vercel · NathanColosimo · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 18, 2026
@@ -0,0 +1,28 @@
+---
+"@workflow/swc-playground-wasm": patch
+"@workflow/swc-plugin": patch
+"@workflow/world-postgres": patch
+"@workflow/world-testing": patch
+"@workflow/world-vercel": patch
+"@workflow/world-local": patch
+"@workflow/web-shared": patch
+"@workflow/sveltekit": patch
+"@workflow/builders": patch
+"workflow": patch
+"@workflow/errors": patch
+"@workflow/rollup": patch
+"@workflow/vitest": patch
+"@workflow/astro": patch
+"@workflow/nitro": patch
+"@workflow/world": patch
+"@workflow/core": patch
+"@workflow/nest": patch
+"@workflow/next": patch
+"@workflow/nuxt": patch
+"@workflow/vite": patch
+"@workflow/cli": patch
+"@workflow/web": patch
+"@workflow/ai": patch
+---
+
+Add experimental rate limiting and flow concurrency control
@@ -565,6 +565,19 @@ jobs:
           DEPLOYMENT_URL: "http://localhost:${{ matrix.app.name == 'sveltekit' && '4173' || (matrix.app.name == 'astro' && '4321' || '3000') }}"
           NEXT_CANARY: ${{ matrix.app.canary && '1' || '' }}
 
+      - name: Run Low-Concurrency Worker-Slot Test
+        if: ${{ !matrix.app.canary && matrix.app.name == 'nextjs-turbopack' }}
+        run: |
+          cd "${{ steps.prepare-workbench.outputs.workbench_app_path }}" && PORT=3001 WORKFLOW_POSTGRES_WORKER_CONCURRENCY=1 pnpm start &
+          echo "starting low-concurrency tests in 10 seconds" && sleep 10
+          pnpm vitest run packages/core/e2e/e2e.test.ts -t "frees worker slots for unrelated workflows while a waiter is blocked"
+        env:
+          NODE_OPTIONS: "--enable-source-maps"
+          APP_NAME: ${{ matrix.app.name }}
+          WORKBENCH_APP_PATH: ${{ steps.prepare-workbench.outputs.workbench_app_path }}
+          DEPLOYMENT_URL: "http://localhost:3001"
+          WORKFLOW_LIMITS_LOW_CONCURRENCY: "1"
+
       - name: Generate E2E summary
         if: always()
         run: node .github/scripts/aggregate-e2e-results.js . --job-name "E2E Local Postgres (${{ matrix.app.name }})" >> $GITHUB_STEP_SUMMARY || true

@@ -18,84 +18,84 @@
 // Layer 1: Known AI agent UA substrings (lowercase).
 const AI_AGENT_UA_PATTERNS = [
   // Anthropic — https://support.claude.com/en/articles/8896518
-  "claudebot",
-  "claude-searchbot",
-  "claude-user",
-  "anthropic-ai",
-  "claude-web",
+  'claudebot',
+  'claude-searchbot',
+  'claude-user',
+  'anthropic-ai',
+  'claude-web',
 
   // OpenAI — https://platform.openai.com/docs/bots
-  "chatgpt",
-  "gptbot",
-  "oai-searchbot",
-  "openai",
+  'chatgpt',
+  'gptbot',
+  'oai-searchbot',
+  'openai',
 
   // Google AI
-  "gemini",
-  "bard",
-  "google-cloudvertexbot",
-  "google-extended",
+  'gemini',
+  'bard',
+  'google-cloudvertexbot',
+  'google-extended',
 
   // Meta
-  "meta-externalagent",
-  "meta-externalfetcher",
-  "meta-webindexer",
+  'meta-externalagent',
+  'meta-externalfetcher',
+  'meta-webindexer',
 
   // Search/Research AI
-  "perplexity",
-  "youbot",
-  "you.com",
-  "deepseekbot",
+  'perplexity',
+  'youbot',
+  'you.com',
+  'deepseekbot',
 
   // Coding assistants
-  "cursor",
-  "github-copilot",
-  "codeium",
-  "tabnine",
-  "sourcegraph",
+  'cursor',
+  'github-copilot',
+  'codeium',
+  'tabnine',
+  'sourcegraph',
 
   // Other AI agents / data scrapers (low-harm to serve markdown)
-  "cohere-ai",
-  "bytespider",
-  "amazonbot",
-  "ai2bot",
-  "diffbot",
-  "omgili",
-  "omgilibot",
+  'cohere-ai',
+  'bytespider',
+  'amazonbot',
+  'ai2bot',
+  'diffbot',
+  'omgili',
+  'omgilibot',
 ];
 
 // Layer 2: Known AI service URLs in Signature-Agent header (RFC 9421).
-const SIGNATURE_AGENT_DOMAINS = ["chatgpt.com"];
+const SIGNATURE_AGENT_DOMAINS = ['chatgpt.com'];
 
 // Layer 3: Traditional bot exclusion list — bots that should NOT trigger
 // the heuristic layer (they're search engine crawlers, social previews, or
 // monitoring tools, not AI agents).
 const TRADITIONAL_BOT_PATTERNS = [
-  "googlebot",
-  "bingbot",
-  "yandexbot",
-  "baiduspider",
-  "duckduckbot",
-  "slurp",
-  "msnbot",
-  "facebot",
-  "twitterbot",
-  "linkedinbot",
-  "whatsapp",
-  "telegrambot",
-  "pingdom",
-  "uptimerobot",
-  "newrelic",
-  "datadog",
-  "statuspage",
-  "site24x7",
-  "applebot",
+  'googlebot',
+  'bingbot',
+  'yandexbot',
+  'baiduspider',
+  'duckduckbot',
+  'slurp',
+  'msnbot',
+  'facebot',
+  'twitterbot',
+  'linkedinbot',
+  'whatsapp',
+  'telegrambot',
+  'pingdom',
+  'uptimerobot',
+  'newrelic',
+  'datadog',
+  'statuspage',
+  'site24x7',
+  'applebot',
 ];
 
 // Broad regex for bot-like UA strings (used only in Layer 3 heuristic).
 const BOT_LIKE_REGEX = /bot|agent|fetch|crawl|spider|search/i;
 
-export type DetectionMethod = "ua-match" | "signature-agent" | "heuristic";
+export type DetectionMethod = 'ua-match' | 'signature-agent' | 'heuristic';
 
 export interface DetectionResult {
   detected: boolean;
@@ -111,36 +111,36 @@ export interface DetectionResult {
 export function isAIAgent(request: {
   headers: { get(name: string): string | null };
 }): DetectionResult {
-  const userAgent = request.headers.get("user-agent");
+  const userAgent = request.headers.get('user-agent');
 
   // Layer 1: Known UA pattern match
   if (userAgent) {
     const lowerUA = userAgent.toLowerCase();
     if (AI_AGENT_UA_PATTERNS.some((pattern) => lowerUA.includes(pattern))) {
-      return { detected: true, method: "ua-match" };
+      return { detected: true, method: 'ua-match' };
     }
   }
 
   // Layer 2: Signature-Agent header (RFC 9421, used by ChatGPT agent)
-  const signatureAgent = request.headers.get("signature-agent");
+  const signatureAgent = request.headers.get('signature-agent');
   if (signatureAgent) {
     const lowerSig = signatureAgent.toLowerCase();
     if (SIGNATURE_AGENT_DOMAINS.some((domain) => lowerSig.includes(domain))) {
-      return { detected: true, method: "signature-agent" };
+      return { detected: true, method: 'signature-agent' };
     }
   }
 
   // Layer 3: Missing browser fingerprint heuristic
   // Real browsers (Chrome 76+, Firefox 90+, Safari 16.4+) send sec-fetch-mode
   // on navigation requests. Its absence signals a programmatic client.
-  const secFetchMode = request.headers.get("sec-fetch-mode");
+  const secFetchMode = request.headers.get('sec-fetch-mode');
   if (!secFetchMode && userAgent && BOT_LIKE_REGEX.test(userAgent)) {
     const lowerUA = userAgent.toLowerCase();
     const isTraditionalBot = TRADITIONAL_BOT_PATTERNS.some((pattern) =>
       lowerUA.includes(pattern)
     );
     if (!isTraditionalBot) {
-      return { detected: true, method: "heuristic" };
+      return { detected: true, method: 'heuristic' };
     }
   }
 

@@ -59,24 +59,24 @@ const proxy = (request: NextRequest, context: NextFetchEvent) => {
   // AI agent detection — rewrite docs pages to markdown for agents
   // so they always get structured content without needing .md URLs or Accept headers
   if (
-    (pathname === "/docs" || pathname.startsWith("/docs/")) &&
-    !pathname.includes("/llms.mdx/")
+    (pathname === '/docs' || pathname.startsWith('/docs/')) &&
+    !pathname.includes('/llms.mdx/')
   ) {
     const agentResult = isAIAgent(request);
     if (agentResult.detected && !isMarkdownPreferred(request)) {
       const result =
-        pathname === "/docs"
+        pathname === '/docs'
           ? `/${i18n.defaultLanguage}/llms.mdx`
           : rewriteLLM(pathname);
 
       if (result) {
         context.waitUntil(
           trackMdRequest({
             path: pathname,
-            userAgent: request.headers.get("user-agent"),
-            referer: request.headers.get("referer"),
-            acceptHeader: request.headers.get("accept"),
-            requestType: "agent-rewrite",
+            userAgent: request.headers.get('user-agent'),
+            referer: request.headers.get('referer'),
+            acceptHeader: request.headers.get('accept'),
+            requestType: 'agent-rewrite',
             detectionMethod: agentResult.method,
           })
         );