Merge branch 'main' into feat(webapp)-chat-ai-UI-improvements

Author: samejr

.github/workflows/check-review-md.yml

@@ -14,7 +14,10 @@ concurrency:
 
 jobs:
   audit:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: >-
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
       github.event.pull_request.draft == false &&
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest

.github/workflows/claude-md-audit.yml

@@ -15,7 +15,10 @@ concurrency:
 
 jobs:
   audit:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: >-
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
       github.event.pull_request.draft == false &&
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest

.github/workflows/claude.yml

@@ -12,11 +12,16 @@ on:
 
 jobs:
   claude:
+    # Set the ENABLE_CLAUDE_CODE repository variable to 'false' to turn off Claude
+    # jobs; leave it unset (the default) to keep them enabled.
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      vars.ENABLE_CLAUDE_CODE != 'false' &&
+      (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      )
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/workflow-checks.yml

@@ -36,6 +36,11 @@ jobs:
 
   zizmor:
     name: Zizmor
+    # Uploads SARIF to the Security tab, which requires GitHub code scanning to be
+    # enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository
+    # variable to 'false' to skip this job where code scanning isn't available;
+    # leave it unset (the default) to run the scan.
+    if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
     runs-on: ubuntu-latest
     permissions:
       security-events: write # Upload SARIF to GitHub Security tab

.server-changes/harden-realtime-change-publishing.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Harden the native realtime backend's run-change publishing so a publish can never throw into a run lifecycle operation and never buffers commands in memory during a pub/sub Redis outage.

apps/webapp/app/redis.server.ts

@@ -11,6 +11,8 @@ export type RedisWithClusterOptions = {
   clusterMode?: boolean;
   clusterOptions?: Omit<ClusterOptions, "redisOptions">;
   keyPrefix?: string;
+  /** Cap retries for a command before it rejects; `null` means unlimited (default: ioredis's default of 20). */
+  maxRetriesPerRequest?: number | null;
 };
 
 export type RedisClient = Redis | Cluster;
@@ -44,6 +46,9 @@ export function createRedisClient(
         password: options.password,
         enableAutoPipelining: true,
         reconnectOnError: defaultReconnectOnError,
+        ...(options.maxRetriesPerRequest !== undefined
+          ? { maxRetriesPerRequest: options.maxRetriesPerRequest }
+          : {}),
         ...(options.tlsDisabled
           ? {
               checkServerIdentity: () => {
@@ -72,6 +77,9 @@ export function createRedisClient(
       enableAutoPipelining: true,
       keyPrefix: options.keyPrefix,
       reconnectOnError: defaultReconnectOnError,
+      ...(options.maxRetriesPerRequest !== undefined
+        ? { maxRetriesPerRequest: options.maxRetriesPerRequest }
+        : {}),
       ...(options.tlsDisabled ? {} : { tls: {} }),
     });
   }

apps/webapp/app/services/realtime/runChangeNotifier.server.ts

@@ -225,7 +225,13 @@ export class RunChangeNotifier {
 
   #ensurePublisher(): RedisClient {
     if (!this.#publisher) {
-      this.#publisher = createRedisClient(`${this.#connectionName}:pub`, this.options.redis);
+      // Publishes are fire-and-forget with a consumer-side backstop, so a dropped publish is
+      // latency-only. Cap retries (vs ioredis's default 20) so a pub/sub outage rejects publishes
+      // after ~1 reconnect cycle instead of buffering them in memory across the fleet.
+      this.#publisher = createRedisClient(`${this.#connectionName}:pub`, {
+        ...this.options.redis,
+        maxRetriesPerRequest: 1,
+      });
     }
     return this.#publisher;
   }

apps/webapp/app/services/realtime/runChangeNotifierInstance.server.ts

@@ -1,6 +1,7 @@
 import { getMeter } from "@internal/tracing";
 import { env } from "~/env.server";
 import { singleton } from "~/utils/singleton";
+import { logger } from "../logger.server";
 import { RunChangeNotifier, type ChangeRecordInput } from "./runChangeNotifier.server";
 
 /**
@@ -74,12 +75,24 @@ export function publishChangeRecord(input: ChangeRecordInput): void {
   if (!nativeBackendEnabled) {
     return;
   }
-  getRunChangeNotifier().publish(input);
+  // Publish runs on the run-engine event bus / metadata flush loop; lazy init + encoding happen
+  // before the notifier's own try/catch, so guard the whole call — it must never throw at its caller.
+  try {
+    getRunChangeNotifier().publish(input);
+  } catch (error) {
+    logger.error("[runChangeNotifier] publishChangeRecord threw; dropping notification", { error });
+  }
 }
 
 export function publishManyChangeRecords(inputs: ChangeRecordInput[]): void {
   if (!nativeBackendEnabled) {
     return;
   }
-  getRunChangeNotifier().publishMany(inputs);
+  try {
+    getRunChangeNotifier().publishMany(inputs);
+  } catch (error) {
+    logger.error("[runChangeNotifier] publishManyChangeRecords threw; dropping notifications", {
+      error,
+    });
+  }
 }

docker/Dockerfile

@@ -68,6 +68,7 @@ RUN chmod +x ./scripts/wait-for-it.sh
 RUN chmod +x ./scripts/entrypoint.sh
 COPY --chown=node:node .configs/tsconfig.base.json .configs/tsconfig.base.json
 COPY --chown=node:node scripts/updateVersion.ts scripts/updateVersion.ts
+COPY --chown=node:node scripts/bundleSdkDocs.ts scripts/bundleSdkDocs.ts
 RUN pnpm run generate
 RUN --mount=type=secret,id=sentry_auth_token \
     SENTRY_AUTH_TOKEN=$(cat /run/secrets/sentry_auth_token) \

scripts/bundleSdkDocs.ts

@@ -65,6 +65,19 @@ async function collectManifest(): Promise<string[]> {
 }
 
 async function bundleSdkDocs() {
+  // When the SDK is built as a dependency inside a pruned workspace (e.g. the webapp Docker
+  // image), the repo-level docs/ tree is a separate workspace package that isn't part of that
+  // build's dependency graph, so it isn't present. The SDK isn't being published there, so
+  // there's nothing to bundle: skip rather than fail. Publishing always runs from the full
+  // monorepo where docs/ exists, so the missing-docs guard below still protects releases.
+  const docsRoot = path.join(repoRoot, "docs");
+  try {
+    await fs.access(docsRoot);
+  } catch {
+    console.log(`[bundleSdkDocs] docs/ not present at ${docsRoot}; skipping (pruned build)`);
+    return;
+  }
+
   const manifest = await collectManifest();
 
   if (manifest.length === 0) {