feat: Enhance workflow concurrency management with validation and atomicity

Author: octoper

ARCHITECTURE.md

@@ -301,9 +301,12 @@ attempt is persisted individually as a `step_attempt`.
 
 Workers are configured with a concurrency limit (e.g., 10). A worker will
 maintain up to 10 in-flight workflow runs simultaneously. It polls for new work
-only when it has available capacity. The Backend's atomic `dequeue` operation
-(`FOR UPDATE SKIP LOCKED`) ensures that multiple workers can poll the same table
-without race conditions or processing the same run twice.
+only when it has available capacity. Claim atomicity is backend-specific:
+
+- Postgres uses `FOR UPDATE SKIP LOCKED` plus advisory locks for constrained
+  buckets.
+- SQLite uses transaction-level single-writer locking (`BEGIN IMMEDIATE`) to
+  serialize claim writes.
 
 ### 5.3. Workflow-Run Concurrency
 
@@ -327,7 +330,7 @@ defineWorkflow(
 
 `key` and `limit` can each be either static values (`string`/`number`) or
 functions of the validated workflow input. They are resolved once when the run
-is created and persisted on the `workflow_run`.
+is created and persisted on `workflow_runs`.
 Resolved keys are stored verbatim; only empty/all-whitespace keys are rejected.
 
 During claim/dequeue, a run is claimable only when the number of active leased
@@ -341,6 +344,9 @@ is:
 
 `pending`, `sleeping`, and expired-lease `running` runs do not consume
 concurrency slots.
+For active runs in a bucket (`pending`, `running`), the resolved
+`concurrency_limit` is required to be consistent; conflicting limits are
+rejected at run creation.
 
 ### 5.4. Handling Crashes During Parallel Execution
 

packages/docs/docs/workers.mdx

@@ -119,6 +119,8 @@ Only active leased `running` runs consume workflow-concurrency slots.
 Resolved keys are stored verbatim; only empty/all-whitespace keys are rejected.
 Sleeping runs are non-consuming until they are claimed again as actively leased
 `running` runs.
+Within active `pending` and actively leased `running` runs for the same
+workflow+version+key bucket, the resolved `limit` must remain consistent.
 
 ## Heartbeats and Crash Recovery
 
@@ -166,6 +168,8 @@ Workers coordinate through the database:
 - Each workflow run is claimed by exactly one worker at a time
 - Workers use atomic database operations to prevent duplicate processing
 - If a worker crashes, its workflows become available to other workers
+- SQLite relies on transaction-level single-writer locking (`BEGIN IMMEDIATE`)
+  while Postgres uses row locks plus advisory locks for constrained buckets
 
 ## Graceful Shutdown
 

packages/docs/docs/workflows.mdx

@@ -213,6 +213,8 @@ defineWorkflow(
 - key must resolve to a non-empty string
 - limit must resolve to a positive integer
 - resolved keys are stored verbatim; only empty/all-whitespace keys are rejected
+- within active runs (`pending`/`running`) for the same
+  workflow+version+key bucket, `limit` must remain consistent
 
 When concurrency is configured, runs in the same bucket are constrained by:
 

packages/openworkflow/README.md

@@ -98,6 +98,8 @@ Keys are stored verbatim (for example, `" foo "` and `"foo"` are different
 concurrency keys); only empty or all-whitespace keys are rejected.
 Sleeping runs do not consume workflow-concurrency slots until they are claimed
 again as actively leased `running` runs.
+For a given active bucket (`workflow + version + key`), the resolved `limit`
+must stay consistent across `pending`/`running` runs.
 
 ## Documentation
 

packages/openworkflow/backend-concurrency.ts

@@ -0,0 +1,114 @@
+import type { CreateWorkflowRunParams } from "./backend.js";
+
+const INVALID_CONCURRENCY_KEY_TYPE_ERROR =
+  'Invalid workflow concurrency metadata: "concurrencyKey" must be a string or null.';
+export const INVALID_CONCURRENCY_KEY_VALUE_ERROR =
+  'Invalid workflow concurrency metadata: "concurrencyKey" must be a non-empty string when provided.';
+const INVALID_CONCURRENCY_LIMIT_TYPE_ERROR =
+  'Invalid workflow concurrency metadata: "concurrencyLimit" must be a number or null.';
+export const INVALID_CONCURRENCY_LIMIT_VALUE_ERROR =
+  'Invalid workflow concurrency metadata: "concurrencyLimit" must be a positive integer or null.';
+const INVALID_CONCURRENCY_PAIR_ERROR =
+  'Invalid workflow concurrency metadata: "concurrencyKey" and "concurrencyLimit" must both be null or both be set.';
+export const CONCURRENCY_LIMIT_MISMATCH_ERROR =
+  'Invalid workflow concurrency metadata: active runs in the same bucket must use the same "concurrencyLimit".';
+
+/**
+ * Bucket identity for workflow-level concurrency.
+ */
+export interface ConcurrencyBucket {
+  workflowName: string;
+  version: string | null;
+  key: string;
+  limit: number;
+}
+
+/**
+ * Normalize and validate workflow concurrency metadata passed to create calls.
+ * This protects direct backend callers that bypass client-side validation.
+ * @param params - Workflow run creation params
+ * @returns Params with normalized concurrency fields
+ * @throws {Error} When concurrency metadata has invalid shape or values
+ */
+export function normalizeCreateWorkflowRunParams(
+  params: CreateWorkflowRunParams,
+): CreateWorkflowRunParams {
+  const rawParams = params as unknown as Record<string, unknown>;
+  const rawConcurrencyKey = rawParams["concurrencyKey"];
+  const rawConcurrencyLimit = rawParams["concurrencyLimit"];
+
+  if (rawConcurrencyKey === undefined && rawConcurrencyLimit === undefined) {
+    return {
+      ...params,
+      concurrencyKey: null,
+      concurrencyLimit: null,
+    };
+  }
+
+  if (
+    rawConcurrencyKey !== undefined &&
+    rawConcurrencyKey !== null &&
+    typeof rawConcurrencyKey !== "string"
+  ) {
+    throw new Error(INVALID_CONCURRENCY_KEY_TYPE_ERROR);
+  }
+
+  if (
+    rawConcurrencyLimit !== undefined &&
+    rawConcurrencyLimit !== null &&
+    typeof rawConcurrencyLimit !== "number"
+  ) {
+    throw new Error(INVALID_CONCURRENCY_LIMIT_TYPE_ERROR);
+  }
+
+  const concurrencyKey =
+    rawConcurrencyKey === undefined ? null : rawConcurrencyKey;
+  const concurrencyLimit =
+    rawConcurrencyLimit === undefined ? null : rawConcurrencyLimit;
+
+  if ((concurrencyKey === null) !== (concurrencyLimit === null)) {
+    throw new Error(INVALID_CONCURRENCY_PAIR_ERROR);
+  }
+
+  if (
+    typeof concurrencyKey === "string" &&
+    concurrencyKey.trim().length === 0
+  ) {
+    throw new Error(INVALID_CONCURRENCY_KEY_VALUE_ERROR);
+  }
+
+  if (
+    typeof concurrencyLimit === "number" &&
+    (!Number.isFinite(concurrencyLimit) ||
+      !Number.isInteger(concurrencyLimit) ||
+      concurrencyLimit <= 0)
+  ) {
+    throw new Error(INVALID_CONCURRENCY_LIMIT_VALUE_ERROR);
+  }
+
+  return {
+    ...params,
+    concurrencyKey,
+    concurrencyLimit,
+  };
+}
+
+/**
+ * Return bucket identity for constrained runs, otherwise null.
+ * @param params - Normalized workflow run creation params
+ * @returns Concurrency bucket or null for unconstrained runs
+ */
+export function toConcurrencyBucket(
+  params: CreateWorkflowRunParams,
+): ConcurrencyBucket | null {
+  if (params.concurrencyKey === null || params.concurrencyLimit === null) {
+    return null;
+  }
+
+  return {
+    workflowName: params.workflowName,
+    version: params.version,
+    key: params.concurrencyKey,
+    limit: params.concurrencyLimit,
+  };
+}