fix(webapp): skip request-idempotency cache for mollified triggers

`saveRequestIdempotency` caches the runId returned by the trigger
service against the x-trigger-request-idempotency-key header. When
the gate mollifies the trigger, that runId is a synthesised cuid with
no PG row; a lost-response SDK retry would lookup the cached id in
`handleRequestIdempotency`, miss in PG, fall through to a fresh
trigger attempt, and — for triggers without a task-level idempotency
key — produce a duplicate buffer entry.

Surface the divert as a typed `isMollified` flag on
`TriggerTaskServiceResult` and gate the route's
`saveRequestIdempotency` call on it. Retries during the buffer
window are now accepted as fresh triggers; task-level idempotency
keys still dedupe via the buffer's SETNX in
`findBufferedRunWithIdempotency`. The behaviour is bounded by the
drainer's eventual materialisation — once the PG row lands, normal
request-idempotency from that point forward works as usual.

Regression covered by two assertions in the existing mollifier tests:
the mollify path returns `isMollified: true`, and the pass-through
path leaves the flag falsy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: d-cs

apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts

@@ -134,7 +134,20 @@ const { action, loader } = createActionApiRoute(
         return json({ error: "Task not found" }, { status: 404 });
       }
 
-      await saveRequestIdempotency(requestIdempotencyKey, "trigger", result.run.id);
+      // Skip request-idempotency caching when the gate diverted to the
+      // mollifier buffer. `result.run.id` is a synthesised cuid with no
+      // corresponding PG row, so a lost-response SDK retry that reaches
+      // `handleRequestIdempotency` would lookup that id, miss in PG, and
+      // fall through to a fresh trigger — producing a duplicate buffer
+      // entry for triggers without a task-level idempotency key (the
+      // task-level path still dedupes via the buffer's SETNX in
+      // `findBufferedRunWithIdempotency`). Accepting the retry-as-fresh-
+      // trigger semantics here is bounded by the drainer's eventual
+      // materialisation: once the run lands in PG, normal request-
+      // idempotency from that point forward works as usual.
+      if (!result.isMollified) {
+        await saveRequestIdempotency(requestIdempotencyKey, "trigger", result.run.id);
+      }
 
       const $responseHeaders = await responseHeaders(result.run, authentication);
 

apps/webapp/app/runEngine/services/triggerTask.server.ts

@@ -514,7 +514,13 @@ export class RunEngineTriggerTaskService {
                     // TaskRun; the route handler only reads
                     // `result.run.friendlyId`. traceRun flushes the PARTIAL
                     // run-span event to ClickHouse on callback return.
-                    return result as unknown as TriggerTaskServiceResult;
+                    // `isMollified` flags the route to skip the request-
+                    // idempotency cache write — see the field's contract on
+                    // `TriggerTaskServiceResult`.
+                    return {
+                      ...(result as unknown as TriggerTaskServiceResult),
+                      isMollified: true,
+                    };
                   }
                   if (!mollifierBuffer) {
                     logger.warn(

apps/webapp/app/v3/services/triggerTask.server.ts

@@ -46,6 +46,14 @@ export class OutOfEntitlementError extends Error {
 export type TriggerTaskServiceResult = {
   run: TaskRun;
   isCached: boolean;
+  // True when the mollifier gate diverted the trigger to the Redis
+  // buffer and `run` is a synthesised record (no PG row exists yet).
+  // The trigger route reads this to skip `saveRequestIdempotency` —
+  // caching the synth runId would mean a lost-response SDK retry hits
+  // a PG-miss in `handleRequestIdempotency` and falls through to a
+  // fresh trigger, producing a duplicate buffer entry for trigger
+  // calls that don't carry a task-level idempotency key.
+  isMollified?: boolean;
 };
 
 export const MAX_ATTEMPTS = 2;

apps/webapp/test/engine/triggerTask.test.ts

@@ -1385,6 +1385,18 @@ describe("RunEngineTriggerTaskService", () => {
       expect(synthetic.notice.message).toBeTypeOf("string");
       expect(synthetic.notice.docs).toBeTypeOf("string");
 
+      // The mollify branch must flag `isMollified: true` on the result so
+      // the trigger route can skip `saveRequestIdempotency`. Caching the
+      // synthetic runId in the request-idempotency table would mean a
+      // lost-response SDK retry (same `x-trigger-request-idempotency-key`
+      // header) hits a PG miss in `handleRequestIdempotency` and falls
+      // through to a fresh trigger — producing a duplicate buffer entry
+      // for trigger calls without a task-level idempotency key. The
+      // bounded behaviour (accept retry-as-fresh-trigger during the
+      // buffer window) is the deliberate choice; a stale-cache lookup
+      // returning null is not.
+      expect(result?.isMollified).toBe(true);
+
       // buffer.accept ran — Redis has the canonical engine.trigger snapshot
       // under the synthesised friendlyId. The drainer will read this and
       // replay it through engine.trigger to materialise the run.
@@ -1490,6 +1502,12 @@ describe("RunEngineTriggerTaskService", () => {
       // getMollifierBuffer must not be called either — the call site short-circuits
       // before touching the singleton when the gate says pass_through.
       expect(getBufferSpy).not.toHaveBeenCalled();
+      // Pass-through must NOT set `isMollified` — `result.run` is a real
+      // PG row, and the trigger route's `saveRequestIdempotency` is
+      // safe to call. Setting the flag here would silently skip the
+      // request-idempotency cache for every non-mollified trigger on a
+      // mollifier-enabled org, breaking lost-response retry dedup.
+      expect(result?.isMollified).toBeFalsy();
 
       await engine.quit();
     },