fix(webapp): close pass-2 cross-table gaps (span-detail 500, one-time-token claim)

- The strengthened findRuns guard threw on GET /api/v1/runs/:runId/spans/:spanId,
  which pages child runs with take and no orderBy across both tables. Add a
  createdAt order so it takes the bounded cross-table merge (and the 50-row cap
  is now deterministic, most recent first) instead of throwing for every org.
- Key the one-time-use-token cross-table claim on the token alone (a reserved
  task slot), matching the task-independent oneTimeUseToken unique constraint,
  so a multi-task token cannot mint twice across the flip. Stop excluding
  triggerAndWait from the token claim. Always resolve a held claim on the
  success path (publish, else release) so it cannot leak until its TTL.

Author: d-cs

apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts

@@ -126,6 +126,11 @@ export const loader = createLoaderApiRoute(
     const triggeredRuns = await runStore.findRuns(
       {
         take: 50,
+        // A parentSpanId predicate spans both run tables (it carries no id), so
+        // the cross-table store requires a total-order key to bound the merge;
+        // createdAt also makes the 50-row cap deterministic (most recent first)
+        // rather than an arbitrary single-table slice.
+        orderBy: { createdAt: "desc" },
         select: {
           friendlyId: true,
           taskIdentifier: true,

apps/webapp/app/runEngine/concerns/idempotencyKeys.server.ts

@@ -21,6 +21,18 @@ import type { TraceEventConcern, TriggerTaskRequest } from "../types";
 // handleTriggerRequest.
 const resolveOrgMollifierFlag = makeResolveMollifierFlag();
 
+// Reserved task slot for the cross-table one-time-use-token claim. The DB
+// constraint `@@unique([oneTimeUseToken])` is TASK-INDEPENDENT, so the claim
+// must be keyed on the token alone, not (task, token): a single token can
+// authorise more than one task, and two presentations for different tasks
+// straddling a `runTableV2` flip would otherwise build different claim keys and
+// both proceed. Folding the token into one constant task slot makes the claim
+// key (envId, token)-scoped, matching the DB constraint's scope. Paired with
+// the `otu:` idempotencyKey prefix, collision with a real task's idempotency
+// claim would require a task literally named this AND an idempotency key of the
+// form `otu:<token-hash>`.
+const ONE_TIME_USE_TOKEN_CLAIM_TASK = "__one_time_use_token__";
+
 // Claim ownership context returned to the caller when the
 // IdempotencyKeyConcern won a pre-gate claim. Caller MUST publish the
 // winning runId on pipeline success (`publishClaim`) or release the
@@ -222,29 +234,30 @@ export class IdempotencyKeyConcern {
       // unique constraint on `oneTimeUseToken` can't see across the two tables,
       // so neither INSERT raises P2002 and one token spawns two runs. For
       // v2-cutover orgs, serialise on the token via a Redis claim so the first
-      // presentation wins and the rest resolve to it. Excludes
-      // resumeParentOnCompletion (triggerAndWait) to match the buffer
-      // fallback's handling — a one-time PUBLIC_JWT token is a fire-and-forget
-      // public trigger, not a parent/child wait, so that case is left to the
-      // per-table constraint.
+      // presentation wins and the rest are rejected as already-used. Not
+      // excluded for resumeParentOnCompletion: for v2 orgs the idempotency-keyed
+      // claim covers triggerAndWait too (claimEligible short-circuits on
+      // shouldUseV2RunTable), so the token claim is consistent in doing the same;
+      // the loser is rejected (not returned a cached run), so there is no
+      // waitpoint-blocking subtlety to avoid.
       const oneTimeUseToken = request.options?.oneTimeUseToken;
-      if (oneTimeUseToken && !request.body.options?.resumeParentOnCompletion) {
+      if (oneTimeUseToken) {
         const orgFeatureFlags =
           (request.environment.organization?.featureFlags as
             | Record<string, unknown>
             | null
             | undefined) ?? null;
         if (shouldUseV2RunTable(orgFeatureFlags)) {
-          // Namespace the claim key so a token can never collide with a real
-          // idempotency key in the same (envId, taskIdentifier) slot. The TTL is
-          // a fixed pipeline-dwell bound, NOT the customer idempotencyKeyTTL:
-          // there is no idempotency key in this path, so a client-supplied TTL
-          // has no meaning here, and a tiny value would expire the claim
-          // mid-flight and reopen the cross-table dup window.
+          // Key the claim on (envId, token), task-independent, to match the DB's
+          // task-independent oneTimeUseToken constraint (see the constant's
+          // comment). The TTL is a fixed pipeline-dwell bound, NOT the customer
+          // idempotencyKeyTTL: there is no idempotency key in this path, so a
+          // client-supplied TTL has no meaning here, and a tiny value would
+          // expire the claim mid-flight and reopen the cross-table dup window.
           const claimKey = `otu:${oneTimeUseToken}`;
           const outcome = await claimOrAwait({
             envId: request.environment.id,
-            taskIdentifier: request.taskId,
+            taskIdentifier: ONE_TIME_USE_TOKEN_CLAIM_TASK,
             idempotencyKey: claimKey,
             ttlSeconds: env.TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS,
             safetyNetMs: env.TRIGGER_MOLLIFIER_CLAIM_WAIT_MS,
@@ -274,7 +287,7 @@ export class IdempotencyKeyConcern {
               idempotencyKeyExpiresAt,
               claim: {
                 envId: request.environment.id,
-                taskIdentifier: request.taskId,
+                taskIdentifier: ONE_TIME_USE_TOKEN_CLAIM_TASK,
                 idempotencyKey: claimKey,
                 token: outcome.token,
               },

apps/webapp/app/runEngine/services/triggerTask.server.ts

@@ -716,17 +716,24 @@ export class RunEngineTriggerTaskService {
           }
         },
       );
-      // Pipeline returned successfully — publish the claim if we held
-      // one. Waiters polling for our key resolve to this runId.
-      if (idempotencyClaim && result?.run?.friendlyId) {
-        await publishMollifierClaim({
-          envId: idempotencyClaim.envId,
-          taskIdentifier: idempotencyClaim.taskIdentifier,
-          idempotencyKey: idempotencyClaim.idempotencyKey,
-          token: idempotencyClaim.token,
-          runId: result.run.friendlyId,
-          ttlSeconds: env.TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS,
-        });
+      // Pipeline returned — resolve the claim if we held one. On success (a run
+      // with a friendlyId) publish it so waiters resolve to this runId;
+      // otherwise release it. Never leave a held claim unresolved on the success
+      // path: an orphaned claim would block concurrent waiters for the full
+      // safety-net window even though this request did not produce a run.
+      if (idempotencyClaim) {
+        if (result?.run?.friendlyId) {
+          await publishMollifierClaim({
+            envId: idempotencyClaim.envId,
+            taskIdentifier: idempotencyClaim.taskIdentifier,
+            idempotencyKey: idempotencyClaim.idempotencyKey,
+            token: idempotencyClaim.token,
+            runId: result.run.friendlyId,
+            ttlSeconds: env.TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS,
+          });
+        } else {
+          await releaseMollifierClaim(idempotencyClaim);
+        }
       }
       return result;
     } catch (err) {

apps/webapp/test/oneTimeUseTokenClaim.test.ts

@@ -70,14 +70,18 @@ describe("IdempotencyKeyConcern · one-time-use token cross-table claim", () =>
 
     expect(result.isCached).toBe(false);
     if (result.isCached === false) {
-      // The trigger pipeline must publish/release this claim — keyed on the
-      // namespaced token so it can never collide with a real idempotency key.
+      // The trigger pipeline must publish/release this claim. It is keyed on
+      // the namespaced token AND a reserved, task-independent slot — matching
+      // the task-independent oneTimeUseToken DB constraint, NOT request.taskId.
       expect(result.claim?.idempotencyKey).toBe("otu:tok-1");
       expect(result.claim?.envId).toBe("env_a");
-      expect(result.claim?.taskIdentifier).toBe("my-task");
+      expect(result.claim?.taskIdentifier).toBe("__one_time_use_token__");
     }
     expect(claimIdempotency).toHaveBeenCalledTimes(1);
-    expect(claimIdempotency.mock.calls[0][0]).toMatchObject({ idempotencyKey: "otu:tok-1" });
+    expect(claimIdempotency.mock.calls[0][0]).toMatchObject({
+      idempotencyKey: "otu:tok-1",
+      taskIdentifier: "__one_time_use_token__",
+    });
   });
 
   it("v2 org: a concurrent winner (claim resolved) rejects the second presentation as already-used", async () => {
@@ -113,7 +117,7 @@ describe("IdempotencyKeyConcern · one-time-use token cross-table claim", () =>
     expect(claimIdempotency).not.toHaveBeenCalled();
   });
 
-  it("triggerAndWait one-time token: left to the per-table constraint (not claimed here)", async () => {
+  it("triggerAndWait one-time token IS claimed (v2 orgs serialise it like the keyed claim)", async () => {
     const claimIdempotency = vi.fn(async () => ({ kind: "claimed" as const }));
     h.buffer = {
       claimIdempotency,
@@ -127,9 +131,12 @@ describe("IdempotencyKeyConcern · one-time-use token cross-table claim", () =>
 
     expect(result.isCached).toBe(false);
     if (result.isCached === false) {
-      expect(result.claim).toBeUndefined();
+      // resumeParentOnCompletion is NOT excluded from the token claim: for a v2
+      // org the cross-table dup hole is identical, and the loser is rejected
+      // (no cached-run waitpoint subtlety to avoid).
+      expect(result.claim?.idempotencyKey).toBe("otu:tok-1");
     }
-    expect(claimIdempotency).not.toHaveBeenCalled();
+    expect(claimIdempotency).toHaveBeenCalledTimes(1);
   });
 
   it("no one-time token: ordinary no-idempotency-key trigger is unaffected", async () => {