revert(mollifier): use standard REDIS_* fallback and fail loud on misconfig

Two prior changes are reverted:

1. MOLLIFIER_REDIS_HOST (plus _PORT/_USERNAME/_PASSWORD/_TLS_DISABLED)
   regain their `.transform((v) => v ?? process.env.REDIS_*)` fallback
   to the main Redis cluster, matching the convention used elsewhere in
   the codebase for dedicated-cluster env vars. Operators who don't set
   a dedicated mollifier Redis fall back to the main one — that's the
   accepted default.

2. getMollifierBuffer() no longer degrades to disabled with a warn log
   when MOLLIFIER_ENABLED=1 but MOLLIFIER_REDIS_HOST is unset. The
   buffer initialises normally (falling back to the main Redis if
   configured), and if that fails the pod crashes loudly. Same for the
   drainer: initializeMollifierDrainer() throws "env vars inconsistent"
   if the buffer comes back null, surfacing the misconfig immediately
   rather than silently leaving entries un-drained.

Operationally: silent degradation hides config errors from operators
and produces "why are no triggers being mollified?" debugging sessions.
Loud failure surfaces the same misconfig at deploy time via the pod's
health checks.

Author: d-cs

apps/webapp/app/env.server.ts

@@ -1032,16 +1032,25 @@ const EnvironmentSchema = z
 
     MOLLIFIER_ENABLED: z.string().default("0"),
     MOLLIFIER_SHADOW_MODE: z.string().default("0"),
-    // No fallback to the main `REDIS_*` cluster. The mollifier writes to a
-    // dedicated Redis to keep burst traffic off the engine's primary queue.
-    // If `MOLLIFIER_ENABLED=1` but `MOLLIFIER_REDIS_HOST` is unset, the
-    // buffer degrades to disabled (with a warn log) rather than silently
-    // colocating with the main Redis. See `mollifierBuffer.server.ts`.
-    MOLLIFIER_REDIS_HOST: z.string().optional(),
-    MOLLIFIER_REDIS_PORT: z.coerce.number().optional(),
-    MOLLIFIER_REDIS_USERNAME: z.string().optional(),
-    MOLLIFIER_REDIS_PASSWORD: z.string().optional(),
-    MOLLIFIER_REDIS_TLS_DISABLED: z.string().default("false"),
+    MOLLIFIER_REDIS_HOST: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_HOST),
+    MOLLIFIER_REDIS_PORT: z.coerce
+      .number()
+      .optional()
+      .transform(
+        (v) => v ?? (process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : undefined),
+      ),
+    MOLLIFIER_REDIS_USERNAME: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_USERNAME),
+    MOLLIFIER_REDIS_PASSWORD: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_PASSWORD),
+    MOLLIFIER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
     MOLLIFIER_TRIP_WINDOW_MS: z.coerce.number().int().positive().default(200),
     MOLLIFIER_TRIP_THRESHOLD: z.coerce.number().int().positive().default(100),
     MOLLIFIER_HOLD_MS: z.coerce.number().int().positive().default(500),

apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts

@@ -26,25 +26,7 @@ function initializeMollifierBuffer(): MollifierBuffer {
   });
 }
 
-// Latch so we log the degraded-config warning exactly once per process
-// instead of on every `getMollifierBuffer()` call (which is per-trigger).
-let degradedConfigLogged = false;
-
 export function getMollifierBuffer(): MollifierBuffer | null {
   if (env.MOLLIFIER_ENABLED !== "1") return null;
-  // Fail safe, not loud: if MOLLIFIER_ENABLED was flipped on without
-  // setting `MOLLIFIER_REDIS_HOST`, degrade the mollifier to disabled
-  // rather than crash-looping the pod (or — worse — sharing the main
-  // engine Redis). One warn log per process is enough for operators to
-  // spot the misconfig without drowning logs in repeats.
-  if (!env.MOLLIFIER_REDIS_HOST) {
-    if (!degradedConfigLogged) {
-      logger.warn(
-        "mollifier.degraded_config: MOLLIFIER_ENABLED=1 but MOLLIFIER_REDIS_HOST is unset — treating as disabled until configured",
-      );
-      degradedConfigLogged = true;
-    }
-    return null;
-  }
   return singleton("mollifierBuffer", initializeMollifierBuffer);
 }

apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts

@@ -6,15 +6,16 @@ import { singleton } from "~/utils/singleton";
 import { getMollifierBuffer } from "./mollifierBuffer.server";
 import type { BufferedTriggerPayload } from "./bufferedTriggerPayload.server";
 
-function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload> | null {
+function initializeMollifierDrainer(): MollifierDrainer<BufferedTriggerPayload> {
   const buffer = getMollifierBuffer();
   if (!buffer) {
-    // Buffer degraded to disabled (e.g. MOLLIFIER_ENABLED=1 but
-    // MOLLIFIER_REDIS_HOST unset). Don't crash the pod — return null and
-    // let the worker shutdown registration short-circuit. The degraded
-    // config is logged once by `getMollifierBuffer()`; we don't double
-    // log here.
-    return null;
+    // Unreachable in normal config: getMollifierDrainer() gates on the
+    // same env flag as getMollifierBuffer(). If we hit this, fail loud
+    // — the operator has set MOLLIFIER_ENABLED=1 on a worker pod but
+    // the buffer can't initialise (e.g. MOLLIFIER_REDIS_HOST resolves
+    // to nothing). Crashing surfaces the misconfig immediately rather
+    // than silently leaving entries un-drained.
+    throw new Error("MollifierDrainer initialised without a buffer — env vars inconsistent");
   }
 
   logger.debug("Initializing mollifier drainer", {