refactor(webapp): prefix mollifier env vars with TRIGGER_

All MOLLIFIER_* env vars renamed to TRIGGER_MOLLIFIER_*. The mollifier
primitive is generic — buffer + drainer + trip evaluator with no
trigger-specific assumptions at the redis-worker layer — but this
PR's webapp wiring is specifically the trigger-task mollifier, with
PII-sensitive payload handling and trigger-flow semantics. If we later
mollify another surface (deploys, schedules, etc.) those will want
their own env-var namespace; pre-prefixing now avoids a breaking
rename later.

Renames are mechanical: schema keys in env.server.ts, env.* references
across the v3/mollifier* modules, and a handful of doc-comment
mentions. The bootstrap fallback that has DRAINER_ENABLED default to
the ENABLED value is updated to read TRIGGER_MOLLIFIER_ENABLED from
process.env too. Code-side naming (classes, file names, the literal
word "mollifier") stays unchanged — the rename is env-var only.

Author: d-cs

apps/webapp/app/env.server.ts

@@ -1054,46 +1054,46 @@ const EnvironmentSchema = z
     COMMON_WORKER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
     COMMON_WORKER_REDIS_CLUSTER_MODE_ENABLED: z.string().default("0"),
 
-    MOLLIFIER_ENABLED: z.string().default("0"),
+    TRIGGER_MOLLIFIER_ENABLED: z.string().default("0"),
     // Separate switch for the drainer (consumer side) so it can be split
     // off onto a dedicated worker service. Unset → inherits
-    // MOLLIFIER_ENABLED, so single-container self-hosters don't have to
+    // TRIGGER_MOLLIFIER_ENABLED, so single-container self-hosters don't have to
     // flip two switches. In multi-replica deployments, set this to "0"
     // explicitly on every replica except the one dedicated drainer
     // service — otherwise every replica's polling loop races for the
-    // same buffer entries. `MOLLIFIER_ENABLED` is still the master kill
-    // switch; setting this to "1" while `MOLLIFIER_ENABLED` is "0" is a
+    // same buffer entries. `TRIGGER_MOLLIFIER_ENABLED` is still the master kill
+    // switch; setting this to "1" while `TRIGGER_MOLLIFIER_ENABLED` is "0" is a
     // no-op because the gate-side singleton refuses to construct a
     // buffer when the system is off.
-    MOLLIFIER_DRAINER_ENABLED: z.string().default(process.env.MOLLIFIER_ENABLED ?? "0"),
-    MOLLIFIER_SHADOW_MODE: z.string().default("0"),
-    MOLLIFIER_REDIS_HOST: z
+    TRIGGER_MOLLIFIER_DRAINER_ENABLED: z.string().default(process.env.TRIGGER_MOLLIFIER_ENABLED ?? "0"),
+    TRIGGER_MOLLIFIER_SHADOW_MODE: z.string().default("0"),
+    TRIGGER_MOLLIFIER_REDIS_HOST: z
       .string()
       .optional()
       .transform((v) => v ?? process.env.REDIS_HOST),
-    MOLLIFIER_REDIS_PORT: z.coerce
+    TRIGGER_MOLLIFIER_REDIS_PORT: z.coerce
       .number()
       .optional()
       .transform(
         (v) => v ?? (process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : undefined),
       ),
-    MOLLIFIER_REDIS_USERNAME: z
+    TRIGGER_MOLLIFIER_REDIS_USERNAME: z
       .string()
       .optional()
       .transform((v) => v ?? process.env.REDIS_USERNAME),
-    MOLLIFIER_REDIS_PASSWORD: z
+    TRIGGER_MOLLIFIER_REDIS_PASSWORD: z
       .string()
       .optional()
       .transform((v) => v ?? process.env.REDIS_PASSWORD),
-    MOLLIFIER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
-    MOLLIFIER_TRIP_WINDOW_MS: z.coerce.number().int().positive().default(200),
-    MOLLIFIER_TRIP_THRESHOLD: z.coerce.number().int().positive().default(100),
-    MOLLIFIER_HOLD_MS: z.coerce.number().int().positive().default(500),
-    MOLLIFIER_DRAIN_CONCURRENCY: z.coerce.number().int().positive().default(50),
-    MOLLIFIER_ENTRY_TTL_S: z.coerce.number().int().positive().default(600),
-    MOLLIFIER_DRAIN_MAX_ATTEMPTS: z.coerce.number().int().positive().default(3),
-    MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS: z.coerce.number().int().positive().default(30_000),
-    MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK: z.coerce.number().int().positive().default(500),
+    TRIGGER_MOLLIFIER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
+    TRIGGER_MOLLIFIER_TRIP_WINDOW_MS: z.coerce.number().int().positive().default(200),
+    TRIGGER_MOLLIFIER_TRIP_THRESHOLD: z.coerce.number().int().positive().default(100),
+    TRIGGER_MOLLIFIER_HOLD_MS: z.coerce.number().int().positive().default(500),
+    TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY: z.coerce.number().int().positive().default(50),
+    TRIGGER_MOLLIFIER_ENTRY_TTL_S: z.coerce.number().int().positive().default(600),
+    TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS: z.coerce.number().int().positive().default(3),
+    TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS: z.coerce.number().int().positive().default(30_000),
+    TRIGGER_MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK: z.coerce.number().int().positive().default(500),
 
     BATCH_TRIGGER_PROCESS_JOB_VISIBILITY_TIMEOUT_MS: z.coerce
       .number()

apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts

@@ -9,24 +9,24 @@ export type MollifierGetBuffer = () => MollifierBuffer | null;
 
 function initializeMollifierBuffer(): MollifierBuffer {
   logger.debug("Initializing mollifier buffer", {
-    host: env.MOLLIFIER_REDIS_HOST,
+    host: env.TRIGGER_MOLLIFIER_REDIS_HOST,
   });
 
   return new MollifierBuffer({
     redisOptions: {
       keyPrefix: "",
-      host: env.MOLLIFIER_REDIS_HOST,
-      port: env.MOLLIFIER_REDIS_PORT,
-      username: env.MOLLIFIER_REDIS_USERNAME,
-      password: env.MOLLIFIER_REDIS_PASSWORD,
+      host: env.TRIGGER_MOLLIFIER_REDIS_HOST,
+      port: env.TRIGGER_MOLLIFIER_REDIS_PORT,
+      username: env.TRIGGER_MOLLIFIER_REDIS_USERNAME,
+      password: env.TRIGGER_MOLLIFIER_REDIS_PASSWORD,
       enableAutoPipelining: true,
-      ...(env.MOLLIFIER_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+      ...(env.TRIGGER_MOLLIFIER_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
     },
-    entryTtlSeconds: env.MOLLIFIER_ENTRY_TTL_S,
+    entryTtlSeconds: env.TRIGGER_MOLLIFIER_ENTRY_TTL_S,
   });
 }
 
 export function getMollifierBuffer(): MollifierBuffer | null {
-  if (env.MOLLIFIER_ENABLED !== "1") return null;
+  if (env.TRIGGER_MOLLIFIER_ENABLED !== "1") return null;
   return singleton("mollifierBuffer", initializeMollifierBuffer);
 }

apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts

@@ -11,8 +11,8 @@ function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload>
   if (!buffer) {
     // Unreachable in normal config: getMollifierDrainer() gates on the
     // same env flag as getMollifierBuffer(). If we hit this, fail loud
-    // — the operator has set MOLLIFIER_ENABLED=1 on a worker pod but
-    // the buffer can't initialise (e.g. MOLLIFIER_REDIS_HOST resolves
+    // — the operator has set TRIGGER_MOLLIFIER_ENABLED=1 on a worker pod but
+    // the buffer can't initialise (e.g. TRIGGER_MOLLIFIER_REDIS_HOST resolves
     // to nothing). Crashing surfaces the misconfig immediately rather
     // than silently leaving entries un-drained.
     throw new Error("MollifierDrainer initialised without a buffer — env vars inconsistent");
@@ -24,7 +24,7 @@ function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload>
   // polling with no SIGTERM handler registered by the caller — exactly
   // the failure mode the validation is supposed to prevent.
   //
-  // The SIGTERM handler in worker.server.ts is sync fire-and-forget:
+  // The SIGTERM handler in mollifierDrainerWorker.server.ts is sync fire-and-forget:
   // `drainer.stop({ timeoutMs })` returns a promise that keeps the event
   // loop alive, but in cluster mode the primary runs its own
   // GRACEFUL_SHUTDOWN_TIMEOUT and will call `process.exit(0)`
@@ -34,17 +34,17 @@ function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload>
   // its own teardown after the drainer settles.
   const shutdownMarginMs = 1_000;
   if (
-    env.MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS >=
+    env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS >=
     env.GRACEFUL_SHUTDOWN_TIMEOUT - shutdownMarginMs
   ) {
     throw new Error(
-      `MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS (${env.MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS}) must be at least ${shutdownMarginMs}ms below GRACEFUL_SHUTDOWN_TIMEOUT (${env.GRACEFUL_SHUTDOWN_TIMEOUT}); otherwise the primary's hard exit shadows the drainer's deadline.`,
+      `TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS (${env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS}) must be at least ${shutdownMarginMs}ms below GRACEFUL_SHUTDOWN_TIMEOUT (${env.GRACEFUL_SHUTDOWN_TIMEOUT}); otherwise the primary's hard exit shadows the drainer's deadline.`,
     );
   }
 
   logger.debug("Initializing mollifier drainer", {
-    concurrency: env.MOLLIFIER_DRAIN_CONCURRENCY,
-    maxAttempts: env.MOLLIFIER_DRAIN_MAX_ATTEMPTS,
+    concurrency: env.TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY,
+    maxAttempts: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS,
   });
 
   // Phase 1 handler: no-op ack. The trigger has ALREADY been written to
@@ -74,9 +74,9 @@ function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload>
         payloadHash,
       });
     },
-    concurrency: env.MOLLIFIER_DRAIN_CONCURRENCY,
-    maxAttempts: env.MOLLIFIER_DRAIN_MAX_ATTEMPTS,
-    maxOrgsPerTick: env.MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK,
+    concurrency: env.TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY,
+    maxAttempts: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS,
+    maxOrgsPerTick: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK,
     // A no-op handler shouldn't throw, but if something does (e.g. an
     // unexpected deserialise failure), don't loop — let it FAIL terminally
     // so the entry is observable in metrics.
@@ -88,12 +88,12 @@ function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload>
 
 // Returns a configured-but-stopped drainer. Callers MUST register their
 // SIGTERM / SIGINT shutdown handlers before invoking `drainer.start()` —
-// see `apps/webapp/app/services/worker.server.ts`. Starting inside the
-// singleton factory would put the polling loop ahead of handler
-// registration, leaving a narrow window where a SIGTERM landing between
-// `start()` and `process.once("SIGTERM", ...)` would skip the graceful
-// stop. The split is intentional.
+// see `apps/webapp/app/v3/mollifierDrainerWorker.server.ts`. Starting
+// inside the singleton factory would put the polling loop ahead of
+// handler registration, leaving a narrow window where a SIGTERM landing
+// between `start()` and `process.once("SIGTERM", ...)` would skip the
+// graceful stop. The split is intentional.
 export function getMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload> | null {
-  if (env.MOLLIFIER_ENABLED !== "1") return null;
+  if (env.TRIGGER_MOLLIFIER_ENABLED !== "1") return null;
   return singleton("mollifierDrainer", initializeMollifierDrainer);
 }

apps/webapp/app/v3/mollifier/mollifierGate.server.ts

@@ -78,9 +78,9 @@ export type GateDependencies = {
 const defaultEvaluator = createRealTripEvaluator({
   getBuffer: () => getMollifierBuffer(),
   options: () => ({
-    windowMs: env.MOLLIFIER_TRIP_WINDOW_MS,
-    threshold: env.MOLLIFIER_TRIP_THRESHOLD,
-    holdMs: env.MOLLIFIER_HOLD_MS,
+    windowMs: env.TRIGGER_MOLLIFIER_TRIP_WINDOW_MS,
+    threshold: env.TRIGGER_MOLLIFIER_TRIP_THRESHOLD,
+    holdMs: env.TRIGGER_MOLLIFIER_HOLD_MS,
   }),
 });
 
@@ -104,7 +104,7 @@ function logDivertDecision(
 // Resolve the per-org mollifier flag purely from the in-memory
 // `Organization.featureFlags` JSON. No DB query — `triggerTask` is the
 // trigger hot path and the webapp CLAUDE.md forbids adding Prisma calls
-// there. The fleet-wide kill switch lives in `MOLLIFIER_ENABLED`; rollout
+// there. The fleet-wide kill switch lives in `TRIGGER_MOLLIFIER_ENABLED`; rollout
 // is per-org via the JSON, matching the pattern used by `canAccessAi`,
 // `hasComputeAccess`, etc. There is no global `FeatureFlag` table read
 // in this path by design.
@@ -124,8 +124,8 @@ export function makeResolveMollifierFlag(): (inputs: GateInputs) => Promise<bool
 const resolveMollifierFlag = makeResolveMollifierFlag();
 
 export const defaultGateDependencies: GateDependencies = {
-  isMollifierEnabled: () => env.MOLLIFIER_ENABLED === "1",
-  isShadowModeOn: () => env.MOLLIFIER_SHADOW_MODE === "1",
+  isMollifierEnabled: () => env.TRIGGER_MOLLIFIER_ENABLED === "1",
+  isShadowModeOn: () => env.TRIGGER_MOLLIFIER_SHADOW_MODE === "1",
   resolveOrgFlag: resolveMollifierFlag,
   evaluator: defaultEvaluator,
   logShadow: (inputs, decision) =>

apps/webapp/app/v3/mollifierDrainerWorker.server.ts

@@ -29,18 +29,18 @@ declare global {
  * `batchTriggerWorker`).
  *
  * Gating order:
- *   - `MOLLIFIER_DRAINER_ENABLED !== "1"`  → early return. Unset defaults
- *     to `MOLLIFIER_ENABLED`, so single-container self-hosters still get
+ *   - `TRIGGER_MOLLIFIER_DRAINER_ENABLED !== "1"`  → early return. Unset defaults
+ *     to `TRIGGER_MOLLIFIER_ENABLED`, so single-container self-hosters still get
  *     the drainer for free with one flag. In multi-replica deployments,
  *     set this to "0" explicitly on every replica except the dedicated
  *     drainer service so the polling loop doesn't race across replicas.
- *   - `MOLLIFIER_ENABLED !== "1"`  → `getMollifierDrainer()` returns null
- *     and the bootstrap is a no-op. `MOLLIFIER_ENABLED` remains the
+ *   - `TRIGGER_MOLLIFIER_ENABLED !== "1"`  → `getMollifierDrainer()` returns null
+ *     and the bootstrap is a no-op. `TRIGGER_MOLLIFIER_ENABLED` remains the
  *     master kill switch; the new flag only controls WHICH replicas
  *     run the drainer when the system is on.
  */
 export function initMollifierDrainerWorker(): void {
-  if (env.MOLLIFIER_DRAINER_ENABLED !== "1") {
+  if (env.TRIGGER_MOLLIFIER_DRAINER_ENABLED !== "1") {
     return;
   }
 
@@ -54,7 +54,7 @@ export function initMollifierDrainerWorker(): void {
       // call so the two never get out of sync.
       const stopDrainer = () => {
         drainer
-          .stop({ timeoutMs: env.MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS })
+          .stop({ timeoutMs: env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS })
           .catch((error) => {
             logger.error("Failed to stop mollifier drainer", { error });
           });

apps/webapp/test/mollifierGate.test.ts

@@ -183,7 +183,7 @@ describe("evaluateGate cascade — exhaustive truth table", () => {
 });
 
 // Hot-path guard: `triggerTask.server.ts` calls `evaluateGate` on every
-// trigger when `MOLLIFIER_ENABLED=1`. The per-org override path must resolve
+// trigger when `TRIGGER_MOLLIFIER_ENABLED=1`. The per-org override path must resolve
 // without a Prisma round-trip — otherwise the gate adds a DB query to the
 // highest-throughput code path in the system (see apps/webapp/CLAUDE.md).
 describe("resolveMollifierFlag — hot path", () => {
@@ -211,7 +211,7 @@ describe("resolveMollifierFlag — hot path", () => {
     // Regression intent: the resolver MUST NOT call `flag()` (which would
     // query `FeatureFlag` via Prisma) on the trigger hot path. Per-org
     // rollout via `Organization.featureFlags` JSON is the only enable
-    // path; the fleet-wide kill switch is `MOLLIFIER_ENABLED`.
+    // path; the fleet-wide kill switch is `TRIGGER_MOLLIFIER_ENABLED`.
     const resolve = makeResolveMollifierFlag();
 
     const fromNull = await resolve({
@@ -404,7 +404,7 @@ describe("evaluateGate — per-org isolation via Organization.featureFlags", ()
     // `FeatureFlag` table on the hot path. An org with `orgFeatureFlags`
     // unset (the default for almost every org during rollout) gets
     // pass_through, period. The fleet-wide kill switch lives in
-    // `MOLLIFIER_ENABLED`, not the FeatureFlag table.
+    // `TRIGGER_MOLLIFIER_ENABLED`, not the FeatureFlag table.
     const orgInherits = { ...inputs, orgId: "org_inherits", orgFeatureFlags: null };
     const orgEmpty = { ...inputs, orgId: "org_empty", orgFeatureFlags: {} };
     const orgUnrelated = {