feat(redis-worker): batched pop in MollifierDrainer for fast single-env drains#3797
Open
d-cs wants to merge 14 commits into
Open
feat(redis-worker): batched pop in MollifierDrainer for fast single-env drains#3797d-cs wants to merge 14 commits into
d-cs wants to merge 14 commits into
Conversation
Design for an autonomous, containerised pipeline that validates and proposes production-grade fixes for ~250 deepsec security findings tracked in Linear, with local-only review and no GitHub exposure until disclosure timing is decided. Implementation lives in a separate repository. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
End-to-end plumbing plan — new repo at ~/Development/sec-fix-pipeline/, worker daemon, stub agent container, MinIO artifact storage, Linear label state machine. Stub agent only; Phases 2-6 (real agent, full stack, durability, resumable runs, dashboard) tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a drainBatchSize option (default 1, preserves existing behaviour) that lets the drainer pop up to N entries from each chosen env per tick and dispatch them all through the shared concurrency-bounded limiter. Org/env fairness is preserved — the per-tick env selection is unchanged, only the in-env pop count grows. Wires TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE through the webapp (default 50). For a single-env burst of K entries with K > 1, drain time drops from K × tick_time to ceil(K / drainBatchSize) × tick_time with handler parallelism capped at concurrency. Heavy single-tenant tails go from minutes to tens of seconds without changing PG load characteristics. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🦋 Changeset detectedLatest commit: d38b449 The changes in this PR will be included in the next version bump. This PR includes changesets to release 32 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThis PR adds a per-environment batching option to MollifierDrainer. A new option/env var (TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE, server default 50) is wired into initialization and logging. The drainer gains an optional Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Addresses CodeRabbit review: the prefetched-pop tick design moved every popped entry into DRAINING before any of them got a pLimit slot, so a process crash mid-tick stranded up to maxOrgsPerTick × drainBatchSize entries for stale-sweep to recover (~25k at defaults). Replaces it with a worker-pool: spawn min(concurrency, totalBudget) workers; each worker round-robin-picks an env with budget remaining, pops one entry, processes it, releases its slot. At any moment, the count of popped-but-not-acked entries is bounded by `concurrency` — identical safety to the pre-batch one-pop-per-env path — while a single-env burst still uses the full concurrency budget (all workers can pull from the same env). Adds a regression test pinning the bound: never has more than `concurrency` entries popped-but-not-acked at any moment. Two existing batch tests now use concurrency=1 to isolate the break-on-empty/error semantic from the worker-pool's parallel-pick race (the race semantic itself is covered by the new safety test). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
…-tolerant assertions The two batch tests that exercise pop-failure / queue-empty behaviour were temporarily set to concurrency=1 to dodge the worker pool's parallel-pick race. That collapsed the worker pool and stopped the tests from validating their semantics under genuine concurrency. Restored concurrency=5 (matching the rest of the suite) and switched the non-deterministic counts to bounded-range assertions: - mid-batch pop failure: actual drained entries are deterministic (the two bad pops + one good pop); failure count is in [1, concurrency] because workers that loop after a sibling's empty/null pop can re-pop the broken env before skip.add propagates. envBadPops is bounded by drainBatchSize + concurrency — the property is "bounded retry", not "exactly one". - stops popping early: popCalls in [3, concurrency + 2] and strictly less than drainBatchSize — the property is "we don't pop all the way to the batch ceiling once the queue empties". These bounds are tight enough to catch a regression to unbounded pops while tolerating the legitimate race between worker iterations. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Multiple workers can race past pickNextEnv into the same env before skip propagates from the first failing pop. With the prior unguarded `failed += 1` each racing worker bumped the count, so a single broken env could contribute up to `concurrency` failures in one tick — drifting from the documented "one failure per env batch" contract. Guard the increment on `!skip.has(envId)` so the per-env failure count is exactly one regardless of race. Tightens the test assertion from "in [1, concurrency]" to "=== 1". Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…nto feat/mollifier-drain-batch
nicktrn
approved these changes
Jun 2, 2026
… entries
Adds a Redis sorted set `mollifier:draining` mirroring entries currently
in DRAINING state (popped by the drainer, not yet acked/failed/requeued),
scored by pop wall-clock millis. Maintained atomically with the existing
per-entry status transitions:
- popAndMarkDraining → ZADD score=now-ms
- ackMollifierEntry → ZREM
- failMollifierEntry → ZREM
- requeueMollifierEntry → ZREM
Each pre-existing Lua picks up one extra Redis op; ack/fail also gain a
runId arg so they can ZREM without a hash read. Buffer exposes:
- getDrainingCount(): ZCARD — gauge value
- listStaleDraining(olderThanMs, limit): ZRANGEBYSCORE — forensics
after an ECS OOM ("which entries were stranded?")
NOT load-bearing for correctness — per-entry hash still carries status,
stale-sweep still scans queue LISTs. The set is a fast top-level index
so a wiped/out-of-date set just over-reports the gauge; recovery paths
are untouched. A test pins this graceful-degradation invariant.
Wires `mollifier.draining.current` ObservableGauge polled every 15s on
the drainer worker pods. unref'd setInterval so it can't block graceful
shutdown; idempotent under dev hot-reload. Test seam exported for unit
testing without spinning a real OTel meter.
Tests:
- 7 redisTest cases in buffer.test.ts (lifecycle on every Lua boundary,
requeue-and-repop score replacement, listStaleDraining cutoff/limit,
graceful-degradation when set is wiped)
- 6 unit tests in webapp for the gauge poller (eager fire, cadence,
null buffer no-op, transient-error survives, idempotent start,
stop halts loop)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
`mollifier-buffer-extensions.md` and `mollifier-drainer-terminal-failure-callback.md` describe changes that have already shipped on prior merged PRs; carrying them on this branch would double-publish in the next release. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
drainBatchSizetoMollifierDrainer(default1— preserves existing behaviour) and wiresTRIGGER_MOLLIFIER_DRAIN_BATCH_SIZEthrough the webapp (default50). Each tick the drainer now pops up todrainBatchSizefrom each chosen env, then dispatches every popped entry through the sharedconcurrency-boundedpLimit. Per-org/per-env fairness is unchanged — only the in-env pop count grows.Pre-existing behaviour was one pop per env per tick. For a single-env burst that single-flighted the drain at the per-tick floor of
pop + engine.trigger ≈ 50–60 ms. With buffer entries piling up under a real-world tenant burst that's tens of minutes of tail latency to fully materialise — even though PG itself could comfortably sustain the writes.Why this matters — heavy-tail illustration
Scenario: 100 customers in one window — 94 fire 20 triggers each, 5 fire 100, 1 fires 1000. Gate at
THRESHOLD=10/s,HOLD_MS=500. First 10 of each burst hit PG directly; the rest buffer.With
DRAIN_BATCH_SIZE=50,DRAIN_CONCURRENCY=50, ~50 msengine.trigger:Without batching (one pop per env per tick — current behaviour):
So the heavy single-tenant tail drops from ~49 s to ~3.4 s (~14× faster) without changing PG load characteristics. Smalls go up slightly in this scenario (500 ms → 1.3 s) because all 100 envs share one tick's dispatch queue — that's the trade we accept for the heavy tail; the worst-case small wait is still inside one tick. PG load is identical either way (50 concurrent inserts at a time, capped by
DRAIN_CONCURRENCY).What changed
packages/redis-workerdrainBatchSizeoption (default 1 — full backward compat).runOnce()refactored to pop per-env batches in parallel, then dispatch all popped entries through the existing globalpLimit. Mid-batch pop failure aborts only that env's batch and counts as one failure (same semantic as the old per-env path).processOneFromEnvhelper.apps/webappTRIGGER_MOLLIFIER_DRAIN_BATCH_SIZEenv var (default 50, matchingDRAIN_CONCURRENCY).mollifierDrainer.server.ts.Test cloud config (separate cloud PR):
TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE="50"on the worker service. Production rollout deferred until we've watched it on test cloud.Test plan
MollifierDrainer.drainBatchSize:drainBatchSizeacross ticksconcurrencycap still holds when batch > concurrencydrainBatchSize > 1(load-bearing — guards against future regressions to per-env-instead-of-per-org rotation)drainBatchSize)drainBatchSize=1→ backward-compat locked.pnpm run build --filter @trigger.dev/redis-workerclean.pnpm run typecheck --filter webappclean.redisTestblock (real Redis via testcontainers) — couldn't run locally on this branch due to testcontainers runtime discovery; will validate in CI.burst 50against a flagged env and confirm the 50th entry's drain time drops from ~2.5 s to <200 ms.Notes
maxOrgsPerTick × drainBatchSizeentries can sit in the JS pLimit queue between pop and dispatch. At defaults that's500 × 50 = 25 000× ~5 KB snapshot ≈ ~125 MB worst case per worker — well within headroom.1/tickis documented as the fairness baseline elsewhere. Org-level fairness is what callers actually rely on; this change does not weaken that.🤖 Generated with Claude Code