class;
     $wpv = WorkerProtocolVersionResolver::class;
 
     // ── System ───────────────────────────────────────────────────────
@@ -82,7 +89,7 @@
     });
 
     // ── Workflows ────────────────────────────────────────────────────
-    Route::prefix('workflows')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
+    Route::prefix('workflows')->middleware([$operator, $cpv, $httpControl, $workflowBootstrap, $ns])->group(function () {
         Route::get('/', [WorkflowController::class, 'index']);
         Route::post('/', [WorkflowController::class, 'start']);
         Route::get('/{workflowId}', [WorkflowController::class, 'show']);
@@ -113,12 +120,12 @@
     });
 
     // ── Bridge Adapters ──────────────────────────────────────────────
-    Route::prefix('bridge-adapters')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
+    Route::prefix('bridge-adapters')->middleware([$operator, $cpv, $httpControl, $workflowBootstrap, $ns])->group(function () {
         Route::post('/webhook/{adapter}', [BridgeAdapterController::class, 'webhook']);
     });
 
     // ── Worker Task Polling ──────────────────────────────────────────
-    Route::prefix('worker')->middleware([$worker, $wpv, $httpWorker, $ns])->group(function () {
+    Route::prefix('worker')->middleware([$worker, $wpv, $httpWorker, $workflowBootstrap, $ns])->group(function () {
         // Registration
         Route::post('/register', [WorkerController::class, 'register']);
         Route::post('/heartbeat', [WorkerController::class, 'heartbeat']);

tests/Feature/ScheduleEvaluateTest.php

@@ -223,6 +223,34 @@ public function test_it_records_rollout_safety_start_rejections_as_skips(): void
         $this->assertSame([], $schedule->recent_actions ?? []);
     }
 
+    public function test_it_skips_due_schedules_when_workflow_bootstrap_is_blocked(): void
+    {
+        DB::table('migrations')
+            ->where('migration', '2026_04_21_000300_add_workflow_definition_fingerprints_to_worker_registrations')
+            ->delete();
+
+        WorkflowSchedule::create([
+            'schedule_id' => 'skip-bootstrap-blocked',
+            'namespace' => 'default',
+            'spec' => ['cron_expressions' => ['* * * * *']],
+            'action' => ['workflow_type' => 'TestWorkflow'],
+            'next_fire_at' => now()->subMinute(),
+        ]);
+
+        $this->artisan('schedule:evaluate')
+            ->assertExitCode(0)
+            ->expectsOutputToContain('skipped');
+
+        $schedule = WorkflowSchedule::where('schedule_id', 'skip-bootstrap-blocked')->firstOrFail();
+        $this->assertSame('workflow_v2_blocked', $schedule->last_skip_reason);
+        $this->assertSame(1, (int) $schedule->skipped_trigger_count);
+        $this->assertSame(0, (int) $schedule->fires_count);
+        $this->assertSame(0, (int) $schedule->failures_count);
+        $this->assertNull($schedule->last_fired_at);
+        $this->assertNull($schedule->latest_workflow_instance_id);
+        $this->assertSame([], $schedule->recent_actions ?? []);
+    }
+
     // ── next_fire_at advancement ────────────────────────────────────
 
     public function test_it_advances_next_fire_at_after_successful_fire(): void

tests/Feature/WorkflowBootstrapRouteGatingTest.php

@@ -0,0 +1,142 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature;
+
+use App\Models\WorkflowNamespace;
+use App\Support\ControlPlaneProtocol;
+use App\Support\WorkerProtocol;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+use Workflow\V2\Support\WorkerCompatibilityFleet;
+
+class WorkflowBootstrapRouteGatingTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        config([
+            'server.auth.driver' => 'token',
+            'server.auth.token' => null,
+            'server.auth.role_tokens' => [
+                'worker' => 'worker-token',
+                'operator' => 'operator-token',
+                'admin' => 'admin-token',
+            ],
+            'server.auth.backward_compatible' => true,
+        ]);
+
+        WorkflowNamespace::query()->updateOrCreate(
+            ['name' => 'default'],
+            [
+                'description' => 'Default namespace',
+                'retention_days' => 30,
+                'status' => 'active',
+            ],
+        );
+    }
+
+    public function test_pending_rollout_safety_migrations_block_control_plane_routes(): void
+    {
+        $this->blockWorkflowBootstrap();
+
+        $this->withHeaders($this->controlHeaders('operator-token'))
+            ->getJson('/api/workflows')
+            ->assertStatus(503)
+            ->assertHeader(ControlPlaneProtocol::HEADER, ControlPlaneProtocol::VERSION)
+            ->assertJsonPath('reason', 'workflow_v2_blocked')
+            ->assertJsonPath('blocked_by.0', 'migrations')
+            ->assertJsonPath(
+                'remediation',
+                'Restore database connectivity and migrate the workflow tables before relying on workflow v2 rollout-safety health.',
+            );
+    }
+
+    public function test_pending_rollout_safety_migrations_block_worker_protocol_routes(): void
+    {
+        $this->blockWorkflowBootstrap();
+
+        $this->withHeaders($this->workerHeaders('worker-token'))
+            ->postJson('/api/worker/register', [
+                'worker_id' => 'bootstrap-blocked-worker',
+                'task_queue' => 'default',
+                'runtime' => 'python',
+                'build_id' => 'build-a',
+            ])
+            ->assertStatus(503)
+            ->assertHeader(WorkerProtocol::HEADER, WorkerProtocol::VERSION)
+            ->assertJsonPath('reason', 'workflow_v2_blocked')
+            ->assertJsonPath('blocked_by.0', 'migrations');
+    }
+
+    public function test_bootstrap_gate_runs_before_namespace_resolution_on_hosted_routes(): void
+    {
+        $this->blockWorkflowBootstrap();
+
+        $this->withHeaders($this->controlHeaders('operator-token', 'ghost-namespace'))
+            ->getJson('/api/workflows')
+            ->assertStatus(503)
+            ->assertJsonPath('reason', 'workflow_v2_blocked')
+            ->assertJsonMissing(['reason' => 'namespace_not_found']);
+    }
+
+    public function test_worker_registration_can_recover_fail_mode_compatibility_health(): void
+    {
+        config()->set('queue.default', 'redis');
+        config()->set('queue.connections.redis.driver', 'redis');
+        config()->set('workflows.v2.compatibility.current', 'build-a');
+        config()->set('workflows.v2.compatibility.supported', ['build-a']);
+        config()->set('workflows.v2.fleet.validation_mode', 'fail');
+
+        WorkerCompatibilityFleet::clear();
+
+        $this->withHeaders($this->workerHeaders('worker-token'))
+            ->postJson('/api/worker/register', [
+                'worker_id' => 'build-a-worker',
+                'task_queue' => 'default',
+                'runtime' => 'python',
+                'build_id' => 'build-a',
+            ])
+            ->assertCreated()
+            ->assertHeader(WorkerProtocol::HEADER, WorkerProtocol::VERSION)
+            ->assertJsonPath('worker_id', 'build-a-worker')
+            ->assertJsonPath('registered', true);
+
+        WorkerCompatibilityFleet::clear();
+    }
+
+    private function blockWorkflowBootstrap(): void
+    {
+        \Illuminate\Support\Facades\DB::table('migrations')
+            ->where('migration', '2026_04_21_000300_add_workflow_definition_fingerprints_to_worker_registrations')
+            ->delete();
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function workerHeaders(string $token): array
+    {
+        return [
+            'Authorization' => "Bearer {$token}",
+            'X-Namespace' => 'default',
+            WorkerProtocol::HEADER => WorkerProtocol::VERSION,
+        ];
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function controlHeaders(string $token, string $namespace = 'default'): array
+    {
+        return [
+            'Authorization' => "Bearer {$token}",
+            'X-Namespace' => $namespace,
+            ControlPlaneProtocol::HEADER => ControlPlaneProtocol::VERSION,
+        ];
+    }
+}