Skip to content

perf(webapp,run-store): grouped run-ops reads + mint-kind flip grace#4227

Open
d-cs wants to merge 22 commits into
mainfrom
runops-split-reads-and-mint-flip-grace
Open

perf(webapp,run-store): grouped run-ops reads + mint-kind flip grace#4227
d-cs wants to merge 22 commits into
mainfrom
runops-split-reads-and-mint-flip-grace

Conversation

@d-cs

@d-cs d-cs commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Summary

Two threads on the run-ops split path.

Read path: per-item run reads are batched into grouped queries, a waitpoint's connected-run reads are bounded, and the dedicated-schema relation hydrators fetch only the requested columns instead of whole rows. Retrieve also falls back to the other database when a routed read misses, so a run whose physical residency diverges from its id shape is still found rather than returning a spurious not-found. Fewer and lighter queries on the run read path, with no change to results.

Mint-kind flip safety: flipping which database new runs mint to is now a deterministic wall-clock cutover, for both per-org and global flips. For a grace window every process resolves the same database, so a flip cannot route two concurrent triggers that share an idempotency key to different databases (which would bypass the per-database unique constraint and create a duplicate run).

Supersedes the earlier #4205 and #4208.

Draft: validation in progress.

d-cs and others added 13 commits July 9, 2026 15:14
Several run-ops read paths issued one database query per item where a single
batched query returns the same data: batch results hydrated each member run
separately, the run retrieve endpoint resolved each locked worker version
separately, the dedicated-schema relation hydrator ran per row, and a few
services read runs in per-id loops. These now group into batched reads.

Adds a grouped findRunsByIds to the run store (one residency-partitioned read
for a set of run ids) and routes the presenters and services through it. The
dedicated-schema relation hydrator batches across all rows per relation. The
waitpoint connected-runs read also regains its display limit at the fetch, so
it no longer loads every connected run into memory before slicing to five.
…n unrequested

findRunsByIds forces `id` into the select so it can key the result map, but did
not remove it afterwards, so returned rows carried an `id` the declared payload
type did not include. Delete the injected id from each value when the caller's
select did not request it; the map stays keyed by id.
…list

The waitpoint detail view capped the connected-run lookup before checking the
runs still existed, so a run deleted after connecting could take a slot ahead of
a live one and under-count (or empty) the list. Join to the run table so the cap
only ever lands on connections whose run still exists.
Batched relation hydration returned the same row object to every parent linking
the same target, so two parents connected to one run shared a single instance and
an in-place edit to one leaked into the other. Return a shallow clone on the
bare-projection path so each parent gets a distinct object.
The connected-runs relation read fetched every connection id for a waitpoint
with no existence check or limit, so a heavily-connected waitpoint could pull
an unbounded id list into the grouped run lookup. Existence-join to the run
table and cap at the shared connected-runs limit on both schema branches, and
slice the cross-store union to the same bound.
The dedicated-schema relation hydrators fetched full target rows and then
stripped unrequested fields in memory, pulling wide columns even when the
caller only selected a couple. Push the caller's select into the target
findMany so only the requested columns are read. No change to results.
Flipping an organization's run-ops mint kind (which database new runs are
minted on) took effect independently per process as each cached value expired.
For a window after a flip, two concurrent triggers using the same idempotency
key could mint on different databases, where the per-database unique constraint
can't dedupe them, producing a duplicate run.

The flip is now a deterministic wall-clock cutover: the admin feature-flag
routes stamp the previously-effective kind and a flip timestamp onto the
organization, and the mint read resolves the old kind until flippedAt + grace
(default 90s, chosen to outlast the caches a flip drains through), after which
every process crosses to the new kind together. During the window all processes
agree on one database, so a concurrent same-key collision lands on a single
database and the existing unique-constraint retry returns the one idempotent
run. A same-target re-save carries the in-flight stamp forward, so it can't
slide the cutover.
…clock

The grace-window cutover was timestamped with the webapp process's own clock, so
clock skew between processes could shift the boundary. Read the time from the
control-plane database instead, so the flip is anchored to one authoritative
clock rather than whichever process handled the flag change.
The grace cutover compares the reader's wall clock against a DB-clock
flippedAt stamp, so it assumes clock-synced hosts (skew well under the
grace window). Records that invariant and the accepted residual on
effectiveMintKind. No behavior change.
Global runOpsMintKind flips now stamp the previous kind and flip time
like per-org flips, so a global flip is a deterministic cutover and
cannot route two concurrent triggers that share an idempotency key to
different databases. The resolver reads the grace stamp from the same
source as the kind.
…isses

RoutingRunStore.findRun routed a classifiable id to its single owning
store by id shape and returned null on a miss, so a run whose physical
residency diverges from its id shape would 404 even though it exists.
Read the owning store first, then fall back to the other store only on
a miss, mirroring the unrouted fan-out. The found-in-owning-store path
is unchanged (single read).
@changeset-bot

changeset-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5dc5a09

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 96cd6c29-546a-4d68-9b8a-46f78cdf0045

📥 Commits

Reviewing files that changed from the base of the PR and between 7db8e46 and 5dc5a09.

📒 Files selected for processing (3)
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout. (27)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: typecheck / typecheck
  • GitHub Check: code-quality / code-quality
  • GitHub Check: audit
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
📓 Path-based instructions (10)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Use types over interfaces for TypeScript
Avoid using enums; prefer string unions or const objects instead

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
{packages/core,apps/webapp}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use zod for validation in packages/core and apps/webapp

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use function declarations instead of default exports

**/*.{ts,tsx,js,jsx}: Prefer static imports over dynamic import(); only use dynamic imports when resolving circular dependencies, enabling real code splitting, or conditionally loading a module at runtime.
Always import from @trigger.dev/sdk; never use @trigger.dev/sdk/v3 or the deprecated client.defineJob.

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
**/*.{test,spec}.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use vitest for all tests in the Trigger.dev repository

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/otel-metrics.mdc)

**/*.ts: When creating or editing OTEL metrics (counters, histograms, gauges), ensure metric attributes have low cardinality by using only enums, booleans, bounded error codes, or bounded shard IDs
Do not use high-cardinality attributes in OTEL metrics such as UUIDs/IDs (envId, userId, runId, projectId, organizationId), unbounded integers (itemCount, batchSize, retryCount), timestamps (createdAt, startTime), or free-form strings (errorMessage, taskName, queueName)
When exporting OTEL metrics via OTLP to Prometheus, be aware that the exporter automatically adds unit suffixes to metric names (e.g., 'my_duration_ms' becomes 'my_duration_ms_milliseconds', 'my_counter' becomes 'my_counter_total'). Account for these transformations when writing Grafana dashboards or Prometheus queries

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
apps/webapp/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

apps/webapp/**/*.{ts,tsx}: Access environment variables through the env export of env.server.ts instead of directly accessing process.env
Use subpath exports from @trigger.dev/core package instead of importing from the root @trigger.dev/core path

Always use findFirst instead of findUnique for Prisma queries.

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
apps/webapp/**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

Do not import env.server.ts directly or indirectly into test files; instead pass environment-dependent values through options/parameters to make code testable

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
apps/webapp/**/*.{test,spec}.{ts,tsx}

📄 CodeRabbit inference engine (apps/webapp/CLAUDE.md)

In test files, never import env.server.ts; pass configuration as options instead.

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
**/*.test.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Place test files next to their source files, e.g. MyService.ts -> MyService.test.ts.

Files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
apps/webapp/app/routes/**/*.ts

📄 CodeRabbit inference engine (apps/webapp/CLAUDE.md)

Use Remix flat-file route naming with dot-separated segments in app/routes/ (for example, api.v1.tasks.$taskId.trigger.ts maps to /api/v1/tasks/:taskId/trigger).

Files:

  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
🧠 Learnings (20)
📚 Learning: 2026-03-22T13:26:12.060Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3244
File: apps/webapp/app/components/code/TextEditor.tsx:81-86
Timestamp: 2026-03-22T13:26:12.060Z
Learning: In the triggerdotdev/trigger.dev codebase, do not flag `navigator.clipboard.writeText(...)` calls for `missing-await`/`unhandled-promise` issues. These clipboard writes are intentionally invoked without `await` and without `catch` handlers across the project; keep that behavior consistent when reviewing TypeScript/TSX files (e.g., usages like in `apps/webapp/app/components/code/TextEditor.tsx`).

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-03-22T19:24:14.403Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3187
File: apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts:200-204
Timestamp: 2026-03-22T19:24:14.403Z
Learning: In the triggerdotdev/trigger.dev codebase, webhook URLs are not expected to contain embedded credentials/secrets (e.g., fields like `ProjectAlertWebhookProperties` should only hold credential-free webhook endpoints). During code review, if you see logging or inclusion of raw webhook URLs in error messages, do not automatically treat it as a credential-leak/secrets-in-logs issue by default—first verify the URL does not contain embedded credentials (for example, no username/password in the URL, no obvious secret/token query params or fragments). If the URL is credential-free per this project’s conventions, allow the logging.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma error P1001 ("Can't reach database server") in TypeScript, don’t assume a single error shape. Prisma can surface P1001 via two different error classes/fields: `PrismaClientKnownRequestError` exposes it as `err.code === "P1001"` (common during mid-query connection drops), while `PrismaClientInitializationError` exposes it as `err.errorCode === "P1001"` (common on client startup failure). Therefore, predicates should use `err.code === "P1001" || err.errorCode === "P1001"`. Do not flag `err.code === "P1001"` as “unreachable/never matches,” as it is expected in production.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma errors for P1001 ("Can't reach database server"), do not assume it only appears under a single property name. Prisma may surface P1001 via either `PrismaClientKnownRequestError` (`err.code === "P1001"`, e.g., mid-query connection drops) or `PrismaClientInitializationError` (`err.errorCode === "P1001"`, e.g., client startup connection failure). To reliably detect the condition, check `err.code === "P1001" || err.errorCode === "P1001"`, and avoid review rules that would incorrectly flag `err.code === "P1001"` as unreachable/never-matching.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-13T19:53:13.759Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3937
File: packages/trigger-sdk/skills/realtime-and-frontend/SKILL.md:258-260
Timestamp: 2026-06-13T19:53:13.759Z
Learning: When reviewing code that uses `trigger.dev/react-hooks`’s `useRealtimeRun`, preserve the call signature where the first argument is the full realtime handle object (not `handle.id`). This is intentional to maintain type-safety and is consistent with the official docs; do not suggest changing the first argument from the handle object to `handle.id`.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-17T17:13:49.929Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3948
File: apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx:48-62
Timestamp: 2026-06-17T17:13:49.929Z
Learning: In triggerdotdev/trigger.dev, within `dashboardLoader`/`dashboardAction` (or similar context resolver code) whenever you resolve an organization ID from an organization slug for RBAC/enterprise authorization scope, always read from the primary Prisma client (`prisma`), not `$replica`. Using `$replica` can hit replica-lag and cause the RBAC lookup/authorization to run without the correct org scope (bypassing intended role enforcement). Implement the slug→org lookup with `prisma.organization.findFirst(...)` (or equivalent primary-client query) and add an inline comment documenting why the primary client is required (replica lag could lead to unscoped RBAC checks).

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-23T13:04:21.413Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4023
File: apps/webapp/app/services/upsertBranch.server.ts:14-18
Timestamp: 2026-06-23T13:04:21.413Z
Learning: In TypeScript, it’s valid to `import { type X }` and then use `typeof X` in a type-only position, e.g. `type Alias = z.infer<typeof X>`. The `type` modifier suppresses the runtime import, but the type checker still has the full exported type so `z.infer<typeof X>` can resolve correctly. In code reviews, don’t flag this as a TypeScript compile error as long as `typeof X` is used in a type context (e.g., with `z.infer`, `type` aliases, generics), not as a runtime value.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-07T12:25:18.271Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3531
File: apps/webapp/test/sentryTraceContext.server.test.ts:9-47
Timestamp: 2026-05-07T12:25:18.271Z
Learning: In the triggerdotdev/trigger.dev webapp test suite, it is acceptable to leave `createInMemoryTracing()` calls that register a global `NodeTracerProvider` without `afterEach`/`afterAll` teardown. Do not flag this as a test-ordering risk when the code follows the established pattern used across webapp tests (e.g., replication service/benchmark/backfiller tests). This is considered safe because `trace.getActiveSpan()` when called outside a `context.with(...)` block reads `AsyncLocalStorage.getStore()` (undefined when no `run()` scope exists), so it falls back to `ROOT_CONTEXT` with no attached span—regardless of which provider is registered.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
📚 Learning: 2026-05-28T20:02:10.647Z
Learnt from: myftija
Repo: triggerdotdev/trigger.dev PR: 3772
File: apps/webapp/test/findOrCreateBackgroundWorker.test.ts:1-1
Timestamp: 2026-05-28T20:02:10.647Z
Learning: In the triggerdotdev/trigger.dev monorepo, for the `apps/webapp` package use the established convention of storing Vitest tests (unit, integration, and e2e) under `apps/webapp/test/` rather than colocating them next to source files. Do not flag files located in `apps/webapp/test/` as violating any rule that says to colocate tests with source.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
📚 Learning: 2026-05-12T21:04:05.815Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3542
File: apps/webapp/app/components/sessions/v1/SessionStatus.tsx:1-3
Timestamp: 2026-05-12T21:04:05.815Z
Learning: In this Remix + TypeScript codebase, do not flag a server/client boundary violation when a file imports only types from a module matching `*.server`.

Specifically, it’s safe to import types using `import type { Foo } from "*.server"` or `import { type Foo } from "*.server"` because TypeScript erases type-only imports at compile time and they emit no JavaScript, so they won’t cross the Remix server/client bundle boundary.

Only raise the boundary concern for value imports (e.g., `import { Foo }` without `type`, or `import Foo`), since those produce JavaScript output.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-25T18:21:51.905Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4039
File: apps/webapp/app/routes/invite-revoke.tsx:0-0
Timestamp: 2026-06-25T18:21:51.905Z
Learning: During the Zod v4 migration in the triggerdotdev/trigger.dev webapp, ensure any imports from `conform-to/zod` use the Zod-4 subpath: `conform-to/zod/v4` (e.g., `import { parseWithZod } from "conform-to/zod/v4"`). Do not import from the package root `conform-to/zod`, because it is the Zod 3 implementation and may load Zod-3-only symbols (e.g., `ZodBranded`, `ZodEffects`), which can throw at module load (notably with `zod4.4.3`). This should be enforced across `apps/webapp/**/*` where helpers like `parseWithZod` and `conformZodMessage` are used.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-07-03T17:10:21.498Z
Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 4148
File: apps/webapp/app/models/orgMember.server.ts:149-168
Timestamp: 2026-07-03T17:10:21.498Z
Learning: In triggerdotdev/trigger.dev, `User.email` (Prisma schema: `internal-packages/database/prisma/schema.prisma`) currently does NOT use `citext` and does NOT have a `lower(email)` functional unique index. Therefore, do not introduce Prisma queries like `where: { email: { equals: <value>, mode: "insensitive" } }` (or any case-insensitive lookup) against `User.email`, because it can force sequential scans of the `users` table under load. During review, ensure email is normalized (e.g., lowercased/trimmed) before both writes and subsequent lookups, and if true case-insensitive behavior/uniqueness is required, implement it via a separate app-wide migration (e.g., switch to `citext` and/or add a functional unique index with backfill) rather than bolting it onto individual feature PRs.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-18T14:40:02.173Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3658
File: packages/core/src/v3/realtimeStreams/manager.test.ts:1-147
Timestamp: 2026-05-18T14:40:02.173Z
Learning: In the triggerdotdev/trigger.dev repo, the policy “Never mock anything — use testcontainers instead” should only be enforced for integration tests that interact with real external services (e.g., Redis, Postgres) via actual infrastructure. For unit tests that exercise pure in-memory logic (e.g., cache semantics) it is OK to stub collaborators such as `ApiClient` using Vitest (`vi.fn()`) to assert call counts or control behavior. Do not flag `vi.fn()`-based `ApiClient` stubs in unit tests as violations of the testcontainers policy.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
📚 Learning: 2026-06-04T18:16:35.386Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3836
File: apps/supervisor/src/backpressure/backpressureMonitor.ts:3-5
Timestamp: 2026-06-04T18:16:35.386Z
Learning: When reviewing TypeScript in this repo, apply the rule “prefer type aliases over interfaces” only to data/object shapes and union/intersection type modeling. If an interface is being used as a behavioral contract for collaborators to implement (e.g., method-shape interfaces that define required behavior, such as `BackpressureLogger` / `BackpressureSignalSource` in `apps/supervisor/src/backpressure/backpressureMonitor.ts`), keep it as an `interface` and do not flag it as a type-alias-vs-interface violation.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-09T17:58:04.699Z
Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 3879
File: apps/webapp/app/models/vercelIntegration.server.ts:619-630
Timestamp: 2026-06-09T17:58:04.699Z
Learning: In this codebase, outbound raw `fetch` calls should typically rely on Node/undici’s default request timeout (about ~300s) rather than adding a per-call `AbortController` + `setTimeout` wrapper inside individual functions (e.g. in files like `apps/webapp/app/models/vercelIntegration.server.ts`). During code review, do not flag the absence of a per-call timeout on a single `fetch` as an issue; if per-call timeouts are needed, they should be implemented via a codebase-wide convention (e.g., a shared fetch wrapper or documented pattern) rather than ad-hoc per-function changes.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
  • apps/webapp/app/routes/admin.api.v1.feature-flags.ts
  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-16T09:19:47.637Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3960
File: apps/webapp/test/prismaInfrastructureErrorCapture.test.ts:0-0
Timestamp: 2026-06-16T09:19:47.637Z
Learning: In this repo’s Vitest setup, `vitest.config.ts` uses `globals: true`, so identifiers like `vi`, `describe`, `it`, and `expect` are available as globals in Vitest test files. During code review, do not flag missing `vi`/`describe`/`it`/`expect` imports as a runtime error or correctness issue when they’re used in `*.test.ts/tsx` or `*.spec.ts/tsx` files. Explicit imports are still preferred for consistency, but they’re not required for runtime behavior.

Applied to files:

  • apps/webapp/test/runOpsMintGlobalFlipLock.test.ts
📚 Learning: 2026-03-29T19:16:28.864Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3291
File: apps/webapp/app/v3/featureFlags.ts:53-65
Timestamp: 2026-03-29T19:16:28.864Z
Learning: When reviewing TypeScript code that uses Zod v3, treat `z.coerce.*()` schemas as their direct Zod type (e.g., `z.coerce.boolean()` returns a `ZodBoolean` with `_def.typeName === "ZodBoolean"`) rather than a `ZodEffects`. Only `.preprocess()`, `.refine()`/`.superRefine()`, and `.transform()` are expected to wrap schemas in `ZodEffects`. Therefore, in reviewers’ logic like `getFlagControlType`, do not flag/unblock failures that require unwrapping `ZodEffects` when the input schema is a `z.coerce.*` schema.

Applied to files:

  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-06-09T16:27:26.195Z
Learnt from: myftija
Repo: triggerdotdev/trigger.dev PR: 3878
File: apps/webapp/app/v3/services/computeTemplateCreation.server.ts:0-0
Timestamp: 2026-06-09T16:27:26.195Z
Learning: When working in triggerdotdev/trigger.dev code related to worker-group/region default resolution (e.g., defaultWorkerInstanceGroupId handling used by getGlobalDefaultWorkerGroup, getDefaultWorkerGroupForProject, and RegionsPresenter), do NOT add org-level featureFlags overrides in only one resolution site. That can cause template creation routing/decisions to diverge from actual run routing. If org-level override of the default region/worker group is required, it must be centralized in getGlobalDefaultWorkerGroup so every resolution path remains aligned.

Applied to files:

  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-05T09:38:02.512Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3523
File: apps/webapp/app/routes/api.v3.batches.ts:178-181
Timestamp: 2026-05-05T09:38:02.512Z
Learning: When reviewing code that catches `ServiceValidationError` in `*.server.ts` files, do not blindly forward `error.status` to HTTP responses, because SVEs may be thrown with non-default statuses (e.g., 400/500) and forwarding them can cause client-visible behavioral regressions (e.g., surfacing 500s to clients). Prefer a safe default response status of `error.status ?? 422`, but only after confirming via the reachable call graph that the caught `ServiceValidationError` instances are expected to carry those non-default statuses; otherwise, normalize to `422` to avoid unexpected client-visible 5xx behavior.

Applied to files:

  • apps/webapp/app/v3/featureFlags.server.ts
📚 Learning: 2026-05-14T08:21:07.614Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3614
File: apps/webapp/app/v3/mollifier/mollifierGate.server.ts:48-52
Timestamp: 2026-05-14T08:21:07.614Z
Learning: When using Trigger.dev v3 feature flags in the webapp, prefer the existing per-org gating mechanism supported by `flag()` via the `overrides` argument. Pass `Organization.featureFlags` (from `environment.organization.featureFlags`) as the `overrides` value; overrides must take precedence over the global `featureFlag` row. Do not require schema changes or add an `orgId` field to `FlagsOptions` for per-org gating—use the overrides pattern consistently (e.g., in gate flows like `resolveOrgFlag` and any server code that threads `environment.organization.featureFlags` into the gate call).

Applied to files:

  • apps/webapp/app/v3/featureFlags.server.ts
🔇 Additional comments (5)
apps/webapp/app/routes/admin.api.v1.feature-flags.ts (2)

29-33: LGTM!


37-40: 🎯 Functional Correctness

No issue here
stampMintKindFlip() returns the same outgoingFlags object and only adds/updates runOpsMintKindPrev / runOpsMintKindFlippedAt, so unrelated flags remain in the payload persisted by makeSetMultipleFlags.

			> Likely an incorrect or invalid review comment.
apps/webapp/app/v3/featureFlags.server.ts (2)

2-10: LGTM!


161-192: 🩺 Stability & Availability | ⚡ Quick win

Consider an explicit $transaction timeout for the advisory-lock wait.

pg_advisory_xact_lock is acquired inside the interactive transaction, so time spent blocked waiting for the lock counts against Prisma's default interactive-transaction timeout (~5s). Under concurrent global flips, later transactions can exceed that window and abort. Passing an explicit { timeout, maxWait } makes the serialization robust rather than relying on the default. The 8-way concurrent test passes only because per-flip work is sub-millisecond.

♻️ Suggested option
-  return client.$transaction(async (tx) => {
+  return client.$transaction(
+    async (tx) => {
       await tx.$executeRaw`SELECT pg_advisory_xact_lock(hashtext('runops-global-mint-kind-flip'))`;
       ...
-  });
+    },
+    { timeout: 15_000, maxWait: 10_000 }
+  );
apps/webapp/test/runOpsMintGlobalFlipLock.test.ts (1)

28-60: LGTM!


Walkthrough

Adds deterministic mint-kind flip grace handling with server-side timestamp stamping, new feature-flag metadata, and cache-aware resolution. Replaces several per-record database reads with grouped queries and batched relation hydration across legacy and dedicated stores. Adds bounded connected-run retrieval, residency fallback routing, projection isolation, and presenter integrations. Expands integration coverage for grouped reads, split-store behavior, schedule residency, connected-run limits, mint flips, and cross-database waitpoint resumption.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is a summary only and omits the template’s required issue link, checklist, testing, changelog, and screenshots sections. Add the template sections: Closes #issue, checklist items, testing steps, changelog, and screenshots or explicit N/A entries.
Docstring Coverage ⚠️ Warning Docstring coverage is 35.42% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main grouped read and mint-kind grace changes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch runops-split-reads-and-mint-flip-grace

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

devin-ai-integration[bot]

This comment was marked as resolved.

@d-cs d-cs self-assigned this Jul 10, 2026
coderabbitai[bot]

This comment was marked as resolved.

d-cs added 4 commits July 10, 2026 16:21
…int kind

stampMintKindFlip injected the default mint kind into every org feature-flag save, so an unrelated flag change wrote an explicit per-org runOpsMintKind override, pinning the org to that kind and making a later global flip silently skip it. Only stamp when the save actually sets runOpsMintKind.
The raw queries reading a waitpoint's connected runs relied on search_path, so they broke on deployments using a non-public database schema. Qualify the tables with the configured schema so they resolve correctly.
…ields

An org's first per-org mint-flag override computed its cutover grace window against the wrong baseline, which could skip the grace window and briefly let two concurrent triggers sharing an idempotency key resolve to different databases. Seed the baseline from the effective global flag, strip the derived stamp fields from the request body, and apply the read-and-stamp atomically.
…d schema

The dedicated-schema hydrator for a waitpoint's connectedRuns relation fetched an unbounded list of connections and full run rows. Bound it per parent with a window function so a waitpoint with many connections cannot pull a large result set for a display-only field.
coderabbitai[bot]

This comment was marked as resolved.

d-cs added 3 commits July 10, 2026 17:28
…w SQL

Replaces the raw connected-runs query, which JOINed the waitpoint connection table onto the large TaskRun table, with two indexed ORM reads joined in memory: read the connection rows, then resolve the runs by id. The id lookup can only plan as a primary-key lookup, so the query planner never scans TaskRun, and Prisma qualifies the schema per client so the previous manual schema handling is gone.
@d-cs d-cs marked this pull request as ready for review July 10, 2026 19:44
@d-cs

d-cs commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator Author

How idempotency was tested

Two properties were checked directly against the running system, one for each failure mode a two-database split introduces:

1. Concurrent dedup, on each database. With the residency flag fixed to one database, a burst of concurrent triggers sharing a single idempotency key was issued. The result is exactly one run: the first insert wins and every other caller receives that same run id, because the per-database unique index on the idempotency key rejects the duplicate inserts. Repeated with the flag fixed to the other database: same result, one run.

2. Dedup across the residency flip. A key is first used while new runs mint into database A. The flag is then flipped so new runs mint into database B, and the same key is triggered again. It returns the original run id from database A rather than minting a second run in database B. This is the case a per-database unique constraint cannot catch on its own (the constraint in B cannot see the row in A), so it confirms the pre-mint existing-run lookup spans both databases.

Together these close both gaps a split could open: a race within one database (rejected by the unique constraint) and a key reused across the cutover (caught by the cross-database lookup before a second run is minted).

devin-ai-integration[bot]

This comment was marked as resolved.

The global feature-flag route read, stamped, and wrote the mint-kind grace metadata without a lock, so two concurrent global flips could clobber each other's grace stamp and skip the deterministic cutover window (briefly reopening the cross-database duplicate window the grace exists to close). Wrap the read/stamp/write in one transaction under an advisory lock, mirroring the per-org routes. An advisory lock rather than row FOR UPDATE because the global flag rows may not exist yet on a first flip.
@d-cs

d-cs commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator Author

SQL structure and index usage: confirmed good

Every DB query this PR adds or changes was inventoried and checked with EXPLAIN against real-sized data on both the control-plane and run-ops databases: all query sites are index-covered, none can sequentially scan a large table, and no new indexes are required. An independent adversarial re-check of every large-table query could not produce a scan. The introduced reads fall into a few shapes.

Connected-runs in the presenter (now ORM, no raw SQL). Two indexed reads joined in memory, so the runs table is only ever a primary-key lookup:

SELECT "id", "taskRunId" FROM "WaitpointRunConnection"
WHERE "waitpointId" = $1 ORDER BY "id" LIMIT 25;
-- Index Scan using WaitpointRunConnection_waitpointId_idx

SELECT "id", "friendlyId" FROM "TaskRun"
WHERE "id" IN ($1, $2, ...) ORDER BY "id" LIMIT 5;
-- Index Scan using TaskRun_pkey

On the control-plane schema the implicit many-to-many resolves as three primary-key / id IN reads (Waitpoint_pkey then _WaitpointRunConnections_B_index then TaskRun_pkey), never a JOIN or semi-join.

Grouped relation hydration (run-store). Per-parent (N+1) hydration is collapsed into one IN (...) query per relation key: each join reads its FK-side index and each target reads its primary key (e.g. WaitpointRunConnection_taskRunId_waitpointId_key, Waitpoint_completedByTaskRunId_key, TaskRunWaitpoint_waitpointId_idx, then the _pkey on the target). Strictly fewer round trips than before.

Bounded connected-runs (run-store, parameterized raw). The two previously-unbounded paths are now capped, and both plan index-driven:

-- dedicated (run-ops): cap per waitpoint via a window
SELECT "taskRunId" FROM (
  SELECT c."taskRunId",
         ROW_NUMBER() OVER (PARTITION BY c."waitpointId" ORDER BY c."id") AS rn
  FROM "WaitpointRunConnection" c
  JOIN "TaskRun" t ON t."id" = c."taskRunId"
  WHERE c."waitpointId" = ANY($1)
) ranked WHERE rn <= 5;
-- Index Scan WaitpointRunConnection_waitpointId_idx + Index Only Scan TaskRun_pkey

-- legacy (control-plane)
SELECT c."A" FROM "_WaitpointRunConnections" c
JOIN "TaskRun" t ON t."id" = c."A" WHERE c."B" = $1 LIMIT 5;
-- Index Scan _WaitpointRunConnections_B_index + Index Only Scan TaskRun_pkey

Batch and flag reads. Batch members resolve by id IN (...) on TaskRun_pkey (the attempts relation reads TaskRunAttempt_taskRunId_idx); the admin org-flag routes touch only Organization (primary key) and FeatureFlag.

Honest notes, none of which are scan or index risks:

  • The batch-member id IN list grows with batch item count. That is inherent to returning all batch results, is unchanged by this PR, and stays a primary-key lookup.
  • The global-flag read is a sequential scan on FeatureFlag, which is a fixed catalog table (about one row) that cannot grow with data.
  • The two raw LIMIT 5 reads have no ORDER BY, so which five connections return is nondeterministic: a display-only nuance, not a performance one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants