fix(mollifier): degrade to disabled when redis host is unset, no main-redis fallback

Two operational guards for misconfigured rollouts:

1. Drop the MOLLIFIER_REDIS_* fallback to the main REDIS_* cluster.
   The mollifier writes to a dedicated Redis to keep burst traffic off
   the engine's primary queue — silently colocating with the main Redis
   when MOLLIFIER_REDIS_HOST is unset defeats the design.

2. Degrade gracefully instead of crashing the pod. If MOLLIFIER_ENABLED
   was flipped on without setting MOLLIFIER_REDIS_HOST, the buffer
   returns null (with a one-shot warn log per process) and the drainer
   no-ops. No crash loops, no failed deploys, no traffic impact —
   operators see the warn line and fix the misconfig in a follow-up
   deploy.

The drainer's previously-unreachable "env vars inconsistent" throw
becomes reachable in this degraded mode; replace it with a null return
so worker.server.ts's existing null check short-circuits cleanly.

Author: d-cs

apps/webapp/app/env.server.ts

@@ -1032,25 +1032,16 @@ const EnvironmentSchema = z
 
     MOLLIFIER_ENABLED: z.string().default("0"),
     MOLLIFIER_SHADOW_MODE: z.string().default("0"),
-    MOLLIFIER_REDIS_HOST: z
-      .string()
-      .optional()
-      .transform((v) => v ?? process.env.REDIS_HOST),
-    MOLLIFIER_REDIS_PORT: z.coerce
-      .number()
-      .optional()
-      .transform(
-        (v) => v ?? (process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : undefined),
-      ),
-    MOLLIFIER_REDIS_USERNAME: z
-      .string()
-      .optional()
-      .transform((v) => v ?? process.env.REDIS_USERNAME),
-    MOLLIFIER_REDIS_PASSWORD: z
-      .string()
-      .optional()
-      .transform((v) => v ?? process.env.REDIS_PASSWORD),
-    MOLLIFIER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
+    // No fallback to the main `REDIS_*` cluster. The mollifier writes to a
+    // dedicated Redis to keep burst traffic off the engine's primary queue.
+    // If `MOLLIFIER_ENABLED=1` but `MOLLIFIER_REDIS_HOST` is unset, the
+    // buffer degrades to disabled (with a warn log) rather than silently
+    // colocating with the main Redis. See `mollifierBuffer.server.ts`.
+    MOLLIFIER_REDIS_HOST: z.string().optional(),
+    MOLLIFIER_REDIS_PORT: z.coerce.number().optional(),
+    MOLLIFIER_REDIS_USERNAME: z.string().optional(),
+    MOLLIFIER_REDIS_PASSWORD: z.string().optional(),
+    MOLLIFIER_REDIS_TLS_DISABLED: z.string().default("false"),
     MOLLIFIER_TRIP_WINDOW_MS: z.coerce.number().int().positive().default(200),
     MOLLIFIER_TRIP_THRESHOLD: z.coerce.number().int().positive().default(100),
     MOLLIFIER_HOLD_MS: z.coerce.number().int().positive().default(500),

apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts

@@ -26,7 +26,25 @@ function initializeMollifierBuffer(): MollifierBuffer {
   });
 }
 
+// Latch so we log the degraded-config warning exactly once per process
+// instead of on every `getMollifierBuffer()` call (which is per-trigger).
+let degradedConfigLogged = false;
+
 export function getMollifierBuffer(): MollifierBuffer | null {
   if (env.MOLLIFIER_ENABLED !== "1") return null;
+  // Fail safe, not loud: if MOLLIFIER_ENABLED was flipped on without
+  // setting `MOLLIFIER_REDIS_HOST`, degrade the mollifier to disabled
+  // rather than crash-looping the pod (or — worse — sharing the main
+  // engine Redis). One warn log per process is enough for operators to
+  // spot the misconfig without drowning logs in repeats.
+  if (!env.MOLLIFIER_REDIS_HOST) {
+    if (!degradedConfigLogged) {
+      logger.warn(
+        "mollifier.degraded_config: MOLLIFIER_ENABLED=1 but MOLLIFIER_REDIS_HOST is unset — treating as disabled until configured",
+      );
+      degradedConfigLogged = true;
+    }
+    return null;
+  }
   return singleton("mollifierBuffer", initializeMollifierBuffer);
 }

apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts

@@ -6,11 +6,15 @@ import { singleton } from "~/utils/singleton";
 import { getMollifierBuffer } from "./mollifierBuffer.server";
 import type { BufferedTriggerPayload } from "./bufferedTriggerPayload.server";
 
-function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload> {
+function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload> | null {
   const buffer = getMollifierBuffer();
   if (!buffer) {
-    // Should be unreachable: getMollifierDrainer() guards on the same env flag as getMollifierBuffer().
-    throw new Error("MollifierDrainer initialised without a buffer — env vars inconsistent");
+    // Buffer degraded to disabled (e.g. MOLLIFIER_ENABLED=1 but
+    // MOLLIFIER_REDIS_HOST unset). Don't crash the pod — return null and
+    // let the worker shutdown registration short-circuit. The degraded
+    // config is logged once by `getMollifierBuffer()`; we don't double
+    // log here.
+    return null;
   }
 
   logger.debug("Initializing mollifier drainer", {