fix(webapp): populate run.id on mollify synthetic result (cross-tenant leak fix)

Devin review flagged a security + correctness bug: the mollify path
returned \`MollifySyntheticResult\` with run shape
\`{ friendlyId, spanId }\` and the call site cast it to
\`TriggerTaskServiceResult\` (which expects \`run: TaskRun\` with an
\`id: string\`). Downstream, the trigger route calls
\`saveRequestIdempotency(requestKey, "trigger", result.run.id)\` — so
the cache stored \`undefined\` as the entity id. On SDK retry the
request-idempotency flow then ran
\`prisma.taskRun.findFirst({ where: { id: undefined } })\`. Prisma
strips \`undefined\` from where clauses, so the query degenerates to an
unfiltered \`findFirst\` and returns an arbitrary TaskRun row —
potentially from another env / user.

Fix:
- Add \`id: string\` to \`MollifySyntheticResult.run\`.
- Compute it via \`RunId.fromFriendlyId(...)\` on both branches:
  the happy-accept path (id from \`args.runFriendlyId\`) and the
  \`duplicate_idempotency\` race-loser path (id from
  \`result.existingRunId\` so the response carries the WINNER's id).
- Add regression tests pinning both branches.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: d-cs

apps/webapp/app/v3/mollifier/mollifierMollify.server.ts

@@ -1,3 +1,4 @@
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
 import type { MollifierBuffer } from "@trigger.dev/redis-worker";
 import { serialiseMollifierSnapshot, type MollifierSnapshot } from "./mollifierSnapshot.server";
 import type { TripDecision } from "./mollifierGate.server";
@@ -9,12 +10,20 @@ export type MollifyNotice = {
 };
 
 export type MollifySyntheticResult = {
-  // `spanId` is the root-span id allocated at gate-accept time and stored
-  // in the snapshot. Callers like the dashboard's Test action use it to
-  // build a `v3RunSpanPath` URL that auto-opens the right details panel
-  // — without it, the buffered run lands on the run-detail page with no
-  // span selected (parity gap with PG-resident runs).
-  run: { friendlyId: string; spanId: string };
+  // `id` is the canonical TaskRun primary key derived from `friendlyId`
+  // via `RunId.fromFriendlyId`. Downstream consumers in the trigger
+  // route — notably `saveRequestIdempotency` (Q3) — index the request-
+  // idempotency cache by this id; without it the cache stores
+  // `undefined` and Prisma's `findFirst({ where: { id: undefined } })`
+  // on retry strips the predicate and returns an arbitrary TaskRun
+  // (potential cross-tenant leak). Always populated.
+  //
+  // `spanId` is the root-span id allocated at gate-accept time and
+  // stored in the snapshot. Callers like the dashboard's Test action
+  // use it to build a `v3RunSpanPath` URL that auto-opens the right
+  // details panel — without it, the buffered run lands on the
+  // run-detail page with no span selected (parity gap with PG runs).
+  run: { id: string; friendlyId: string; spanId: string };
   error: undefined;
   // The race-loser path (Q5): if accept's SETNX hit an existing
   // buffered run with the same (env, task, idempotencyKey), the
@@ -60,7 +69,11 @@ export async function mollifyTrigger(args: {
     // causes `v3RunSpanPath` to omit the `?span=` param, which matches
     // current behaviour for cached PG responses.
     return {
-      run: { friendlyId: result.existingRunId, spanId: "" },
+      run: {
+        id: RunId.fromFriendlyId(result.existingRunId),
+        friendlyId: result.existingRunId,
+        spanId: "",
+      },
       error: undefined,
       isCached: true,
     };
@@ -73,7 +86,11 @@ export async function mollifyTrigger(args: {
   const rawSpanId = args.engineTriggerInput.spanId;
   const spanId = typeof rawSpanId === "string" ? rawSpanId : "";
   return {
-    run: { friendlyId: args.runFriendlyId, spanId },
+    run: {
+      id: RunId.fromFriendlyId(args.runFriendlyId),
+      friendlyId: args.runFriendlyId,
+      spanId,
+    },
     error: undefined,
     isCached: false,
     notice: NOTICE,

apps/webapp/test/mollifierMollify.test.ts

@@ -6,6 +6,7 @@ vi.mock("~/db.server", () => ({
 }));
 
 import { mollifyTrigger } from "~/v3/mollifier/mollifierMollify.server";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
 import type { MollifierBuffer } from "@trigger.dev/redis-worker";
 
 function fakeBuffer(
@@ -22,7 +23,7 @@ describe("mollifyTrigger", () => {
   it("writes the snapshot to buffer and returns synthesised result", async () => {
     const { buffer, accept } = fakeBuffer();
     const result = await mollifyTrigger({
-      runFriendlyId: "run_friendly_1",
+      runFriendlyId: "run_abc123def456",
       environmentId: "env_a",
       organizationId: "org_1",
       engineTriggerInput: { taskIdentifier: "my-task", payload: '{"x":1}' },
@@ -37,14 +38,14 @@ describe("mollifyTrigger", () => {
 
     expect(accept).toHaveBeenCalledOnce();
     expect(accept).toHaveBeenCalledWith({
-      runId: "run_friendly_1",
+      runId: "run_abc123def456",
       envId: "env_a",
       orgId: "org_1",
       payload: expect.any(String),
       idempotencyKey: undefined,
       taskIdentifier: undefined,
     });
-    expect(result.run.friendlyId).toBe("run_friendly_1");
+    expect(result.run.friendlyId).toBe("run_abc123def456");
     expect(result.error).toBeUndefined();
     expect(result.isCached).toBe(false);
     expect(result.notice).toEqual({
@@ -57,10 +58,10 @@ describe("mollifyTrigger", () => {
   it("echoes the winner's runId with isCached=true on duplicate_idempotency", async () => {
     const { buffer } = fakeBuffer({
       kind: "duplicate_idempotency",
-      existingRunId: "run_winner",
+      existingRunId: "run_winner12345",
     });
     const result = await mollifyTrigger({
-      runFriendlyId: "run_loser",
+      runFriendlyId: "run_loser56789a",
       environmentId: "env_a",
       organizationId: "org_1",
       engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
@@ -69,16 +70,56 @@ describe("mollifyTrigger", () => {
       idempotencyKey: "key",
       taskIdentifier: "t",
     });
-    expect(result.run.friendlyId).toBe("run_winner");
+    expect(result.run.friendlyId).toBe("run_winner12345");
     expect(result.isCached).toBe(true);
     expect(result.notice).toBeUndefined();
   });
 
+  // Regression: the synthetic result MUST carry a populated `run.id`
+  // derived from the friendlyId. Without it, the route handler's
+  // `saveRequestIdempotency(…, result.run.id)` stores `undefined` as
+  // the cached entity id, and on SDK retry Prisma's
+  // `findFirst({ where: { id: undefined } })` silently drops the
+  // predicate and returns an arbitrary TaskRun — a cross-tenant leak
+  // path. (See Devin review on PR #3753.)
+  it("populates run.id from friendlyId on the happy-accept path", async () => {
+    const { buffer } = fakeBuffer();
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_pri456789ab",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+    });
+    expect(result.run.id).toBe(RunId.fromFriendlyId("run_pri456789ab"));
+    expect(result.run.id).toMatch(/^[a-z0-9]+$/); // non-undefined, non-empty
+  });
+
+  it("populates run.id from the WINNER's friendlyId on duplicate_idempotency", async () => {
+    const { buffer } = fakeBuffer({
+      kind: "duplicate_idempotency",
+      existingRunId: "run_winnerdup12",
+    });
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_loser56789a",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+      idempotencyKey: "key",
+      taskIdentifier: "t",
+    });
+    expect(result.run.id).toBe(RunId.fromFriendlyId("run_winnerdup12"));
+    expect(result.run.id).not.toBe(RunId.fromFriendlyId("run_loser56789a"));
+  });
+
   it("snapshot is round-trippable: payload field is parseable JSON of engineTriggerInput", async () => {
     const { buffer, accept } = fakeBuffer();
     const engineInput = { taskIdentifier: "t", payload: "{}", tags: ["a", "b"] };
     await mollifyTrigger({
-      runFriendlyId: "run_x",
+      runFriendlyId: "run_xabcde12345",
       environmentId: "env_a",
       organizationId: "org_1",
       engineTriggerInput: engineInput,