fix(mollifier): keep trigger hot path DB-free and fail open on flag errors

d-cs · d-cs · commit 3f8b48979118 · 2026-05-14T13:22:05.000+01:00
resolveOrgFlag now checks the per-org Organization.featureFlags override
in-memory before falling back to the global flag() helper, so the common
per-org enablement path resolves without a Prisma round-trip on every
trigger call. evaluateGate also wraps the flag resolution in try/catch
and fails open to false on error, mirroring the trip evaluator.
diff --git a/apps/webapp/app/v3/mollifier/mollifierGate.server.ts b/apps/webapp/app/v3/mollifier/mollifierGate.server.ts
@@ -1,7 +1,7 @@
 import { env } from "~/env.server";
 import { logger } from "~/services/logger.server";
 import { flag } from "~/v3/featureFlags.server";
-import { FEATURE_FLAG } from "~/v3/featureFlags";
+import { FEATURE_FLAG, FeatureFlagCatalog } from "~/v3/featureFlags";
 import { getMollifierBuffer } from "./mollifierBuffer.server";
 import { createRealTripEvaluator } from "./mollifierTripEvaluator.server";
 import {
@@ -95,15 +95,35 @@ function logDivertDecision(
   });
 }
 
+// Check per-org override in-memory before consulting the DB. `triggerTask`
+// is the hot path, so we resolve the common case (org has an explicit
+// `mollifierEnabled` value in its `Organization.featureFlags` JSON) without
+// a Prisma round-trip. Only orgs with no override fall through to `flag()`,
+// which queries the global `FeatureFlag` row.
+export function makeResolveMollifierFlag(
+  flagFn: typeof flag = flag,
+): (inputs: GateInputs) => Promise<boolean> {
+  return (inputs) => {
+    const override = inputs.orgFeatureFlags?.[FEATURE_FLAG.mollifierEnabled];
+    if (override !== undefined) {
+      const parsed = FeatureFlagCatalog[FEATURE_FLAG.mollifierEnabled].safeParse(override);
+      if (parsed.success) {
+        return Promise.resolve(parsed.data);
+      }
+    }
+    return flagFn({
+      key: FEATURE_FLAG.mollifierEnabled,
+      defaultValue: false,
+    });
+  };
+}
+
+const resolveMollifierFlag = makeResolveMollifierFlag();
+
 export const defaultGateDependencies: GateDependencies = {
   isMollifierEnabled: () => env.MOLLIFIER_ENABLED === "1",
   isShadowModeOn: () => env.MOLLIFIER_SHADOW_MODE === "1",
-  resolveOrgFlag: (inputs) =>
-    flag({
-      key: FEATURE_FLAG.mollifierEnabled,
-      defaultValue: false,
-      overrides: inputs.orgFeatureFlags ?? {},
-    }),
+  resolveOrgFlag: resolveMollifierFlag,
   evaluator: defaultEvaluator,
   logShadow: (inputs, decision) =>
     logDivertDecision("mollifier.would_mollify", inputs, decision),
@@ -123,7 +143,21 @@ export async function evaluateGate(
     return { action: "pass_through" };
   }
 
-  const orgFlagEnabled = await d.resolveOrgFlag(inputs);
+  // Fail open: a transient DB error resolving the per-org flag must not
+  // block triggers. Mirror the evaluator's fail-open posture in
+  // `mollifierTripEvaluator.server.ts`.
+  let orgFlagEnabled: boolean;
+  try {
+    orgFlagEnabled = await d.resolveOrgFlag(inputs);
+  } catch (error) {
+    logger.warn("mollifier.resolve_org_flag_failed", {
+      envId: inputs.envId,
+      orgId: inputs.orgId,
+      taskId: inputs.taskId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    orgFlagEnabled = false;
+  }
   const shadowOn = d.isShadowModeOn();
 
   if (!orgFlagEnabled && !shadowOn) {
diff --git a/apps/webapp/test/mollifierGate.test.ts b/apps/webapp/test/mollifierGate.test.ts
@@ -16,6 +16,7 @@ import { FEATURE_FLAG } from "~/v3/featureFlags";
 import { makeFlag } from "~/v3/featureFlags.server";
 import {
   evaluateGate,
+  makeResolveMollifierFlag,
   type GateDependencies,
   type GateInputs,
   type TripDecision,
@@ -195,6 +196,101 @@ describe("evaluateGate cascade — exhaustive truth table", () => {
 // we build it via `makeFlag(prisma)` and let the `Organization.featureFlags`
 // blob flow through `flag()`'s overrides path. The global `FeatureFlag` table
 // is empty, so the only signal moving outcomes is the per-org JSON.
+// Hot-path guard: `triggerTask.server.ts` calls `evaluateGate` on every
+// trigger when `MOLLIFIER_ENABLED=1`. The per-org override path must resolve
+// without a Prisma round-trip — otherwise the gate adds a DB query to the
+// highest-throughput code path in the system (see apps/webapp/CLAUDE.md).
+describe("resolveMollifierFlag — hot path", () => {
+  it("returns override value without calling flag() when override is set", async () => {
+    let flagCalls = 0;
+    const flagStub: any = async () => {
+      flagCalls += 1;
+      return false;
+    };
+    const resolve = makeResolveMollifierFlag(flagStub);
+
+    const enabled = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { mollifierEnabled: true },
+    });
+    const disabled = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { mollifierEnabled: false },
+    });
+
+    expect(enabled).toBe(true);
+    expect(disabled).toBe(false);
+    expect(flagCalls).toBe(0);
+  });
+
+  it("falls back to flag() when org has no override for the key", async () => {
+    let flagCalls = 0;
+    const flagStub: any = async () => {
+      flagCalls += 1;
+      return true;
+    };
+    const resolve = makeResolveMollifierFlag(flagStub);
+
+    const fromNull = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: null,
+    });
+    const fromUnrelatedKeys = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { hasAiAccess: true },
+    });
+
+    expect(fromNull).toBe(true);
+    expect(fromUnrelatedKeys).toBe(true);
+    expect(flagCalls).toBe(2);
+  });
+});
+
+describe("evaluateGate — fail open on resolveOrgFlag error", () => {
+  it("treats org flag as false when resolveOrgFlag throws, and does not block triggers", async () => {
+    const spies: Spies = {
+      evaluatorCalls: 0,
+      logShadowCalls: [],
+      logMollifiedCalls: [],
+      recordDecisionCalls: [],
+    };
+    const deps: Partial<GateDependencies> = {
+      isMollifierEnabled: () => true,
+      isShadowModeOn: () => false,
+      resolveOrgFlag: async () => {
+        throw new Error("simulated prisma timeout");
+      },
+      evaluator: async () => {
+        spies.evaluatorCalls += 1;
+        return trippedDecision;
+      },
+      logShadow: (inputs, decision) => {
+        spies.logShadowCalls.push({ inputs, decision });
+      },
+      logMollified: (inputs, decision) => {
+        spies.logMollifiedCalls.push({ inputs, decision });
+      },
+      recordDecision: (outcome, reason) => {
+        spies.recordDecisionCalls.push({ outcome, reason });
+      },
+    };
+
+    const outcome = await evaluateGate(inputs, deps);
+
+    expect(outcome.action).toBe("pass_through");
+    expect(spies.evaluatorCalls).toBe(0);
+    expect(spies.recordDecisionCalls).toEqual([{ outcome: "pass_through", reason: undefined }]);
+  });
+});
+
 describe("evaluateGate — per-org isolation via Organization.featureFlags", () => {
   function makeIsolationDeps(
     realResolveOrgFlag: GateDependencies["resolveOrgFlag"],
