feat(webapp): mollifier trigger-time decisions — mollify, claim, read fallback#3753
Open
d-cs wants to merge 13 commits into
Open
feat(webapp): mollifier trigger-time decisions — mollify, claim, read fallback#3753d-cs wants to merge 13 commits into
d-cs wants to merge 13 commits into
Conversation
|
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
d-cs
commented
May 26, 2026
d-cs
force-pushed
the
mollifier-phase-3-trigger
branch
2 times, most recently
from
5a7bc19 to
baa6f17
Compare
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
d-cs
force-pushed
the
mollifier-phase-3-trigger
branch
from
01f3958 to
449a0bc
Compare
d-cs
force-pushed
the
mollifier-phase-3-buffer
branch
from
e85e771 to
9298706
Compare
d-cs
force-pushed
the
mollifier-phase-3-trigger
branch
from
449a0bc to
ffe51b8
Compare
d-cs
force-pushed
the
mollifier-phase-3-buffer
branch
from
9298706 to
f4c5b21
Compare
d-cs
force-pushed
the
mollifier-phase-3-trigger
branch
6 times, most recently
from
cae33fa to
16bfff0
Compare
0ski
approved these changes
May 28, 2026
… fallback The trigger hot path's mollifier integration: - `mollifyTrigger`: when the gate trips, write the engine.trigger snapshot to the buffer and return a synthesised QUEUED response. - Pre-gate idempotency-key claim: same-key triggers serialise through Redis so a burst lands in PG / buffer exactly once. - Read-fallback extensions: `findRunByIdWithMollifierFallback` for the trigger-time idempotency lookup that must see buffered runs. - Gate bypasses: debounce, oneTimeUseToken, parentTaskRun (triggerAndWait) skip the mollify path entirely. - triggerTask + IdempotencyKeyConcern wired to the above. Stacked on buffer extensions PR. All behaviour gated by the master `TRIGGER_MOLLIFIER_ENABLED` switch; off-state hot path is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`new Date("not-a-date")` returns a truthy Invalid Date object, which would
mis-classify the run as CANCELED in the read-fallback synthesised shape.
Add an `asDate` helper that rejects NaN-valued parses and use it for
`cancelledAt` and `delayUntil`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The buffer's claim API now requires a caller-supplied ownership token so compare-and-act protects the slot against a stale predecessor. Wires the token end-to-end: - `claimOrAwait` generates the token (UUID) up front and reuses it across the retry path; returns it on the `claimed` outcome. - `publishClaim` and `releaseClaim` wrappers accept and forward the token to the buffer. - `ClaimedIdempotency` carries the token so the trigger pipeline can publish or release with the same token it claimed under. - `triggerTask.server.ts` threads the token into the publish call. Tests pin token round-trip: claimOrAwait → claimIdempotency, plus the publish and release pass-through. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…t leak fix)
Devin review flagged a security + correctness bug: the mollify path
returned \`MollifySyntheticResult\` with run shape
\`{ friendlyId, spanId }\` and the call site cast it to
\`TriggerTaskServiceResult\` (which expects \`run: TaskRun\` with an
\`id: string\`). Downstream, the trigger route calls
\`saveRequestIdempotency(requestKey, "trigger", result.run.id)\` — so
the cache stored \`undefined\` as the entity id. On SDK retry the
request-idempotency flow then ran
\`prisma.taskRun.findFirst({ where: { id: undefined } })\`. Prisma
strips \`undefined\` from where clauses, so the query degenerates to an
unfiltered \`findFirst\` and returns an arbitrary TaskRun row —
potentially from another env / user.
Fix:
- Add \`id: string\` to \`MollifySyntheticResult.run\`.
- Compute it via \`RunId.fromFriendlyId(...)\` on both branches:
the happy-accept path (id from \`args.runFriendlyId\`) and the
\`duplicate_idempotency\` race-loser path (id from
\`result.existingRunId\` so the response carries the WINNER's id).
- Add regression tests pinning both branches.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…uard - readFallback: read snapshot.taskVersion (the key buildEngineTriggerInput writes) instead of the nonexistent snapshot.lockToVersion, so buffered version-locked runs report their locked version; test now uses the real key as a regression guard. - env: TRIGGER_MOLLIFIER_TRIP_THRESHOLD back to positive() (matching sibling mollifier numerics) to forbid threshold=0 silently mollifying every trigger. - idempotencyKeys: document why the resolved-but-unfindable fall-through is safe (PG-unique + accept SETNX dedup + ~30s claim TTL self-heal); add regression test pinning the fall-through and the resolved-and-findable cached-hit path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Remove plan-tracking shorthand (Q#, C#, F#, Phase N, _plans/) from trigger-layer mollifier comments and test names; reword to plain English. Comment/test-name only; no behaviour change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…f-state token alloc triggerTask.server.ts: mollifier.buffered logs at debug, not info — it fires per mollified trigger during a burst, exactly when info-level would flood aggregation. idempotencyClaim.server.ts: move the buffer-null fall-open check above token generation so the mollifier-OFF path skips the default randomUUID() for idempotency-keyed triggers (triggerTask is the highest-throughput path). Injected test generators still honoured. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…nt, docs URL
idempotencyKeys.server.ts: reword 'bypasses the gate via F4' to 'bypasses the gate entirely' — last residual internal planning-label reference I missed in the earlier cleanup pass.
triggerTask.server.ts: reindent the startSpan arrow-function body to conventional depth (+4 sp on lines 143-619). The body was under-indented relative to the 'async (span) => {' opener after the try-wrapper for claim resolution was added around it; closes (arrow at 8sp, startSpan at 6sp) were already conventional, so only the body needed shifting. Pure whitespace — diff stat is balanced 413/413.
mollifierMollify.server.ts: docs URL → https://trigger.dev/docs/management/tasks/batch-trigger. The previous burst-handling anchor doesn't exist on the docs site.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
d-cs
force-pushed
the
mollifier-phase-3-trigger
branch
from
f126737 to
36cc024
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Addresses Devin's review on PR #3753 (idempotencyKeys.server.ts comment 2026-05-28): when TRIGGER_MOLLIFIER_ENABLED=1 globally during staged rollout, claimOrAwait was issuing a Redis SETNX for every idempotency-keyed trigger — including orgs that had not opted in. Those orgs gain nothing from the claim (the gate always returns pass_through for them, so the buffer is never written to) and PG unique constraint already deduplicates same-key races on the pass-through path. Wrap the claim block in an additional per-org check using the same in-memory Organization.featureFlags predicate that evaluateGate uses (makeResolveMollifierFlag) — no DB query. Non-opted-in orgs now skip claimOrAwait entirely; opted-in orgs still get the cross-store race coordination. Regression test added in mollifierClaimResolution.test.ts: with orgFlag=false the concern returns isCached:false with no claim, without calling claimIdempotency at all. The two prior tests now opt the fake org in (organization.featureFlags.mollifierEnabled=true) so they still exercise the resolution branches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Addresses two Devin findings on PR #3753 (readFallback.server.ts:206 comments 2026-05-28). 1) batchId field-name mismatch: #buildEngineTriggerInput in triggerTask.server.ts writes batch info as a nested object 'batch: { id, index }', not as a flat 'batchId'. readFallback was reading the non-existent snapshot.batchId so SyntheticRun.batchId was always undefined for buffered runs. Now reads snapshot.batch.id (the internal cuid, matching what PG stores in TaskRun.batchId). 2) parentTaskRunFriendlyId / rootTaskRunFriendlyId structurally unfillable: the snapshot carries the INTERNAL parent/root ids (parentTaskRunId / rootTaskRunId, what engine.trigger consumes), not friendlyIds. Convert internal to friendly via RunId.toFriendlyId so consumers do not have to special-case the buffered path. Four regression tests in mollifierReadFallback.test.ts: batchId extracted from nested snapshot.batch.id; a flat snapshot.batchId key is ignored (belt-and-braces); parent/root friendly conversion round-trips through RunId.generate(); parent/root undefined when the snapshot has no parent context. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tency expiry PG-resident path enforces `idempotencyKeyExpiresAt`: when an existing PG row is found, the lookup compares its `expiresAt` against now, clears the key on expiry, and lets a new run go through. The buffered path was missing this — `findBufferedRunWithIdempotency` returned any buffered run whose snapshot carried the key, regardless of how long ago the customer's TTL had elapsed. `idempotencyKeyTTL: "2s"` plus a second trigger 4s later would return the original buffered runId. Two layers needed the fix: 1. **Read-side (this concern).** Surface `idempotencyKeyExpiresAt` on `SyntheticRun` (the snapshot already stores it; `findRunByIdWithMollifierFallback` just wasn't exposing it). In `findBufferedRunWithIdempotency`, apply the same `expiresAt < new Date()` check as the PG path and return null on expiry. 2. **Write-side (the buffer's accept dedupe).** Returning null from step 1 isn't enough: the trigger pipeline then proceeds to `mollifyTrigger`, whose `buffer.accept` Lua dedupes by `(envId, taskIdentifier, idempotencyKey)` via SETNX on the same `mollifier:idempotency:*` key and would still echo the stale runId as `duplicate_idempotency`. On expiry, clear the buffer-side idempotency binding via `buffer.resetIdempotency` — the same primitive `ResetIdempotencyKeyService` uses for the explicit reset-via-API path. The next accept then goes through as a fresh trigger. Verified end-to-end: with mollifier active and `idempotencyKeyTTL: "2s"`, a same-key retrigger after 4s returns a new runId; same-key retriggers within the TTL still dedupe to the original. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Batch triggers crash with HTTP 500 "Foreign key constraint violated on
the constraint BatchTaskRunItem_taskRunId_fkey" whenever the mollifier
gate is active. The crash chain:
1. batchTriggerV3 generates a run id per item, calls
`triggerTaskService.call` with `options.batchId` set.
2. The mollifier gate trips, the item is buffered, the mollify response
returns a stripped run shape `{ id, friendlyId, spanId }` with no
PG row.
3. batchTriggerV3 then tries `prisma.batchTaskRunItem.create({
taskRunId: result.run.id, ... })` — the FK to TaskRun.id fails
because no row was written.
The proper fix requires both ends: skip the join-row create at
trigger-time AND create it on the drainer-side materialise. The
drainer fix is non-trivial (the drainer / replay PR territory, not
the dashboard PR) and the snapshot already carries
`batch: { id, index }` so it has the info — but until that's wired
through to a `BatchTaskRunItem.create` call on materialise, skipping
trigger-time would silently lose the batch <-> run link forever and
break batch progress reporting + `batchTriggerAndWait` parent
resumption.
Short-circuit the gate when `options.batchId` is set so batch items
always go straight to PG. Batch triggers lose the burst-protection
benefit of the mollifier; single triggers and triggerAndWait are
unaffected. Removing this bypass is the natural follow-up once the
drainer-side BatchTaskRunItem path lands in the appropriate earlier PR.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Pushed 2 follow-up fixes:
Verified end-to-end against a buffered run; webapp typecheck clean. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The trigger hot path's mollifier integration:
mollifyTrigger: when the gate trips, write the engine.trigger snapshot to the buffer and return a synthesised QUEUED response. Postgres write is deferred to drainer-replay (next PR in the stack).findRunByIdWithMollifierFallbackfor the trigger-time idempotency lookup that must see buffered runs.debounce,oneTimeUseToken,parentTaskRunId/triggerAndWaitskip the mollify path entirely.triggerTask+IdempotencyKeyConcernwired to the above.All behaviour gated by the master
TRIGGER_MOLLIFIER_ENABLEDswitch; off-state hot path is unchanged (the gate is not even consulted).Stacked on the buffer extensions PR.
Test plan
Ship-gate follow-up fixes
BatchTaskRunItem_taskRunId_fkeyFK violation on batch triggers when the gate trips. End-state is a drainer-sideBatchTaskRunItemcreate-on-materialise; batch traffic passes through the gate until that lands.mollifier:idempotency:*SETNX binding (write-side) so a re-trigger past the customer's TTL lands as a fresh run instead of echoing the stale buffered runId.