Oban worker that wakes a due waiting workflow run by stable id.
Job args contain only workflow_run_id per Phase 25 D-10. All
correctness — row locking, due/anchor evaluation, branch resolution,
next-step emission, and noop semantics — lives behind the shared
Chimeway.Workflows.Progression.progress_run/2 seam, so non-Oban hosts
that drive progression manually through progress_due_runs/1 and
Oban-backed hosts that wake runs through this worker share identical
internal semantics.
Threats covered:
- T-25-07 (spoofing): the worker accepts only
workflow_run_idand reloads all workflow/delivery truth from Chimeway-owned rows before acting. Job args never carry rule data, delivery facts, or tenancy hints that could be tampered with mid-flight. - T-25-08 (DoS / duplicate emission): the worker delegates to the
same
FOR UPDATE-locked engine path thatprogress_due_runs/1uses, so duplicate jobs and concurrent retries collapse to noop without emitting another next-step delivery. - T-25-09 (repudiation): the engine persists transition reasons,
anchor facts, and curated workflow outcomes durably before any
advancement, so retries leave an auditable trail in
chimeway_workflow_transitionsrather than queue archaeology.