[world-postgres, world-local] Fix TOCTOU races in entity state transitions by pranaygp · Pull Request #1434 · vercel/workflow

pranaygp · 2026-03-18T07:34:20Z

Summary

Add atomic terminal-state guards to all entity update operations across both postgres and local worlds to match the Vercel world's DynamoDB conditional expressions. Previously, several updates had no atomic guard on status, allowing concurrent requests to bypass TOCTOU pre-validation and corrupt the event log.

Root cause

The postgres world's entity UPDATEs were not atomic with respect to state validation. Pre-validation would SELECT the current status, check it, then proceed to an unconditional UPDATE — a classic TOCTOU (time-of-check-time-of-use) race.

When multiple webhook hook_received events triggered concurrent workflow continuations that each queued the same step, two Graphile Worker jobs could execute simultaneously:

Handler A: step_started → execute step → step_completed (sets status to completed)
Handler B: step_started validation reads step as running (passes) → unconditional UPDATE reverts status from completed back to running → executes step again → step_completed succeeds (status was running)
Replay finds two step_completed events for one step → second is unconsumed → CORRUPTED_EVENT_LOG

Postgres world changes

Add conditional WHERE clauses to all entity UPDATEs:

Event	Before	After
`step_started`	No guard	`NOT IN (completed, failed, cancelled)`
`step_completed`	Missing `cancelled`	`NOT IN (completed, failed, cancelled)`
`step_failed`	Missing `cancelled`	`NOT IN (completed, failed, cancelled)`
`step_retrying`	No guard	`NOT IN (completed, failed, cancelled)`
`run_completed`	No guard	`NOT IN (completed, failed, cancelled)`
`run_failed`	No guard	`NOT IN (completed, failed, cancelled)`
`run_cancelled`	No guard	`NOT IN (completed, failed, cancelled)`
`wait_completed`	Already correct	No change

Local world changes

step_completed / step_failed: Use writeExclusive lock file to atomically prevent concurrent duplicate terminal transitions
step_started: Check for terminal lock file before allowing start
wait_completed: Use writeExclusive lock (same pattern as PR Fix concurrent wait_completed race condition in world-local #1388)
isStepTerminal: Include cancelled status

Tests added

Concurrent step_completed race (exactly one succeeds, one gets 409)
Concurrent step_failed race
step_started rejection after concurrent step_completed
Concurrent wait_completed race

Test plan

pnpm build passes
All 465 core unit tests pass
All 121 local world storage tests pass (including 4 new concurrent race tests)
All postgres world unit tests pass
E2E local postgres tests pass (previously flaky webhookWorkflow test)

Closes #1388

🤖 Generated with Claude Code

The step_started UPDATE had no conditional guard on step status, allowing a concurrent execution to revert a completed step back to 'running'. This caused duplicate step_completed events, triggering CORRUPTED_EVENT_LOG. Add notInArray guard to match the existing pattern on step_completed and the DynamoDB conditional expression used in the Vercel world. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

changeset-bot · 2026-03-18T07:34:25Z

🦋 Changeset detected

Latest commit: 6f0f64a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages

Name	Type
@workflow/world-postgres	Patch
@workflow/world-local	Patch
@workflow/cli	Patch
@workflow/core	Patch
@workflow/vitest	Patch
workflow	Patch
@workflow/world-testing	Patch
@workflow/builders	Patch
@workflow/next	Patch
@workflow/nitro	Patch
@workflow/web-shared	Patch
@workflow/ai	Patch
@workflow/astro	Patch
@workflow/nest	Patch
@workflow/rollup	Patch
@workflow/sveltekit	Patch
@workflow/vite	Patch
@workflow/nuxt	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel · 2026-03-18T07:34:26Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
example-nextjs-workflow-turbopack	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
example-nextjs-workflow-webpack	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
example-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-astro-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-express-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-fastify-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-hono-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-nitro-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-nuxt-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-sveltekit-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workbench-vite-workflow	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workflow-docs	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workflow-nest	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am
workflow-swc-playground	Ready	Preview, Comment, Open in v0	Mar 18, 2026 7:53am

github-actions · 2026-03-18T07:34:30Z

🧪 E2E Test Results

❌ Some tests failed

Summary

	Passed	Failed	Skipped	Total
❌ ▲ Vercel Production	756	2	67	825
❌ 💻 Local Development	722	60	118	900
❌ 📦 Local Production	722	60	118	900
✅ 🐘 Local Postgres	782	0	118	900
❌ 🪟 Windows	67	5	3	75
❌ 🌍 Community Worlds	118	56	15	189
❌ 📋 Other	188	10	27	225
Total	3355	193	466	4014

❌ Failed Tests

▲ Vercel Production (2 failed)

astro (1 failed):

stepFunctionAsStartArgWorkflow - step function reference passed as start() argument | wrun_01KKZZ8A37Q362SM09E6FCGYRH | 🔍 observability

hono (1 failed):

hookDisposeTestWorkflow - hook token reuse after explicit disposal while workflow still running | wrun_01KKZZ50WZCQ5X0RJ8SC4DV7G3 | 🔍 observability

💻 Local Development (60 failed)

astro-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

express-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

fastify-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

hono-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-turbopack-canary (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-turbopack-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-webpack-canary (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-webpack-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nitro-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nuxt-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

sveltekit-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

vite-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

📦 Local Production (60 failed)

astro-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

express-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

fastify-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

hono-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-turbopack-canary (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-turbopack-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-webpack-canary (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nextjs-webpack-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nitro-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

nuxt-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

sveltekit-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

vite-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

🪟 Windows (5 failed)

nextjs-turbopack (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

🌍 Community Worlds (56 failed)

mongodb (3 failed):

hookWorkflow is not resumable via public webhook endpoint | wrun_01KKZYYSPZ9PZCKG3WB5Q08JP4
webhookWorkflow | wrun_01KKZYZ2F1Z5QE0J4N9ZP0EVZ2
concurrent hook token conflict - two workflows cannot use the same hook token simultaneously | wrun_01KKZZ4D70BW3JYDP0ZFN07BBV

redis (2 failed):

hookWorkflow is not resumable via public webhook endpoint | wrun_01KKZYYSPZ9PZCKG3WB5Q08JP4
concurrent hook token conflict - two workflows cannot use the same hook token simultaneously | wrun_01KKZZ4D70BW3JYDP0ZFN07BBV

turso (51 failed):

addTenWorkflow | wrun_01KKZYXHYN9MWBXJMSDY5B9N3H
addTenWorkflow | wrun_01KKZYXHYN9MWBXJMSDY5B9N3H
wellKnownAgentWorkflow (.well-known/agent) | wrun_01KKZYZ3T2S5AKBWK04AYMFPCV
should work with react rendering in step
promiseAllWorkflow | wrun_01KKZYXSV6NSGKC9RT1GD8EJF9
promiseRaceWorkflow | wrun_01KKZYXZKPZQ0RS9YW6F6B5SKK
promiseAnyWorkflow | wrun_01KKZYY1VW9QVF31XE0XJ1AN6F
importedStepOnlyWorkflow | wrun_01KKZYZK51E8NTSSAMEPVE6MH3
hookWorkflow | wrun_01KKZYYF4SSZJFKK3C8CNSG3TZ
hookWorkflow is not resumable via public webhook endpoint | wrun_01KKZYYSPZ9PZCKG3WB5Q08JP4
webhookWorkflow | wrun_01KKZYZ2F1Z5QE0J4N9ZP0EVZ2
sleepingWorkflow | wrun_01KKZYZCJJT0BMQ62WD7RT5HBN
parallelSleepWorkflow | wrun_01KKZYZS4T172GCRVKJ5J578YM
nullByteWorkflow | wrun_01KKZYZWE9XRMAXYE52FHQJKYG
workflowAndStepMetadataWorkflow | wrun_01KKZYZYHNEZVD9HG5JYN2MSJ7
fetchWorkflow | wrun_01KKZZ0VDWN7XJFY4GZQ4MD986
promiseRaceStressTestWorkflow | wrun_01KKZZ0YSG812Q9SY4JBNRWC0Y
error handling error propagation workflow errors nested function calls preserve message and stack trace
error handling error propagation workflow errors cross-file imports preserve message and stack trace
error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
error handling retry behavior RetryableError respects custom retryAfter delay
error handling retry behavior maxRetries=0 disables retries
error handling catchability FatalError can be caught and detected with FatalError.is()
hookCleanupTestWorkflow - hook token reuse after workflow completion | wrun_01KKZZ3S4N9DDSM20XWSMHK8VA
concurrent hook token conflict - two workflows cannot use the same hook token simultaneously | wrun_01KKZZ4D70BW3JYDP0ZFN07BBV
hookDisposeTestWorkflow - hook token reuse after explicit disposal while workflow still running | wrun_01KKZZ50WZCQ5X0RJ8SC4DV7G3
stepFunctionPassingWorkflow - step function references can be passed as arguments (without closure vars) | wrun_01KKZZ5MFJA5QPJE013BTA6NRQ
stepFunctionWithClosureWorkflow - step function with closure variables passed as argument | wrun_01KKZZ5XA33T79C66H7QG6HP5D
closureVariableWorkflow - nested step functions with closure variables | wrun_01KKZZ62RYQENP41VTRHMJGETA
spawnWorkflowFromStepWorkflow - spawning a child workflow using start() inside a step | wrun_01KKZZ64XPYG7X1E2V3XDPB5N1
health check (queue-based) - workflow and step endpoints respond to health check messages
pathsAliasWorkflow - TypeScript path aliases resolve correctly | wrun_01KKZZ6K2MET0H6YMWRH74NH00
Calculator.calculate - static workflow method using static step methods from another class | wrun_01KKZZ6RPEQKQD5MVRZMJAZBWD
AllInOneService.processNumber - static workflow method using sibling static step methods | wrun_01KKZZ6Y379RF2JB034Z3FYX4A
ChainableService.processWithThis - static step methods using this to reference the class | wrun_01KKZZ74K4N302RSHJE5FBJVXR
thisSerializationWorkflow - step function invoked with .call() and .apply() | wrun_01KKZZ7A56M40NT80Q9JWJ6EY0
customSerializationWorkflow - custom class serialization with WORKFLOW_SERIALIZE/WORKFLOW_DESERIALIZE | wrun_01KKZZ7GV0Z3AY26GRMA40AT30
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4
crossContextSerdeWorkflow - classes defined in step code are deserializable in workflow context | wrun_01KKZZ828CZAB5V8N09Z0K58EH
stepFunctionAsStartArgWorkflow - step function reference passed as start() argument | wrun_01KKZZ8A37Q362SM09E6FCGYRH
cancelRun - cancelling a running workflow | wrun_01KKZZ8GKP5Z7CDZHJN6JJYYP2
cancelRun via CLI - cancelling a running workflow | wrun_01KKZZ8SW7B0ET60KFBKT7RZ8F
pages router addTenWorkflow via pages router
pages router promiseAllWorkflow via pages router
pages router sleepingWorkflow via pages router
hookWithSleepWorkflow - hook payloads delivered correctly with concurrent sleep | wrun_01KKZZ95XB7Z6YJ4GNVKB6NG5W
sleepInLoopWorkflow - sleep inside loop with steps actually delays each iteration | wrun_01KKZZ9SGCWP6D57ZKVGN9HS8M
sleepWithSequentialStepsWorkflow - sequential steps work with concurrent sleep (control) | wrun_01KKZZA3TB7MMGE5T3R6A3TM0B

📋 Other (10 failed)

e2e-local-dev-nest-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

e2e-local-prod-nest-stable (5 failed):

error handling error propagation step errors basic step error preserves message and stack trace
error handling error propagation step errors cross-file step error preserves message and function names in stack
error handling retry behavior regular Error retries until success
error handling retry behavior FatalError fails immediately without retries
instanceMethodStepWorkflow - instance methods with "use step" directive | wrun_01KKZZ7QEAE2BEZ5QDNX14D3N4

Details by Category

❌ ▲ Vercel Production

App	Passed	Failed	Skipped
❌ astro	67	1	7
✅ example	68	0	7
✅ express	68	0	7
✅ fastify	68	0	7
❌ hono	67	1	7
✅ nextjs-turbopack	73	0	2
✅ nextjs-webpack	73	0	2
✅ nitro	68	0	7
✅ nuxt	68	0	7
✅ sveltekit	68	0	7
✅ vite	68	0	7

❌ 💻 Local Development

App	Passed	Failed	Skipped
❌ astro-stable	61	5	9
❌ express-stable	61	5	9
❌ fastify-stable	61	5	9
❌ hono-stable	61	5	9
❌ nextjs-turbopack-canary	50	5	20
❌ nextjs-turbopack-stable	67	5	3
❌ nextjs-webpack-canary	50	5	20
❌ nextjs-webpack-stable	67	5	3
❌ nitro-stable	61	5	9
❌ nuxt-stable	61	5	9
❌ sveltekit-stable	61	5	9
❌ vite-stable	61	5	9

❌ 📦 Local Production

App	Passed	Failed	Skipped
❌ astro-stable	61	5	9
❌ express-stable	61	5	9
❌ fastify-stable	61	5	9
❌ hono-stable	61	5	9
❌ nextjs-turbopack-canary	50	5	20
❌ nextjs-turbopack-stable	67	5	3
❌ nextjs-webpack-canary	50	5	20
❌ nextjs-webpack-stable	67	5	3
❌ nitro-stable	61	5	9
❌ nuxt-stable	61	5	9
❌ sveltekit-stable	61	5	9
❌ vite-stable	61	5	9

✅ 🐘 Local Postgres

App	Passed	Skipped
✅ astro-stable	66	9
✅ express-stable	66	9
✅ fastify-stable	66	9
✅ hono-stable	66	9
✅ nextjs-turbopack-canary	55	20
✅ nextjs-turbopack-stable	72	3
✅ nextjs-webpack-canary	55	20
✅ nextjs-webpack-stable	72	3
✅ nitro-stable	66	9
✅ nuxt-stable	66	9
✅ sveltekit-stable	66	9
✅ vite-stable	66	9

❌ 🪟 Windows

App	Passed	Failed	Skipped
❌ nextjs-turbopack	67	5	3

❌ 🌍 Community Worlds

App	Passed	Failed	Skipped
✅ mongodb-dev	3	0	2
❌ mongodb	52	3	3
✅ redis-dev	3	0	2
❌ redis	53	2	3
✅ turso-dev	3	0	2
❌ turso	4	51	3

❌ 📋 Other

App	Passed	Failed	Skipped
❌ e2e-local-dev-nest-stable	61	5	9
✅ e2e-local-postgres-nest-stable	66	0	9
❌ e2e-local-prod-nest-stable	61	5	9

📋 View full workflow run

❌ Some E2E test jobs failed:

Vercel Prod: failure
Local Dev: failure
Local Prod: failure
Local Postgres: success
Windows: failure

Check the workflow run for details.

github-actions · 2026-03-18T07:34:30Z

📊 Benchmark Results

📈 Comparing against baseline from main branch. Green 🟢 = faster, Red 🔺 = slower.

workflow with no steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
💻 Local	🥇 Express	0.039s (-9.6% 🟢)	1.006s (~)	0.967s	10	1.00x
💻 Local	Nitro	0.045s (-5.2% 🟢)	1.005s (~)	0.960s	10	1.15x
💻 Local	Next.js (Turbopack)	0.049s	1.005s	0.956s	10	1.24x
🌐 Redis	Next.js (Turbopack)	0.055s	1.005s	0.950s	10	1.40x
🐘 Postgres	Nitro	0.056s (-13.7% 🟢)	1.012s (~)	0.955s	10	1.43x
🐘 Postgres	Next.js (Turbopack)	0.057s	1.011s	0.954s	10	1.46x
🐘 Postgres	Express	0.063s (+26.5% 🔺)	1.011s (~)	0.947s	10	1.60x
🌐 MongoDB	Next.js (Turbopack)	0.121s	1.008s	0.887s	10	3.08x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	0.418s (-13.3% 🟢)	2.284s (-5.2% 🟢)	1.866s	10	1.00x
▲ Vercel	Express	0.484s (-2.6%)	2.284s (-13.2% 🟢)	1.800s	10	1.16x
▲ Vercel	Next.js (Turbopack)	0.585s (-14.0% 🟢)	2.339s (-6.9% 🟢)	1.754s	10	1.40x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

workflow with 1 step

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
💻 Local	🥇 Express	1.091s (-3.1%)	2.006s (~)	0.915s	10	1.00x
💻 Local	Next.js (Turbopack)	1.121s	2.005s	0.884s	10	1.03x
💻 Local	Nitro	1.126s (~)	2.006s (~)	0.879s	10	1.03x
🌐 Redis	Next.js (Turbopack)	1.131s	2.007s	0.875s	10	1.04x
🐘 Postgres	Express	1.135s (+1.1%)	2.011s (~)	0.877s	10	1.04x
🐘 Postgres	Next.js (Turbopack)	1.145s	2.011s	0.866s	10	1.05x
🐘 Postgres	Nitro	1.156s (+0.5%)	2.012s (~)	0.856s	10	1.06x
🌐 MongoDB	Next.js (Turbopack)	1.323s	2.009s	0.686s	10	1.21x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Express	1.976s (-2.2%)	3.489s (-6.6% 🟢)	1.513s	10	1.00x
▲ Vercel	Nitro	2.042s (-16.1% 🟢)	3.487s (-15.5% 🟢)	1.445s	10	1.03x
▲ Vercel	Next.js (Turbopack)	2.098s (+1.4%)	3.736s (~)	1.637s	10	1.06x

🔍 Observability: Express | Nitro | Next.js (Turbopack)

workflow with 10 sequential steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
💻 Local	🥇 Express	10.613s (-2.7%)	11.025s (~)	0.412s	3	1.00x
🌐 Redis	Next.js (Turbopack)	10.769s	11.023s	0.253s	3	1.01x
💻 Local	Next.js (Turbopack)	10.866s	11.022s	0.156s	3	1.02x
🐘 Postgres	Express	10.914s (+1.7%)	11.039s (~)	0.126s	3	1.03x
💻 Local	Nitro	10.916s (~)	11.023s (~)	0.107s	3	1.03x
🐘 Postgres	Next.js (Turbopack)	10.925s	11.037s	0.112s	3	1.03x
🐘 Postgres	Nitro	10.994s (~)	11.378s (+3.0%)	0.384s	3	1.04x
🌐 MongoDB	Next.js (Turbopack)	12.342s	13.022s	0.680s	3	1.16x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	16.700s (+4.7%)	18.500s (+2.8%)	1.800s	2	1.00x
▲ Vercel	Express	16.703s (+1.4%)	18.423s (~)	1.720s	2	1.00x
▲ Vercel	Next.js (Turbopack)	16.873s (-2.5%)	18.026s (-4.4%)	1.153s	2	1.01x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

workflow with 25 sequential steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
💻 Local	🥇 Express	26.741s (-2.8%)	27.054s (-3.6%)	0.312s	3	1.00x
🌐 Redis	Next.js (Turbopack)	26.910s	27.049s	0.139s	3	1.01x
🐘 Postgres	Next.js (Turbopack)	27.112s	27.727s	0.615s	3	1.01x
💻 Local	Next.js (Turbopack)	27.170s	28.051s	0.881s	3	1.02x
🐘 Postgres	Express	27.211s (+2.1%)	28.063s (+3.7%)	0.852s	3	1.02x
🐘 Postgres	Nitro	27.361s (~)	28.063s (~)	0.703s	3	1.02x
💻 Local	Nitro	27.506s (~)	28.053s (~)	0.547s	3	1.03x
🌐 MongoDB	Next.js (Turbopack)	30.636s	31.055s	0.420s	2	1.15x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Express	42.718s (-2.4%)	44.391s (-2.4%)	1.672s	2	1.00x
▲ Vercel	Nitro	43.502s (~)	45.295s (-0.7%)	1.794s	2	1.02x
▲ Vercel	Next.js (Turbopack)	44.963s (+2.4%)	46.351s (+1.2%)	1.388s	2	1.05x

🔍 Observability: Express | Nitro | Next.js (Turbopack)

workflow with 50 sequential steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🌐 Redis	🥇 Next.js (Turbopack)	53.526s	54.098s	0.571s	2	1.00x
🐘 Postgres	Next.js (Turbopack)	53.877s	54.095s	0.218s	2	1.01x
🐘 Postgres	Express	54.139s (+1.4%)	54.592s (+0.9%)	0.452s	2	1.01x
🐘 Postgres	Nitro	54.400s (~)	55.100s (~)	0.700s	2	1.02x
💻 Local	Express	54.949s (-3.1%)	55.103s (-3.5%)	0.155s	2	1.03x
💻 Local	Next.js (Turbopack)	55.981s	56.100s	0.119s	2	1.05x
💻 Local	Nitro	56.745s (~)	57.103s (~)	0.357s	2	1.06x
🌐 MongoDB	Next.js (Turbopack)	60.894s	61.075s	0.181s	2	1.14x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	103.287s (+11.1% 🔺)	104.851s (+11.3% 🔺)	1.564s	1	1.00x
▲ Vercel	Express	104.019s (+9.5% 🔺)	105.137s (+7.1% 🔺)	1.118s	1	1.01x
▲ Vercel	Next.js (Turbopack)	111.863s (+14.9% 🔺)	113.923s (+15.7% 🔺)	2.060s	1	1.08x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

Promise.all with 10 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Next.js (Turbopack)	1.250s	2.010s	0.761s	15	1.00x
🐘 Postgres	Express	1.271s (+4.1%)	2.011s (~)	0.740s	15	1.02x
🐘 Postgres	Nitro	1.279s (~)	2.011s (~)	0.732s	15	1.02x
🌐 Redis	Next.js (Turbopack)	1.361s	2.007s	0.645s	15	1.09x
💻 Local	Express	1.467s (-3.2%)	2.005s (~)	0.538s	15	1.17x
💻 Local	Next.js (Turbopack)	1.516s	2.005s	0.489s	15	1.21x
💻 Local	Nitro	1.562s (+2.6%)	2.006s (~)	0.444s	15	1.25x
🌐 MongoDB	Next.js (Turbopack)	2.168s	3.008s	0.840s	10	1.74x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Express	2.274s (-4.3%)	3.608s (-7.7% 🟢)	1.335s	9	1.00x
▲ Vercel	Next.js (Turbopack)	2.294s (-1.3%)	3.581s (+1.4%)	1.288s	9	1.01x
▲ Vercel	Nitro	2.437s (-2.5%)	3.810s (-7.6% 🟢)	1.373s	8	1.07x

🔍 Observability: Express | Next.js (Turbopack) | Nitro

Promise.all with 25 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Nitro	2.437s (-1.0%)	3.013s (~)	0.576s	10	1.00x
🐘 Postgres	Express	2.461s (+2.8%)	3.011s (~)	0.550s	10	1.01x
🐘 Postgres	Next.js (Turbopack)	2.478s	3.012s	0.535s	10	1.02x
🌐 Redis	Next.js (Turbopack)	2.577s	3.008s	0.431s	10	1.06x
💻 Local	Express	2.688s (-10.9% 🟢)	3.008s (-18.2% 🟢)	0.319s	10	1.10x
💻 Local	Next.js (Turbopack)	2.837s	3.208s	0.371s	10	1.16x
💻 Local	Nitro	3.027s (+1.4%)	3.759s (+2.3%)	0.732s	8	1.24x
🌐 MongoDB	Next.js (Turbopack)	4.742s	5.179s	0.437s	6	1.95x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Express	2.636s (+3.1%)	3.772s (-2.3%)	1.136s	8	1.00x
▲ Vercel	Next.js (Turbopack)	2.786s (~)	4.054s (+2.7%)	1.268s	8	1.06x
▲ Vercel	Nitro	2.878s (+13.1% 🔺)	4.067s (+1.0%)	1.188s	8	1.09x

🔍 Observability: Express | Next.js (Turbopack) | Nitro

Promise.all with 50 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Express	3.582s (+0.9%)	4.013s (~)	0.431s	8	1.00x
🐘 Postgres	Nitro	3.624s (~)	4.013s (~)	0.389s	8	1.01x
🐘 Postgres	Next.js (Turbopack)	3.755s	4.013s	0.258s	8	1.05x
🌐 Redis	Next.js (Turbopack)	4.362s	5.178s	0.817s	6	1.22x
💻 Local	Express	6.763s (-17.1% 🟢)	7.015s (-22.2% 🟢)	0.252s	5	1.89x
💻 Local	Next.js (Turbopack)	7.112s	7.766s	0.654s	4	1.99x
💻 Local	Nitro	8.101s (~)	8.771s (-2.8%)	0.670s	4	2.26x
🌐 MongoDB	Next.js (Turbopack)	10.103s	10.686s	0.584s	3	2.82x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Express	3.034s (+8.5% 🔺)	4.305s (+2.1%)	1.271s	7	1.00x
▲ Vercel	Next.js (Turbopack)	3.328s (+8.0% 🔺)	4.689s (-2.5%)	1.362s	7	1.10x
▲ Vercel	Nitro	3.426s (+24.9% 🔺)	4.760s (+9.3% 🔺)	1.334s	7	1.13x

🔍 Observability: Express | Next.js (Turbopack) | Nitro

Promise.race with 10 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Nitro	1.267s (-1.9%)	2.011s (~)	0.744s	15	1.00x
🐘 Postgres	Express	1.268s (+4.7%)	2.010s (~)	0.742s	15	1.00x
🐘 Postgres	Next.js (Turbopack)	1.269s	2.011s	0.742s	15	1.00x
🌐 Redis	Next.js (Turbopack)	1.310s	2.006s	0.697s	15	1.03x
💻 Local	Express	1.464s (-7.6% 🟢)	2.006s (-3.2%)	0.543s	15	1.16x
💻 Local	Next.js (Turbopack)	1.484s	2.005s	0.521s	15	1.17x
💻 Local	Nitro	1.535s (~)	2.005s (~)	0.470s	15	1.21x
🌐 MongoDB	Next.js (Turbopack)	2.155s	3.009s	0.853s	10	1.70x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	2.172s (+1.5%)	3.580s (-2.3%)	1.409s	9	1.00x
▲ Vercel	Next.js (Turbopack)	2.199s (+3.6%)	3.594s (-1.5%)	1.396s	9	1.01x
▲ Vercel	Express	2.374s (+7.4% 🔺)	3.773s (-4.2%)	1.400s	8	1.09x

🔍 Observability: Nitro | Next.js (Turbopack) | Express

Promise.race with 25 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Express	2.427s (+3.7%)	3.010s (~)	0.583s	10	1.00x
🐘 Postgres	Next.js (Turbopack)	2.458s	3.011s	0.554s	10	1.01x
🐘 Postgres	Nitro	2.461s (~)	3.011s (~)	0.550s	10	1.01x
🌐 Redis	Next.js (Turbopack)	2.561s	3.008s	0.447s	10	1.06x
💻 Local	Next.js (Turbopack)	2.674s	3.208s	0.534s	10	1.10x
💻 Local	Express	2.685s (-12.9% 🟢)	3.008s (-20.0% 🟢)	0.323s	10	1.11x
💻 Local	Nitro	3.059s (~)	3.760s (+2.3%)	0.701s	8	1.26x
🌐 MongoDB	Next.js (Turbopack)	4.728s	5.176s	0.448s	6	1.95x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	2.470s (~)	3.809s (-1.1%)	1.339s	8	1.00x
▲ Vercel	Express	2.481s (-14.4% 🟢)	3.861s (-10.1% 🟢)	1.380s	8	1.00x
▲ Vercel	Next.js (Turbopack)	2.820s (+4.8%)	4.134s (+0.9%)	1.314s	8	1.14x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

Promise.race with 50 concurrent steps

💻 Local Development

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
🐘 Postgres	🥇 Nitro	3.581s (-0.8%)	4.015s (~)	0.434s	8	1.00x
🐘 Postgres	Express	3.585s (+0.9%)	4.014s (~)	0.429s	8	1.00x
🐘 Postgres	Next.js (Turbopack)	3.724s	4.013s	0.288s	8	1.04x
🌐 Redis	Next.js (Turbopack)	4.253s	5.011s	0.758s	6	1.19x
💻 Local	Next.js (Turbopack)	7.141s	7.770s	0.629s	4	1.99x
💻 Local	Express	7.384s (-15.3% 🟢)	8.016s (-13.6% 🟢)	0.632s	4	2.06x
💻 Local	Nitro	9.234s (+2.6%)	9.774s (+2.6%)	0.540s	4	2.58x
🌐 MongoDB	Next.js (Turbopack)	10.031s	10.680s	0.649s	3	2.80x

▲ Production (Vercel)

World	Framework	Workflow Time	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	2.784s (-12.5% 🟢)	4.056s (-19.2% 🟢)	1.272s	8	1.00x
▲ Vercel	Express	2.790s (-4.8%)	3.831s (-12.3% 🟢)	1.041s	8	1.00x
▲ Vercel	Next.js (Turbopack)	3.919s (~)	5.332s (-1.7%)	1.412s	6	1.41x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

Stream Benchmarks (includes TTFB metrics)

workflow with stream

💻 Local Development

World	Framework	Workflow Time	TTFB	Slurp	Wall Time	Overhead	Samples	vs Fastest
💻 Local	🥇 Express	0.140s (-30.6% 🟢)	1.003s (~)	0.009s (-22.9% 🟢)	1.015s (~)	0.875s	10	1.00x
💻 Local	Next.js (Turbopack)	0.172s	1.002s	0.011s	1.017s	0.845s	10	1.23x
🌐 Redis	Next.js (Turbopack)	0.183s	1.000s	0.002s	1.008s	0.824s	10	1.31x
💻 Local	Nitro	0.198s (~)	1.003s (~)	0.012s (-2.5%)	1.018s (~)	0.819s	10	1.42x
🐘 Postgres	Next.js (Turbopack)	0.203s	1.001s	0.001s	1.012s	0.809s	10	1.45x
🐘 Postgres	Express	0.212s (+19.9% 🔺)	0.997s (~)	0.001s (+8.3% 🔺)	1.013s (~)	0.801s	10	1.52x
🐘 Postgres	Nitro	0.226s (+1.6%)	0.996s (~)	0.001s (-17.6% 🟢)	1.012s (~)	0.787s	10	1.61x
🌐 MongoDB	Next.js (Turbopack)	0.494s	0.959s	0.002s	1.009s	0.515s	10	3.54x

▲ Production (Vercel)

World	Framework	Workflow Time	TTFB	Slurp	Wall Time	Overhead	Samples	vs Fastest
▲ Vercel	🥇 Nitro	1.577s (-6.8% 🟢)	2.280s (-16.4% 🟢)	0.006s (+20.4% 🔺)	2.793s (-17.7% 🟢)	1.216s	10	1.00x
▲ Vercel	Express	1.599s (+5.9% 🔺)	2.457s (+14.2% 🔺)	0.006s (+28.6% 🔺)	3.000s (+10.5% 🔺)	1.401s	10	1.01x
▲ Vercel	Next.js (Turbopack)	1.625s (-8.1% 🟢)	2.591s (~)	0.339s (+6537.3% 🔺)	3.514s (+9.2% 🔺)	1.889s	10	1.03x

🔍 Observability: Nitro | Express | Next.js (Turbopack)

Summary

Fastest Framework by World

Winner determined by most benchmark wins

World	🥇 Fastest Framework	Wins
💻 Local	Express	10/12
🐘 Postgres	Nitro	4/12
▲ Vercel	Nitro	7/12

Fastest World by Framework

Winner determined by most benchmark wins

Framework	🥇 Fastest World	Wins
Express	💻 Local	5/12
Next.js (Turbopack)	🐘 Postgres	5/12
Nitro	🐘 Postgres	6/12

Column Definitions

Workflow Time: Runtime reported by workflow (completedAt - createdAt) - primary metric
TTFB: Time to First Byte - time from workflow start until first stream byte received (stream benchmarks only)
Slurp: Time from first byte to complete stream consumption (stream benchmarks only)
Wall Time: Total testbench time (trigger workflow + poll for result)
Overhead: Testbench overhead (Wall Time - Workflow Time)
Samples: Number of benchmark iterations run
vs Fastest: How much slower compared to the fastest configuration for this benchmark

Worlds:

💻 Local: In-memory filesystem world (local development)
🐘 Postgres: PostgreSQL database world (local development)
▲ Vercel: Vercel production/preview deployment
🌐 Turso: Community world (local development)
🌐 MongoDB: Community world (local development)
🌐 Redis: Community world (local development)
🌐 Jazz: Community world (local development)

📋 View full workflow run

Copilot

Pull request overview

Fixes a concurrency bug in the Postgres world’s event-sourcing storage where step_started could race with step_completed and revert a terminal step back to running, leading to duplicated step events and replay failures (CORRUPTED_EVENT_LOG).

Changes:

Adds a terminal-state guard to the step_started step UPDATE (status NOT IN ('completed','failed')) to prevent reverting completed/failed steps.
Improves in-code documentation explaining the TOCTOU scenario and why the conditional UPDATE is required.
Adds a changeset to release the fix as a patch for @workflow/world-postgres.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
packages/world-postgres/src/storage.ts	Adds a conditional WHERE clause to `step_started` UPDATE to prevent reverting terminal steps; expands comments and adds a fallback existence/terminal-state check when the UPDATE affects 0 rows.
.changeset/fix-step-started-race-condition.md	Patch changeset documenting the race-condition fix and its rationale.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

packages/world-postgres/src/storage.ts

          .where(
            and(
              eq(Schema.steps.runId, effectiveRunId),
-              eq(Schema.steps.stepId, data.correlationId!)
+              eq(Schema.steps.stepId, data.correlationId!),
+              // Only update if not already in terminal state (prevents TOCTOU race)
+              notInArray(Schema.steps.status, ['completed', 'failed'])
            )


TooTallNate · 2026-03-18T07:40:17Z

.changeset/fix-step-started-race-condition.md

+'@workflow/world-postgres': patch
+---
+
+Fix race condition in `step_started` that could corrupt the event log. The `UPDATE` for `step_started` now includes a conditional guard (`status NOT IN ('completed', 'failed')`) to prevent a concurrent step execution from reverting a completed step back to running. This matches the existing guard on `step_completed` and the DynamoDB conditional expression used in the Vercel world.


Unnecessary context.

Suggested change

Fix race condition in `step_started` that could corrupt the event log. The `UPDATE` for `step_started` now includes a conditional guard (`status NOT IN ('completed', 'failed')`) to prevent a concurrent step execution from reverting a completed step back to running. This matches the existing guard on `step_completed` and the DynamoDB conditional expression used in the Vercel world.

Fix race condition in `step_started` that could corrupt the event log. The `UPDATE` for `step_started` now includes a conditional guard (`status NOT IN ('completed', 'failed')`) to prevent a concurrent step execution from reverting a completed step back to running.

Add conditional WHERE clauses to match the Vercel world's DynamoDB conditional expressions, preventing TOCTOU races where concurrent requests could bypass pre-validation and write invalid state transitions. Changes: - step_started: add NOT IN (completed, failed, cancelled) guard - step_retrying: add terminal-state guard (was unguarded) - step_completed/step_failed: add cancelled to guard - run_completed/run_failed/run_cancelled: add terminal-state guards - isStepTerminal: include cancelled status Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Local world fixes: - step_completed/step_failed: use writeExclusive lock to prevent concurrent duplicate terminal transitions - step_started: check for terminal lock file before allowing start - wait_completed: use writeExclusive lock (port from PR #1388) - isStepTerminal: include cancelled status Tests: - Concurrent step_completed race (exactly one succeeds, one gets 409) - Concurrent step_failed race - step_started rejection after concurrent step_completed - Concurrent wait_completed race Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pranaygp · 2026-03-18T07:58:07Z

.changeset/fix-step-started-race-condition.md

+Add atomic terminal-state guards to all entity update operations across both postgres and local worlds to match the Vercel world's DynamoDB conditional expressions.
+
+**Postgres world**: Add conditional WHERE clauses to prevent TOCTOU races where concurrent requests bypass pre-validation and corrupt the event log.
+
+**Local world**: Use `writeExclusive` lock files to atomically prevent concurrent terminal state transitions for steps and waits. Add `cancelled` to `isStepTerminal`.


split these into 2 separate changelings, 1 for each package

vercel · 2026-03-18T08:16:30Z

packages/world-local/src/storage/events-storage.ts

+            tag
+          );
+          try {
+            await fs.access(terminalLockPath);


TOCTOU race in step_started allows it to overwrite a concurrent step_completed/step_failed terminal state back to running, corrupting the step file.

pranaygp requested a review from a team as a code owner March 18, 2026 07:34

Copilot AI review requested due to automatic review settings March 18, 2026 07:34

Copilot started reviewing on behalf of pranaygp March 18, 2026 07:34 View session

vercel bot deployed to Preview – workflow-swc-playground March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-hono-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-nitro-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-express-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-sveltekit-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-fastify-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-astro-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-vite-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workflow-nest March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – example-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workbench-nuxt-workflow March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-webpack March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-turbopack March 18, 2026 07:35 View deployment

vercel bot deployed to Preview – workflow-docs March 18, 2026 07:36 View deployment

Copilot AI reviewed Mar 18, 2026

View reviewed changes

TooTallNate reviewed Mar 18, 2026

View reviewed changes

TooTallNate approved these changes Mar 18, 2026

View reviewed changes

pranaygp mentioned this pull request Mar 18, 2026

Fix concurrent wait_completed race condition in world-local #1388

Open

vercel bot deployed to Preview – workflow-swc-playground March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-express-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-hono-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-fastify-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-vite-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-sveltekit-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-astro-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-nitro-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – example-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workbench-nuxt-workflow March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workflow-nest March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-webpack March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-turbopack March 18, 2026 07:44 View deployment

vercel bot deployed to Preview – workflow-docs March 18, 2026 07:44 View deployment

pranaygp changed the title ~~[world-postgres] Fix TOCTOU race in step_started that corrupts event log~~ [world-postgres, world-local] Fix TOCTOU races in entity state transitions Mar 18, 2026

vercel bot deployed to Preview – workflow-swc-playground March 18, 2026 07:51 View deployment

vercel bot deployed to Preview – workbench-hono-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-vite-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-nitro-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-express-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-sveltekit-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-fastify-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-astro-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – example-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workflow-nest March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – workbench-nuxt-workflow March 18, 2026 07:52 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-turbopack March 18, 2026 07:53 View deployment

vercel bot deployed to Preview – example-nextjs-workflow-webpack March 18, 2026 07:53 View deployment

vercel bot deployed to Preview – workflow-docs March 18, 2026 07:53 View deployment

pranaygp requested a review from TooTallNate March 18, 2026 07:57

pranaygp commented Mar 18, 2026

View reviewed changes

vercel bot reviewed Mar 18, 2026

View reviewed changes

	Fix race condition in `step_started` that could corrupt the event log. The `UPDATE` for `step_started` now includes a conditional guard (`status NOT IN ('completed', 'failed')`) to prevent a concurrent step execution from reverting a completed step back to running. This matches the existing guard on `step_completed` and the DynamoDB conditional expression used in the Vercel world.
	Fix race condition in `step_started` that could corrupt the event log. The `UPDATE` for `step_started` now includes a conditional guard (`status NOT IN ('completed', 'failed')`) to prevent a concurrent step execution from reverting a completed step back to running.

Conversation

pranaygp commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Root cause

Postgres world changes

Local world changes

Tests added

Test plan

Uh oh!

changeset-bot bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦋 Changeset detected

Uh oh!

vercel bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🧪 E2E Test Results

Summary

❌ Failed Tests

Details by Category

Uh oh!

github-actions bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📊 Benchmark Results

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

💻 Local Development

▲ Production (Vercel)

Summary

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

TooTallNate Mar 18, 2026

Choose a reason for hiding this comment

Uh oh!

pranaygp Mar 18, 2026

Choose a reason for hiding this comment

Uh oh!

vercel bot Mar 18, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

pranaygp commented Mar 18, 2026 •

edited

Loading

changeset-bot bot commented Mar 18, 2026 •

edited

Loading

vercel bot commented Mar 18, 2026 •

edited

Loading

github-actions bot commented Mar 18, 2026 •

edited

Loading

github-actions bot commented Mar 18, 2026 •

edited

Loading