fix(webapp): dashboard typecheck + Devin auth-throw swallowing

d-cs · claude · d-cs · commit e44474945f4e · 2026-05-27T17:44:24.000+01:00
Three issues:

- spans.\$spanParam/route.tsx loader returned a raw \`Response\` (204
  on spanId-mismatch) alongside typedjson, collapsing the
  discriminated \`{type: "run"|"span"}\` union in the useTypedFetcher
  consumer. Switched to \`throw new Response(null, { status: 204 })\`
  so Remix exits cleanly without polluting the return type.

- resources.taskruns.\$runParam.debug.ts loader's buffered branch
  returned \`engine: "V2"\` with \`runtimeEnvironment: null\`, widening
  the V2 variant in debugRun.tsx and breaking every MarQS / RunQueue
  key call site (run.runtimeEnvironment now nullable). Switched to
  \`engine: "BUFFERED" as const\` so debugRun.tsx narrows the buffered
  case to a dedicated panel — the V1/V2 panels recover their non-null
  runtimeEnvironment assumption.

- Devin r3305402673: bare \`catch {}\` was swallowing the intentional
  \`throw new Response("Not Found", { status: 404 })\` auth-check
  fallthrough. Narrowed the try to only wrap \`buffer.getEntry\` (the
  one call that can transient-fail). Authorization and snapshot
  parsing now live outside the try, so an intentional 404 throw isn't
  masked by the transient-error catch. Keeps \`throw\` rather than
  Devin's suggested \`return\` because the consumer is typedjson-typed
  and a raw-Response return collapses the discriminated union.

Also adds a dedicated DebugRunDataBuffered panel for buffered runs
that renders the snapshot's queue / concurrencyKey / task identifier
(buffered runs aren't on a PG queue, so the existing MarQS/RunQueue
panels would 404 anyway).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/apps/webapp/app/components/admin/debugRun.tsx b/apps/webapp/app/components/admin/debugRun.tsx
@@ -66,12 +66,66 @@ function DebugRunContent({ friendlyId }: { friendlyId: string }) {
   );
 }
 
+// PG-resident variants (V1 + V2). Carries `run.runtimeEnvironment` as
+// non-null and the queue/env concurrency fields; the BUFFERED variant
+// has neither and renders via `DebugRunDataBuffered`.
+type PgVariant = Exclude<UseDataFunctionReturn<typeof loader>, { engine: "BUFFERED" }>;
+
 function DebugRunData(props: UseDataFunctionReturn<typeof loader>) {
+  // BUFFERED is the mollifier-buffer branch — no PG queue presence,
+  // so the V1/V2 panels (which dereference run.runtimeEnvironment for
+  // MarQS / RunQueue key construction) would crash. Render the
+  // snapshot fields directly. Narrowing on `engine === "BUFFERED"`
+  // here also strips the buffered variant from the union TS sees in
+  // the V1/V2 branches below, restoring their non-null
+  // runtimeEnvironment assumption. The casts are inside the
+  // discriminated arms — `props.engine === "BUFFERED"` proves the
+  // shape but TS doesn't follow the narrowing through a `{...props}`
+  // spread, so we annotate the variant explicitly.
+  if (props.engine === "BUFFERED") {
+    return <DebugRunDataBuffered {...(props as BufferedVariant)} />;
+  }
+
   if (props.engine === "V1") {
-    return <DebugRunDataEngineV1 {...props} />;
+    return <DebugRunDataEngineV1 {...(props as PgVariant)} />;
   }
 
-  return <DebugRunDataEngineV2 {...props} />;
+  return <DebugRunDataEngineV2 {...(props as PgVariant)} />;
+}
+
+type BufferedVariant = Extract<UseDataFunctionReturn<typeof loader>, { engine: "BUFFERED" }>;
+
+function DebugRunDataBuffered({ run }: BufferedVariant) {
+  return (
+    <Property.Table>
+      <Property.Item>
+        <Property.Label>ID</Property.Label>
+        <Property.Value className="flex items-center gap-2">
+          <ClipboardField value={run.id} variant="tertiary/small" iconButton />
+        </Property.Value>
+      </Property.Item>
+      <Property.Item>
+        <Property.Label>State</Property.Label>
+        <Property.Value>Buffered (mollifier) — not yet materialised to Postgres</Property.Value>
+      </Property.Item>
+      <Property.Item>
+        <Property.Label>Task identifier</Property.Label>
+        <Property.Value>{run.taskIdentifier ?? "—"}</Property.Value>
+      </Property.Item>
+      <Property.Item>
+        <Property.Label>Queue (from snapshot)</Property.Label>
+        <Property.Value>{run.queue ?? "—"}</Property.Value>
+      </Property.Item>
+      <Property.Item>
+        <Property.Label>Concurrency key (from snapshot)</Property.Label>
+        <Property.Value>{run.concurrencyKey ?? "—"}</Property.Value>
+      </Property.Item>
+      <Property.Item>
+        <Property.Label>Buffered at</Property.Label>
+        <Property.Value>{new Date(run.queueTimestamp).toISOString()}</Property.Value>
+      </Property.Item>
+    </Property.Table>
+  );
 }
 
 function DebugRunDataEngineV1({
@@ -82,7 +136,7 @@ function DebugRunDataEngineV1({
   envCurrentConcurrency,
   queueReserveConcurrency,
   envReserveConcurrency,
-}: UseDataFunctionReturn<typeof loader>) {
+}: PgVariant) {
   const keys = new MarQSShortKeyProducer("marqs:");
 
   const withPrefix = (key: string) => `marqs:${key}`;
@@ -354,7 +408,7 @@ function DebugRunDataEngineV2({
   envConcurrencyLimit,
   envCurrentConcurrency,
   keys,
-}: UseDataFunctionReturn<typeof loader>) {
+}: PgVariant) {
   return (
     <Property.Table>
       <Property.Item>
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx
@@ -142,7 +142,11 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       // Don't toast "Event not found" — that's noisy for the initial-render
       // request the dashboard fires before the root span auto-selects.
       // 204 No Content matches what the PG path returns for the same case.
-      return new Response(null, { status: 204 });
+      // THROWN so the loader's return type stays a clean TypedJson union;
+      // returning a raw Response collapses the discriminated `type:
+      // "run" | "span"` union into `Response` downstream and the
+      // useTypedFetcher consumer loses .run / .span access.
+      throw new Response(null, { status: 204 });
     }
 
     const run = await buildSyntheticSpanRun({
diff --git a/apps/webapp/app/routes/resources.taskruns.$runParam.debug.ts b/apps/webapp/app/routes/resources.taskruns.$runParam.debug.ts
@@ -51,47 +51,58 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     // snapshot so the Debug panel can show *something* instead of 404'ing.
     const buffer = getMollifierBuffer();
     if (buffer) {
+      // The `try` only wraps the buffer.getEntry call — that's the
+      // operation that can fail with a transient Redis error we want
+      // to mask as a 404 fallthrough. Authorization and snapshot
+      // parsing are split out below so a deliberate 404
+      // (`throw new Response(...)`) or a malformed-snapshot crash
+      // isn't silently swallowed.
+      let entry: Awaited<ReturnType<typeof buffer.getEntry>> | null = null;
       try {
-        const entry = await buffer.getEntry(runParam);
-        if (entry) {
-          // Same org-membership gate as the PG path above. Without it,
-          // any authenticated user who knows a runId could read the
-          // buffered run's queue/concurrencyKey snapshot across orgs.
-          const member = await $replica.orgMember.findFirst({
-            where: { userId, organizationId: entry.orgId },
-            select: { id: true },
-          });
-          if (!member) {
-            throw new Response("Not Found", { status: 404 });
-          }
-          const snapshot = deserialiseSnapshot<{
-            taskIdentifier?: string;
-            queue?: string;
-            concurrencyKey?: string;
-          }>(entry.payload);
-          return typedjson({
-            engine: "V2" as const,
-            buffered: true,
-            run: {
-              id: entry.runId,
-              engine: "V2" as const,
-              friendlyId: entry.runId,
-              queue: snapshot.queue ?? null,
-              concurrencyKey: snapshot.concurrencyKey ?? null,
-              queueTimestamp: entry.createdAt,
-              runtimeEnvironment: null,
-            },
-            queueConcurrencyLimit: undefined,
-            envConcurrencyLimit: undefined,
-            queueCurrentConcurrency: undefined,
-            envCurrentConcurrency: undefined,
-            queueReserveConcurrency: undefined,
-            envReserveConcurrency: undefined,
-            keys: [],
-          });
-        }
+        entry = await buffer.getEntry(runParam);
       } catch {
-        // fall through to 404 on buffer error
+        // Transient buffer failure — fall through to 404 below.
+      }
+      if (entry) {
+        // Org-membership gate. Without it, any authenticated user who
+        // knows a runId could read the buffered run's queue /
+        // concurrencyKey snapshot across orgs. Thrown so the typedjson
+        // discriminated union below isn't polluted by a raw `Response`
+        // return — the consumer in `debugRun.tsx` switches on
+        // `engine`, and a Response variant collapses the union.
+        const member = await $replica.orgMember.findFirst({
+          where: { userId, organizationId: entry.orgId },
+          select: { id: true },
+        });
+        if (!member) {
+          throw new Response("Not Found", { status: 404 });
+        }
+        const snapshot = deserialiseSnapshot<{
+          taskIdentifier?: string;
+          queue?: string;
+          concurrencyKey?: string;
+        }>(entry.payload);
+        // `engine: "BUFFERED"` is a distinct discriminant from V1/V2
+        // so the `debugRun.tsx` consumer can narrow on it. Returning
+        // `engine: "V2"` here widened the V2 variant's
+        // `run.runtimeEnvironment` to nullable, which broke the
+        // MarQS-key call sites in the existing V1/V2 panels (they
+        // assume non-null). A buffered run has no PG queue presence
+        // so those panels would 404 anyway; the dedicated buffered
+        // handler in debugRun.tsx renders the snapshot's queue +
+        // concurrencyKey directly.
+        return typedjson({
+          engine: "BUFFERED" as const,
+          buffered: true,
+          run: {
+            id: entry.runId,
+            friendlyId: entry.runId,
+            queue: snapshot.queue ?? null,
+            concurrencyKey: snapshot.concurrencyKey ?? null,
+            queueTimestamp: entry.createdAt,
+            taskIdentifier: snapshot.taskIdentifier ?? null,
+          },
+        });
       }
     }
     throw new Response("Not Found", { status: 404 });
