feat(webapp): add run-ops split-mode opt-in flag + distinct-DB sentinel (W0-FND-07)

Add RUN_OPS_SPLIT_ENABLED (OFF by default) plus the run-ops DB URL env keys,
a distinct-DB runtime sentinel that fingerprints each database by its Postgres
control-file system identifier, and the isSplitEnabled() Wave-0 gate. The gate
returns true only when the flag is on AND the sentinel proves the two run-ops
URLs resolve to physically distinct databases, so a pooler/replica can never
arm a false split and the migration family stays unreachable in single-DB mode.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: d-cs

.server-changes/run-ops-split-mode-gate.md

@@ -0,0 +1,9 @@
+---
+area: webapp
+type: feature
+---
+
+Add the run-ops DB-split opt-in flag (RUN_OPS_SPLIT_ENABLED, OFF by default) and a
+distinct-DB runtime sentinel. isSplitEnabled() gates the whole migration/routing
+family OFF unless the flag is on AND the two run-ops URLs are proven to be
+physically distinct databases. Self-host behavior is unchanged (single-DB).

apps/webapp/app/env.server.ts

@@ -125,6 +125,27 @@ const EnvironmentSchema = z
         "DIRECT_URL is invalid, for details please check the additional output above this message."
       ),
     DATABASE_READ_REPLICA_URL: z.string().optional(),
+    // --- Run-ops DB split (W0-FND-07) — Cloud-only scaling concern; OFF by default. ---
+    // Explicit positive opt-in. Split behavior is unreachable unless this is true
+    // AND the distinct-DB sentinel confirms the two URLs are physically distinct DBs.
+    RUN_OPS_SPLIT_ENABLED: BoolEnv.default(false),
+    // The NEW run-ops DB (PlanetScale/PG17) writer. Optional so single-DB installs never set it.
+    TASK_RUN_DATABASE_URL: z
+      .string()
+      .refine(isValidDatabaseUrl, "TASK_RUN_DATABASE_URL is invalid")
+      .optional(),
+    // The NEW run-ops DB unpooled/direct endpoint (Prisma migrate/introspection;
+    // PlanetScale poolers break advisory locks). Consumed by the migration units.
+    TASK_RUN_DATABASE_DIRECT_URL: z
+      .string()
+      .refine(isValidDatabaseUrl, "TASK_RUN_DATABASE_DIRECT_URL is invalid")
+      .optional(),
+    // The LEGACY run-ops DB (RDS/PG14, drains during Wave 1). When unset, legacy
+    // run-ops reuses the existing DATABASE_URL (legacy run-ops == control-plane RDS in Wave 1).
+    TASK_RUN_LEGACY_DATABASE_URL: z
+      .string()
+      .refine(isValidDatabaseUrl, "TASK_RUN_LEGACY_DATABASE_URL is invalid")
+      .optional(),
     SESSION_SECRET: z.string(),
     MAGIC_LINK_SECRET: z.string(),
     ENCRYPTION_KEY: z

apps/webapp/app/v3/runOpsMigration/distinctDbSentinel.server.ts

@@ -0,0 +1,57 @@
+import { PrismaClient } from "@trigger.dev/database";
+
+export type DatabaseFingerprint = { systemIdentifier: string; databaseName: string };
+
+export type SentinelResult = { distinct: true } | { distinct: false; reason: string };
+
+export async function readDatabaseFingerprint(url: string): Promise<DatabaseFingerprint> {
+  const client = new PrismaClient({ datasources: { db: { url } } });
+  try {
+    const rows = await client.$queryRawUnsafe<
+      Array<{ system_identifier: string; database_name: string }>
+    >(
+      "SELECT system_identifier::text AS system_identifier, current_database() AS database_name FROM pg_control_system()"
+    );
+    const row = rows[0];
+    if (!row) {
+      throw new Error("distinct-db sentinel: pg_control_system() returned no rows");
+    }
+    return { systemIdentifier: row.system_identifier, databaseName: row.database_name };
+  } finally {
+    await client.$disconnect();
+  }
+}
+
+export async function probeDistinctDatabases(
+  legacyUrl: string,
+  newUrl: string,
+  opts?: { logger?: { warn: (msg: string, meta?: Record<string, unknown>) => void } }
+): Promise<SentinelResult> {
+  try {
+    const [legacy, next] = await Promise.all([
+      readDatabaseFingerprint(legacyUrl),
+      readDatabaseFingerprint(newUrl),
+    ]);
+    const sameCluster = legacy.systemIdentifier === next.systemIdentifier;
+    const sameDb = sameCluster && legacy.databaseName === next.databaseName;
+    // Same-cluster-different-database policy: two databases inside the SAME cluster
+    // (same system identifier, different current_database()) are reported distinct: true.
+    // That is acceptable — they are genuinely separate Postgres databases with separate
+    // WAL-visible state for our purposes, and the Cloud topology always uses separate
+    // clusters anyway. A stricter "must be a different cluster" policy would gate on
+    // sameCluster alone; that is flagged as an open question, not decided here.
+    if (sameDb) {
+      const reason =
+        "run-ops legacy and new URLs resolve to the SAME physical database " +
+        `(systemIdentifier=${legacy.systemIdentifier}, database=${legacy.databaseName}); ` +
+        "refusing to enable split — pooler/replica likely.";
+      opts?.logger?.warn(reason);
+      return { distinct: false, reason };
+    }
+    return { distinct: true };
+  } catch (error) {
+    const reason = `distinct-db sentinel probe failed; failing closed (single-DB). ${String(error)}`;
+    opts?.logger?.warn(reason, { error });
+    return { distinct: false, reason };
+  }
+}

apps/webapp/app/v3/runOpsMigration/splitMode.server.ts

@@ -0,0 +1,61 @@
+/**
+ * isSplitEnabled() is the Wave-0 gate. The entire migration/routing/FK-drop family
+ * MUST be unreachable when this returns false. Default is false (single-DB). Never
+ * infer split-vs-single from URL string-equality — distinctness is proven by the
+ * runtime sentinel.
+ */
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { probeDistinctDatabases as defaultProbe } from "./distinctDbSentinel.server";
+
+export type SplitModeConfig = {
+  flagEnabled: boolean;
+  legacyUrl?: string;
+  newUrl?: string;
+};
+
+export type SplitModeDeps = {
+  probe?: typeof defaultProbe;
+  logger?: { warn: (msg: string, meta?: Record<string, unknown>) => void };
+};
+
+export async function computeSplitEnabled(
+  config: SplitModeConfig,
+  deps: SplitModeDeps = {}
+): Promise<boolean> {
+  // Hard gate #1: explicit positive opt-in. OFF by default -> never probe.
+  if (!config.flagEnabled) {
+    return false;
+  }
+  // Both URLs are required to even consider a split.
+  if (!config.legacyUrl || !config.newUrl) {
+    deps.logger?.warn(
+      "RUN_OPS_SPLIT_ENABLED is on but TASK_RUN_LEGACY_DATABASE_URL / TASK_RUN_DATABASE_URL are not both set; staying single-DB."
+    );
+    return false;
+  }
+  // Hard gate #2: runtime sentinel must confirm physically-distinct DBs.
+  const probe = deps.probe ?? defaultProbe;
+  const result = await probe(config.legacyUrl, config.newUrl, { logger: deps.logger });
+  return result.distinct === true;
+}
+
+let cached: Promise<boolean> | undefined;
+
+export function isSplitEnabled(): Promise<boolean> {
+  if (!cached) {
+    cached = computeSplitEnabled(
+      {
+        flagEnabled: env.RUN_OPS_SPLIT_ENABLED,
+        legacyUrl: env.TASK_RUN_LEGACY_DATABASE_URL,
+        newUrl: env.TASK_RUN_DATABASE_URL,
+      },
+      { logger }
+    );
+  }
+  return cached;
+}
+
+export function __resetSplitModeCacheForTests(): void {
+  cached = undefined;
+}

apps/webapp/package.json

@@ -249,6 +249,7 @@
     "@swc/helpers": "^0.4.11",
     "@tailwindcss/forms": "^0.5.3",
     "@tailwindcss/typography": "^0.5.9",
+    "@testcontainers/postgresql": "^11.14.0",
     "@total-typescript/ts-reset": "^0.4.2",
     "@types/bcryptjs": "^2.4.2",
     "@types/compression": "^1.7.2",

apps/webapp/test/runOpsSplitMode.test.ts

@@ -0,0 +1,95 @@
+import { describe, expect, it, vi } from "vitest";
+// @testcontainers/postgresql resolves because Task 0 declared it in apps/webapp/package.json.
+import { PostgreSqlContainer } from "@testcontainers/postgresql";
+import { computeSplitEnabled } from "~/v3/runOpsMigration/splitMode.server";
+import { probeDistinctDatabases } from "~/v3/runOpsMigration/distinctDbSentinel.server";
+
+describe("computeSplitEnabled (pure)", () => {
+  it("is OFF by default and never probes when the flag is off", async () => {
+    const probe = vi.fn();
+    const result = await computeSplitEnabled(
+      { flagEnabled: false, legacyUrl: "postgres://a", newUrl: "postgres://b" },
+      { probe }
+    );
+    expect(result).toBe(false);
+    expect(probe).not.toHaveBeenCalled(); // self-host opens no second connection
+  });
+
+  it("stays single-DB when flag is on but URLs are missing", async () => {
+    const probe = vi.fn();
+    expect(await computeSplitEnabled({ flagEnabled: true }, { probe })).toBe(false);
+    expect(probe).not.toHaveBeenCalled();
+  });
+
+  it("enables split only when flag is on AND sentinel confirms distinct", async () => {
+    const probe = vi.fn().mockResolvedValue({ distinct: true });
+    expect(
+      await computeSplitEnabled(
+        { flagEnabled: true, legacyUrl: "postgres://a", newUrl: "postgres://b" },
+        { probe }
+      )
+    ).toBe(true);
+  });
+
+  it("stays single-DB when sentinel reports NOT distinct", async () => {
+    const probe = vi.fn().mockResolvedValue({ distinct: false, reason: "same DB" });
+    expect(
+      await computeSplitEnabled(
+        { flagEnabled: true, legacyUrl: "postgres://a", newUrl: "postgres://b" },
+        { probe }
+      )
+    ).toBe(false);
+  });
+
+  // Migration-family unreachability proof: with the flag off the gate returns false and
+  // no probe runs. Downstream migration-family units are required to early-return on
+  // !isSplitEnabled(); this unit proves the gate's value, each downstream unit's own test
+  // proves it honors the gate. (W0-FND-08's "split OFF collapses to a single prisma/$replica
+  // pair with no second connection opened" depends on this no-probe behavior.)
+  it("is provably unreachable (no probe) when the flag is off", async () => {
+    const probe = vi.fn();
+    expect(
+      await computeSplitEnabled(
+        { flagEnabled: false, legacyUrl: "postgres://a", newUrl: "postgres://b" },
+        { probe }
+      )
+    ).toBe(false);
+    expect(probe).not.toHaveBeenCalled();
+  });
+});
+
+describe("distinct-DB sentinel (real Postgres)", () => {
+  it("reports NOT distinct when both URLs hit the same physical cluster", async () => {
+    const pg = await new PostgreSqlContainer("docker.io/postgres:14").start();
+    try {
+      const url = pg.getConnectionUri();
+      const result = await probeDistinctDatabases(url, url);
+      expect(result.distinct).toBe(false); // identical URL -> false-split prevented
+    } finally {
+      await pg.stop();
+    }
+  }, 60_000);
+
+  it("reports distinct when URLs hit two separate clusters (PG14 legacy + PG17 new)", async () => {
+    const legacy = await new PostgreSqlContainer("docker.io/postgres:14").start();
+    const next = await new PostgreSqlContainer("docker.io/postgres:17").start();
+    try {
+      const result = await probeDistinctDatabases(
+        legacy.getConnectionUri(),
+        next.getConnectionUri()
+      );
+      expect(result.distinct).toBe(true);
+    } finally {
+      await legacy.stop();
+      await next.stop();
+    }
+  }, 120_000);
+
+  it("fails closed (single-DB) when a DB is unreachable", async () => {
+    const result = await probeDistinctDatabases(
+      "postgresql://nouser:nopass@127.0.0.1:1/none",
+      "postgresql://nouser:nopass@127.0.0.1:2/none"
+    );
+    expect(result.distinct).toBe(false);
+  }, 30_000);
+});