Oban worker that performs the scheduled :pending → :expired flip for governed tool approvals.
This is the scheduled-sweep half of the dual-mechanism TTL enforcement (D15-12):
- This worker (scheduled enqueue) — flips
:pendingapprovals to:expiredatexpires_at. - Lazy guard in
ApprovalResumeWorker— catches any approval the sweep missed.
The scheduled enqueue of this worker (scheduled_at: approval.expires_at) lives in
plan 15-03's lane-opening path (Governance.approve/3). This worker only performs the flip.
Branch Logic
nilapproval (deleted) →:ok— idempotent no-op.:pendingapproval → status:expired+:expiredToolActionEventco-committed.- Any other status (
:approved,:rejected,:expired, etc.) →:ok— idempotent no-op.
Idempotency
The no-op catch-all guarantees safety if the worker runs late or twice: a non-:pending
approval will not be re-expired (mirrors SlaCountdownWorker :active → :breached idiom).
Telemetry
:approval_transition event emitted AFTER the with pipeline succeeds (D-29).